Clicky

Cómo escanear la subida de archivos con php Suhosin en busca de malware

Suhosin php

Gracias a la extensión Suhosin podemos añadir una protección avanzada para php

Llevo unos días dando vueltas a la aplicación de seguridad de php Suhosin porque no me dejaba subir archivos de imagen ni en Joomla! ni en Pligg. Resulta que era una línea del archivo /etc/php.d/suhosin.ini que estaba mal configurada (todo por no comprobar antes que la ruta existiese), esta:

suhosin.upload.verification_script =/opt/check.sh

En este artículo vamos a ver cómo configurar Suhosin para que nos escanee la carga de archivos con el antivirus clam (o cualquier otro que uséis) en busca de malware. Estoy trabajando con la siguiente versión de php:

PHP 5.3.3 (cli) (built: Jul 12 2013 20:35:47)
Copyright (c) 1997-2010 The PHP Group
Zend Engine v2.3.0, Copyright (c) 1998-2010 Zend Technologies
    with Suhosin v0.9.29, Copyright (c) 2007, by SektionEins GmbH

Gracias a la extensión Suhosin podemos añadir una protección avanzada para php.

Instalación de la extensión suhosin en Centos:

# yum install php-suhosin

Activar Suhosin, definir la ubicación del script y habilitar el registro de logs. Editar /etc/php.d/suhosin.ini

extension=suhosin.so
suhosin.log.syslog = 511
suhosin.log.syslog.facility = 9
suhosin.log.syslog.priority = 1
suhosin.log.file.name= /var/log/suhosin.log
suhosin.upload.verification_script = "/usr/bin/upload.sh"

Reiniciar servidor web:

# service httpd reload

Crear los permisos de archivos y el sistema:

# touch /usr/bin/upload.sh
# chmod +x /usr/bin/upload.sh

Edita y pega este script upload.sh:

#!/bin/bash
if [ -n "`clamscan --infected --no-summary $1`" ]; then
echo 0;
else
echo 1;
fi

Cuando se encuentra malware (0), la carga se interrumpe y se registra en /var/log/suhosin.log :

Dec 12 00:27:08 dw suhosin[16263]: ALERT "“ fileupload verification script disallows file "“ file dropped (attacker "™101.22.233.184"², file "˜/var/www/domain.com/web/wp-admin/async-upload.php"™)

¿Puedo utilizar phpMyAdmin en un servidor en el que está habilitado Suhosin?

Desde las preguntas frecuentes de phpMyAdmin dicen: Sí, pero se conocen que los valores de configuración predeterminados de Suhosin causan problemas con algunas operaciones, por ejemplo, la edición de una tabla con muchas columnas y no haber una clave primaria o una clave primaria textual.

La configuración de Suhosin podría provocar un mal funcionamiento en algunos casos y no se puede evitar totalmente ya que phpMyAdmin es una especie de aplicación que necesita para transferir grandes cantidades de columnas en una sola petición HTTP, lo que es algo que Suhosin trata de evitar. En general, todas las directivas de suhosin.request.*, suhosin.post.* y suhosin.get.* pueden tener un efecto negativo en la utilidad phpMyAdmin. Siempre se puede encontrar en los registros de errores que límites causaron la caída de variables, para que pueda diagnosticar el problema y ajustar la configuración de las variables.

Los valores por defecto para la mayoría de opciones de configuración de Suhosin funcionarán en la mayoría de los casos, sin embargo, es posible que se desee ajustar como mínimo los siguientes parámetros:

También puede desactivar la advertencia " El servidor está utilizando Suhosin. Refiérase a la documentación por posibles inconvenientes." mediante $cfg['SuhosinDisableWarning']

Advertencia de phpMyAdmin sobre la configuración de Suhosin

Esta es mi configuración completa de Suhosin:

extension = suhosin.so

; -----------------------------------------------------------------------------
; This file was taken from Mandriva Linux with their permission
; -----------------------------------------------------------------------------

[suhosin]

; -----------------------------------------------------------------------------
; Logging Options

; Defines what classes of security alerts are logged to the syslog daemon.
; Logging of errors of the class S_MEMORY are always logged to syslog, no
; matter what this configuration says, because a corrupted heap could mean that
; the other logging options will malfunction during the logging process.
suhosin.log.syslog = 511

; Defines the syslog facility that is used when ALERTs are logged to syslog.
suhosin.log.syslog.facility = 9

