Detect and block Log4j exploitation attempts with CrowdSec
If you work in Infosec, you had a very lousy weekend. And that’s because of the Log4j zero-day vulnerability (CVE-2021-44228) that was discovered. We had no choice but to roll up our sleeves to help our community before things got messier than they already were.
As a result, we have released a scenario that will help you detect and block exploitation attempts of the vulnerability. This new scenario can be directly downloaded from our Hub and installed in a blink of an eye. Check this quick video to see the plugin in action:
As CrowdSec is all about crowd power and given the size of our quickly growing network, we are collecting a lot of IP addresses attempting to exploit this vulnerability. You can check the list here. It is updated several times a day and, needless to say, you should block the ones that are “validated”.
Those IP addresses were curated by our consensus algorithm, meaning they had a lot of votes against them coming from our user network. The ones in “not enough data” state are highly suspicious but can still contain some false positives, up to you. The ones categorized as “benign” are IPs used by people that usually are on the good side of the fence, they probably scan to help and not to undermine.
Alternatively, you can use our replay mode to analyze your servers’ logs to check if an exploitation of Log4j was attempted at your place, by who and when, using the appropriate scenario and the below command line:
sudo cscli hub update sudo cscli scenarios install crowdsecurity/apache_log4j2_cve-2021-44228 sudo systemctl reload crowdsec # sudo crowdsec --dsn "file://<log_file_path>" -no-api --type <log_type> sudo crowdsec --dsn "file:///var/log/nginx/access.log" -no-api --type nginx sudo cscli alerts list --scenario crowdsecurity/apache_log4j2_cve-2021-44228
We also published a real-time Log4j threat tracker, where you can visualize critical data such as most used Autonomous Systems (AS) by cybercriminals trying to exploit the vulnerability, the IP list of course with related country and number of threats, as reported by the CrowdSec community.
Let’s band together and bring our environments back to optimum security.