[TUT] WJ special ! : How to Harden PHP via php.ini


Dom

Active Member
608
2010
53
0
Hello Guys,

This is my tutorial on how to harden PHP via the php.ini to stop those horrible php shells like c99.

OK, let's get started ~

Step 1 : Install Suhosin :

Code:
cd /opt
wget http://download.suhosin.org/suhosin-0.9.27.tgz
Step 2 : Install php-devel :
Code:
yum install php-devel
Step 3 : Compile Suhosin :
Code:
tar xzf suhosin-0.9.27.tgz
cd suhosin-0.9.27
phpize
./configure
make
make install
Code:
echo 'extension=suhosin.so' > /etc/php.d/suhosin.ini
OK, so that part is done. Now for the php.ini issues.

Step 4 : Edit Your php.ini

Code:
nano /etc/php.ini
Now we are going to disable some functionality.

Find
Code:
disable_functions =
Once you find that replace it with this :
Code:
; Note: delete, source, myshellexec, c99_buff_prepare and c99_sess_put are not PHP built-ins
; (they are functions defined inside the shell scripts themselves), so PHP ignores them here.
disable_functions = php_uname,delete,system,getmyuid,getmypid,passthru,leak,listen,diskfreespace,tmpfile,link,ignore_user_abort,shell_exec,dl,set_time_limit,exec,highlight_file,source,show_source,fpassthru,virtual,posix_ctermid,posix_getcwd,symlink,popen,escapeshellarg,escapeshellcmd,myshellexec,c99_buff_prepare,c99_sess_put,posix_getegid,posix_geteuid,posix_getgid,posix_getgrgid,posix_getgrnam,posix_getgroups,posix_getlogin,posix_getpgid,posix_getpgrp,posix_getpid,posix_getppid,posix_getpwnam,posix_getpwuid,posix_getrlimit,posix_getsid,posix_getuid,posix_isatty,posix_kill,posix_mkfifo,posix_setegid,posix_seteuid,posix_setgid,posix_setpgid,posix_setsid,posix_setuid,posix_times,posix_ttyname,posix_uname,proc_open,proc_close,proc_get_status,proc_nice,proc_terminate,phpinfo
Those are all the "hacking" codes I found in 18 different shells.

Step 5 : Now we are preventing information disclosure

Find
Code:
display_errors =
and replace it with
Code:
display_errors = Off
Step 6 : Disable Global Function
Code:
register_globals = Off
Step 7 : Disable Remote Upload ( Stops the Upload of Shells )

Code:
allow_url_fopen = Off 
allow_url_include = Off
Code:
file_uploads = Off
Code:
upload_tmp_dir = /var/php_tmp
upload_max_filesize = 2M
Step 8 : Protect Your Sessions :

Code:
session.save_path = /var/lib/php

session.cookie_httponly = 1

Then Restart Your Apache :

Code:
/sbin/service httpd reload
Done!
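As an added example (not code from the original post), here is a small POSIX shell audit that checks a php.ini for the directives Steps 4 to 8 change and counts what is missing; it assumes plain "key = value" lines as in the stock php.ini and uses constructed sample files.

```shell
# Added example, not from the original post: audit a php.ini for the
# directives the tutorial changes (Steps 4-8) and count what is missing.
# Effective value of one directive: the last uncommented assignment wins,
# as in PHP itself. Prints nothing when the directive is not set.
ini_value() {  # $1 = php.ini path, $2 = directive name
    grep -E "^[[:space:]]*$2[[:space:]]*=" "$1" | tail -n 1 \
        | sed -E 's/^[^=]*=[[:space:]]*//; s/[[:space:]]*$//; s/^"(.*)"$/\1/'
}
# Audit one php.ini: one line per check, return value = number of failures,
# so it can gate a deployment or feed a cron alert. Unset directives count
# as failures because display_errors and allow_url_fopen default to On.
audit_php_ini() {  # $1 = php.ini path
    ini="$1"; failed=0
    for directive in display_errors register_globals allow_url_fopen allow_url_include; do
        case "$(ini_value "$ini" "$directive")" in
            Off|off|0) echo "OK    $directive is off" ;;
            *)         echo "FAIL  $directive is not explicitly Off"; failed=$((failed + 1)) ;;
        esac
    done
    case "$(ini_value "$ini" session.cookie_httponly)" in
        1|On|on) echo "OK    session.cookie_httponly is on" ;;
        *)       echo "FAIL  session.cookie_httponly is not on"; failed=$((failed + 1)) ;;
    esac
    # disable_functions must cover at least the command-execution primitives
    # the shells named in the post rely on (spacing and duplicates ignored).
    disabled=",$(ini_value "$ini" disable_functions | tr -d '[:space:]'),"
    for fn in exec shell_exec system passthru popen proc_open; do
        case "$disabled" in
            *",$fn,"*) echo "OK    disable_functions covers $fn" ;;
            *)         echo "FAIL  disable_functions misses $fn"; failed=$((failed + 1)) ;;
        esac
    done
    return "$failed"
}
# Constructed samples: a stock-style file and one after the tutorial's edits,
# written to a temp dir so the audit runs offline.
tmp=$(mktemp -d); trap 'rm -rf "$tmp"' EXIT
cat > "$tmp/weak.ini" <<'EOF'
display_errors = On
allow_url_fopen = On
disable_functions =
EOF
cat > "$tmp/hardened.ini" <<'EOF'
display_errors = Off
register_globals = Off
allow_url_fopen = Off
allow_url_include = Off
session.cookie_httponly = 1
disable_functions = php_uname, system, passthru, shell_exec, exec, popen, proc_open, phpinfo
EOF
audit_php_ini "$tmp/weak.ini";     echo "weak.ini: $? failed checks"
audit_php_ini "$tmp/hardened.ini"; echo "hardened.ini: $? failed checks"
```

Run it against every php.ini the server actually loads (`php --ini` lists them), since a per-account override would otherwise go unchecked.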
 
24 comments
I don't see many benefits in this. The latest version of PHP has register_globals = Off by default, and the rest, to be honest, is crap. Like disabling errors. This shouldn't be an issue on a live server because ALL DISPLAYED errors should have been fixed in BETA while running the script on localhost.
 
The benefit of this tutorial is to show people what codes can affect your site and server, and block them.
 
Your PHP is secure against those hackers.
That's what you state, making someone who knows nothing about PHP think that your tut is going to stop all hackers from exploiting their PHP code. I would have to say that both of us know that's nowhere near being true.
 
Well, if you did a little research, c99, c100, r57 etc., all those shells use shell_exec. So yes, by disabling functions like that you will be safe from shells.
 
I beg to differ SalmanAbbas007

If someone uploads a shell to your website, clicks on phpinfo, finds your kernel version, then searches for vulns, finds a permission vuln and gains admin access... Then what? All because you didn't block phpinfo.
 
Why would you disable those functions while some legit script might use some of them? If you are running that on a default cPanel setup, everyone can bypass the main php.ini because you forgot the most important step.

The truth is, it doesn't make you more secure. People can still execute exploits via CGI (although you disabled system, exec, shell_exec, passthru and loads of other PHP functions).
 
The user should disable CGI via cPanel anyway. If you don't like the tut, don't comment. Simple as that.

CGI can't be disabled from cPanel. Why are you writing "security" tutorials if you can't answer my questions? I just wanted to know what's the point in disabling PHP functions and causing issues to clients when the attacker can bypass it in multiple ways you didn't mention. Since you are a security expert you should know that, right?
 
Krun!x, when DID I say I was a fucking security expert? When? CGI privileges can be limited by modifying the account via cPanel. All I'm trying to do is help people. Please stay out of this thread.
 
Hello Domenic,

Thank you for a very fine tutorial, and you are absolutely right. Disabling useless PHP functions which your script does not use is a great idea to be safe from unwanted shells, no matter who uploads them to the server.

Those who argue about disabling PHP functions can read This and This.

EDIT: I found session.save_path 3 times:

1) ; As of PHP 4.0.1, you can define the path as:
;
; session.save_path = "N;/path"

2); The file storage module creates files using mode 600 by default.
; You can change that by using
;
; session.save_path = "N;MODE;/path"


3) ; where MODE is the octal representation of the mode. Note that this
; does not overwrite the process's umask.
session.save_path = "/var/lib/php/session"


Do I need to change the last one, and change "/var/lib/php/session" to "/var/lib/php" as you said?

Thanks in advance.


EDIT2:

When I replaced disable_functions with the one you mentioned above, after restarting Apache my board loads without the forum skin. I use IP.Board 3.1.4.
 
All this tutorial does is give webmasters a false sense of security. There are far better ways of protecting your system.
 