ENH: Change lighttpd-fastcgi to suhosin, and improve regex and samples

suhosin is hardened php implmentation, which will log the alerts (as seen in samples) to stderr, which is picked up by fastcgi webserver (e.g. lighttpd, apache, nginx)
12 years ago · 8b9bafda79
parent 4033857f63
commit 8b9bafda79
4 changed files with 10 additions and 15 deletions
--- a/2
+++ b/2
@ -101,7 +101,7 @@ config/filter.d/couriersmtp.conf
 config/filter.d/cyrus-imap.conf
 config/filter.d/exim.conf
 config/filter.d/gssftpd.conf
-config/filter.d/lighttpd-fastcgi.conf
+config/filter.d/suhosin.conf
 config/filter.d/named-refused.conf
 config/filter.d/postfix.conf
 config/filter.d/proftpd.conf
--- a/config/filter.d/lighttpd-fastcgi.conf
+++ b/config/filter.d/lighttpd-fastcgi.conf
@ -9,7 +9,8 @@
 # Notes.:  regex to match ALERTS as notified by lighttpd's FastCGI Module
 # Values:  TEXT
 #
-failregex = .*ALERT\ -\ .*attacker\ \'<HOST>\'
+# https://github.com/stefanesser/suhosin/blob/1fba865ab73cc98a3109f88d85eb82c1bfc29b37/log.c#L161
+failregex = ALERT - .* \(attacker '<HOST>', file '.*'(?:, line \d+)?\)$

 # Option:  ignoreregex
 # Notes.:  regex to ignore. If this regex matches, the line is ignored.
--- a/config/jail.conf
+++ b/config/jail.conf
@ -256,25 +256,15 @@ filter  = php-url-fopen
 logpath = /var/www/*/logs/access_log
 maxretry = 1

-# A simple PHP-fastcgi jail which works with lighttpd.
-# If you run a lighttpd server, then you probably will
-# find these kinds of messages in your error_log:
-# ALERT – tried to register forbidden variable ‘GLOBALS’
-# through GET variables (attacker '1.2.3.4', file '/var/www/default/htdocs/index.php')
-# This jail would block the IP 1.2.3.4.
-
-[lighttpd-fastcgi]
+[suhosin]

 enabled = false
-filter  = lighttpd-fastcgi
-action  = iptables-multiport[name=lighttpd-fastcgi, port="http,https"]
+filter  = suhosin
+action  = iptables-multiport[name=suhosin, port="http,https"]
 # adapt the following two items as needed
 logpath = /var/log/lighttpd/error.log
 maxretry = 2

-# Same as above for mod_auth
-# It catches wrong authentications
-
 [lighttpd-auth]

 enabled = false
--- a/testcases/files/logs/suhosin
+++ b/testcases/files/logs/suhosin
@ -0,0 +1,4 @@
+# failJSON: { "time": "2005-03-11T22:52:12", "match": true , "host": "198.51.100.167" }
+Mar 11 22:52:12   lighttpd[53690]: (mod_fastcgi.c.2676) FastCGI-stderr: ALERT - configured request variable name length limit exceeded - dropped variable 'upqchi07vFfAFuBjnIKGIwiLrHo3Vt68T3yqvhQu2TqetQ78roy7Q6bpTfDUtYFR593/MA' (attacker '198.51.100.167', file '/usr/local/captiveportal/index.php')
+# failJSON: { "time": "2005-02-26T22:52:29", "match": true , "host": "198.51.100.77" }
+Feb 26 22:52:29 host suhosin[9636]: ALERT - script tried to increase memory_limit to 268435456 bytes which is above the allowed value (attacker '198.51.100.77', file '/var/www/wordpress/wp-admin/includes/image.php', line 161)