; Defines the syslog priority that is used when ALERTs are logged to syslog.
suhosin.log.syslog.priority = 1

suhosin.log.file.name= /var/log/suhosin.log

; Defines what classes of security alerts are logged through the SAPI error log.
;suhosin.log.sapi = 

; Defines what classes of security alerts are logged through the external
; logging.
;suhosin.log.script = 

; Defines what classes of security alerts are logged through the defined PHP
; script.
;suhosin.log.phpscript = 0

; Defines the full path to a external logging script. The script is called with
; 2 parameters. The first one is the alert class in string notation and the
; second parameter is the log message. This can be used for example to mail
; failing MySQL queries to your email address, because on a production system
; these things should never happen.
;suhosin.log.script.name = 

; Defines the full path to a PHP logging script. The script is called with 2
; variables registered in the current scope: SUHOSIN_ERRORCLASS and
; SUHOSIN_ERROR. The first one is the alert class and the second variable is
; the log message. This can be used for example to mail attempted remote URL
; include attacks to your email address.
;suhosin.log.phpscript.name = 

; Undocumented
;suhosin.log.phpscript.is_safe = Off

; When the Hardening-Patch logs an error the log message also contains the IP
; of the attacker. Usually this IP is retrieved from the REMOTE_ADDR SAPI
; environment variable. With this switch it is possible to change this behavior
; to read the IP from the X-Forwarded-For HTTP header. This is f.e. necessary
; when your PHP server runs behind a reverse proxy.
;suhosin.log.use-x-forwarded-for = Off

; -----------------------------------------------------------------------------
; Executor Options

; Defines the maximum stack depth allowed by the executor before it stops the
; script. Without this function an endless recursion in a PHP script could
; crash the PHP executor or trigger the configured memory_limit. A value of
; "0" disables this feature.
;suhosin.executor.max_depth = 0

; Defines how many "../" an include filename needs to contain to be considered
; an attack and stopped. A value of "2" will block "../../etc/passwd", while a
; value of "3" will allow it. Most PHP applications should work flawlessly with
; values "4" or "5". A value of "0" disables this feature.
suhosin.executor.include.max_traversal = 4

; Comma separated whitelist of URL schemes that are allowed to be included from
; include or require statements. Additionally to URL schemes it is possible to
; specify the beginning of allowed URLs. (f.e.: php://stdin) If no whitelist is
; specified, then the blacklist is evaluated.
suhosin.executor.include.whitelist = tmpl://, file://, upload://

; Comma separated blacklist of URL schemes that are not allowed to be included
; from include or require statements. Additionally to URL schemes it is
; possible to specify the beginning of allowed URLs. (f.e.: php://stdin) If no
; blacklist and no whitelist is specified all URL schemes are forbidden.
;suhosin.executor.include.blacklist = 

; Defines if PHP is allows to run code from files that are writable by the
; current process. If a file is created or modified by a PHP process, there
; is a potential danger of code injection. Only turn this on if you are sure
; that your application does not require writable PHP files.
;suhosin.executor.include.allow_writable_files = On

; Comma separated whitelist of functions that are allowed to be called. If the
; whitelist is empty the blacklist is evaluated, otherwise calling a function
; not in the whitelist will terminate the script and get logged.
suhosin.executor.func.whitelist = 

; Comma separated blacklist of functions that are not allowed to be called. If
; no whitelist is given, calling a function within the blacklist will terminate
; the script and get logged. 
suhosin.executor.func.blacklist = 

; Comma separated whitelist of functions that are allowed to be called from
; within eval(). If the whitelist is empty the blacklist is evaluated,
; otherwise calling a function not in the whitelist will terminate the script
; and get logged.
;suhosin.executor.eval.whitelist = 

; Comma separated blacklist of functions that are not allowed to be called from
; within eval(). If no whitelist is given, calling a function within the
; blacklist will terminate the script and get logged.

; Newest thing we learned. Disable any include,curl,fpassthru,base64_encode,mail
; and others in eval(). This is Security by obscurity, however it works
; very well for shared hosts when an attacker is able to upload a bad
; script. Most of the current scripts use obfuscated code decoded from
; base64 and then eval()'ed. This stops them, until they learn something new.
suhosin.executor.eval.blacklist=include,include_once,require,require_once,
curl_init,fpassthru,file,base64_encode,base64_decode,mail,exec,system,proc_open,
leak,syslog,pfsockopen,shell_exec,ini_restore,symlink,stream_socket_server,
proc_nice,popen,proc_get_status,dl, pcntl_exec, pcntl_fork, pcntl_signal,
pcntl_waitpid, pcntl_wexitstatus, pcntl_wifexited, pcntl_wifsignaled,
pcntl_wifstopped, pcntl_wstopsig, pcntl_wtermsig, socket_accept,
socket_bind, socket_connect, socket_create, socket_create_listen,
socket_create_pair,link,register_shutdown_function,register_tick_function

