Sunday, February 5, 2012

Adding More Protection Layer on PHP

PHP is a well known and popular programming language that has been considered mature for years. It has a big community behind the stage and it's been used in most websites due to it's nature of being an open source project and widely supported by many Linux distributions.

Unfortunately, lately, they have been struggling to work with their security problems and even with Stefan Esser's help to improve the project, their ego was too high, so they ignored some of his proposal to improve PHP's security core. At the end, Stefan released Suhosin project to help users to get the better PHP service from the security point of view.

I always installed Suhosin on my servers since lately, PHP has changed it's way of rolling releases and it's not as often as it used to be. Some critical fixes are in pending for months until it's rolled out to users and sometimes, it's kinda late to prevent exploits coming around.

There are two ways of installing Suhosin. The first one comes as a PHP patch which will be used against PHP source code prior compilation and the second option come as an extension. If you plan to compile your first PHP and release it as a bundle, it's better for you to pick the first option as it will patch PHP directly into the source. However, sometimes you have your PHP up and running and you want to add additional security layer on top of it and that's when the second option is preferred.

Here's how you compile and install Suhosin on top of running PHP
  • Download the latest release of Suhosin Extension
  • Extract the package (tar -xzvf suhosin-0.9.33.tgz)
  • Change to suhosin directory (cd suhosin-0.9.33)
  • Ran the magic command (phpize; ./configure; make;)
  • Install the package using root account (make install
  • Add this line into your php.ini file (
  • Add the appropriate location of the module in extension_dir variable in php.ini
  • Restart your Apache (/etc/rc.d/rc.httpd restart)
  • Confirm your PHP is protected by Suhosin (php -v)
  • If you ran the phpinfo() function, you will get something like this