log4jail icon indicating copy to clipboard operation
log4jail copied to clipboard

Published 20 hours ago verified publisher icon mufeedvh

Metadata

A firewall reverse proxy for preventing Log4J (Log4Shell aka CVE-2021-44228) attacks.

log4jail 🛡️

A fast firewall reverse proxy with TLS (HTTPS) and swarm support for preventing Log4J (Log4Shell aka CVE-2021-44228) attacks.

📖 Table of Contents

  • Introduction
  • Installation
  • Quick Start
  • Proof of Concept
  • For Pentesters

ℹ️ Introduction

log4jail is a quick and dirty solution to block Log4Shell exploit attempts by acting as a reverse proxy scanning complete request body including all headers and request parameters for log4shell payloads.

💡 You can run multiple instances at once by mapping them by port and target in the configuration file.

The firewall follows the mitigation strategies from Google Cloud.

Installation

Download the binary for your OS from Releases OR Install with cargo:

$ cargo install --git https://github.com/mufeedvh/log4jail.git

Install Rust/Cargo

Build From Source

Prerequisites:

  • Git
  • Rust
  • Cargo (Automatically installed when installing Rust)
  • A C linker (Only for Linux, generally comes pre-installed)
$ git clone https://github.com/mufeedvh/log4jail.git
$ cd log4jail/
$ cargo build --release

The first command clones this repository into your local machine and the last two commands enters the directory and builds the source in release mode.

Quick Start

Just run the command and there will be a boilerplate configuration file in the same working directory called log4jail.json.

$ log4jail

The configuration file looks like this:

{
  "host": "127.0.0.1",
  "enable_https": false,
  "tls_cert_path": "cert.pem",
  "tls_key_path": "key.rsa",
  "reject_response_status": 403,
  "reject_response_body": "This request has been blocked.",
  "proxy_mapping": {
    "1337": "http://127.0.0.1:8080/",
    "6969": "http://127.0.0.1:9000/"
  }
}

Configure the values for your environment and run the command again to spin up the proxy!

Proof of Concept

log4jail blocks all attack vectors from log4j-scan with WAF Bypass mode enabled:

$ python3 log4j-scan.py -u http://127.0.0.1:1337/ --run-all-tests --waf-bypass

Screenshot from 2021-12-15 01-34-30

For Pentesters

If you have found any working Log4Shell payloads that can bypass this firewall, please open an issue.

Just run log4jail on any port and include the payload in the HTTP request for fuzz testing.

Metadata

24
Stars
3
Forks
Watchers

Owner

verified publisher icon mufeedvh

Metadata

A firewall reverse proxy for preventing Log4J (Log4Shell aka CVE-2021-44228) attacks.

Back