; eval() is a very dangerous statement and therefore you might want to disable
; it completely. Deactivating it will however break lots of scripts. Because
; every violation is logged, this allows finding all places where eval() is
; used.
suhosin.executor.disable_eval = Off

; The /e modifier inside preg_replace() allows code execution. Often it is the
; cause for remote code execution exploits. It is wise to deactivate this
; feature and test where in the application it is used. The developer using the
; /e modifier should be made aware that he should use preg_replace_callback()
; instead.
;suhosin.executor.disable_emodifier = Off

; This flag reactivates symlink() when open_basedir is used, which is disabled
; by default in Suhosin >= 0.9.6. Allowing symlink() while open_basedir is used
; is actually a security risk. 
;suhosin.executor.allow_symlink = Off

; -----------------------------------------------------------------------------
; Misc Options

; If you fear that Suhosin breaks your application, you can activate Suhosin's
; simulation mode with this flag. When Suhosin runs in simulation mode,
; violations are logged as usual, but nothing is blocked or removed from the
; request. (Transparent Encryptions are NOT deactivated in simulation mode.)
;suhosin.simulation = Off

; APC 3.0.12(p1/p2) uses reserved resources without requesting a resource slot
; first. It always uses resource slot 0. If Suhosin got this slot assigned APC
; will overwrite the information Suhosin stores in this slot. When this flag is
; set Suhosin will request 2 Slots and use the second one. This allows working
; correctly with these buggy APC versions.
;suhosin.apc_bug_workaround = Off

; When a SQL Query fails scripts often spit out a bunch of useful information
; for possible attackers. When this configuration directive is turned on, the
; script will silently terminate, after the problem has been logged. (This is
; not yet supported)
;suhosin.sql.bailout_on_error = Off

; This is an experimental feature for shared environments. With this
; configuration option it is possible to specify a prefix that is automatically
; prepended to the database username, whenever a database connection is made.
; (Unless the username starts with the prefix)
;suhosin.sql.user_prefix = 

; This is an experimental feature for shared environments. With this
; configuration option it is possible to specify a postfix that is
; automatically appended to the database username, whenever a database
; connection is made. (Unless the username end with the postfix)
;
; With this feature it is possible for shared hosters to disallow customers to
; connect with the usernames of other customers. This feature is experimental,
; because support for PDO and PostgreSQL are not yet implemented. 
;suhosin.sql.user_postfix = 

; This directive controls if multiple headers are allowed or not in a header()
; call. By default the Hardening-Patch forbids this. (HTTP headers spanning
; multiple lines are still allowed).
;suhosin.multiheader = Off

; This directive controls if the mail() header protection is activated or not
; and to what degree it is activated. The appended table lists the possible
; activation levels.
suhosin.mail.protect = 2

; As long scripts are not running within safe_mode they are free to change the
; memory_limit to whatever value they want. Suhosin changes this fact and
; disallows setting the memory_limit to a value greater than the one the script
; started with, when this option is left at 0. A value greater than 0 means
; that Suhosin will disallows scripts setting the memory_limit to a value above
; this configured hard limit. This is for example usefull if you want to run
; the script normaly with a limit of 16M but image processing scripts may raise
; it to 20M.
suhosin.memory_limit = 512M

; -----------------------------------------------------------------------------
; Transparent Encryption Options

; Flag that decides if the transparent session encryption is activated or not.
suhosin.session.encrypt = Off

; Session data can be encrypted transparently. The encryption key used consists
; of this user defined string (which can be altered by a script via ini_set())
; and optionally the User-Agent, the Document-Root and 0-4 Octects of the
; REMOTE_ADDR.
suhosin.session.cryptkey = Off

; Flag that decides if the transparent session encryption key depends on the
; User-Agent field. (When activated this feature transparently adds a little
; bit protection against session fixation/hijacking attacks)
suhosin.session.cryptua = Off

; Flag that decides if the transparent session encryption key depends on the
; Documentroot field.
;suhosin.session.cryptdocroot = On

