You can use these commands and rules to search for exploitation attempts against log4j RCE vulnerability CVE-2021-44228
This command searches for exploitation attempts in uncompressed files in folder /var/log and all sub folders
sudo egrep -I -i -r '\$(\{|%7B)jndi:(ldap[s]?|rmi|dns|nis|iiop|corba|nds|http):/[^\n]+' /var/log
| import boto3 | |
| import re | |
| from urllib.request import urlopen | |
| import logging | |
| # https://boto3.amazonaws.com/v1/documentation/api/latest/reference/services/config.html#ConfigService.Client.put_configuration_recorder | |
| # Purpose: | |
| # Activate Custom AWS Record for AWS Config | |
| # Supported resource type: https://docs.aws.amazon.com/config/latest/developerguide/resource-config-reference.html#supported-resources |
| version: "3" | |
| networks: | |
| kong-net: | |
| driver: bridge | |
| services: | |
| ####################################### | |
| # Postgres: The database used by Kong |
| #!/usr/bin/env bash | |
| name=fooAlert-$RANDOM | |
| url='http://localhost:9093/api/v1/alerts' | |
| bold=$(tput bold) | |
| normal=$(tput sgr0) | |
| generate_post_data() { | |
| cat <<EOF | |
| [{ |
| ################################################### | |
| ## | |
| ## Alertmanager YAML configuration for routing. | |
| ## | |
| ## Will route alerts with a code_owner label to the slack-code-owners receiver | |
| ## configured above, but will continue processing them to send to both a | |
| ## central Slack channel (slack-monitoring) and PagerDuty receivers | |
| ## (pd-warning and pd-critical) | |
| ## |
sudo useradd --system --shell /bin/false node_exporter
curl -fsSL https://github.com/prometheus/node_exporter/releases/download/v1.3.1/node_exporter-1.3.1.linux-amd64.tar.gz \
| sudo tar -zxvf - -C /usr/local/bin --strip-components=1 node_exporter-1.3.1.linux-amd64/node_exporter \
&& sudo chown node_exporter:node_exporter /usr/local/bin/node_exporter
| ## AWS | |
| # from http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-metadata.html#instancedata-data-categories | |
| http://169.254.169.254/latest/user-data | |
| http://169.254.169.254/latest/user-data/iam/security-credentials/[ROLE NAME] | |
| http://169.254.169.254/latest/meta-data/iam/security-credentials/[ROLE NAME] | |
| http://169.254.169.254/latest/meta-data/ami-id | |
| http://169.254.169.254/latest/meta-data/reservation-id | |
| http://169.254.169.254/latest/meta-data/hostname | |
| http://169.254.169.254/latest/meta-data/public-keys/0/openssh-key |
| """ | |
| ## Install the Django reverse proxy package: `pip install django-revproxy` | |
| ## Enable auth.proxy authentication in Grafana like the following | |
| ``` | |
| [auth.proxy] | |
| enabled = true | |
| header_name = X-WEBAUTH-USER | |
| header_property = username |
| #!/usr/bin/env python | |
| # -*- coding: utf-8 -*- | |
| # | |
| # Copyright (C) 2017 Canonical Ltd. | |
| # | |
| # This program is free software: you can redistribute it and/or modify it under | |
| # the terms of the GNU General Public License as published by the Free | |
| # Software Foundation, version 3 of the License. | |
| # | |
| # This program is distributed in the hope that it will be useful, but WITHOUT |
| from flask import Flask, request, jsonify, json, abort | |
| from flask_cors import CORS, cross_origin | |
| import pandas as pd | |
| app = Flask(__name__) | |
| cors = CORS(app) | |
| app.config['CORS_HEADERS'] = 'Content-Type' |