Last active
February 2, 2022 12:04
-
-
Save jaygooby/3502143639e09bb694e9c0f3c6203949 to your computer and use it in GitHub Desktop.
fail2ban filter rule for the log4j CVE-2021-44228 exploit
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # log4j jndi exploit CVE-2021-44228 filter | |
| # Save this file as /etc/fail2ban/filter.d/log4j-jndi.conf | |
| # then copy and uncomment the [log4j-jndi] section | |
| # to /etc/fail2ban/jail.local | |
| # | |
| # jay@gooby.org | |
| # https://jay.gooby.org/2021/12/13/a-fail2ban-filter-for-the-log4j-cve-2021-44228 | |
| # https://gist.github.com/jaygooby/3502143639e09bb694e9c0f3c6203949 | |
| # Thanks to https://gist.github.com/kocour for a better regex | |
| # | |
| # Bad actors trying to exploit log4j - instaban them with | |
| # this in your /etc/fail2ban/jail.local | |
| # | |
| # We're using maxretry = 1 | |
| # because we know that they're a bad actor... | |
| # | |
| # [log4j-jndi] | |
| # maxretry = 1 | |
| # enabled = true | |
| # port = 80,443 | |
| # logpath = /path/to/your/*access.log | |
| [Definition] | |
| failregex = (?i)^<HOST> .* ".*\$.*(7B|\{).*(lower:)?.*j.*n.*d.*i.*:.*".*?$ |
I found the problem there is no backend your jail says it doesn't find the logs so I point to the logs but need to put a backend
[log4j-jndi]
maxretry = 1
enabled = true
filter = log4j-jndi
port = 80,443
logpath = /var/log/httpd/*access.log
backend = %(syslog_backend)s
# Ban IP and report to AbuseIPDB for LOG4J
action = %(action_)s
%(action_abuseipdb)s[abuseipdb_category="3,4,6,15,18,20,22"]
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Just collating in a single comment the changes I chose/had to make to get this working for me, mostly from the comments above.
I chose to use the regex suggested by @ursut. Thanks for sharing this @jaygooby!