[TUT] KWWH special ! : How to Harden PHP via php.ini

[Dom]

Hello Guys ,

This is my tutorial on how to harden PHP via the php.ini to stop those horrible php shells like c99.

Ok lets get started ~




Step 1 : Install Suhostin :

Code: 

cd /opt
wget http://download.suhosin.org/suhosin-0.9.27.tgz

Step 2 : Install php-devel :

Code: 

yum install php-devel

Step 3 : Compile Suhostin :

Code: 

cd suhosin-0.9.27
phpize
./configure
make
make install

Code: 

echo 'extension=suhosin.so' > /etc/php.d/suhosin.ini

Ok so that part is done , Now for the php.ini issues.

Step 4 : Edit Your php.ini

Code: 

nano /etc/php.ini

Now we are going to disable some functionality.

Find

Code: 

disable_functions =

Once you find that replace it with this :

Code: 

disable_functions

Code: 

php_uname,delete,system,etmyuid,getmypid,passthru,leak,listen,diskfreespace,tmpfile,link,ignore_user_abord,shell_exec,dl,set_time_limit,exec,system,highlight_file,source,show_source,fpaththru,virtual,posix_ctermid,posix_getcwd,symlink,popen,system,escapeshellarg,escapeshellcmd,myshellexec,c99_buff_prepare,c99_sess_put,fpassthru,posix_getegid,posix_geteuid,posix_getgid,posix_getgrgid,posix_getgrnam,posix_getgroups,posix_getlogin,posix_getpgid,posix_getpgrp,posix_getpid,posix,getppid,posix_getpwnam,posix_getpwuid,posix_getrlimit,posix_getsid,posix_getuid,posix_isatty,posix_kill,posix_mkfifo,posix_setegid,posix_seteuid,posix_setgid,posix_setpgid,posix_setsid,posix_setuid,posix_times,posix_ttyname,posix_uname,proc_open,proc_close,proc_get_status,proc_nice,proc_terminate,phpinfo

Those are all the " hacking " codes I found in 18 different shells.

Step 5 : Now we are preventing information disclosure

Find

Code: 

display_errors =

and replace it with

Code: 

display_errors = Off

Step 6 : Disable Global Function

Code: 

register_globals = Off

Step 7 : Disable Remote Upload ( Stops the Upload of Shells )

Code: 

allow_url_fopen = Off 
allow_url_include = Off

Code: 

file_uploads = Off

Code: 

upload_tmp_dir = /var/php_tmp upload_max_filezize = 2M

Step 8 : Protect Your Sessions :

Code: 

session.save_path = /var/lib/php

session.cookie_httponly = 1

Then Restart Your Apache :

Code: 

/sbin/service httpd reload

Done!

Dom Reviewed by Dom on 21st May 2011. [TUT] KWWH special ! : How to Harden PHP via php.ini Hello Guys , This is my tutorial on how to harden PHP via the php.ini to stop those horrible php shells like c99. Ok lets get started ~ http://www.besthostingforums.com/images/cdn/besthostingforums.com/2011/05/th_harden-1.gif Step 1 : Install Suhostin : Rating: 5

[soft2050]

Looks like a nice tut

[damnyou]

Keep it up dude. We need more security related articles.

[evandro]

nice tut!

[bmoeller]

i don't see many benefits in this. The latest version of PHP have register_globals = Off off bu default and the rest of the crap to be honest is
crap. Like disabling errors . This shouldn't be an issue on a live server because
ALL DISPLAYED errors should have been fixed in BETA while running
the script on localhost

[Dom]

The Benefit in this tutorial is too show people what codes can affects your site and server , and blocking them

[bmoeller]

Your PHP is secure against those hackers.

thats what you state. making someone that knows nothing about php think that your tut is going to stop all hackers from exploiting their php code. I would have to say that both of us know thats no where near being true.

[Dom]

Well , If you did a little re-search c99 , c100 , r57 etc all those shells use shell_exec . So yes by disabling functions like that you will be safe from shells

[SalmanAbbas007]

FFS u even disabled phpinfo . lame. Afaik disabling php functions doesn't provide any security

[Sponge Bob]

You dont need phpinfo as long as you know what php you are running on.