Debian 8 and Ubuntu 14.04 LTS Install Suhosin PHP Extension To Protect Your Server

Suhosin is an advanced protection system for PHP installations. It was designed to protect servers and users from known and unknown flaws in PHP applications and the PHP core. How can I install the Suhosin extension on a Debian v8.x or Ubuntu Linux 14.04 LTS server?

 

Suhosin (Korean 수호신, meaning guardian angel) is used to secure PHP web applications such as WordPress and others. Suhosin comes as an extension and a patch. Both parts can be installed separately and have no dependencies on each other.

How To Install Suhosin on Debian and Ubuntu [Binary Method]

Type the following commands on an Ubuntu Linux 14.04 LTS server:

sudo -s

echo "deb http://repo.suhosin.org/ ubuntu-trusty main" >> /etc/apt/sources.list

apt-get update

Debian Linux 8.x users type the following commands:

sudo -s

echo "deb http://repo.suhosin.org/ debian-jessie main" >> /etc/apt/sources.list

apt-get update

Sample outputs:

Ign http://security.ubuntu.com trusty-security InRelease

Get:1 http://security.ubuntu.com trusty-security Release.gpg [933 B]

Get:2 http://security.ubuntu.com trusty-security Release [63.5 kB]

Ign http://archive.ubuntu.com trusty InRelease

Ign http://archive.ubuntu.com trusty-updates InRelease

Get:3 http://security.ubuntu.com trusty-security/main amd64 Packages [319 kB]

Hit http://archive.ubuntu.com trusty Release.gpg

Ign http://repo.suhosin.org ubuntu-trusty InRelease

Get:4 http://security.ubuntu.com trusty-security/restricted amd64 Packages [8,875 B]

Get:5 http://security.ubuntu.com trusty-security/universe amd64 Packages [111 kB]

Get:6 http://archive.ubuntu.com trusty-updates Release.gpg [933 B]

Get:7 http://security.ubuntu.com trusty-security/multiverse amd64 Packages [3,683 B]

Get:8 http://repo.suhosin.org ubuntu-trusty Release.gpg [816 B]

Get:9 http://security.ubuntu.com trusty-security/main Translation-en [172 kB]

Hit http://archive.ubuntu.com trusty Release

Get:10 http://repo.suhosin.org ubuntu-trusty Release [1,074 B]

Get:11 http://archive.ubuntu.com trusty-updates Release [63.5 kB]

Get:12 http://repo.suhosin.org ubuntu-trusty/main amd64 Packages [722 B]

Hit http://security.ubuntu.com trusty-security/multiverse Translation-en

Hit http://archive.ubuntu.com trusty/main amd64 Packages

Hit http://security.ubuntu.com trusty-security/restricted Translation-en

Hit http://security.ubuntu.com trusty-security/universe Translation-en

Hit http://archive.ubuntu.com trusty/restricted amd64 Packages

Hit http://archive.ubuntu.com trusty/universe amd64 Packages

Hit http://archive.ubuntu.com trusty/multiverse amd64 Packages

Hit http://archive.ubuntu.com trusty/main Translation-en

Hit http://archive.ubuntu.com trusty/multiverse Translation-en

Ign http://repo.suhosin.org ubuntu-trusty/main Translation-en_US

Hit http://archive.ubuntu.com trusty/restricted Translation-en

Ign http://repo.suhosin.org ubuntu-trusty/main Translation-en

Hit http://archive.ubuntu.com trusty/universe Translation-en

Get:13 http://archive.ubuntu.com trusty-updates/main amd64 Packages [584 kB]

Get:14 http://archive.ubuntu.com trusty-updates/restricted amd64 Packages [11.8 kB]

Get:15 http://archive.ubuntu.com trusty-updates/universe amd64 Packages [297 kB]

Get:16 http://archive.ubuntu.com trusty-updates/multiverse amd64 Packages [12.0 kB]

Hit http://archive.ubuntu.com trusty-updates/main Translation-en

Hit http://archive.ubuntu.com trusty-updates/multiverse Translation-en

Hit http://archive.ubuntu.com trusty-updates/restricted Translation-en

Hit http://archive.ubuntu.com trusty-updates/universe Translation-en

Ign http://archive.ubuntu.com trusty/main Translation-en_US

Ign http://archive.ubuntu.com trusty/multiverse Translation-en_US

Ign http://archive.ubuntu.com trusty/restricted Translation-en_US

Ign http://archive.ubuntu.com trusty/universe Translation-en_US

Fetched 1,651 kB in 6s (250 kB/s)

Reading package lists… Done

The suhosin.org repository is signed with a key, so download the key with the wget command and add it with apt-key:

## Run as root user ##

wget https://sektioneins.de/files/repository.asc

sudo apt-key add repository.asc

Sample outputs:

Fig.01: Installing key

 

Next, type the following apt-get command to install the php5-suhosin-extension package:

sudo apt-get install php5-suhosin-extension

Sample outputs:

Fig.02: Installing php5-suhosin-extension package

Enable the php5-suhosin-extension

sudo php5enmod suhosin

Restart php5-fpm on Ubuntu 14.04 LTS

sudo /sbin/restart php5-fpm

Restart php5-fpm on Debian Linux 8.0

sudo systemctl restart php5-fpm

Test it

Create a file called test.php:

sudo vi /var/www/test.php

Append the following code:

<?php

phpinfo();

?>

Save and close the file. Open a browser and type the following URL:

http://server-ip-here/test.php

 

OR

http://1.2.3.4/test.php

 

Sample outputs:

Fig.03: Suhosin enabled on server

Configuration

You need to edit the file /etc/php5/mods-available/suhosin.ini, enter:

# vi /etc/php5/mods-available/suhosin.ini

 

The following comma-separated blacklists name the functions that are not allowed to be called, either directly or from within eval():

suhosin.executor.func.blacklist = assert,unserialize,exec,popen,proc_open,passthru,shell_exec,system,hail,parse_str,mt_srand

suhosin.executor.eval.blacklist = assert,unserialize,exec,popen,proc_open,passthru,shell_exec,system,hail,parse_str,mt_srand

Save and close the file, then restart php5-fpm so the changes take effect. I suggest you see the configuration page for a complete list of possible configuration options.
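
An added example, not part of the original article or the Suhosin project: a shell audit of the executor lists in suhosin.ini. It reports command-execution functions that are missing from suhosin.executor.func.blacklist or that appear in suhosin.executor.eval.whitelist, which permits them inside eval(). The sample ini files, the RISKY list and the function names ini_list and audit_suhosin_ini are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: audit the Suhosin executor lists in an ini file.
# RISKY is the command-execution subset of the list shown on this page.
RISKY="exec popen proc_open passthru shell_exec system"

# Print the entries of one directive, one per line. Lines starting with
# ';' are comments; if a directive is repeated, the last setting is used.
ini_list() {  # usage: ini_list KEY FILE
    awk -F= -v key="$1" '
        /^[ \t]*;/ { next }
        { k = $1; gsub(/[ \t]/, "", k) }
        k == key { v = $0; sub(/^[^=]*=/, "", v); gsub(/[ \t"]/, "", v) }
        END {
            n = split(v, a, ",")
            for (i = 1; i <= n; i++) if (a[i] != "") print a[i]
        }' "$2"
}

# Print one finding per line; print nothing when the file passes.
audit_suhosin_ini() {  # usage: audit_suhosin_ini FILE
    deny=$(ini_list suhosin.executor.func.blacklist "$1")
    eval_allow=$(ini_list suhosin.executor.eval.whitelist "$1")
    for f in $RISKY; do
        # Not on the blacklist: the function can be called directly.
        printf '%s\n' "$deny" | grep -qxF "$f" || echo "NOT-BLACKLISTED $f"
        # On the eval whitelist: the function is permitted inside eval().
        if printf '%s\n' "$eval_allow" | grep -qxF "$f"; then
            echo "EVAL-WHITELISTED $f"
        fi
    done
    return 0
}

# Constructed sample files (not taken from a real server).
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
cat > "$SAMPLE_DIR/weak.ini" <<'EOF'
extension=suhosin.so
;suhosin.executor.func.blacklist = exec,system
suhosin.executor.func.blacklist = assert,unserialize,exec,popen
suhosin.executor.eval.whitelist = assert,exec,system
EOF
cat > "$SAMPLE_DIR/good.ini" <<'EOF'
extension=suhosin.so
suhosin.executor.func.blacklist = assert,unserialize,exec,popen,proc_open,passthru,shell_exec,system,hail,parse_str,mt_srand
suhosin.executor.eval.blacklist = assert,unserialize,exec,popen,proc_open,passthru,shell_exec,system,hail,parse_str,mt_srand
EOF

audit_suhosin_ini "$SAMPLE_DIR/weak.ini"
```

To check a live server, run audit_suhosin_ini /etc/php5/mods-available/suhosin.ini after editing the file and before restarting php5-fpm.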

 

 
