Monday, November 10, 2008

Hardening PHP security with Suhosin

Suhosin (수호신) is a Korean word meaning “guardian angel”. The project was originally developed by Stefan Esser, a German developer who loves the Korean language.

Originating from the Hardened-PHP project, Suhosin is an advanced protection system for PHP installations. It is designed to protect servers and users from known and unknown flaws in PHP applications and in the PHP core.

Suhosin has two parts:
  • A patch to the PHP core that hardens the Zend engine against buffer overflows and related memory-corruption vulnerabilities.
  • A standalone Suhosin extension module for PHP that provides many security features not present in PHP itself.
The two can be used together, or the extension module can be used alone.

Some of Suhosin's features are:
  • Logging of errors to syslog or to arbitrary logfiles
  • Blacklists and whitelists that can be set per virtual host
  • Filtering of GET and POST requests, file uploads, and cookies
  • Transparent encryption of sessions and cookies
  • Memory limits
  • ... and many more
If your web applications are developed in PHP, you should seriously consider installing Suhosin to harden them. It is already packaged by most major Linux distributions; search for "php5-suhosin" or "php-suhosin" in your distribution's package manager to install it.
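As an added example (not from the original post or the Suhosin project), here is a php.ini fragment that maps the features listed above to Suhosin's configuration directives; the numeric limits and the CHANGE_ME key values are assumptions to tune for your own application.

```ini
; Added example: Suhosin extension settings for php.ini (not from the original post).
; Limits and key values are assumptions; adjust them to the application's real needs.
extension = suhosin.so

[suhosin]
; Start in simulation mode: violations are logged but NOT blocked.
; Run like this first, review the log, then set it to Off to enforce.
suhosin.simulation = On

; --- Logging: send all alert classes (511 = S_ALL) to syslog and to a dedicated file ---
suhosin.log.syslog = 511
suhosin.log.file = 511
suhosin.log.file.name = /var/log/suhosin.log

; --- Function blacklist (a whitelist, if set, takes precedence over the blacklist) ---
; Block shell-spawning functions the application does not use.
suhosin.executor.func.blacklist = exec,passthru,shell_exec,system,proc_open,popen
; Set to On if the application never needs eval()
suhosin.executor.disable_eval = Off

; --- Request filtering: GET, POST, cookies and uploads ---
suhosin.get.max_vars = 100
suhosin.get.max_value_length = 512
suhosin.get.disallow_nul = On
suhosin.post.max_vars = 200
suhosin.post.max_value_length = 65000
suhosin.cookie.max_vars = 50
suhosin.request.max_vars = 250
suhosin.upload.max_uploads = 5
; Reject uploaded files that are ELF executables
suhosin.upload.disallow_elf = On

; --- Transparent encryption of session data and cookies ---
; Keys are placeholders: use long random values and keep them out of version control.
suhosin.session.encrypt = On
suhosin.session.cryptkey = CHANGE_ME_session_key
; Bind the session to the client's User-Agent as well
suhosin.session.cryptua = On
suhosin.cookie.encrypt = On
suhosin.cookie.cryptkey = CHANGE_ME_cookie_key

; --- Hard memory cap: scripts cannot raise memory_limit above this with ini_set() ---
suhosin.memory_limit = 128M
```

To override the blacklist or whitelist for a single site with mod_php, put the directive in that site's Apache `<VirtualHost>` block, for example `php_admin_value suhosin.executor.func.blacklist "exec,system"`.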

For more information about downloading and installing Suhosin, click here.


1 comment: