Suhosin is an advanced protection system for PHP installations. It was designed to protect servers and users from known and unknown flaws in PHP applications and the PHP core. How can I install suhosin extension on a Debian v8.x or Ubuntu Linux 14.04 LTS server?

Suhosin (Korean 수호신, meaning guardian-angel) is used to securing PHP web applications such as WordPress and others. Suhosin comes as the extension and the patch. Both parts can be installed separately and have no dependencies to each other. [donotprint]
Tutorial details
Difficulty level Intermediate
Root privileges Yes
Requirements None
Est. reading time 5m

How To Installing Suhosin on Debian and Ubuntu [Binary Method]

Type the following command on a Ubuntu Linux 14.04 LTS server:

sudo -s
echo 'deb ubuntu-trusty main' >> /etc/apt/sources.list
apt-get update

Debian Linux 8.x user type the following command:

sudo -s
echo 'deb debian-jessie main' >> /etc/apt/sources.list
apt-get update

Sample outputs:

Ign trusty-security InRelease
Get:1 trusty-security Release.gpg [933 B]           
Get:2 trusty-security Release [63.5 kB]             
Ign trusty InRelease                                 
Ign trusty-updates InRelease                         
Get:3 trusty-security/main amd64 Packages [319 kB]
Hit trusty Release.gpg                              
Ign ubuntu-trusty InRelease                            
Get:4 trusty-security/restricted amd64 Packages [8,875 B]
Get:5 trusty-security/universe amd64 Packages [111 kB]
Get:6 trusty-updates Release.gpg [933 B]             
Get:7 trusty-security/multiverse amd64 Packages [3,683 B]
Get:8 ubuntu-trusty Release.gpg [816 B]                
Get:9 trusty-security/main Translation-en [172 kB]  
Hit trusty Release                                   
Get:10 ubuntu-trusty Release [1,074 B]                 
Get:11 trusty-updates Release [63.5 kB]              
Get:12 ubuntu-trusty/main amd64 Packages [722 B]       
Hit trusty-security/multiverse Translation-en       
Hit trusty/main amd64 Packages                       
Hit trusty-security/restricted Translation-en       
Hit trusty-security/universe Translation-en         
Hit trusty/restricted amd64 Packages                 
Hit trusty/universe amd64 Packages        
Hit trusty/multiverse amd64 Packages           
Hit trusty/main Translation-en           
Hit trusty/multiverse Translation-en
Ign ubuntu-trusty/main Translation-en_US
Hit trusty/restricted Translation-en
Ign ubuntu-trusty/main Translation-en
Hit trusty/universe Translation-en
Get:13 trusty-updates/main amd64 Packages [584 kB]
Get:14 trusty-updates/restricted amd64 Packages [11.8 kB]
Get:15 trusty-updates/universe amd64 Packages [297 kB]
Get:16 trusty-updates/multiverse amd64 Packages [12.0 kB]
Hit trusty-updates/main Translation-en
Hit trusty-updates/multiverse Translation-en
Hit trusty-updates/restricted Translation-en
Hit trusty-updates/universe Translation-en
Ign trusty/main Translation-en_US
Ign trusty/multiverse Translation-en_US              
Ign trusty/restricted Translation-en_US              
Ign trusty/universe Translation-en_US                
Fetched 1,651 kB in 6s (250 kB/s)                                              
Reading package lists... Done

The repository is signed with key, so install it with wget command:

## Run as root user ##
sudo apt-key add repository.asc

Sample outputs:

Fig.01: Installing key

Next, type the following apt-get command to install the php5-suhosin-extension package, run:
sudo apt-get install php5-suhosin-extension

Sample outputs:

Fig.02: Installing php5-suhosin-extension package

Enable the php5-suhosin-extension

sudo php5enmod php5-suhosin

Restart php5-fpm on a Ubuntu LTS 14.04

sudo /sbin/restart php5-fpm

Restart php5-fpm on a Debian Linux 8.0

sudo systemctl restart php5-fpm

Test it

Create a file called test.php:

sudo vi /var/www/test.php

Append the following code:


Save and close the file. You can open the Browser and type the following url:
Sample outputs:

Fig.03: Suhosin enabled on server


You need to edit the file /etc/php5/mods-available/suhosin.ini, enter:
# vi /etc/php5/mods-available/suhosin.ini
You can see comma separated whitelist of functions are not allowed to be called:

suhosin.executor.func.blacklist = assert,unserialize,exec,popen,proc_open,passthru,shell_exec,system,hail,parse_str,mt_srand
suhosin.executor.eval.whitelist = assert,unserialize,exec,popen,proc_open,passthru,shell_exec,system,hail,parse_str,mt_srand

Save and close the file. You need to restart php5-fpm. I suggest you see the configuration page for a complete list of possible configuration options.

🐧 Get the latest tutorials on Linux, Open Source & DevOps via RSS feed or Weekly email newsletter.

🐧 5 comments so far... add one

CategoryList of Unix and Linux commands
Disk space analyzersdf ncdu pydf
File Managementcat cp mkdir tree
FirewallAlpine Awall CentOS 8 OpenSUSE RHEL 8 Ubuntu 16.04 Ubuntu 18.04 Ubuntu 20.04
Network UtilitiesNetHogs dig host ip nmap
OpenVPNCentOS 7 CentOS 8 Debian 10 Debian 8/9 Ubuntu 18.04 Ubuntu 20.04
Package Managerapk apt
Processes Managementbg chroot cron disown fg jobs killall kill pidof pstree pwdx time
Searchinggrep whereis which
User Informationgroups id lastcomm last lid/libuser-lid logname members users whoami who w
WireGuard VPNAlpine CentOS 8 Debian 10 Firewall Ubuntu 20.04
5 comments… add one
  • Steven Jul 30, 2015 @ 3:39

    I’m a beginner and I was wondering, why do we need to install Suhosin ?
    Which hacks or kind of hacks are prevent by this extension ?

  • Victor T. Aug 3, 2015 @ 4:24

    Steven, for example, there are tons of WordPress exploits that a user could gain access to your OS. They can then us it to send SPAM, or as a part of a larger botnet to hack other sites or DDoS attacks. I’m sysadmin for a hosting company and this is a constant struggle.

  • Peter M Aug 3, 2015 @ 11:57

    Another great article, thanks!

    A few questions about “best-practice”:
    * Why not create a new repo file in /etc/apt/sources.d/ instead of appending to sources.list? I’ve started doing this based on previous reading and found it’s far easier to manage dist-upgrades.
    * At the beginning you have “sudo -s”.
    — Again, I’ve read “sudo -i” is the better flag to use?
    — Also, once in “sudo -s”, there are still references all through to using sudo, but no point to exit from the original sudo shell.

  • Hubert Trzewik Feb 17, 2016 @ 16:25

    Had to do “sudo php5enmod suhosin” instead “sudo php5enmod php5-suhosin“, because there is /etc/php5/mods-available/suhosin.ini file not /etc/php5/mods-available/php5-suhosin.ini .

    • dan mills Apr 9, 2016 @ 10:11

      This works. Thanks Hubert!

Leave a Reply

Your email address will not be published.

Use HTML <pre>...</pre> for code samples. Still have questions? Post it on our forum