; Number of octets (0-4) from the REMOTE_ADDR that the transparent session
; encryption key depends on. Keep in mind that this should not be used on sites
; that have visitors from big ISPs, because their IP address often changes
; during a session. But this feature might be interesting for admin interfaces
; or intranets. When used wisely this is a transparent protection against
; session hijacking/fixation. 
;suhosin.session.cryptraddr = 0

; Number of octets (0-4) from the REMOTE_ADDR that have to match to decrypt the
; session. The difference to suhosin.session.cryptaddr is, that the IP is not
; part of the encryption key, so that the same session can be used for
; different areas with different protection levels on the site.
;suhosin.session.checkraddr = 0

; Flag that decides if the transparent cookie encryption is activated or not.
suhosin.cookie.encrypt = 0

; Cookies can be encrypted transparently. The encryption key used consists of
; this user defined string and optionally the User-Agent, the Document-Root and
; 0-4 Octects of the REMOTE_ADDR.
;suhosin.cookie.cryptkey = 

; Flag that decides if the transparent session encryption key depends on the
; User-Agent field. (When activated this feature transparently adds a little
; bit protection against session fixation/hijacking attacks (if only session
; cookies are allowed))
;suhosin.cookie.cryptua = On

; Flag that decides if the transparent cookie encryption key depends on the
; Documentroot field.
;suhosin.cookie.cryptdocroot = On

; Number of octets (0-4) from the REMOTE_ADDR that the transparent cookie
; encryption key depends on. Keep in mind that this should not be used on sites
; that have visitors from big ISPs, because their IP address often changes
; during a session. But this feature might be interesting for admin interfaces
; or intranets. When used wisely this is a transparent protection against
; session hijacking/fixation.
;suhosin.cookie.cryptraddr = 0

; Number of octets (0-4) from the REMOTE_ADDR that have to match to decrypt the
; cookie. The difference to suhosin.cookie.cryptaddr is, that the IP is not
; part of the encryption key, so that the same cookie can be used for different
; areas with different protection levels on the site.
;suhosin.cookie.checkraddr = 0

; In case not all cookies are supposed to get encrypted this is a comma
; separated list of cookie names that should get encrypted. All other cookies
; will not get touched.
;suhosin.cookie.cryptlist = 

; In case some cookies should not be crypted this is a comma separated list of
; cookies that do not get encrypted. All other cookies will be encrypted.
;suhosin.cookie.plainlist = 

; -----------------------------------------------------------------------------
; Filtering Options

; Defines the reaction of Suhosin on a filter violation.
suhosin.filter.action = 402

; Defines the maximum depth an array variable may have, when registered through
; the COOKIE.
;suhosin.cookie.max_array_depth = 50

; Defines the maximum length of array indices for variables registered through
; the COOKIE.
;suhosin.cookie.max_array_index_length = 64

; Defines the maximum length of variable names for variables registered through
; the COOKIE. For array variables this is the name in front of the indices.
;suhosin.cookie.max_name_length = 64

; Defines the maximum length of the total variable name when registered through
; the COOKIE. For array variables this includes all indices.
;suhosin.cookie.max_totalname_length = 256

; Defines the maximum length of a variable that is registered through the
; COOKIE.
;suhosin.cookie.max_value_length = 10000

; Defines the maximum number of variables that may be registered through the
; COOKIE.
;suhosin.cookie.max_vars = 100

; When set to On ASCIIZ chars are not allowed in variables.
;suhosin.cookie.disallow_nul = 1

; Defines the maximum depth an array variable may have, when registered through
; the URL
;suhosin.get.max_array_depth = 50

; Defines the maximum length of array indices for variables registered through
; the URL
;suhosin.get.max_array_index_length = 64

; Defines the maximum length of variable names for variables registered through
; the URL. For array variables this is the name in front of the indices.
;suhosin.get.max_name_length = 64

; Defines the maximum length of the total variable name when registered through
; the URL. For array variables this includes all indices.
;suhosin.get.max_totalname_length = 256

; Defines the maximum length of a variable that is registered through the URL.
;suhosin.get.max_value_length = 512

; Defines the maximum number of variables that may be registered through the
; URL.
;suhosin.get.max_vars = 100

; When set to On ASCIIZ chars are not allowed in variables.
;suhosin.get.disallow_nul = 1

; Defines the maximum depth an array variable may have, when registered through
; a POST request.
suhosin.post.max_array_depth = 8048

; Defines the maximum length of array indices for variables registered through
; a POST request.
suhosin.post.max_array_index_length = 1024

; Defines the maximum length of variable names for variables registered through
; a POST request. For array variables this is the name in front of the indices.
suhosin.post.max_name_length = 2048

