Log4Shell Protection

blog20211213-01.cfg

frontend myfrontend
   option http-buffer-request
   acl log4shell url,url_dec -i -m reg (?:\${[^}]{0,4}\${|\${(?:jndi|ctx))
   acl log4shell req.hdrs -i -m reg (?:\${[^}]{0,4}\${|\${(?:jndi|ctx))
   acl log4shell_form req.body,url_dec -i -m reg (?:\${[^}]{0,4}\${|\${(?:jndi|ctx))                                  
   http-request deny if log4shell
   http-request deny if { req.fhdr(content-type) -m str application/x-www-form-urlencoded } log4shell_form

blog20211213-03.conf

SecRule REQUEST_LINE|ARGS|ARGS_NAMES|REQUEST_COOKIES|REQUEST_COOKIES_NAMES|REQUEST_HEADERS|XML://*|XML://@* "@rx (?:\${[^}]{0,4}\${|\${(?:jndi|ctx))" \
    "id:1005,\
    phase:2,\
    block,\
    t:none,t:urlDecodeUni,t:cmdline,\
    log,\
    msg:'Potential Remote Command Execution: Log4j CVE-2021-44228', \
    logdata:'Matched Data: %{MATCHED_VAR} found within %{MATCHED_VAR_NAME}',\
    tag:'application-multi',\
    tag:'language-java',\
    tag:'platform-multi',\
    tag:'attack-rce',\
    tag:'OWASP_CRS',\
    tag:'capec/1000/152/137/6',\
    tag:'PCI/6.5.2',\
    tag:'paranoia-level/1',\
    ver:'OWASP_CRS/3.4.0-dev',\
    severity:'CRITICAL',\
    setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
    setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"

blog20211213-04.sh

$ curl 'localhost/?foo=%24%7B%24%7Blower%3A%24%7Blower%3Ajndi%7D%7D%3A%24%7Blower%3Armi%7D%3A%2F%2F127.0.0.1%2Fpoc'

blog20211213-05.conf

Include /etc/hapee-2.4/modsec.rules.d/crs-setup.conf

blog20211213-06.conf

Include modsecurity/crs-setup.conf