Use anchored failregex for filters to avoid possible DoS -- lighttpd-fastcgi

config/filter.d/lighttpd-fastcgi.conf

@@ -3,13 +3,24 @@
 # Author: Arturo 'Buanzo' Busleiman <buanzo@buanzo.com.ar>
 #
 
+[INCLUDES]
+
+# Read common prefixes. If any customizations available -- read them from
+# common.local
+before = common.conf
+
 [Definition]
 
 # Option:  failregex
 # Notes.:  regex to match ALERTS as notified by lighttpd's FastCGI Module
 # Values:  TEXT
 #
-failregex = .*ALERT\ -\ .*attacker\ \'<HOST>\'
+_daemon = (?:lighttpd|suhosin)
+
+_lighttpd_prefix = (?:\(mod_fastcgi\.c\.\d+\) FastCGI-stderr:\s)
+
+failregex = ^%(__prefix_line)s%(_lighttpd_prefix)s?ALERT - .* \(attacker '<HOST>', file '.*'(?:, line \d+)?\)$
+
 
 # Option:  ignoreregex
 # Notes.:  regex to ignore. If this regex matches, the line is ignored.

debian/changelog

@@ -10,6 +10,7 @@ fail2ban (0.8.6-3wheezy3) wheezy-security; urgency=high
     - couriersmtp.conf - anchored on both sides
     - exim.conf - front-anchored versions picked up from exim.conf
       and exim-spam.conf
+    - lighttpd-fastcgi.conf - front-anchored picked up from suhosin.conf
 
  -- Yaroslav Halchenko <debian@onerussian.com>  Sun, 22 Jun 2014 11:56:54 -0400