BLOG

January 4 2023

What is Suhosin PHP?

PHP is an extremely popular programming language, but poor coding can make your server insecure. Suhosin is the solution.

Suhosin Hosting PHP

The number of Internet servers running the PHP language is staggering: second Netcraft , as of January 2012, approximately 244.000.000 websites were running PHP and according to a May 2015 survey by W3Techs “PHP is used by 81,9% of all websites whose server-side programming language we know. Conclusion: PHP rules.

The appeal of PHP is that it's easy to learn, easy to develop, and flexible (although not everyone thinks PHP is a good idea ). On the other hand, as with all programming languages, PHP has security issues; therefore, bad coding practices can make a server vulnerable to hackers.

Introduction: Why Security is Crucial

In today's increasingly interconnected world, cybersecurity is more of a priority than ever. If you run a web server, you know that security isn't just a matter of having well-written code. In fact, even if your code is bulletproof, the risk of vulnerability increases exponentially when you allow third-party code to run. That's why tools like Suhosin for PHP have become indispensable. In this in-depth article, we'll explore what Suhosin is, how it works, its benefits, and why you should seriously consider implementing it in your server environment.

What is Suhosin: A Detailed Overview

Suhosin is an open-source extension and patch for PHP, developed by the German company Sektion Eins. The term “Suhosin” is of Korean origin and means “guardian angel”, a name that perfectly embodies its function as guardian of your server. Suhosin is divided into two main components: a patch that can be applied directly to the PHP engine and a PHP extension that can be loaded dynamically. These two components can work independently or synergistically, depending on your specific needs.

Suhosin's Safety Objectives

Suhosin's basic goal is to serve as a kind of safety net for web servers, protecting them from various PHP coding practices that might be insecure or even dangerous. It acts as a security filter, reducing the “attack surface” that PHP introduces into a web server, and therefore minimizing the associated risks.

Safety Features: Thorough Review

One of Suhosin's most distinctive features is its ability to create PHP function whitelists and set resource limits. These features are essential for protecting your server from a variety of attacks, including SQL Injection, Cross-Site Scripting (XSS), and DoS attacks. In this section, we'll take a closer look at how these features work and provide examples of commonly considered dangerous PHP functions.

PHP Functions Whitelist

What They Are and Why They Are Necessary

Function whitelists are lists of PHP functions that are considered safe to run. This is especially useful when using third-party scripts or allowing users to run custom PHP code. By limiting usage to a predefined set of features, you significantly reduce the risk of attacks.

Examples of Hazardous Functions

Some of the PHP functions that are often exploited in attacks include:

  1. eval(): This function executes PHP code passed as an argument, making it extremely dangerous if used carelessly.
  2. exec(), system(), passthru(): These functions allow the execution of system commands, offering a potential entry point for attackers.
  3. mysql_query(): When used without precautions such as input sanitization, this feature is vulnerable to SQL Injection attacks.
  4. include(), require(): If used incorrectly, these functions can be exploited to include malicious files.
  5. unserialize(): This feature is known to be vulnerable to attacks that can lead to the execution of arbitrary code.

Using Suhosin, you can create a whitelist that excludes these and other dangerous functions, thus reducing your attack surface.

Resource Limits

What They Are and Why They Are Necessary

Resource limits are restrictions set on the system resources that a PHP script can use. These limits can include the maximum time a script can run, the maximum memory allocated, and the maximum number of files that can be opened. By setting these limits, you can mitigate the effects of DoS attacks that try to exhaust server resources.

How do they work

Suhosin allows you to set various resource limits through its configuration file. For example, you can set the maximum execution time for a PHP script to 30 seconds and the maximum memory allocated to 64MB. This ensures that even if a malicious script tries to deplete resources, its impact will be minimized.

Suhosin's ability to create feature whitelists and set resource limits offers a powerful tool for improving the security of your PHP server. Using these features, you can effectively protect your system from a wide range of attacks and vulnerabilities.

 

Encryption, Sessions and Data Protection

Suhosin goes beyond just limiting functions; it also offers strong encryption for cookies and sessions. This is essential for protecting sensitive data such as passwords and authentication tokens. It also has the ability to prevent password logging, ensuring that this critical information is never recorded in server logs, even accidentally.

Content Filtering and Other Security Measures

Suhosin also includes a binary content filter, which is essential for preventing the uploading of malicious files or the execution of malicious scripts. This additional layer of security is especially useful for websites that allow users to upload files.

The Benefits of Suhosin: Why You Should Use It

Suhosin has become an indispensable tool for anyone running a PHP server, thanks to its wide range of security features. But what are the specific benefits that make Suhosin such an excellent choice? In this section, we'll dig deep into the key benefits of using Suhosin, from hardened security and ease of deployment to advanced data protection and monitoring tools.

Strengthened Security: A Bulwark Against Vulnerabilities

An Additional Layer of Defense

Implementing Suhosin in your server environment acts as an extra layer of defense, making it extremely difficult for attackers to exploit any existing or potential vulnerabilities. This is especially useful in scenarios where third-party code is in use, or where developers don't have full control over every aspect of the system.

Protection from a Wide Range of Attacks

Suhosin is designed to protect against a wide range of attacks, including SQL Injection, Cross-Site Scripting (XSS), and DoS attacks. Thanks to its ability to create feature whitelists and set resource limits, it offers comprehensive protection that goes beyond standard security measures.

