It's nice that we can also use the internet to illustrate and graph the evolution of this revolution through the Middle East. A great tool to do this is Google Insights for Search. (One could also use Google Trends to accomplish this but Trends has far less features)

If we graph out the search volume of the names of some countries where the revolutions is burning we can immediately see the sequence of countries where major events are taking place

This Insights analysis clearly learns us when the Jasmine Revolution in Tunisia began, in fact we only graph out the google search volume for the keyword "Tunesia"

If we align a similar graph about the keyword "Egypt" we see that the rumors in Cairo were at its maximum about two weeks later:

We can do the same Algeria, Bahrain and Libya to see when major events took place there (actually they are taking place right now in Libya):

If we import all the Google Insights data as CSV, import it in excel and use some conditional formatting we can show a nice heatmap of the events that took place in the Middle East:

click on the image to enlarge

We can also link this data to Microsoft Mappoint, this is the situation on Feb 21, 2011:

click on the image to enlarge

One of the things I really wanted to implement was limiting the execution of potentially insecure php functions like:

It would be fairly easy to disable all these functions by adding the following line to /etc/php.ini:

disable_functions = exec, passthru, shell_exec, system, pcntl_exec, proc_open, proc_nice, proc_terminate, proc_get_status, proc_close, leak, apache_child_terminate, posix_kill, posix_mkfifo, posix_setpgid, posix_setsid, posix_setuid, escapeshellcmd, escapeshellarg, popen, curl_multi_exec, show_source, curl_exec, parse_ini_file

A major disadvantage of this approach would be that all these functions are disabled for all domains, this is unacceptable, quite some wordpress sites use curl_exec, one of my SEO-enhanced OSCommerce sites uses parse_ini_file ... These sites would not function properly anymore...

One could suggest to override the disabled_functions directive in Plesk's per domain vhosts.conf file, but this wouldn't work, once set in /etc/php.ini, disable_functions cannot be overridden.

In a search to tackle this problem I came across suhosin, an an advanced protection system for PHP installations, suhosin has a directive called suhosin.executor.func.blacklist that can be set in php.ini and overriden in you per domain vhosts.conf.

So how do we configure all this?

• I started with a CentOS 5.5 install with Plesk 10 on it
• Make sure you have yum installed on your system
• Add the atomic repo to your yum repositories by executing:
  wget -q -O - http://www.atomicorp.com/installers/atomic | sh
• Install suhosin,this step is extremely complicated once you have yum and the atomic repo
  yum install suhosin
• Add the following line to /etc/php.ini :
  suhosin.executor.func.blacklist = exec, passthru, shell_exec, system, pcntl_exec, proc_open, proc_nice, proc_terminate, proc_get_status, proc_close, leak, apache_child_terminate, posix_kill, posix_mkfifo, posix_setpgid, posix_setsid, posix_setuid, escapeshellcmd, escapeshellarg, popen, curl_multi_exec, show_source, curl_exec, parse_ini_file, ini_alter
• If you want a function to be enabled for a specific domain, just override the suhosin.executor.func.blacklist directive in your domain-specific vhosts.conf file and leave the function you want to re-enable out of the list.
  let's say we want to enable curl_exec on my domain icat.be, we then edit (or create) the file /var/www/vhosts/icat.be/conf/vhost.conf and add the following line:
  php_admin_value suhosin.executor.func.blacklist "exec, passthru, shell_exec, system, pcntl_exec, proc_open, proc_nice, proc_terminate, proc_get_status, proc_close, leak, apache_child_terminate, posix_kill, posix_mkfifo, posix_setpgid, posix_setsid, posix_setuid, escapeshellcmd, escapeshellarg, popen, curl_multi_exec, show_source, parse_ini_file, ini_alter"
Notice the abcense of the curl_exec function
• Apply your settings with:
  /usr/local/psa/admin/sbin/httpdmng --reconfigure-all
• To test all this and make sure you didn't forget to enable any functions that are required for the proper functioning of your websites, check you logs with
  grep suhosin /var/log/messages
  If a function is blocked you'll see something like:
  Jan 29 14:24:01 iCAT suhosin[19913]: ALERT - function within blacklist called: curl_exec() (attacker '66.249.66.11', file '/var/www/vhosts/icat.be/httpdocs/wp-includes/class-http.php', line 1402)