关联漏洞
标题:Apache Log4j 代码问题漏洞 (CVE-2021-44228)Description:Apache Log4j是美国阿帕奇(Apache)基金会的一款基于Java的开源日志记录工具。 Apache Log4J 存在代码问题漏洞,攻击者可设计一个数据请求发送给使用 Apache Log4j工具的服务器,当该请求被打印成日志时就会触发远程代码执行。
Description
fail2ban filter that catches attacks againts log4j CVE-2021-44228
介绍
# fail2ban-log4j
fail2ban filter that catches attacks against log4j CVE-2021-44228
## Installation
Copy this file to your fail2ban filter.d directory, which is usually something like
/etc/fail2ban/filter.d
or similar.
Add an apache-jndi section to your jail.local or jail.conf:
```
[apache-jndi]
enabled = true
filter = apache-jndi
port = http,https
logpath = /var/log/apache2/access.log
bantime = 86400
maxretry = 1
```
In case you need to monitor multiple sites, wildcards may help:
```
[apache-jndi]
enabled = true
filter = apache-jndi
port = http,https
logpath = /var/www/*/logs/access.log
bantime = 86400
maxretry = 1
```
Logpath for LAMP servers managed by ispConfig:
```
logpath = /var/www/clients/client*/web*/log/access.log
```
These are examples assuming
- A single try reveals that they're a bad guy
- You only want to block further http(s) traffic. Of course, you might as well block any other ports, too.
### Effectiveness
As of now, this regex catches jndi:ldap requests that contain "jndi:ldap" and one obfuscated version using "lower".
I'll add more as soon as I find them, but feel free to submit suggestions.
#### Does it work?
Yes and no. From a technical point of view, it does what it is supposed to to. It detects known formats of log4shell attempts and should at least keep those who don't put too much effort in their scans blocked from your machines. Unfortunately, the possibilities of masking / obfuscating these requests are unlimited, so keeping up with all possible RegEx variants might appear like a cat-and-mouse game.
#### Like this?
If this saved you some time, why not [Buy me a coffee](https://www.buymeacoffee.com/atnetws)? ;)
文件快照
[4.0K] /data/pocs/1dec0ec645b869cc0701d50e55c727b80a7ce7e5
├── [ 465] apache-jndi.conf
├── [ 654] Changelog
├── [ 266] fail2ban-sample.conf
├── [ 202] iplist.txt
├── [ 34K] LICENSE
└── [1.7K] README.md
0 directories, 6 files
备注
1. 建议优先通过来源进行访问。
2. 本地 POC 快照面向订阅用户开放;当原始来源失效或无法访问时,本地镜像作为订阅权益的一部分提供。
3. 持续抓取、验证、维护这份 POC 档案需要不少投入,因此本地快照已纳入付费订阅。您的订阅是让这份资料能继续走下去的关键,由衷感谢。 查看订阅方案 →