Suhosin for PHP in EasyApache 4 (EA4)

cPanelDon shared this idea 10 months ago
Pre-Release

As a server administrator I want Suhosin for all available PHP versions in EasyApache 4 (EA4) so that I can better mitigate malicious PHP activity and better protect my systems. Prior to EA4 we could find Suhosin in both stock EasyApache 3 (EA3) and the Hardened PHP (alt-php) packages from CloudLinux, but after migrating to EasyApache 4 Suhosin support was lost. Please bring back support for Suhosin so there is improved feature parity in EA4 when compared to its predecessor, EA3. I do not want to rely solely on other mechanisms like ModSecurity which are not consistently supported (e.g., mod_security not available when using ITK or ruid2).

Best Answer

I built these packages over the weekend for suhosin. You can install php-suhosin for PHP54 - PHP56 off the EA4-experimental repository now. Once we receive feedback on how it works, we'll promote this package to our EA4 mainline repositories.

  1. yum install ea4-experimental
  2. yum install ea-php##-php-suhosin

Make sure to replace '##' with 54 for PHP version 5.4, for example.

You can read more about the experimental repo here:

https://documentation.cpanel.net/display/EA4/The+Experimental+Repository

Comments (13)

3

I understand that if an older version of PHP is not supported in the latest suhosin, a different version of suhosin could be used for that specific PHP version, which I believe is what the CloudLinux HardenedPHP (alt-php) packages offer. At a minimum, I think EA4 should include the latest suhosin in the versions of PHP that the latest suhosin supports, and then if an older PHP version requires an older suhosin version, consider supplying that older suhosin version in the older PHP version, or determine if HardenedPHP packages might be able to fill in the gaps for those needing legacy PHP support.

4

Suhosin is supported in EasyApache3, why would it not be supported in EasyApache4? Seems like a great idea to me and well worth the effort given the added security it offers.

6

The absence of Suhosin is my only obstacle to using EasyApache 4.

6

Suhosin has always been offered in cPanel.

I have serious security problems with the use of eval.

I need Suhosin in cPanel.

3

This is another of many examples in which cPanel has not considered the community in the change, almost forced, towards EA4. It is incredible that cPanel so arbitrarily removes one system to replace another, eliminating features so necessary for its tens of thousands of customers.

2

I completely understand your frustrations, and I'm sorry for the problems you're seeing. I do want to point out, though, that saying the community hasn't been considered isn't true, and the push toward EA4 isn't at all arbitrary. We're continuing to expand the things that are supported in EasyApache 4, and the team is working hard to make it possible for 100% of our customers to convert from EA3. As soon as we've started considering this or building it we'll definitely let everyone know here!

2

Yes... it is important. I upgraded 3 servers to EasyApache without Suhosin and 2 Joomlas had been compromised.

2

We're also waiting for Suhosin support in EA4; meanwhile we're going to keep EA3.

4

We have more than 50 shared hosting servers at BenzaHosting. We have only migrated 5 to EA4. We do not want to continue migrating to EA4 because it does not have Suhosin.

5

Hi,

We'll be building out php-suhosin for EA4 here shortly. I've created case EA-5847 to track this. When we've started working on it, I'll be sure to update this feature request.

Thanks to all for your feedback!

1

Is this likely to be released prior to the end of EA3 support?

1

It's not certain yet, but I would say it's likely. As soon as we know for sure, we'll definitely share that here.
