fail2ban/config/filter.d/suhosin.conf

# Fail2Ban configuration file
#
# Author: Arturo 'Buanzo' Busleiman <buanzo@buanzo.com.ar>
#

[INCLUDES]

# Read common prefixes. If any customizations available -- read them from
# common.local
before = common.conf


[Definition]

_daemon = (?:lighttpd|suhosin)

# Option:  failregex
# Notes.:  regex to match ALERTS as notified by lighttpd's FastCGI Module
# Values:  TEXT
#
# https://github.com/stefanesser/suhosin/blob/1fba865ab73cc98a3109f88d85eb82c1bfc29b37/log.c#L161

_lighttpd_prefix = (?:\(mod_fastcgi\.c\.\d+\) FastCGI-stderr:\s)

failregex = ^%(__prefix_line)s%(_lighttpd_prefix)s?ALERT - .* \(attacker '<HOST>', file '.*'(?:, line \d+)?\)$

# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
#
ignoreregex =
added two new filter files (PHP url_fopen, lighttpd fastcgi alerts), updated MANIFEST and jail.conf accordingly git-svn-id: https://fail2ban.svn.sourceforge.net/svnroot/fail2ban/branches/FAIL2BAN-0_8@742 a942ae1a-1317-0410-a47c-b1dcaea8d605 15 years ago			`# Fail2Ban configuration file`
			`#`
			`# Author: Arturo 'Buanzo' Busleiman <buanzo@buanzo.com.ar>`
			`#`

ENH: filter.d/suhosin - anchor regex at start 11 years ago			`[INCLUDES]`

			`# Read common prefixes. If any customizations available -- read them from`
			`# common.local`
			`before = common.conf`


added two new filter files (PHP url_fopen, lighttpd fastcgi alerts), updated MANIFEST and jail.conf accordingly git-svn-id: https://fail2ban.svn.sourceforge.net/svnroot/fail2ban/branches/FAIL2BAN-0_8@742 a942ae1a-1317-0410-a47c-b1dcaea8d605 15 years ago			`[Definition]`

ENH: filter.d/suhosin - anchor regex at start 11 years ago			`_daemon = (?:lighttpd\|suhosin)`

added two new filter files (PHP url_fopen, lighttpd fastcgi alerts), updated MANIFEST and jail.conf accordingly git-svn-id: https://fail2ban.svn.sourceforge.net/svnroot/fail2ban/branches/FAIL2BAN-0_8@742 a942ae1a-1317-0410-a47c-b1dcaea8d605 15 years ago			`# Option: failregex`
			`# Notes.: regex to match ALERTS as notified by lighttpd's FastCGI Module`
			`# Values: TEXT`
			`#`
ENH: Change lighttpd-fastcgi to suhosin, and improve regex and samples suhosin is hardened php implmentation, which will log the alerts (as seen in samples) to stderr, which is picked up by fastcgi webserver (e.g. lighttpd, apache, nginx) 12 years ago			`# https://github.com/stefanesser/suhosin/blob/1fba865ab73cc98a3109f88d85eb82c1bfc29b37/log.c#L161`
ENH: filter.d/suhosin - anchor regex at start 11 years ago
			`_lighttpd_prefix = (?:\(mod_fastcgi\.c\.\d+\) FastCGI-stderr:\s)`

			`failregex = ^%(__prefix_line)s%(_lighttpd_prefix)s?ALERT - .* \(attacker '<HOST>', file '.*'(?:, line \d+)?\)$`
added two new filter files (PHP url_fopen, lighttpd fastcgi alerts), updated MANIFEST and jail.conf accordingly git-svn-id: https://fail2ban.svn.sourceforge.net/svnroot/fail2ban/branches/FAIL2BAN-0_8@742 a942ae1a-1317-0410-a47c-b1dcaea8d605 15 years ago
			`# Option: ignoreregex`
			`# Notes.: regex to ignore. If this regex matches, the line is ignored.`
			`# Values: TEXT`
			`#`
			`ignoreregex =`