How do I install Hardened PHP

#1 01-15-2006, 11:00 PM

Hi,

I want to install this Hardened PHP patch but don't know how.
http://www.hardened-php.net/downloads.13.html

Can someone please tell me what I need to do? I'm on CPanel and normally use YUM for updates.

TIA

sdjl · #2 01-15-2006, 11:54 PM

Well, if their download names are hinting at what you should do, it would be to use the patch command via SSH to patch certain PHP files.
That's just a guess..

David

#3 01-16-2006, 12:50 AM

gpg --import http://www.hardened-php.net/hardened...nature-key.asc
wget http://www.hardening-patch-4.4.1-0.4.8.patch.gz
gunzip hardening-patch-4.4.1-0.4.8.patch.gz
cd php-4.4.1
patch -p 1 < ../hardened-php-4.4.1-0.4.8.patch

Is this how it would be done?

But i read this, so maybe I can't install it. What does everyone think?

Hardened-PHP is not binary compatible to normal PHP anymore. If you want to use closed source extension with it, you must ask your vendor, to provide some linked against H-PHP. Open Source extensions will work like before, but need a recompile.

#4 01-18-2006, 01:30 AM

I dont believe you can use Hardened-PHP with cpanel. Since cpanel updates its software i believe. I have never admin a cpanel server before but with Directadmin you would just patch the files and compile. Might wanna ring up support.

#5 01-22-2006, 02:02 AM

Thanks Hvu,
i've decided against adding it. At least, not right now, the mod_sec rules seem to be doing a pretty good job.

elix · #6 01-26-2006, 04:10 PM

Quote:

Originally Posted by Hvu

I dont believe you can use Hardened-PHP with cpanel. Since cpanel updates its software i believe. I have never admin a cpanel server before but with Directadmin you would just patch the files and compile. Might wanna ring up support.

cPanel doesn't auto update PHP.

You can easily run your own PHP compilations.

asterisk · #7 08-09-2006, 05:44 AM

I was thinking of using Hardened-PHP too. But it seems it's not compatible as skyblu has pointed out, with closed source extensions such as Zend Optimizer. Bummer. Although Eaccelerator works with it.

I'm wondering if it would work with PHPSuExec though.

elix · #8 08-09-2006, 08:10 PM

The ideal way to run this would be to have your own compile of PHP (which is easily done via cPanel, by the way, I do it in my boxes with no problems, I never use easyapache) and then just patch the source before you compile it. You will then have the hardened PHP...you can do this on a Plesk VPS as well.

asterisk · #9 08-09-2006, 09:27 PM

Thanks for the pointer, elix. I will certainly try that out soon, compiling from source and pre-patching it.

Regarding mod_sec, skyblu, how useful did you find it?

Until recently, mod_sec worked well for me too but that was because websites served were plain vanilla. When more complex php scripts were served allowing user-input, it seems like the thing's on hair-trigger. So I just disabled it for the respective directories.

If only they were like cPanel, having five different trees from stable to edge indicating the false-positive likelihood of the rules.

elix · #10 08-10-2006, 03:00 PM

Uhh...for mod_security you can choice what ruleset you use............I suggest you read up on what modsecurity is on www.modsecurity.org... its the framework it doesn't actually have rules by default, the rules are all up to you