    #1
    Member

    [TUT] KWWH special ! : How to Harden PHP via php.ini

    Hello Guys,

    This is my tutorial on how to harden PHP via the php.ini to stop those horrible php shells like c99.

    OK, let's get started ~

    Step 1 : Install Suhosin :

    Code: 
    cd /opt
    wget http://download.suhosin.org/suhosin-0.9.27.tgz
    tar xzf suhosin-0.9.27.tgz   # unpack the archive before changing into it
    Step 2 : Install php-devel :
    Code: 
    yum install php-devel
    Step 3 : Compile Suhosin :
    Code: 
    cd suhosin-0.9.27
    phpize
    ./configure
    make
    make install
    Code: 
    echo 'extension=suhosin.so' > /etc/php.d/suhosin.ini
    OK, so that part is done. Now for the php.ini issues.

    Step 4 : Edit Your php.ini

    Code: 
    nano /etc/php.ini
    Now we are going to disable some functionality.

    Find
    Code: 
    disable_functions =
    Once you find that, replace it with this (one single line):
    Code: 
    disable_functions = php_uname,delete,system,getmyuid,getmypid,passthru,leak,listen,diskfreespace,tmpfile,link,ignore_user_abort,shell_exec,dl,set_time_limit,exec,highlight_file,source,show_source,fpassthru,virtual,posix_ctermid,posix_getcwd,symlink,popen,escapeshellarg,escapeshellcmd,myshellexec,c99_buff_prepare,c99_sess_put,posix_getegid,posix_geteuid,posix_getgid,posix_getgrgid,posix_getgrnam,posix_getgroups,posix_getlogin,posix_getpgid,posix_getpgrp,posix_getpid,posix_getppid,posix_getpwnam,posix_getpwuid,posix_getrlimit,posix_getsid,posix_getuid,posix_isatty,posix_kill,posix_mkfifo,posix_setegid,posix_seteuid,posix_setgid,posix_setpgid,posix_setsid,posix_setuid,posix_times,posix_ttyname,posix_uname,proc_open,proc_close,proc_get_status,proc_nice,proc_terminate,phpinfo
    Those are all the "hacking" codes I found in 18 different shells.

    Step 5 : Now we are preventing information disclosure

    Find
    Code: 
    display_errors =
    and replace it with
    Code: 
    display_errors = Off
    Step 6 : Disable Global Function
    Code: 
    register_globals = Off
    Step 7 : Disable Remote Upload ( Stops the Upload of Shells )

    Code: 
    allow_url_fopen = Off 
    allow_url_include = Off
    Code: 
    file_uploads = Off
    Code: 
    upload_tmp_dir = /var/php_tmp
    upload_max_filesize = 2M
    Step 8 : Protect Your Sessions :

    Code: 
    session.save_path = /var/lib/php
    session.cookie_httponly = 1


    Then Restart Your Apache :

    Code: 
    /sbin/service httpd reload
    Done!
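    As an added check for the settings changed in Steps 4 to 7 (example code written for this thread, not part of the original post and not from the Suhosin or PHP projects): a POSIX sh script that reads a php.ini and reports every setting still at an unsafe value, including any command-execution function missing from disable_functions. The function names (get_ini_value, is_off, audit_php_ini), the MUST_DISABLE list and the two sample php.ini files are this example's own constructions; it needs only sh and awk, so it runs without PHP installed.

```shell
#!/bin/sh
# Added example (not from the original post): audit a php.ini for the
# hardening settings the tutorial above changes. Pure POSIX sh + awk, so
# it runs without PHP installed. The names below (get_ini_value, is_off,
# audit_php_ini, MUST_DISABLE) are this example's own.

# Functions from the tutorial's disable_functions list that web shells
# rely on to run OS commands; the audit insists each one is listed.
MUST_DISABLE="exec shell_exec system passthru popen proc_open"

# get_ini_value FILE KEY: print KEY's value; the last uncommented
# assignment wins, as in PHP. Prints an empty line if KEY is absent.
get_ini_value() {
    awk -v key="$2" '
        /^[ \t]*;/ { next }                       # whole-line ; comment
        {
            line = $0
            sub(/[ \t]*;.*$/, "", line)           # strip trailing comment
            n = index(line, "=")
            if (n == 0) next
            k = substr(line, 1, n - 1)
            v = substr(line, n + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k)
            gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) val = v
        }
        END { print val }
    ' "$1"
}

# is_off VALUE: true for every spelling php.ini treats as disabled
is_off() {
    case "$(printf '%s' "$1" | tr 'A-Z' 'a-z')" in
        off|0|false|no|none) return 0 ;;
        *) return 1 ;;
    esac
}

# audit_php_ini FILE: print one line per finding, return the finding count
audit_php_ini() {
    f="$1"; findings=0
    # built-in default is On, so an absent key means still enabled
    for key in display_errors allow_url_fopen; do
        v=$(get_ini_value "$f" "$key")
        if [ -z "$v" ]; then
            echo "$key: not set, PHP default is On"; findings=$((findings + 1))
        elif ! is_off "$v"; then
            echo "$key: '$v', expected Off"; findings=$((findings + 1))
        fi
    done
    # default already Off (allow_url_include) or removed from newer PHP
    # (register_globals): only an explicit On is a finding
    for key in allow_url_include register_globals; do
        v=$(get_ini_value "$f" "$key")
        if [ -n "$v" ] && ! is_off "$v"; then
            echo "$key: '$v', expected Off"; findings=$((findings + 1))
        fi
    done
    # every must-block function has to appear in the comma-separated list
    dis=$(get_ini_value "$f" disable_functions | tr -d ' \t')
    for fn in $MUST_DISABLE; do
        case ",$dis," in
            *",$fn,"*) ;;
            *) echo "disable_functions: $fn still callable"; findings=$((findings + 1)) ;;
        esac
    done
    return "$findings"
}

# Constructed sample files: a stock-looking php.ini and one after the steps.
WEAK_INI=$(mktemp); HARD_INI=$(mktemp)
cat > "$WEAK_INI" <<'EOF'
; constructed sample, not a real server's php.ini
display_errors = On
allow_url_fopen = On
disable_functions =
EOF
cat > "$HARD_INI" <<'EOF'
; constructed sample after applying the tutorial
display_errors = Off
register_globals = Off
allow_url_fopen = Off
allow_url_include = Off
file_uploads = Off
disable_functions = exec, shell_exec, system, passthru, popen, proc_open, phpinfo
EOF

echo "== weak =="; audit_php_ini "$WEAK_INI"; echo "findings: $?"
echo "== hardened =="; audit_php_ini "$HARD_INI"; echo "findings: $?"
```

    Point it at the real file with `audit_php_ini /etc/php.ini` after editing; an exit status of 0 means every checked setting matches the tutorial. Keys whose PHP default is already On are reported even when absent, because an unset key leaves the default in force, which is the mistake a quick grep for "= On" would miss.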


    #2
    Respected Member
    Looks like a nice tut

    #3
    Member
    Keep it up dude. We need more security-related articles.

    #4
    Member
    nice tut!

    #5
    Member
    I don't see many benefits in this. The latest version of PHP has register_globals = Off by default, and the rest of the crap, to be honest, is crap. Like disabling errors: this shouldn't be an issue on a live server, because ALL DISPLAYED errors should have been fixed in BETA while running the script on localhost.

    #6
    Member
    The benefit of this tutorial is to show people what code can affect your site and server, and how to block it.

    #7
    Member
    "Your PHP is secure against those hackers."
    That's what you state, making someone that knows nothing about PHP think that your tut is going to stop all hackers from exploiting their PHP code. I would have to say that both of us know that's nowhere near being true.

    #8
    Member
    Well, if you did a little research: c99, c100, r57 etc., all those shells use shell_exec. So yes, by disabling functions like that you will be safe from shells.

    #9
    Member
    FFS, you even disabled phpinfo. Lame. AFAIK disabling PHP functions doesn't provide any security.

    #10
    Member
    You don't need phpinfo as long as you know what PHP you are running on.

