Home | 简体中文 | 繁体中文 | 杂文 | Search | ITEYE 博客 | OSChina 博客 | Facebook | Linkedin | 作品与服务 | Email

5.15. Suhosin

		
Step of installation for Suhosin:
1. Download suhosin and install it
#cd /usr/local/
#wget http://www.hardened-php.net/suhosin/_media/suhosin-0.9.18.tgz
#tar -zxvf suhosin-0.9.18.tgz
#cd suhosin-0.9.18
#phpize
#./configure
#make && make install
2. Adding a load directive to php.ini
extension=suhosin.so
[suhosin]
suhosin.get.max_value_length = 5120
3. Restart apache service
#/etc/init.d/httpd restart
		
		

Configuration

Logging Configuration
suhosin.log.syslog
suhosin.log.syslog.facility
suhosin.log.syslog.priority
suhosin.log.sapi
suhosin.log.script
suhosin.log.phpscript
suhosin.log.script.name
suhosin.log.phpscript.name
suhosin.log.use-x-forwarded-for
Executor Options
suhosin.executor.max_depth
suhosin.executor.include.max_traversal
suhosin.executor.include.whitelist
suhosin.executor.include.blacklist
suhosin.executor.func.whitelist
suhosin.executor.func.blacklist
suhosin.executor.eval.whitelist
suhosin.executor.eval.blacklist
suhosin.executor.disable_eval
suhosin.executor.disable_emodifier
suhosin.executor.allow_symlink
Misc Options
suhosin.simulation
suhosin.apc_bug_workaround
suhosin.sql.bailout_on_error
suhosin.sql.user_prefix
suhosin.sql.user_postfix
suhosin.multiheader
suhosin.mail.protect
suhosin.memory_limit
Transparent Encryption Options
suhosin.session.encrypt
suhosin.session.cryptkey
suhosin.session.cryptua
suhosin.session.cryptdocroot
suhosin.session.cryptraddr
suhosin.session.checkraddr
suhosin.cookie.encrypt
suhosin.cookie.cryptkey
suhosin.cookie.cryptua
suhosin.cookie.cryptdocroot
suhosin.cookie.cryptraddr
suhosin.cookie.checkraddr
suhosin.cookie.cryptlist
suhosin.cookie.plainlist
Filtering Options
suhosin.filter.action
suhosin.cookie.max_array_depth
suhosin.cookie.max_array_index_length
suhosin.cookie.max_name_length
suhosin.cookie.max_totalname_length
suhosin.cookie.max_value_length
suhosin.cookie.max_vars
suhosin.cookie.disallow_nul
suhosin.get.max_array_depth
suhosin.get.max_array_index_length
suhosin.get.max_name_length
suhosin.get.max_totalname_length
suhosin.get.max_value_length
suhosin.get.max_vars
suhosin.get.disallow_nul
suhosin.post.max_array_depth
suhosin.post.max_array_index_length
suhosin.post.max_name_length
suhosin.post.max_totalname_length
suhosin.post.max_value_length
suhosin.post.max_vars
suhosin.post.disallow_nul
suhosin.request.max_array_depth
suhosin.request.max_array_index_length
suhosin.request.max_totalname_length
suhosin.request.max_value_length
suhosin.request.max_vars
suhosin.request.max_varname_length
suhosin.request.disallow_nul
suhosin.upload.max_uploads
suhosin.upload.disallow_elf
suhosin.upload.disallow_binary
suhosin.upload.remove_binary
suhosin.upload.verification_script
suhosin.session.max_id_length
		

suhosin有三个选项控制eval

suhosin.executor.eval.whitelist        白名单
suhosin.executor.eval.blacklist        黑名单
suhosin.executor.disable_eval        禁用eval
很多程序需要eval,所以我们不能禁用,使用黑名单禁止一些危险的函数
编辑php.ini
[Suhosin]
suhosin.executor.eval.blacklist=phpinfo,fputs,fopen,fwrite
根据实际情况自行设定
		

包含漏洞

suhosin.executor.include.max_traversal        包含的最大目录深度,在包含的文件名中有多少个../就禁止,例如值为2时,../../etc/passwd会禁止,值为3则允许,对于大多数程序,这个值设为4或5比较合适
suhosin.executor.include.whitelist        允许包含的URL,用逗号分隔
suhosin.executor.include.blacklist        禁止包含的URL,用逗号分隔
		

上传漏洞

suhosin.upload.max_uploads
suhosin.upload.disallow_elf
suhosin.upload.disallow_binary
suhosin.upload.remove_binary
suhosin.upload.verification_script        上传文件检查脚本
可以自己写一个脚本检查上传文件是否有webshell特征,然后suhosin.upload.verification_script 的值是这个脚本的绝对路径
		

其他更深入的防护措施,还有待研究,参考suhosin选项 http://www.hardened-php.net/suhosin/configuration.html

comments powered by Disqus