Skip to content

Instantly share code, notes, and snippets.

@jaygooby

jaygooby/log4j-jndi.conf

Last active February 2, 2022 12:04
Show Gist options
  • Save jaygooby/3502143639e09bb694e9c0f3c6203949 to your computer and use it in GitHub Desktop.
Save jaygooby/3502143639e09bb694e9c0f3c6203949 to your computer and use it in GitHub Desktop.
Download ZIP
fail2ban filter rule for the log4j CVE-2021-44228 exploit
Raw
log4j-jndi.conf
# log4j jndi exploit CVE-2021-44228 filter
# Save this file as /etc/fail2ban/filter.d/log4j-jndi.conf
# then copy and uncomment the [log4j-jndi] section
# to /etc/fail2ban/jail.local
#
# [email protected]
# https://jay.gooby.org/2021/12/13/a-fail2ban-filter-for-the-log4j-cve-2021-44228
# https://gist.github.com/jaygooby/3502143639e09bb694e9c0f3c6203949
# Thanks to https://gist.github.com/kocour for a better regex
#
# Bad actors trying to exploit log4j - instaban them with
# this in your /etc/fail2ban/jail.local
#
# We're using maxretry = 1
# because we know that they're a bad actor...
#
# [log4j-jndi]
# maxretry = 1
# enabled = true
# port = 80,443
# logpath = /path/to/your/*access.log
[Definition]
failregex = (?i)^<HOST> .* ".*\$.*(7B|\{).*(lower:)?.*j.*n.*d.*i.*:.*".*?$
@Link0Darck
Copy link

Link0Darck commented Jan 30, 2022
edited
Loading

I found the problem there is no backend your jail says it doesn't find the logs so I point to the logs but need to put a backend

[log4j-jndi]
maxretry = 1
enabled = true
filter = log4j-jndi
port    = 80,443
logpath = /var/log/httpd/*access.log
backend  = %(syslog_backend)s
# Ban IP and report to AbuseIPDB for LOG4J
action = %(action_)s
         %(action_abuseipdb)s[abuseipdb_category="3,4,6,15,18,20,22"]

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment