Blocking HTTP Ports
I noticed a bit of an uptick in Log4j abuses.
Something like three years ago (based on my log4jexploit experiment container), someone discovered that a malformed (but not uncommon) log4j message string could allow JNDI to attempt to gain access to your Java application. At the time, there were a bunch of attempts in my logs, which I noted in the write-up. Those tapered off pretty quickly, as the Log4j peeps removed the ability to run that JNDI parser, so everyone updated their Log4j version, or fixed their log strings.
In the last few days, I've noticed a ton of them in my logs again. Thankfully, there's an IDS rule to block those IPs, and the attempts were indeed coming directly to my servers, and not through the CDN. I imagine that Cloudflare has blocks in place. I'm glad that my IDS is able to identify and stop them, but it's unfortunately a bit of whack-a-mole.
So I decided to dive in. I fixed my local iptables script to allow me to provide a whitelist of IPs and networks to allow to access my web servers, and I blocked the rest. I'll update my https://gitlab.com/jekewa/iptables project with the tweaks, after I clean them up for wholesale use.
I think I have another small hiccup with the whitelist. It seems the Uptimerobot.com monitor I use sometimes notes one of the web servers is down, even though they're all just fine. At the next poll, the failing server invariably returns. I haven't done much more than look as quickly as possible after getting the alert, but since I see no problems and it returns, I figure it might be something like missing one of their servers in my whitelist. The script downloads their list, as noted in their docs, but maybe there's one formatted poorly, or something like that.
I have also had the whitelist get wiped out, causing the server to go offline, but that only happened once. And I have some inconsistent results from another external tool, https://check-host.net/check-http, as all of their servers can hit my IP with HTTP, even though the firewall says it shouldn't be able to.
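As an added example (not code from the gitlab iptables project above), here is a POSIX shell sketch of that allow-list step: every entry of a downloaded list is validated before an iptables rule is emitted for it, so one poorly formatted line is reported and skipped rather than handed to iptables or allowed to empty the chain. The port list, chain name and sample list are assumptions; the script only prints the commands, it applies nothing.

```shell
#!/bin/sh
# Added example, not the author's gitlab iptables script: build a whitelist chain
# for the web ports from a downloaded allow list, validating every entry first.
WEB_PORTS="${WEB_PORTS:-80,443}"   # assumed: HTTP and HTTPS
CHAIN="${CHAIN:-WEB_ALLOW}"        # assumed chain name

# Constructed sample list, not real Uptimerobot.com data: a comment, a blank line,
# a CRLF ending, a bare IP, a CIDR, an out-of-range octet and an IPv6 prefix.
SAMPLE_LIST="# constructed sample
203.0.113.7
198.51.100.0/24

192.0.2.9$(printf '\r')
300.1.1.1
2001:db8::/32"

# Succeed only for a well-formed IPv4 address or IPv4 CIDR (IPv6 is out of scope
# here), so one bad line in the download is skipped instead of fed to iptables.
valid_ipv4_cidr() {
  ip=${1%%/*}
  case "$1" in */*) pfx=${1#*/} ;; *) pfx=32 ;; esac
  case "$pfx" in ''|*[!0-9]*) return 1 ;; esac
  [ "$pfx" -le 32 ] || return 1
  case "$ip" in .*|*.|*..*) return 1 ;; esac
  old_ifs=$IFS; IFS=.; set -- $ip; IFS=$old_ifs
  [ $# -eq 4 ] || return 1
  for o in "$@"; do
    case "$o" in ''|*[!0-9]*) return 1 ;; esac
    [ "$o" -le 255 ] || return 1
  done
  return 0
}

# Read the list on stdin and print the iptables commands (nothing is applied here):
# rebuild the chain, one ACCEPT per valid entry, DROP everything else, and hook the
# chain into INPUT for the web ports only if that jump is not already present.
build_rules() {
  printf 'iptables -N %s 2>/dev/null; iptables -F %s\n' "$CHAIN" "$CHAIN"
  tr -d '\r' | sed 's/#.*//' | while read -r entry _; do
    [ -n "$entry" ] || continue
    if valid_ipv4_cidr "$entry"; then
      printf 'iptables -A %s -s %s -j ACCEPT\n' "$CHAIN" "$entry"
    else
      printf 'skipping malformed entry: %s\n' "$entry" >&2
    fi
  done
  printf 'iptables -A %s -j DROP\n' "$CHAIN"
  printf 'iptables -C INPUT -p tcp -m multiport --dports %s -j %s 2>/dev/null || ' "$WEB_PORTS" "$CHAIN"
  printf 'iptables -I INPUT -p tcp -m multiport --dports %s -j %s\n' "$WEB_PORTS" "$CHAIN"
}

# Dry run on the constructed sample; for real use pipe the downloaded list in instead.
printf '%s\n' "$SAMPLE_LIST" | build_rules
```

The same validation can be fed the CDN's published ranges so the firewall stays consistent with what the CDN actually sends from; the skip messages on stderr are the first place to look when a monitor reports a server down.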
Still working on it, but just something to note.