Skip to content

Instantly share code, notes, and snippets.

@jaygooby
Last active February 2, 2022 12:04
Show Gist options
  • Save jaygooby/3502143639e09bb694e9c0f3c6203949 to your computer and use it in GitHub Desktop.
Save jaygooby/3502143639e09bb694e9c0f3c6203949 to your computer and use it in GitHub Desktop.
fail2ban filter rule for the log4j CVE-2021-44228 exploit
# log4j jndi exploit CVE-2021-44228 filter
# Save this file as /etc/fail2ban/filter.d/log4j-jndi.conf
# then copy and uncomment the [log4j-jndi] section
# to /etc/fail2ban/jail.local
#
# jay@gooby.org
# https://jay.gooby.org/2021/12/13/a-fail2ban-filter-for-the-log4j-cve-2021-44228
# https://gist.github.com/jaygooby/3502143639e09bb694e9c0f3c6203949
# Thanks to https://gist.github.com/kocour for a better regex
#
# Bad actors trying to exploit log4j - instaban them with
# this in your /etc/fail2ban/jail.local
#
# We're using maxretry = 1
# because we know that they're a bad actor...
#
# [log4j-jndi]
# maxretry = 1
# enabled = true
# port = 80,443
# logpath = /path/to/your/*access.log
[Definition]
failregex = (?i)^<HOST> .* ".*\$.*(7B|\{).*(lower:)?.*j.*n.*d.*i.*:.*".*?$
@dakloifarwa
Copy link

Do we need to extend the regex pattern for the next CVE? CVE-2021-45105
https://thehackernews.com/2021/12/apache-issues-3rd-patch-to-fix-new-high.html
Any ideas?

@Link0Darck
Copy link

I debugged my jail.local and the problem is log4j

@JarmBlueOak
Copy link

JarmBlueOak commented Jan 19, 2022

Just collating in a single comment the changes I chose/had to make to get this working for me, mostly from the comments above.

# log4j jndi exploit CVE-2021-44228 filter
# Save this file as /etc/fail2ban/filter.d/log4j-jndi.conf
# then copy and uncomment the [log4j-jndi] section 
# to /etc/fail2ban/jail.local
#
# jay@gooby.org
# https://jay.gooby.org/2021/12/13/a-fail2ban-filter-for-the-log4j-cve-2021-44228
# https://gist.github.com/jaygooby/3502143639e09bb694e9c0f3c6203949
# Thanks to https://gist.github.com/kocour for a better regex
#
# Bad actors trying to exploit log4j - instaban them with
# this in your /etc/fail2ban/jail.local
#
# We're using maxretry = 1 
# because we know that they're a bad actor...
#
# [log4j-jndi]
# maxretry = 1
# filter = log4j-jndi
# action = your_actions_here
# enabled = true
# port = 80,443
# logpath = /path/to/your/*access.log

[Definition]
failregex = (?i)^<HOST> .* ".*(\$|%%24).*(\{|%%7B).*(lower:)?.*j.*n.*d.*i.*(:|%%3A).*".*?$
ignoreregex = 

I chose to use the regex suggested by @ursut. Thanks for sharing this @jaygooby!

@Link0Darck
Copy link

Link0Darck commented Jan 30, 2022

I found the problem there is no backend your jail says it doesn't find the logs so I point to the logs but need to put a backend

[log4j-jndi]
maxretry = 1
enabled = true
filter = log4j-jndi
port    = 80,443
logpath = /var/log/httpd/*access.log
backend  = %(syslog_backend)s
# Ban IP and report to AbuseIPDB for LOG4J
action = %(action_)s
         %(action_abuseipdb)s[abuseipdb_category="3,4,6,15,18,20,22"]

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment