Suhosin: How to harden your PHP web application

PHP is a hugely popular programming language but poor coding can make your server as secure as a wet paper bag ... Suhosin is the solution


The number of Internet servers that run the PHP language is incredible. According to Netcraft, as of January 2012 around 244,000,000 web sites were running PHP, and according to a May 2015 survey by W3Techs “PHP is used by 81.9% of all websites whose server-side programming language we know.” Bottom line: PHP rules.

The lure of PHP is that it's easy to learn, easy to develop with, and flexible (though not everyone thinks PHP is a good idea). On the other hand, as with all programming languages, PHP has security issues, and poor coding practices can make a server vulnerable to hackers.

While your own coding might be A+ (cough-unlikely-cough), if you allow code from other developers (i.e. code you didn’t write and didn’t verify for coding standards and integrity) to run on your server, you’re vulnerable at least to some degree (or more likely, hugely vulnerable). Without in-depth analysis and evaluation you simply don’t know whether you’re safe or not.

Enter Suhosin.

Designed as an “advanced protection system for PHP installations”, Suhosin is a two-part fix: a patch applied to the PHP core to protect against problems like buffer overflows and format string vulnerabilities, and an extension to PHP that addresses a whole litany of runtime vulnerabilities and session issues and adds filtering and logging features.

So, does your server have Suhosin? According to Wikipedia:

In some Linux distributions, notably Debian in versions up to 6.x ("squeeze"/"oldstable") and Gentoo Linux, it was shipped by default with both patch and extension. Suhosin was removed from Debian as of version 7 (wheezy) but reappeared in the current development branch.

It is activated by default in Mac OS X Server.

As of PHP 5.4, openSUSE dropped the Suhosin patch, but maintains a port of the Suhosin extension.

FreeBSD 10.1 maintains the Suhosin extension in its ports collection.

Installing Suhosin is straightforward:

Unlike the Hardening-Patch for PHP, nearly all of Suhosin's features are within the extension. Therefore you might want to only install the extension and use a plain unpatched PHP. Depending on the system we might already offer binary packages. You can check our Suhosin Download page. In that case you only need to activate the extension inside your php.ini and maybe add Configuration directives if you are not satisfied by the default values.

If that isn’t what your environment needs, then you can install Suhosin manually, but you’ll need command-line access at root level.
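The “activate the extension inside your php.ini and maybe add Configuration directives” step, as an added example that is not from the article or the Suhosin project. It assumes the module was built or packaged as suhosin.so in PHP's extension_dir, and the paths, limits and key placeholders are illustrative values to be adapted to the application; the directive names are Suhosin's own.

```ini
; Added example (not from the article or the Suhosin project): a php.ini
; fragment that loads the Suhosin extension and tightens a few directives
; beyond their defaults. Assumption: the module is installed as suhosin.so
; inside PHP's extension_dir.
extension=suhosin.so

; Enforce rather than only log. With simulation = On, violations are
; logged but the request is still allowed through, which is useful for a
; trial period but gives no protection once the server is live.
suhosin.simulation = Off

; Send every class of violation to syslog (511 = all log classes) so a
; central log collector can alert on them.
suhosin.log.syslog = 511

; Limit how many "../" components an include path may contain.
suhosin.executor.include.max_traversal = 4

; Disable eval() if the application does not need it.
suhosin.executor.disable_eval = On

; Functions the application never calls; calling one aborts the request.
suhosin.executor.func.blacklist = system,exec,passthru,shell_exec,proc_open,popen

; Transparently encrypt session data and cookies with a per-host key
; (placeholder values here; set a long random key on each server).
suhosin.session.encrypt = On
suhosin.session.cryptkey = CHANGE-ME-PLACEHOLDER
suhosin.cookie.encrypt = On
suhosin.cookie.cryptkey = CHANGE-ME-PLACEHOLDER

; Cap the number of request variables accepted per request.
suhosin.request.max_vars = 500
suhosin.post.max_vars = 500

; Reject mail() calls whose headers contain injected newlines.
suhosin.mail.protect = 2
```

After restarting the web server or PHP-FPM, `php -m` (or phpinfo()) lists `suhosin` among the loaded modules and shows the effective values of these directives.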

So, do you need Suhosin? The Suhosin site sums it up nicely:

… it is your free choice to use Suhosin. If you want additional protection for your servers and your business, we can only recommend strongly that you use the extension and the patch. Always keep in mind that you are not only protecting yourself and your users, but also other people on the internet, that might get attacked by your server after it has been turned into a (Spam-/DDOS-) attack drone.


Copyright © 2015 IDG Communications, Inc.
