Suhosin Will Make your PHP Hard

Posted by Nessa | Posted in Uncategorized | Posted on 20-04-2007


I noticed a vague mention of Suhosin on a PHP blog that I read on occasion and I decided to give it a whirl to see if it’s as sexy as it sounds. So far my server hasn’t crashed, so I’m willing to recommend it to anyone who’s interested in hardening their PHP. Ok, sorry. I really can’t say that without chuckling. Yes, welcome back to third grade.

If you check out the developer’s site you should pretty much get the idea of what it does, but basically it closes some of the security holes that we see with PHP all the time. Not to say that it will make your PHP 4.3/MySQL3/globals on/port 22 open server any more secure, but if you’re running any of the latest stable security releases you might be somewhat interested.

I’m currently running PHP 5.2.1, which is the latest release of PHP5 at the time of this writing. You can essentially install this on any PHP4+ server that you have root SSH access to. I opted to install the DSO, as I absolutely hate recompiling PHP. Installing Suhosin as a dynamic shared module will not require you to recompile anything, and is therefore the preferred method for lazy people.

Note: I’m using the latest (and only) release at the time of my writing, but head over to the download page to see if there is anything newer:

http://www.hardened-php.net/suhosin/download.html


cd /usr/src
wget http://www.hardened-php.net/suhosin/_media/suhosin-0.9.20.tgz
tar -xvzf suhosin-0.9.20.tgz
cd suhosin-0.9.20

Now to install:

phpize
./configure
make
make install

It should return a line something like this:

Installing shared extensions: /usr/local/lib/php/extensions/no-debug-non-zts-20060613/

Now, all you have to do is add this line to your php.ini and restart Apache. Of course, the path should be what the installation output gave you:


[Suhosin]
extension="/usr/local/lib/php/extensions/no-debug-non-zts-20060613/suhosin.so"

**If you are running eAccelerator, this should be above the eAccelerator configuration.

When you load up your phpinfo file you should see the module loaded near the Zend section. Everything should be fine as-is, but if you’re one of those people who has to reconfigure everything, knock yourself out.

This Comic Might be Dirty

Posted by Nessa | Posted in Uncategorized | Posted on 23-03-2007


YBNBY just posted a list of the top ten most subliminally dirty old comic book panels. If you ask me, it looks like the authors of these comic books were trying to be obvious without looking like they were being obvious. It’s kind of like driving down the boardwalk blaring Celine Dion and then pretending to not be a homo.

You can read the article here.

Keep People from Jacking your Images

Posted by Nessa | Posted in Uncategorized | Posted on 19-03-2007


I get this question a lot, so I figured I’d post it here. For those of you who don’t have the convenience of a cPanel-based system, you can block image hotlinking in your .htaccess. Image hotlinking is basically when someone uses an image from your website on their site, but has your site in the <img src..> tags (instead of their own site) so the image loads remotely, and therefore sucks up your bandwidth and resources.

Load up the .htaccess file in your website root (public_html or www folder, usually) and add these lines anywhere in the file:


# Turn on mod_rewrite for this directory
RewriteEngine on
# Allowed referrers. The conditions are ANDed, so the rule below only fires
# when the Referer matches none of them ([NC] = case-insensitive).
RewriteCond %{HTTP_REFERER} !^http://v-nessa\.com/.*$ [NC]
RewriteCond %{HTTP_REFERER} !^http://v-nessa\.com$ [NC]
RewriteCond %{HTTP_REFERER} !^http://v-nessa\.net/.*$ [NC]
RewriteCond %{HTTP_REFERER} !^http://v-nessa\.net$ [NC]
RewriteCond %{HTTP_REFERER} !^http://www\.v-nessa\.com/.*$ [NC]
RewriteCond %{HTTP_REFERER} !^http://www\.v-nessa\.com$ [NC]
RewriteCond %{HTTP_REFERER} !^http://www\.v-nessa\.net/.*$ [NC]
RewriteCond %{HTTP_REFERER} !^http://www\.v-nessa\.net$ [NC]
# Image requests from any other referrer are redirected to the home page
RewriteRule .*\.(jpg|jpeg|gif|png|bmp)$ http://v-nessa.net [R,NC]

I’m using my two sites, v-nessa.net and its parked domain, v-nessa.com. These are sites that I want to allow to display my images. Please note that with Apache, w’s and https matter. So if you have hotlink protection set for yourwebsite.com and someone accesses your site via https://yourwebsite.com or www.yourwebsite.com, they will not be able to see the images unless you allow them as a referrer. Same goes with your subdomains.
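To see which referrers the rule set above lets through before putting it live, the condition chain can be modelled offline. This is an added example, not part of the original post: the function name and the sample Referer values are made up for illustration, and the patterns are the ones above with the dots escaped.

```bash
#!/bin/sh
# Added example (not from the original post): models the RewriteCond chain.
# One ERE per RewriteCond line, dots escaped; grep -i stands in for [NC].
ALLOWED='^http://v-nessa\.com/.*$
^http://v-nessa\.com$
^http://v-nessa\.net/.*$
^http://v-nessa\.net$
^http://www\.v-nessa\.com/.*$
^http://www\.v-nessa\.com$
^http://www\.v-nessa\.net/.*$
^http://www\.v-nessa\.net$'

# Exit status 0 when every negated condition holds, i.e. the RewriteRule
# fires and the image request is redirected; 1 when the image is served.
hotlink_redirected() {
    if printf '%s\n' "$1" | grep -Eiq -e "$ALLOWED"; then
        return 1
    fi
    return 0
}

# Constructed sample Referer values; the empty string stands for a request
# that carries no Referer header at all.
report() {
    for ref in \
        'http://v-nessa.net/blog/' \
        'http://WWW.v-nessa.com' \
        'https://v-nessa.net/blog/' \
        'http://blog.v-nessa.net/' \
        'http://example.org/gallery.html' \
        ''
    do
        if hotlink_redirected "$ref"; then
            printf 'redirected  [%s]\n' "$ref"
        else
            printf 'served      [%s]\n' "$ref"
        fi
    done
}
report
```

The last sample shows that a request with no Referer header is redirected as well, which hits visitors whose browser or proxy strips the header; an extra `RewriteCond %{HTTP_REFERER} !^$` line lets those requests through. Because the Referer is supplied by the client, this limits casual bandwidth leeching and is not an access control.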

How to Install PHP6

Posted by Nessa | Posted in Uncategorized | Posted on 26-02-2007


This was a little experiment gone somewhat wrong, when I tried to upgrade my VPS to PHP6. I swear it worked, but I should have known that nothing supports it — WordPress just crapped out a bunch of errors. On a higher note though, it seems to be hella secure as you can no longer use magic quotes or globals, otherwise Apache will fail. So if you really want to be on the bleeding edge, here’s how you install PHP6:

I didn’t really need to install a whole bunch of stuff, but depending on how your webserver is already set up you may need to install extra dependencies, but this will become obvious during the compile.

1) Make sure your autoconf version is up to date with version 2.13 or higher:

autoconf -V

2) Install ICU…you can find your version here.

wget ftp://ftp.software.ibm.com/software/globalization/icu/3.6/icu4c-3_6-src.tgz
tar -xzvf icu4c-3_6-src.tgz
cd icu*/source
mkdir /usr/local/icu
./configure --prefix=/usr/local/icu && make && make install

3) Git yur PHP! You can find the latest dev release of PHP6 at http://snaps.php.net/. Your wget and tar targets will be different, as the development version changes frequently.

wget http://snaps.php.net/php6.0-200702230530.tar.gz
tar -xvzf php6.0-200702230530.tar.gz
cd php6.0-200702230530
./buildconf

This will build the configuration and let you know if something is missing. Once this is complete, run the configure script…I’ve put the mandatory stuff in there, but you’ll also want to include any PHP modules that you need. You may find it easier to copy this from a phpinfo file, minus the quotes.

./configure --with-apxs=/usr/local/apache/bin/apxs --prefix=/usr/local/ --with-icu-dir=/usr/local/icu

You’ll probably get build errors, which is usually due to 1) a particular module no longer being supported or 2) PHP cannot find that module’s files on the server. In this case you’ll want to see which module the configure command stops at, then either leave it out or make sure the module is compatible with the correct location specification in the configure command. For instance, I have Ming installed and this is the directive in my configure command:

--with-ming=../ming-0.2

Once you have a good build, you can install your PHP:

make && make install

4) Configure Apache

Usually the PHP installation with the --with-apxs switch will add the necessary entries to your httpd.conf, but if not you will need to comment out the loaders for php4/php5 and add the ones for php6:

LoadModule php6_module libexec/libphp6.so
AddModule mod_php6.c

Then restart Apache:

/etc/init.d/httpd restart (or whatever command you use to restart Apache)

Now…twenty bucks says that there is now something on the server that doesn’t work, which will be obvious with the Apache restart you just did. You’ll want to check your error logs for the obvious problems, then correct the issues in your php.ini and other files it mentions. The most common issue is with the magic quotes gpc and register globals.
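Since the two directives named above are the usual culprits, it helps to find where they are set before restarting. The following is an added example, not from the original post: the function names and the sample php.ini content are made up for illustration, and it only checks the two directives this post mentions.

```bash
#!/bin/sh
# Added example (not from the original post). Lists active php.ini lines that
# set magic_quotes_gpc or register_globals, as "line:directive=value".
php6_ini_conflicts() {
    awk -F'=' '
        /^[ \t]*;/ { next }                    # skip commented-out lines
        {
            key = $1
            gsub(/[ \t]/, "", key)
            if (key == "magic_quotes_gpc" || key == "register_globals") {
                val = $2
                sub(/;.*/, "", val)            # drop a trailing comment
                gsub(/[ \t"]/, "", val)        # drop spaces and quotes
                printf "%d:%s=%s\n", NR, key, val
            }
        }' "$1"
}

# Constructed sample php.ini written to a temp file (hypothetical content).
sample_ini() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
[PHP]
; register_globals = On
magic_quotes_gpc = On
memory_limit = 32M
register_globals = Off ; legacy apps
EOF
    printf '%s\n' "$f"
}

ini=$(sample_ini)
php6_ini_conflicts "$ini"
rm -f "$ini"
```

Point the function at the php.ini your build actually loads (the path is shown in phpinfo) and review each line it reports.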

If you have any third-party extensions like Zend, IonCube, or eAccelerator, you’ll need to re-install those as well.

There you have it…you now have PHP6 installed on your server…and now your apps don’t work! You can admire your work next time you try to load your site.

Be sure to make a pretty phpinfo() file to check the installation.

<?php phpinfo() ?>


I’m So Smart

Posted by Nessa | Posted in uncategorized | Posted on 28-01-2007


So I learned today that electric can openers have little magnets in the top that apparently hold on to the lid while the can is being opened. And get this — apparently you’re supposed to take the stuff out of the can before you put it in the microwave because I guess metal and microwaves don’t go together. I wonder why they don’t put this kind of stuff on the labels. I mean, good thing I’m a genius and I figured that out before I could have killed myself.