Snuffleupagus: the PHP protection shield


The IT security tool Snuffleupagus secures your PHP servers against most IT attacks. Developed by our security experts and distributed as free software, it is very easy to use. By default, this tool protects our clients’ servers that use the high-security hosting solution CerberHost.

PHP security: why use Snuffleupagus?

PHP is a language specially designed for developing dynamic web applications. Unlike JavaScript, it is executed on your servers directly, not on your users’ browsers.

The Snuffleupagus module acts directly on your PHP applications with no loss of performance. Right within PHP, it blocks suspicious behaviour and prevents certain dangerous functions from running. This way, it makes it very complex and costly to exploit entire families of IT vulnerabilities. You and your clients are better protected against attacks.

The tool also allows you to implement virtual patching to improve your reaction time by correcting new vulnerabilities as they are published. Virtual patching also lets you keep dangerous functions generally prohibited while allowing them where they are essential, such as operating or updating your CMS or framework. You are protected while keeping your operating habits.

This is the tool’s big advantage: it is easy to use in highly industrialised environments. It lightens security processes and reduces integration and acceptance testing time, making your production team’s daily work easier. Furthermore, it was specifically designed for PHP7, and its rules file allows it to adapt to your application’s specificities.

Snuffleupagus is a replacement for Suhosin, an open source tool that also makes PHP secure but is no longer maintained, does not work with PHP7, and has certain limits. We would like to take this opportunity to thank this project team who showed us the way!

Secure server: NBS System’s open source expertise

year of Research & Development

Snuffleupagus: their stories

“Snuffleupagus has proved to be a very valuable tool so far.”

Read the article on Snuffleupagus from Toolslib

“PHP7 is arriving fast, incompatible with Suhosin and carrying its own batch of security problems. Thankfully, Snuffleupagus is here to protect us! ”

Read the article (in French) published on Linux Mag about Snuffleupagus

How can you use Snuffleupagus?

You can download the open source PHP module on the Snuffleupagus GitHub page. You can install it directly on your servers. Contact your web host for assistance if you need it!

However, take care not to install this server protection tool as is: certain very restrictive rules may not be appropriate for your site and could cause it to malfunction. You can start by using the simulation mode to check the tool’s impact on your application before rolling it out into production.

When should you use Snuffleupagus?

Snuffleupagus needs to be constantly up and running so that it can be effective and act in real time. Once installed on your server, it should not be disabled.

How does Snuffleupagus work?

Virtual patching: general rules that can be activated depending on your needs

Virtual patching lets you create a virtual fix very quickly after a vulnerability is published. By applying it to Snuffleupagus, you can protect your PHP application immediately without shutting down production, and you can then take the time to plan an update for the vulnerable software.

The tool also comes with a set of already established rules. By default, these protect you against any lack of PHP-related checks that can lead to code injections and other common vulnerabilities. For example, these allow you to limit running files to those with legitimate file extensions (.php, .inc, or .tpl).

These rules can be activated or deactivated individually … and you can add your own!

PHP protection: restricting functions to legitimate uses

Virtual patching on Snuffleupagus has another goal: restricting the use of PHP functions. Some of them are considered dangerous because they can be diverted from their intended use during computer attacks.

This PHP module uses virtual patching to restrict the use of these functions only to cases where they are necessary, protecting you against this type of risk. The tool contains a script that generates a whitelist specific to your application, so it works perfectly with it.

For example, the “system” function that runs an external programme and displays the result can be used to execute arbitrary code. With this virtual fix system, it can be allowed only in a single file where we know it is legitimate.

PHP security: continuous improvement

However, virtual patching requires time to write effective rules and maintenance to stay effective whenever new vulnerabilities are discovered and when your applications change. Hackers are always on the move, always innovating, and always looking for new ways to attack. Snuffleupagus is also made to evolve and to help you detect vulnerabilities and new kinds of attacks.

The tool has a feature that lists certain queries that resemble exploit attempts, making it easier to detect patterns and build effective, appropriate protection.

Furthermore, adding new filtering rules or new protections may have unintended impacts on your application. Snuffleupagus allows you to test these new features through a “simulation” mode which will record all the events corresponding to your new rule without stopping them from running. This way, you can study these rules’ impact before putting them into production on your PHP applications.
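As an added illustration (not taken from this page or from the project's shipped rules), here is how the single-file allowance for “system” and the “simulation” mode described above can be written in a Snuffleupagus rules file. The file path and the choice of “exec” as the function under evaluation are hypothetical.

```conf
# Added example. The path below is hypothetical; adapt it to your application.

# Rules for a function are evaluated in order, so the allowance must come
# before the general prohibition.

# 1. Allow system() only when it is called from the one script known to need it.
sp.disable_function.function("system").filename("/var/www/app/admin/update.php").allow();

# 2. Every other call to system() is blocked and logged.
sp.disable_function.function("system").drop();

# 3. A new rule still being evaluated: with simulation(), matching calls are
#    logged but allowed to run, so the impact can be studied before enforcing it.
sp.disable_function.function("exec").simulation().drop();
```

Once the logs show that the simulated rule only matches unwanted calls, removing `.simulation()` turns it into an enforcing rule.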

IT security for entire classes of vulnerabilities

These rules can block emerging queries, but most are intended for general protection, “killing” as many vulnerabilities as possible and securing your PHP.

Some are original. Others were inspired by other projects or open source tools. As much as possible, our experts have given credit for these ideas on the Snuffleupagus features description page. Since there is a wide variety of protection, we will not list them all on this page. Here are a few examples.

Protection against data theft and code execution

Snuffleupagus prevents hackers from executing arbitrary code on your servers, one of the worst situations that you could encounter since it can allow them to do pretty much whatever they want on your machine.

The tool checks and applies restrictions on uploaded files to detect suspicious behaviour. It will alert you if needed and immediately stop the current process.

Snuffleupagus also prevents calls to external elements in XML that might allow hackers to read some of your data. To maintain a satisfactory level of encryption, it also replaces certain PHP functions that generate random numbers with a low level of entropy with another, more secure function. It also makes sure that serialised data is intact to prevent them from being manipulated, which could lead to arbitrary code being executed.

Protecting your internet users

Hackers do not just concentrate on your businesses, and your application or website could be used to attack your users. They should be protected: this is your responsibility. For example, some users reuse their passwords. If your site is compromised, it could lead to others being compromised as well.

Snuffleupagus prevents your users’ cookies from being sent to third-party sites, avoiding cross-site request forgery. The tool also prevents cookie theft by encrypting them via a key with several components that are specific to each user. It will also mark them as secure if your visitor connects via HTTPS. 

Best IT security practices

Often, hackers exploit easy flaws that exist on websites’ underlying infrastructure that do not respect best security practices. By default, Snuffleupagus activates the “strict” mode included in PHP7, prohibits certain bad practices, and even offers a file of PHP configuration best practices by default that you can use for inspiration.

Do you want to find out more about Snuffleupagus, or are you looking for a service provider who is active in the open source ecosystem?

Contact us!