Ease of Deployment: Security Without Complications

Simple Installation and Configuration

Despite its sophisticated feature set, Suhosin is remarkably easy to install and configure. This makes it accessible even for users who may not have deep knowledge of cybersecurity, allowing more organizations to benefit from its powerful protection capabilities.

Flexibility and Personalization

Another plus is the flexibility that Suhosin offers. You can choose to use the patch, the extension, or both, depending on your specific needs. Additionally, Suhosin is highly configurable, allowing you to tailor its functionality to the specific needs of your server environment.

Advanced Data Protection: Beyond Encryption

Robust encryption

Suhosin offers advanced encryption features to protect sensitive data such as passwords, authentication tokens, and other personal information. This is crucial in an age where data breaches are commonplace.

Data Loss Prevention

In addition to encryption, Suhosin also offers other measures to prevent data loss, such as the ability to prevent password logging and protection against data interception during transmission.

Monitoring Tools: Keep a Watchful Eye

Logging and Analysis

Suhosin comes with logging and monitoring tools that allow you to track all suspicious activity on your server. This is invaluable for detecting and analyzing attack attempts, providing an additional layer of security.

Alarms and Notifications

In the event of suspicious activity or attempted attacks, Suhosin can be configured to send alerts or notifications, allowing you to take quick action to mitigate any potential risk.

Conclusion and Final Considerations

Suhosin represents one of the most complete and robust solutions for PHP server security. With its wide range of features, from implementing feature whitelists to advanced encryption, it is a tool that every system administrator should seriously consider. If you are looking for hosting that offers Suhosin as an additional service, know that our company specializes in high-performance hosting solutions and with a particular focus on security, including the possibility of implementing Suhosin for an even more secure working environment.

About the author

Born in 1981 and internet user since 1994, electronic and electrotechnical expert in the telecommunications sector, I attended the degree course in Information Technologies at the University of Camerino. I have been a GNU Linux systems engineer since 2005. Founder and majority shareholder in Managed Server Srl, I am focused on Linux systems engineering and the web performance of the main CMS including WordPress / WooCommerce / Prestashop / Magento.

Do you have doubts? Don't know where to start? Contact us!

We have all the answers to your questions to help you make the right choice.

Chat with us

Chat directly with our presales support.

0256569681

Contact us by phone during office hours 9:30 - 19:30

Contact us online

Open a request directly in the contact area.

INFORMATION

Managed Server Srl is a leading Italian player in providing advanced GNU/Linux system solutions oriented towards high performance. With a low-cost and predictable subscription model, we ensure that our customers have access to advanced technologies in hosting, dedicated servers and cloud services. In addition to this, we offer systems consultancy on Linux systems and specialized maintenance in DBMS, IT Security, Cloud and much more. We stand out for our expertise in hosting leading Open Source CMS such as WordPress, WooCommerce, Drupal, Prestashop, Joomla, OpenCart and Magento, supported by a high-level support and consultancy service suitable for Public Administration, SMEs and any size.

Red Hat, Inc. owns the rights to Red Hat®, RHEL®, RedHat Linux®, and CentOS®; AlmaLinux™ is a trademark of AlmaLinux OS Foundation; Rocky Linux® is a registered trademark of the Rocky Linux Foundation; SUSE® is a registered trademark of SUSE LLC; Canonical Ltd. owns the rights to Ubuntu®; Software in the Public Interest, Inc. holds the rights to Debian®; Linus Torvalds owns the rights to Linux®; FreeBSD® is a registered trademark of The FreeBSD Foundation; NetBSD® is a registered trademark of The NetBSD Foundation; OpenBSD® is a registered trademark of Theo de Raadt. Oracle Corporation owns the rights to Oracle®, MySQL®, and MyRocks®; Percona® is a registered trademark of Percona LLC; MariaDB® is a registered trademark of MariaDB Corporation Ab; REDIS® is a registered trademark of Redis Labs Ltd. F5 Networks, Inc. owns the rights to NGINX® and NGINX Plus®; Varnish® is a registered trademark of Varnish Software AB. Adobe Inc. holds the rights to Magento®; PrestaShop® is a registered trademark of PrestaShop SA; OpenCart® is a registered trademark of OpenCart Limited. Automattic Inc. owns the rights to WordPress®, WooCommerce®, and JetPack®; Open Source Matters, Inc. owns the rights to Joomla®; Dries Buytaert holds the rights to Drupal®. Amazon Web Services, Inc. holds the rights to AWS®; Google LLC holds the rights to Google Cloud™ and Chrome™; Facebook, Inc. owns the rights to Facebook®; Microsoft Corporation holds the rights to Microsoft®, Azure®, and Internet Explorer®; Mozilla Foundation owns the rights to Firefox®. Apache® is a registered trademark of The Apache Software Foundation; PHP® is a registered trademark of the PHP Group. CloudFlare® is a registered trademark of Cloudflare, Inc.; NETSCOUT® is a registered trademark of NETSCOUT Systems Inc.; ElasticSearch®, LogStash®, and Kibana® are registered trademarks of Elastic NV This site is not affiliated, sponsored, or otherwise associated with any of the entities mentioned above and does not represent any of these entities in any way. All rights to the brands and product names mentioned are the property of their respective copyright holders. Any other trademarks mentioned belong to their registrants. MANAGED SERVER® is a registered trademark at European level by MANAGED SERVER SRL Via Enzo Ferrari, 9 62012 Civitanova Marche (MC) Italy.

Back to top