Greetings:

I've been testing out Suhosin Extension 0.9.29 from http://www.hardened-php.net/suhosin/

There are at least two areas (that I know of) where I need help.

1. Error messages go to /var/log/messages no matter what I set for suhosin.log.syslog.facility even though I have a corresponding /etc/syslog.conf facility going to /var/log/suhosin.log

If you have successfully set up suhosin to log outside of /var/log/messages, do you mind sharing your /etc/syslog.conf and php.ini settings for that change?


2. I am seeing a lot of "ALERT-SIMULATION - script tried to increase memory_limit to 4294967295 bytes which is above the allowed value (attacker 'REMOTE_ADDR not set', file 'unknown')" errors in /var/log/messages.

How can I find the IP and file involved?

For those that do include the increase memory_limit alert with an IP address and actual file, how can I determine if the activity is incorrect or correct and the suhosin memory limit needs to be increased?

For the shell script, awk/gawk, etc. experts, is there a way to consolidate the following messages into one line?

CODE
Nov  1 05:11:23 web2 suhosin[6331]: ALERT-SIMULATION - script tried to increase memory_limit to 4294967295 bytes which is above the allowed value (attacker 'REMOTE_ADDR not set', file 'unknown')
Nov  1 05:11:24 web2 suhosin[6332]: ALERT-SIMULATION - script tried to increase memory_limit to 4294967295 bytes which is above the allowed value (attacker 'REMOTE_ADDR not set', file 'unknown')
Nov  1 05:11:26 web2 suhosin[6333]: ALERT-SIMULATION - script tried to increase memory_limit to 4294967295 bytes which is above the allowed value (attacker 'REMOTE_ADDR not set', file 'unknown')
Nov  1 05:11:54 web2 suhosin[24414]: ALERT-SIMULATION - script tried to increase memory_limit to 4294967295 bytes which is above the allowed value (attacker 'REMOTE_ADDR not set', file 'unknown')


Right now, I've logwatch set up to show me the last 25 lines with "grep suhosin /var/log/messages | tail -25" but that doesn't help if 25 lines are the above, and maybe 5 lines before that was something I should have seen (and I would rather than tail -100).


3. Are there any recommended settings for a shared hosting environment?

So far, I've reviewed the following articles:

http://www.phpfreaks.com/tutorial/ha...p-with-suhosin
http://www.magentocommerce.com/wiki/..._configuration
http://www.madirish.net/?article=234

--- but some of them seem to counter each other.

i.e. The Magento one has "suhosin.mail.protect = 0" while one of the other ones states to use suhosin.mail.protect = 2.

I did find that some Joomla requires eval to be enabled; and other valid PHP applications do require the suhosin.executor.disable_emodifier to be enabled as well.

Has anyone done any form of study as to what valid applications (i.e. Joomla, WordPress, etc.) require what settings in Suhosin to work?

Thank you.
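
One way to do the consolidation asked about above, as an added example that is not part of the original post: the function name `suhosin_summary`, the `sample_log` helper and the first sample line (a constructed alert with a documentation IP and path) are assumptions; the other four sample lines are the ones quoted in the post. It drops the timestamp, host and PID, groups identical messages, and prints one line per distinct message with a count and the first and last time seen, so a rare alert is not buried under repeats.

```shell
#!/bin/sh
# Collapse repeated suhosin syslog lines into one line per distinct message.
# Reads the files given as arguments, or stdin when none are given.
suhosin_summary() {
    awk '
    /suhosin\[[0-9]+\]: / {
        ts = substr($0, 1, 15)                  # classic syslog stamp, e.g. "Nov  1 05:11:23"
        msg = $0
        sub(/^.*suhosin\[[0-9]+\]: /, "", msg)  # strip timestamp, host and PID
        if (!(msg in count)) {                  # remember order of first appearance
            order[++n] = msg
            first[msg] = ts
        }
        count[msg]++
        last[msg] = ts
    }
    END {
        for (i = 1; i <= n; i++) {
            m = order[i]
            printf "%dx [%s .. %s] %s\n", count[m], first[m], last[m], m
        }
    }' "$@"
}

# Sample input. The first line is constructed for illustration (assumed
# message text, documentation IP and path); the rest are quoted from the post.
sample_log() {
cat <<'EOF'
Nov  1 05:10:58 web2 suhosin[6290]: ALERT - configured GET variable name length limit exceeded - dropped variable 'x' (attacker '192.0.2.10', file '/var/www/example/index.php')
Nov  1 05:11:23 web2 suhosin[6331]: ALERT-SIMULATION - script tried to increase memory_limit to 4294967295 bytes which is above the allowed value (attacker 'REMOTE_ADDR not set', file 'unknown')
Nov  1 05:11:24 web2 suhosin[6332]: ALERT-SIMULATION - script tried to increase memory_limit to 4294967295 bytes which is above the allowed value (attacker 'REMOTE_ADDR not set', file 'unknown')
Nov  1 05:11:26 web2 suhosin[6333]: ALERT-SIMULATION - script tried to increase memory_limit to 4294967295 bytes which is above the allowed value (attacker 'REMOTE_ADDR not set', file 'unknown')
Nov  1 05:11:54 web2 suhosin[24414]: ALERT-SIMULATION - script tried to increase memory_limit to 4294967295 bytes which is above the allowed value (attacker 'REMOTE_ADDR not set', file 'unknown')
EOF
}

# Demo run: five input lines become two summary lines.
sample_log | suhosin_summary
```

Against the real log, `suhosin_summary /var/log/messages` can replace the `grep ... | tail -25` step; the output stays short however many times one alert repeats.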