How do I install Hardened PHP
skyblu
01-15-2006, 11:00 PM
Hi,
I want to install this Hardened PHP patch but don't know how.
http://www.hardened-php.net/downloads.13.html
Can someone please tell me what I need to do? I'm on CPanel and normally use YUM for updates.
TIA
Well, if their download names are hinting at what you should do, it would be to use the patch command via SSH to patch certain PHP files.
That's just a guess..
David
skyblu
01-16-2006, 12:50 AM
wget http://www.hardened-php.net/hardened-php-signature-key.asc
gpg --import hardened-php-signature-key.asc
wget http://www.hardening-patch-4.4.1-0.4.8.patch.gz
gunzip hardening-patch-4.4.1-0.4.8.patch.gz
cd php-4.4.1
patch -p1 < ../hardening-patch-4.4.1-0.4.8.patch
Is this how it would be done?
But I read this, so maybe I can't install it. What does everyone think?
Hardened-PHP is not binary compatible with normal PHP anymore. If you want to use closed source extensions with it, you must ask your vendor to provide some linked against H-PHP. Open Source extensions will work like before, but need a recompile.
I don't believe you can use Hardened-PHP with cPanel, since cPanel updates its software, I believe. I have never administered a cPanel server before, but with DirectAdmin you would just patch the files and compile. Might want to ring up support.
skyblu
01-22-2006, 02:02 AM
Thanks Hvu,
I've decided against adding it. At least, not right now; the mod_sec rules seem to be doing a pretty good job.
I don't believe you can use Hardened-PHP with cPanel, since cPanel updates its software, I believe. I have never administered a cPanel server before, but with DirectAdmin you would just patch the files and compile. Might want to ring up support.
cPanel doesn't auto update PHP.
You can easily run your own PHP compilations.
asterisk
08-09-2006, 05:44 AM
I was thinking of using Hardened-PHP too. But it seems it's not compatible as skyblu has pointed out, with closed source extensions such as Zend Optimizer. Bummer. Although Eaccelerator works with it.
I'm wondering if it would work with PHPSuExec though.
The ideal way to run this would be to have your own compile of PHP (which is easily done via cPanel, by the way; I do it on my boxes with no problems, I never use easyapache) and then just patch the source before you compile it. You will then have the hardened PHP. You can do this on a Plesk VPS as well.
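The patch-then-compile flow skyblu sketched and elix recommends, written out as an added example that is not code from the thread or from the Hardened-PHP project. It assumes GNU patch(1) is installed; the source tree and the unified diff it builds are constructed stand-ins for php-4.4.1 and the real hardening patch, so it runs offline. The point it adds is the dry run: a patch that does not apply cleanly, or was already applied, leaves the tree untouched instead of half-patched.

```shell
#!/bin/sh
# Added example: apply a hardening patch to a PHP source tree with a
# dry run first, so a mismatched or already-applied patch changes nothing.
set -eu

# apply_patch_safely SRCDIR PATCHFILE
# Runs `patch --dry-run --forward` first and only applies for real when every
# hunk applies. --forward makes an already-applied patch a failure rather
# than a silent reverse-apply.
apply_patch_safely() {
    srcdir=$1
    patchfile=$2
    command -v patch >/dev/null || { echo "patch(1) is required" >&2; return 2; }
    if ! patch -d "$srcdir" -p1 --dry-run --forward < "$patchfile" >/dev/null; then
        echo "patch does not apply cleanly to $srcdir; nothing changed" >&2
        return 1
    fi
    patch -d "$srcdir" -p1 --forward < "$patchfile" >/dev/null
    # Next step on a real box (not run here): configure with the same flags
    # your existing cPanel/Plesk build used, then make && make install, and
    # recompile any open source extensions against the patched tree.
}

# make_demo_tree DIR: constructed stand-in for a php-4.4.1 checkout.
make_demo_tree() {
    mkdir -p "$1/main"
    printf 'int php_hardened = 0;\n' > "$1/main/main.c"
}

# write_demo_patch FILE: constructed unified diff, NOT the real H-PHP patch.
# The leading "php-4.4.1/" component is what -p1 strips.
write_demo_patch() {
    cat > "$1" <<'EOF'
--- php-4.4.1/main/main.c
+++ php-4.4.1/main/main.c
@@ -1 +1 @@
-int php_hardened = 0;
+int php_hardened = 1;
EOF
}

# demo: returns 0 when the patch applied once and was refused the second time.
demo() {
    tmp=$(mktemp -d)
    make_demo_tree "$tmp/php-4.4.1"
    write_demo_patch "$tmp/hardening.patch"
    apply_patch_safely "$tmp/php-4.4.1" "$tmp/hardening.patch" || return 1
    grep -q 'php_hardened = 1' "$tmp/php-4.4.1/main/main.c" || return 1
    # Applying again must be refused, and the file must keep the patched line.
    if apply_patch_safely "$tmp/php-4.4.1" "$tmp/hardening.patch" 2>/dev/null; then
        return 1
    fi
    grep -q 'php_hardened = 1' "$tmp/php-4.4.1/main/main.c" || return 1
    rm -rf "$tmp"
}

case "${1:-}" in
    --demo) demo && echo "demo ok" ;;
esac
```

Run it as `sh apply.sh --demo` to see the constructed round trip; on a real server call apply_patch_safely with the unpacked php-4.4.1 directory and the gunzipped hardening patch before running configure.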
asterisk
08-09-2006, 09:27 PM
Thanks for the pointer, elix. I will certainly try that out soon, compiling from source and pre-patching it.
Regarding mod_sec, skyblu, how useful did you find it?
Until recently, mod_sec worked well for me too, but that was because the websites served were plain vanilla. When more complex PHP scripts were served allowing user input, it seems like the thing's on a hair trigger. So I just disabled it for the respective directories.
If only they were like cPanel, having five different trees from stable to edge indicating the false-positive likelihood of the rules. :)
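Disabling mod_security for a whole directory, as described above, also drops the logging for that directory. The following Apache configuration is an added example, not from the thread or from any of the rule sets mentioned, showing the narrower options ModSecurity 2.x gives you: remove one rule in one location, or fall back to detection-only while you tune. The rule id 300001 and the paths are placeholders; the real id comes from the audit log entry for the false positive.

```apache
# Added example: scope ModSecurity exceptions instead of switching the
# engine off per directory. ModSecurity 2.x directives; placeholders marked.

# Global: engine on, log what the rules match so false positives are visible.
SecRuleEngine On
SecAuditEngine RelevantOnly
SecAuditLog logs/modsec_audit.log

# 1) Narrowest fix: drop only the rule that misfires on one script.
#    300001 is a placeholder id; copy the real id from the audit log.
<Location /forum/posting.php>
    SecRuleRemoveById 300001
</Location>

# 2) Wider: detection-only for one application while tuning its rules.
#    Matches are still logged, nothing is blocked.
<Location /blog/wp-admin/>
    SecRuleEngine DetectionOnly
</Location>

# 3) Last resort, what the post above did: engine off for a directory.
#    Nothing is inspected or logged here.
<Directory /home/example/public_html/billing>
    SecRuleEngine Off
</Directory>

# ModSecurity 1.9.x uses SecFilterRemove <id> and SecFilterEngine Off
# inside the same <Location>/<Directory> blocks.
```

Check the audit log after each change: an exception that is scoped to one script keeps the rest of the rule set, and the rest of the site, protected.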
Uhh... for mod_security you can choose which ruleset you use. I suggest you read up on what ModSecurity is at www.modsecurity.org... it's the framework; it doesn't actually have rules by default, the rules are all up to you.
Last edited by Robert : 08-11-2006 at 06:13 AM. I wonder why? :confused:
--------------------------------------------------------------------------
mod_sec comes with a default rule set if installed from WHM.
A good source of a tested rule set to install or replace the WHM set is:
http://www.hostmerit.com/modsec.user.conf
Right click the link and click Save as or Save Link Target as.
Compliments of Kris at HostMerit
The link for this on the cPanel Forums is:
http://forums.cpanel.net/showthread.php?t=49266
But there are many sources of rule sets, including http://www.gotroot.com/ and an Internet search for modsecurity will reveal some very useful reading.
asterisk
08-11-2006, 11:16 AM
Thanks so much for the pointers, Izzy. :) I'll check HostMerit's out.
Sorry must have skipped ahead of myself, I forgot to mention that I'm currently using GotRoot's rules, and am pretty conservative in my usage, in that I only use the exclusion and application protection rules.
And I had some false-positives when implementing it on certain pages of phpBB2, WordPress and ModernBill. Did you encounter any false-positives too, Izzy?
Also am still awaiting that 1.9.2 release of mod_security with that PCRE-ability which will speed it up. :)
...And I had some false-positives when implementing it on certain pages of phpBB2, WordPress and ModernBill. Did you encounter any false-positives too, Izzy?...
Never used any of those and never had problems with mod_sec, touch wood. ;)
I have a wampp install on a Win PC at home that I use as a test bed and I installed mod_sec win32 version.
No problems either with it. Does its job on both. I do keep my eye on it by frequent log file inspections and have rarely had to tweak the HostMerit rules. Much better than going bareback, so to speak. :)
There is a much newer version available than 1.9.2. Go here if you want version 2 of mod_sec to have a go at:
http://www.modsecurity.org/download/
Also take a look at the other products like ModSecurity Pro for Apache and the ModSecurity Console:
http://www.thinkingstone.com/products/index.html
Join the Thinking Stone Network, its free. It's fairly new so has room for improvement:
https://www.thinkingstone.com/tsn/account/login.php
asterisk
08-13-2006, 10:10 AM
Wow. You've been a wonderful help. :) I didn't realise mod_security has 2.0 out already, shows how sloppy I've been by relying on cPanel addon modules to let me know if I'm using the latest release. :(
The ThinkingStone products' UI looks absolutely spiffy. I'll definitely be looking further into them.
And yes, bareback would just warrant a bit too much attention. :p