Hello Guys ,

This is my tutorial on how to harden PHP via the php.ini to stop those horrible php shells like c99.

Ok, let's get started ~

Step 1 : Install Suhosin :

Code: 
cd /opt
wget http://download.suhosin.org/suhosin-0.9.27.tgz
tar xzf suhosin-0.9.27.tgz
Step 2 : Install php-devel :
Code: 
yum install php-devel
Step 3 : Compile Suhosin :
Code: 
cd suhosin-0.9.27
phpize
./configure
make
make install
Code: 
echo 'extension=suhosin.so' > /etc/php.d/suhosin.ini
Ok, so that part is done. Now for the php.ini issues.

Step 4 : Edit Your php.ini

Code: 
nano /etc/php.ini
Now we are going to disable some functionality.

Find
Code: 
disable_functions =
Once you find that, replace it with this (one line; typos such as etmyuid, ignore_user_abord and posix,getppid fixed and duplicates removed) :
Code: 
disable_functions = php_uname,delete,system,getmyuid,getmypid,passthru,leak,listen,diskfreespace,tmpfile,link,ignore_user_abort,shell_exec,dl,set_time_limit,exec,highlight_file,source,show_source,virtual,posix_ctermid,posix_getcwd,symlink,popen,escapeshellarg,escapeshellcmd,myshellexec,c99_buff_prepare,c99_sess_put,fpassthru,posix_getegid,posix_geteuid,posix_getgid,posix_getgrgid,posix_getgrnam,posix_getgroups,posix_getlogin,posix_getpgid,posix_getpgrp,posix_getpid,posix_getppid,posix_getpwnam,posix_getpwuid,posix_getrlimit,posix_getsid,posix_getuid,posix_isatty,posix_kill,posix_mkfifo,posix_setegid,posix_seteuid,posix_setgid,posix_setpgid,posix_setsid,posix_setuid,posix_times,posix_ttyname,posix_uname,proc_open,proc_close,proc_get_status,proc_nice,proc_terminate,phpinfo
Those are all the " hacking " functions I found in 18 different shells. Note that disable_functions only affects PHP's built-in functions, so names such as myshellexec, c99_buff_prepare and c99_sess_put (which the shell scripts define themselves) are harmless to list but have no effect.

Step 5 : Now we are preventing information disclosure

Find
Code: 
display_errors =
and replace it with
Code: 
display_errors = Off
Step 6 : Disable register_globals
Code: 
register_globals = Off
Step 7 : Disable Remote File Access and Uploads ( Stops Shells Being Included from a Remote URL or Uploaded )

Code: 
allow_url_fopen = Off
allow_url_include = Off
Code: 
file_uploads = Off
If your site needs uploads, keep file_uploads = On and limit them instead :
Code: 
upload_tmp_dir = /var/php_tmp
upload_max_filesize = 2M
Step 8 : Protect Your Sessions :

Code: 
session.save_path = /var/lib/php
session.cookie_httponly = 1


Then Restart Your Apache :

Code: 
/sbin/service httpd reload
Done!
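To check that the php.ini edits above actually took effect, here is an added audit script (example code, not from the original post) that reads a php.ini the way PHP does (comment lines ignored, last assignment wins) and reports each of the tutorial's settings as PASS or FAIL. The function names and the CORE_EXEC_FUNCS list are my own choices; pass the ini path as the first argument.

```shell
#!/bin/sh
# Added example (not from the original post): audit a php.ini for the directives
# this tutorial changes. Assumes POSIX sh with awk and tr; pass the ini path as $1.
# Value of directive $2 in file $1: skips ";"/"#" comment lines, strips trailing
# comments and quotes, and keeps the LAST assignment (PHP does the same).
ini_value() {
    awk -v key="$2" '
        /^[[:space:]]*[;#]/ { next }
        index($0, "=") {
            k = substr($0, 1, index($0, "=") - 1); gsub(/[[:space:]]/, "", k)
            if (k != key) next
            v = substr($0, index($0, "=") + 1); sub(/[[:space:]]*;.*$/, "", v)
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", v); gsub(/^"|"$/, "", v); found = v
        }
        END { print found }' "$1"
}
# PHP reads Off, 0, no, false, none and an empty value as boolean false.
is_off() {
    case "$(printf '%s' "$1" | tr 'A-Z' 'a-z')" in ''|off|0|no|false|none) return 0 ;; *) return 1 ;; esac
}
# Directive $2 of $1 must be off; $3 is PHP's built-in default, used when php.ini
# does not mention it (display_errors, allow_url_fopen and file_uploads default ON).
check_off() {
    v=$(ini_value "$1" "$2"); [ -n "$v" ] || v=$3
    if is_off "$v"; then echo "PASS $2 = $v"; else echo "FAIL $2 = $v"; return 1; fi
}
# True when every name in comma list $2 appears in the disable_functions value $1.
all_disabled() {
    list=",$(printf '%s' "$1" | tr 'A-Z' 'a-z' | tr -d ' \t'),"
    for fn in $(printf '%s' "$2" | tr ',' ' '); do
        case "$list" in *",$fn,"*) ;; *) return 1 ;; esac
    done
}
CORE_EXEC_FUNCS=system,exec,shell_exec,passthru,popen,proc_open  # the ones that run commands
# Audit php.ini $1: one PASS/FAIL line per check; return value = number of failures.
audit_ini() {
    fails=0
    for d in display_errors:1 register_globals:Off allow_url_fopen:1 allow_url_include:Off file_uploads:1; do
        check_off "$1" "${d%:*}" "${d#*:}" || fails=$((fails + 1))
    done
    v=$(ini_value "$1" session.cookie_httponly)
    if is_off "$v"; then echo "FAIL session.cookie_httponly = $v"; fails=$((fails + 1)); else echo "PASS session.cookie_httponly = $v"; fi
    if all_disabled "$(ini_value "$1" disable_functions)" "$CORE_EXEC_FUNCS"; then echo "PASS disable_functions covers $CORE_EXEC_FUNCS"
    else echo "FAIL disable_functions lacks one of $CORE_EXEC_FUNCS"; fails=$((fails + 1)); fi
    return $fails
}
[ $# -eq 0 ] || audit_ini "$1"   # usage: sh audit.sh /etc/php.ini
```

Run it against /etc/php.ini before and after the edit; the exit code is the number of failed checks, so it slots into a cron job or a config-management check.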
[TUT] KWWH special ! : How to Harden PHP via php.ini (posted by Dom)