Log4Shell is a zero-day vulnerability affecting Java servers and is actively being exploited in the wild. Java is the backend language for a lot of enterprise servers as well as Fortune 1000 websites. If you're the administrator of such a website, you know that the problem probably won't get fixed right away: you'll have a lot of code to audit, and with everyone working from home it might prove difficult to push new changes out to a live website as fast as you'd like.
To mitigate the problem and give yourself some breathing room while you fix it, there are a couple of solutions. I will provide the solutions using both iptables (available on most modern Linux distributions) and RouterOS (the operating system used by all MikroTik products). I'll leave the task of fixing the base problem to your software developers and DevOps team.
The first solution is to block outbound LDAP (Lightweight Directory Access Protocol) calls. By default LDAP uses port 389 over either TCP or UDP.
Using iptables, we could block it as follows:
-A FORWARD -p tcp --dport 389 -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -p udp --dport 389 -j REJECT --reject-with icmp-host-prohibited
Using RouterOS, we could block it as follows:
/ip firewall filter add chain=forward protocol=tcp port=389 action=reject reject-with=icmp-host-prohibited
/ip firewall filter add chain=forward protocol=udp port=389 action=reject reject-with=icmp-host-prohibited
The second solution is to block LDAP in general, in case someone’s chosen to use the non-default port. The common envelope for an LDAP message is the keyword ‘LDAPMessage’, so we can scan for that at layer 7:
Using iptables:
-A FORWARD -m string --algo bm --string "LDAPMessage" -j REJECT --reject-with icmp-host-prohibited
Using RouterOS:
/ip firewall filter add chain=forward protocol=tcp content="LDAPMessage" action=reject reject-with=icmp-host-prohibited
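For the iptables side, here is an added helper script (my own example, not rules from the original post) that puts both mitigations into a dedicated chain, logs each rejected packet before rejecting it so that exploitation attempts show up in the kernel log, and applies the rules idempotently so re-running it never duplicates them. The chain name LOG4SHELL_EGRESS and the log prefix are my own choices; it assumes iptables with the string and limit match modules available.

```shell
#!/bin/sh
# Added example: Log4Shell egress block for LDAP (port 389 + "LDAPMessage" string match)
# in its own chain, with a rate-limited LOG rule ahead of every REJECT rule.
# Chain name and log prefix are assumptions made for this script.

CHAIN="LOG4SHELL_EGRESS"
LOG_PREFIX="log4shell-ldap: "

# Emit the rule bodies (one per line) that belong in the chain. Each LOG rule
# precedes its REJECT so every blocked packet leaves a kernel log line for the SOC.
ldap_block_rules() {
    cat <<EOF
-p tcp --dport 389 -m limit --limit 10/min -j LOG --log-prefix "$LOG_PREFIX"
-p tcp --dport 389 -j REJECT --reject-with icmp-host-prohibited
-p udp --dport 389 -m limit --limit 10/min -j LOG --log-prefix "$LOG_PREFIX"
-p udp --dport 389 -j REJECT --reject-with icmp-host-prohibited
-m string --algo bm --string "LDAPMessage" -m limit --limit 10/min -j LOG --log-prefix "$LOG_PREFIX"
-m string --algo bm --string "LDAPMessage" -j REJECT --reject-with icmp-host-prohibited
EOF
}

# Sanity check: how many REJECT rules the chain will contain (expected: 3).
ldap_reject_rule_count() {
    ldap_block_rules | grep -c -- '-j REJECT'
}

# Apply idempotently: create the chain if missing, hook it into FORWARD once,
# and add each rule only when `iptables -C` reports it is not already present.
apply_ldap_block() {
    iptables -N "$CHAIN" 2>/dev/null || true
    iptables -C FORWARD -j "$CHAIN" 2>/dev/null || iptables -I FORWARD 1 -j "$CHAIN"
    ldap_block_rules | while IFS= read -r rule; do
        # eval keeps the quoted log prefix intact while splitting the other arguments
        eval "iptables -C $CHAIN $rule" 2>/dev/null || eval "iptables -A $CHAIN $rule"
    done
}

# Print the chain as installed; run after applying and again after a reboot
# to confirm the rules actually persisted.
verify_ldap_block() {
    iptables -S "$CHAIN"
}

# Only touch the firewall when explicitly asked: ./ldap-block.sh apply
[ "${1:-}" = "apply" ] && apply_ldap_block && verify_ldap_block
```

Blocked attempts appear in the kernel log with the chosen prefix, which gives you an indicator that a host is being probed even before the application fix ships.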