Disabling PHP system(); and exec(); functions to
raise up Apache security on Debian GNU / Linux
At security critical hosts running Apache + PHP based sites it is
recommended functions like:
system();
exec(); shell_exec(); .....
to be disabled. The reason is to mainly harden against
script
kiddies who might exploit your site/s and upload some shitty SK
tool like
PHP WebShell, PHP Shell and the probably thousands
of "hacker" variations that exist nowdays.
In latest Debian stable Squeeze,
suhosin -
advanced
protection module for php5 is being installed and enabled in
Apache (by default).
Simply disabling a number of functions using
suhosin, could
prevent multiple of future headaches and hours of pondering on who
0wn3d your server ....
Disabling the basic PHP system(); and other similar functions
which allows shell spawn is not always possible, since some
websites or
CMS platforms depends on them for proper runnig,
anyways whether it is possible disabling 'em is a must.
There are two ways to disable system(); functions; One is through
using
/etc/php5/apache2/conf.d/suhosin.ini and 2nd by adding
a list of functions that has to be disabled directly in Website
Virtualhost file or in
apache2.conf
(/etc/apache2/apache2.conf;
For people hosting multiple virtualhost websites on the same server
using the custom domain Virtualhost method is probably better,
since on a global scale the functions could be enabled if some of
the websites hosted on the server requires
exec(); to work
OK. In any case using
/etc/php5/apache2/conf.d/suhosin.ini
to
disable system(); functions in PHP is less messy
...
1. Disabling PHP system(); fuctions through
/etc/apache2/apache2.conf and custom site Vhosts
Place somewhere (I prefer near the end of config);;;
<IfModule mod_php5.c> php_admin_flag safe_mode on
php_admin_value disable_functions "system, exec, shell_exec,
passthru , ini_alter, dl, pfsockopen, openlog, syslog, readlink,
symlink, link, leak, fsockopen, popen, escapeshellcmd,
apache_child_terminate apache_get_modules, apache_get_version,
apache_getenv, apache_note,apache_setenv,virtual"
Disabling it for custom virtualhost is done by simply adding above
Apache directvies (before the closing tag
</Virtualhost> in
/etc/apache2/sites-enabled/custom-vhost.com
2. Disabling PHP system();, exec(); shell spawn with
suhosin.ini
In /etc/php5/apache2/conf.d/suhosin.ini add;;
suhosin.executor.func.blacklist =system, exec, shell_exec,
passthru, ini_alter, dl,
pfsockopen, openlog, syslog, readlink, symlink, link, leak,
fsockopen, popen,
escapeshellcmd, apache_child_terminate apache_get_modules,
apache_get_version,
apache_getenv, apache_note,apache_setenv,virtual
To do it directly via shell issue;;;
server: conf.d/# cd /etc/php5/apache2/conf.d/
server: conf.d# echo 'suhosin.executor.func.blacklist =system,
exec, shell_exec, passthru, ini_alter, dl,' >>
suhosin.ini
server: conf.d# echo 'pfsockopen, openlog, syslog, readlink,
symlink, link, leak, fsockopen, popen,' >> suhosin.ini
server: conf.d# echo escapeshellcmd, apache_child_terminate
apache_get_modules, apache_get_version,' >> suhosin.ini
server: conf.d# echo 'apache_getenv,
apache_note,apache_setenv,virtual' >>
suhosin.ini
Then to re-load the memory loaded Apache libphp library an Apache
restart is necessary;
server: conf.d# /etc/init.d/apache2 restart
Restarting web server: apache2 ... waiting .
server: conf.d#
Tadam, this should be quite a good security against annoying
automated script attacks. Cheers ;)