; Defines the maximum length of the total variable name when registered through
; a POST request. For array variables this includes all indices.
suhosin.post.max_totalname_length = 8192

; Defines the maximum length of a variable that is registered through a POST
; request.
;suhosin.post.max_value_length = 1000000

; Defines the maximum number of variables that may be registered through a POST
; request.
suhosin.post.max_vars = 4096

; When set to On ASCIIZ chars are not allowed in variables.
;suhosin.post.disallow_nul = 1

; Defines the maximum depth an array variable may have, when registered through
; GET , POST or COOKIE. This setting is also an upper limit for the separate
; GET, POST, COOKIE configuration directives.
suhosin.request.max_array_depth = 4096

; Defines the maximum length of array indices for variables registered through
; GET, POST or COOKIE. This setting is also an upper limit for the separate
; GET, POST, COOKIE configuration directives.
suhosin.request.max_array_index_length = 2048

; Defines the maximum length of variable names for variables registered through
; the COOKIE, the URL or through a POST request. This is the complete name
; string, including all indicies. This setting is also an upper limit for the
; separate GET, POST, COOKIE configuration directives.
suhosin.request.max_totalname_length = 8192

; Defines the maximum length of a variable that is registered through the
; COOKIE, the URL or through a POST request. This setting is also an upper
; limit for the variable origin specific configuration directives.
suhosin.request.max_value_length = 650000

; Defines the maximum number of variables that may be registered through the
; COOKIE, the URL or through a POST request. This setting is also an upper
; limit for the variable origin specific configuration directives.
suhosin.request.max_vars = 4096

; Defines the maximum name length (excluding possible array indicies) of
; variables that may be registered through the COOKIE, the URL or through a
; POST request. This setting is also an upper limit for the variable origin
; specific configuration directives.
;suhosin.request.max_varname_length = 64

; When set to On ASCIIZ chars are not allowed in variables.
;suhosin.request.disallow_nul = 1

; When set to On the dangerous characters <>"'` are urlencoded when found
; not encoded in the server variables REQUEST_URI and QUERY_STRING. This
; will protect against some XSS vulnerabilities.
;suhosin.server.encode = 1

; When set to On the dangerous characters <>"'` are replaced with ? in
; the server variables PHP_SELF, PATH_TRANSLATED and PATH_INFO. This will
; protect against some XSS vulnerabilities.
;suhosin.server.strip = 1

; Defines the maximum number of files that may be uploaded with one request.
suhosin.upload.max_uploads = 100

; When set to On it is not possible to upload ELF executables.
;suhosin.upload.disallow_elf = 1

; When set to On it is not possible to upload binary files.
;suhosin.upload.disallow_binary = 0

; When set to On binary content is removed from the uploaded files.
;suhosin.upload.remove_binary = 0

; This defines the full path to a verification script for uploaded files. The
; script gets the temporary filename supplied and has to decide if the upload
; is allowed. A possible application for this is to scan uploaded files for
; viruses. The called script has to write a 1 as first line to standard output
; to allow the upload. Any other value or no output at all will result in the
; file being deleted.
suhosin.upload.verification_script = "/usr/bin/upload.sh"

; Specifies the maximum length of the session identifier that is allowed. When
; a longer session identifier is passed a new session identifier will be
; created. This feature is important to fight bufferoverflows in 3rd party
; session handlers.
;suhosin.session.max_id_length = 128

; Undocumented: Controls if suhosin coredumps when the optional suhosin patch 
; detects a bufferoverflow, memory corruption or double free. This is only
; for debugging purposes and should not be activated.
;suhosin.coredump = Off

; Undocumented: Controls if the encryption keys specified by the configuration
; are shown in the phpinfo() output or if they are hidden from it
;suhosin.protectkey = 1

; Controls if suhosin loads in stealth mode when it is not the only
; zend_extension (Required for full compatibility with certain encoders 
;  that consider open source untrusted. e.g. ionCube, Zend)
;suhosin.stealth = 1

; Controls if suhosin's ini directives are changeable per directory
; because the admin might want to allow some features to be controlable
; by .htaccess and some not. For example the logging capabilities can
; break safemode and open_basedir restrictions when .htaccess support is
; allowed and the admin forgot to fix their values in httpd.conf
; An empty value or a 0 will result in all directives not allowed in
; .htaccess. The string "legcprsum" will allow logging, execution, get, 
; post, cookie, request, sql, upload, misc features in .htaccess
;suhosin.perdir = "0"

Jesus_Caceres