Hello Guys,
This is my tutorial on how to harden PHP via the php.ini to stop those horrible PHP shells like c99.
Ok, let's get started ~

Step 1 : Install Suhosin :
Code:
cd /opt
wget http://download.suhosin.org/suhosin-0.9.27.tgz
tar xzf suhosin-0.9.27.tgz

Step 2 : Install php-devel :
Code:
yum install php-devel

Step 3 : Compile Suhosin :
Code:
cd suhosin-0.9.27
phpize
./configure
make
make install

Then enable the extension so PHP loads it:
Code:
echo 'extension=suhosin.so' > /etc/php.d/suhosin.ini

Ok, so that part is done. Now for the php.ini settings.

Step 4 : Edit Your php.ini
Code:
nano /etc/php.ini

Now we are going to disable some functionality.
Find
Code:
disable_functions =
Once you find that, replace it with this :
Code:
disable_functions = php_uname,delete,system,getmyuid,getmypid,passthru,leak,listen,diskfreespace,tmpfile,link,ignore_user_abort,shell_exec,dl,set_time_limit,exec,highlight_file,source,show_source,virtual,posix_ctermid,posix_getcwd,symlink,popen,escapeshellarg,escapeshellcmd,myshellexec,c99_buff_prepare,c99_sess_put,fpassthru,posix_getegid,posix_geteuid,posix_getgid,posix_getgrgid,posix_getgrnam,posix_getgroups,posix_getlogin,posix_getpgid,posix_getpgrp,posix_getpid,posix_getppid,posix_getpwnam,posix_getpwuid,posix_getrlimit,posix_getsid,posix_getuid,posix_isatty,posix_kill,posix_mkfifo,posix_setegid,posix_seteuid,posix_setgid,posix_setpgid,posix_setsid,posix_setuid,posix_times,posix_ttyname,posix_uname,proc_open,proc_close,proc_get_status,proc_nice,proc_terminate,phpinfo
Those are all the "hacking" codes I found in 18 different shells.

Step 5 : Now we are preventing information disclosure
Find
Code:
display_errors =
and replace it with
Code:
display_errors = Off

Step 6 : Disable Register Globals :
Code:
register_globals = Off

Step 7 : Disable Remote Upload ( Stops the Upload of Shells )
Code:
allow_url_fopen = Off
allow_url_include = Off
Code:
file_uploads = Off
Code:
upload_tmp_dir = /var/php_tmp
upload_max_filesize = 2M

Step 8 : Protect Your Sessions :
Code:
session.save_path = /var/lib/php
session.cookie_httponly = 1

Then Restart Your Apache :
Code:
/sbin/service httpd reload
Done!
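To check that Steps 4 to 8 actually landed in the php.ini that PHP reads, here is an added example (not code from the original post) that audits a php.ini text against the settings above. It parses the directives the way PHP's ini reader does (";" starts a comment, later duplicates win, "On"/"Off"/"1"/"0" are booleans), reports directives that are missing or still set the weak way, lists which of a sample of the Step 4 functions are still callable, and flags entries that do nothing: disable_functions only affects PHP's internal functions, so names such as c99_buff_prepare that are defined inside the shell script itself are ignored by PHP. The SAMPLE_INI text is constructed for the demo; pass a real path as the first argument to audit a live file.

```python
"""Audit a php.ini against the hardening steps in the tutorial above.

Added example, not code from the original post. Usage:
    python phpini_audit.py /etc/php.ini
With no argument it runs on the constructed SAMPLE_INI below.
"""
import sys

# Directives from Steps 5-8 and the boolean value each one should have.
EXPECTED = {
    "display_errors": False,
    "register_globals": False,
    "allow_url_fopen": False,
    "allow_url_include": False,
    "file_uploads": False,
    "session.cookie_httponly": True,
}

# A subset of the Step 4 disable_functions list: command execution and
# information disclosure functions that a web shell relies on.
DANGEROUS = ["system", "exec", "shell_exec", "passthru", "popen",
             "proc_open", "dl", "phpinfo", "show_source", "symlink"]

# Names in the post's list that are functions defined by the c99 script
# itself, not PHP internals. disable_functions only disables internal
# functions, so listing these has no effect.
NOT_INTERNAL = {"myshellexec", "c99_buff_prepare", "c99_sess_put"}

TRUE_WORDS = {"1", "on", "yes", "true"}
FALSE_WORDS = {"", "0", "off", "no", "false", "none"}


def ini_bool(value):
    """Interpret a php.ini value as PHP does; None if it is not boolean-like."""
    v = value.strip().strip("\"'").lower()
    if v in TRUE_WORDS:
        return True
    if v in FALSE_WORDS:
        return False
    return None


def parse_php_ini(text):
    """Return {directive: value}; ';' starts a comment and later duplicates win."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line or line.startswith("[") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings[key.strip().lower()] = value.strip()
    return settings


def audit(text):
    """Compare a php.ini text with the tutorial's settings; return the gaps found."""
    settings = parse_php_ini(text)
    disabled = {f.strip().lower()
                for f in settings.get("disable_functions", "").split(",") if f.strip()}
    weak = [key for key, want in EXPECTED.items()
            if key not in settings or ini_bool(settings[key]) is not want]
    still_enabled = [f for f in DANGEROUS if f not in disabled]
    ineffective = sorted(disabled & NOT_INTERNAL)
    return {"weak": weak, "still_enabled": still_enabled, "ineffective": ineffective}


# Constructed sample php.ini: two directives left weak, an incomplete
# disable_functions list, and one entry that PHP will ignore.
SAMPLE_INI = """
[PHP]
display_errors = On          ; leaks paths and queries in error pages
register_globals = Off
allow_url_fopen = On
allow_url_include = Off
file_uploads = Off
disable_functions = exec,passthru,shell_exec,c99_buff_prepare
[Session]
session.save_path = "/var/lib/php"
session.cookie_httponly = 1
"""


def report(text):
    """Print the audit as a checklist; return True only if nothing is flagged."""
    result = audit(text)
    for key, items in result.items():
        print(f"{key}: {', '.join(items) if items else 'ok'}")
    return not any(result.values())


if __name__ == "__main__":
    src = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_INI
    sys.exit(0 if report(src) else 1)
```

Run it against the real file after the edits and again after the restart: the settings PHP uses come from the php.ini the web server's PHP actually loads, which is why the script takes a path rather than guessing one.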