
The past several weeks my hosting account has been acting up. Most notably, I keep getting blocked from my own site and various account access areas.

Here is a brief summary of what happens:

I view a few pages on my site. I might reply to comments, or I might work on a new post. Nothing out of the ordinary, and certainly nothing extensive.

Right in the middle of performing one of these simple tasks I suddenly get an "unable to access site" warning in my web browser. So I wait a few minutes and then refresh the page. Same thing. Oh no, nothing happening here.

So I double-check with an anonymous surf / proxy site and sure enough I can see my site, which usually means my IP address is blocked on the server.

Now I head on over to my host's support ticket system and tell them what happened. They unblock my IP, and sometimes whitelist it in the firewall. This is great except for the fact that my IP address changes fairly often.

Once my IP address changes, the new one is not whitelisted. This process repeats itself over and over again, so much that I am really getting tired of it, and more than a little ticked off. Who has time to deal with this on a regular basis? I know I don't. Did I mention that this has caused me to yank out so much of my hair that I shouldn't need a haircut any time soon?

I have been racking my brain over this for a long time now. Up until now I have had absolutely no problems after years of using different web hosting environments.

The other day I happened to check my host's PHP settings using a phpinfo file. By the way, you can create a simple phpinfo file with just about any text editor; Notepad will certainly do the trick. All you do is add the following and save it as phpinfo.php:

<?php
phpinfo();
?>

Then, upload the file to your hosting account and visit the page.

For example, if you upload it to the document root for your site (the main/root/home/public_html directory) you would simply visit yoursite.com/phpinfo.php afterwards.

It will provide you with a fairly extensive list of your server and PHP settings: PHP version, loaded extensions, ini values, file paths and environment variables.

Note:
After you finish checking your host's PHP settings with the phpinfo.php file, remove/delete it from your hosting account. Everything it shows (exact PHP version, loaded modules, filesystem paths, environment variables) is exactly the reconnaissance an attacker wants before trying to find vulnerabilities, so don't leave it lying around.

This is what it will look like:

[screenshot: phpinfo output]

I have used a phpinfo file hundreds if not thousands of times in the past and I am very familiar with the kinds of information and settings that are displayed.

I was just about to close it when, near the bottom, I noticed Suhosin in the list. It wasn't there a while back, that much I knew, but just how long ago it appeared and whether it coincided with the problems I have been experiencing I wasn't totally sure.

I am aware of Suhosin and what its purpose is, but I have never had a web hosting account that actually used it.

For those of you who are not familiar with Suhosin, it is basically supposed to provide additional security by hardening PHP.

Here is a brief description from the Suhosin web site:

http://www.hardened-php.net/suhosin/
What is Suhosin?
Suhosin is an advanced protection system for PHP installations. It was designed to protect servers and users from known and unknown flaws in PHP applications and the PHP core. Suhosin comes in two independent parts, that can be used separately or in combination. The first part is a small patch against the PHP core, that implements a few low-level protections against buffer overflows or format string vulnerabilities and the second part is a powerful PHP extension that implements all the other protections.

Unlike the PHP Hardening-Patch, Suhosin is binary compatible to normal PHP installations, which means it is compatible to 3rd-party binary extensions like ZendOptimizer.

And a little information about configuring Suhosin:

http://www.hardened-php.net/suhosin/configuration.html
Configuration
Suhosin's features are all configured through the php.ini configuration file. Here you can find descriptions of all supported options.

For most users the Suhosin will work out of the box without any change to the default configuration needed.

When you only use the Suhosin-Patch only the logging features are supported. When you only use the Suhosin-Extension you cannot use the predefined constants for configuration. This is due to the way php.ini constant support is implemented in PHP.


Notice: it says it will work out of the box without any changes for most users. Either Suhosin does not work well out of the box, or hosting companies fail to tweak and adjust it to a more suitable configuration.

I read up on the Suhosin configuration settings, which, by the way, are rather lengthy, but at least they do provide a detailed description of each option.

As I read over the Suhosin details, simulation mode caught my attention. According to their site:

If you fear that Suhosin breaks your application, you can activate Suhosin’s simulation mode with this flag. When Suhosin runs in simulation mode, violations are logged as usual, but nothing is blocked or removed from the request. (Transparent Encryptions are NOT deactivated in simulation mode.)


I told myself it was certainly worth a shot; nothing else seemed to help. So this is exactly what I did. I turned the darn thing off by setting Suhosin to simulation mode, adding the following entry in my php.ini file:

[suhosin]
; Misc Options
suhosin.simulation = On

Since my host uses suPHP, I also modified my main .htaccess file to make sure that php.ini was being used in all directories, by adding the following:

<IfModule mod_suphp.c>
suPHP_ConfigPath /home/your-account-name/public_html
<Files php.ini>
order allow,deny
deny from all
</Files>
</IfModule>

The path setting is based on cPanel web hosting and assumes php.ini is located in public_html. suPHP_ConfigPath tells suPHP which directory to load php.ini from, and the <Files php.ini> block stops anyone from downloading that php.ini through the web server, which would otherwise hand out your full PHP configuration.
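Rather than re-reading the whole phpinfo page after every change, a small check script confirms that the custom php.ini is actually the one PHP loaded and reports what Suhosin is doing. This is an added example, not code from the original post or from the Suhosin project; the directive names are Suhosin's own php.ini options, and the script assumes only a PHP 5.2.4 or later interpreter (for php_ini_loaded_file). Upload it beside phpinfo.php, load it once, and delete it for the same reason you delete phpinfo.php.

```php
<?php
// suhosin-check.php: added diagnostic, not part of the original post.
// Assumes only PHP >= 5.2.4 (php_ini_loaded_file). Delete after use.

header('Content-Type: text/plain');

// Which php.ini PHP actually read. Under suPHP with suPHP_ConfigPath
// pointing at public_html this should be YOUR php.ini, not the
// server-wide one; if it is not, the .htaccess change did not take.
$iniFile = php_ini_loaded_file();
echo "Loaded php.ini: ", ($iniFile ? $iniFile : 'none'), "\n";

if (!extension_loaded('suhosin')) {
    echo "Suhosin extension: not loaded\n";
    exit;
}
echo "Suhosin extension: loaded\n";

// ini_get returns the raw string ("1", "On", "0", ""), so normalise it.
$raw   = strtolower((string) ini_get('suhosin.simulation'));
$simOn = in_array($raw, array('1', 'on', 'true', 'yes'), true);
echo "suhosin.simulation: ",
     ($simOn ? 'On (violations logged only, nothing blocked)'
             : 'Off (violations are blocked)'), "\n\n";

// Request-size and feature limits that legitimate application traffic
// (large forms, many fields, nested arrays, multi-file uploads) can hit
// before anything malicious does. Compare these against what your site
// actually sends when it breaks.
$directives = array(
    'suhosin.request.max_vars',
    'suhosin.post.max_vars',
    'suhosin.request.max_value_length',
    'suhosin.post.max_value_length',
    'suhosin.get.max_value_length',
    'suhosin.request.max_array_depth',
    'suhosin.upload.max_uploads',
    'suhosin.executor.disable_eval',
    'suhosin.session.encrypt',
    'suhosin.cookie.encrypt',
);
foreach ($directives as $name) {
    $value = ini_get($name);
    // ini_get returns false for a directive this Suhosin build does not know
    printf("%-36s %s\n", $name, $value === false ? '(not recognised)' : $value);
}
```

If the "Loaded php.ini" line still points at the server-wide file, fix the suPHP_ConfigPath before touching any Suhosin setting; nothing in your php.ini is being read.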

I don't recommend doing this unless you know exactly what you are doing, especially the .htaccess part. .htaccess files are extremely particular, and just one little character out of whack can error out your entire site. Always download and back up .htaccess files before making changes to them so you can quickly restore the original should you have a problem.

I most likely will turn Suhosin off completely in my php.ini file by commenting out the line:
extension="suhosin.so"

Like so:
;extension="suhosin.so"

This only works when Suhosin is loaded as a shared extension from the php.ini you control. If the host compiled the extension into PHP, or loads it from a separate ini directory, the line won't be in your php.ini and commenting it out does nothing; the Suhosin patch part, being built into the PHP binary itself, cannot be switched off from php.ini at all.

If your host has Suhosin, you can ask them to turn it off if you suspect it might be causing problems. There is no guarantee that they will; some hosts will and others won't.

The results:
It is a little early to know for sure, but so far so good. Although this isn’t the ideal or perfect solution, at least I am able to use my darn site and get some work done again. Now maybe my hair will finally start growing back!

Suhosin might work decently, but only if it is properly configured. I certainly believe that the default settings are too restrictive, and they should be adjusted accordingly.

If parts of your web site have stopped working, or you keep getting blocked, you might ask your host if they recently installed Suhosin. Bear in mind that Suhosin on its own only logs the violation and blocks or strips the offending request; a firewall-level ban on your IP address means something else on the server is reading those log entries and blocking the source, so ask the host about that piece too.

About: Jeremy LeSarge - AKA: Ray (212 Posts)

I am the site owner and administrator of DialMe.com. I provide help and tips for Boonex Dolphin on the main part of this website where you will also find an assortment of other resources. Here, on the blog I write about a variety of topics surrounding WordPress, technology, social media/networking, SEO, and webmaster resources.