How to protect your website from Log4j

Log4j is a vulnerability in Apache, which powers the http engine behind almost half of the world's websites

Follow these six rules to insure yourself against becoming the low-hanging fruit

Log4Shell is a critical vulnerability in Log4j, a popular Java logging framework used by Apache - the most widely used HTTP engine for the web. As a consequence, it has impacted millions of servers and therefore websites around the globe.

The zero-day vulnerability allows attackers to execute code on a server or leak sensitive information. By executing code, the attacker can gain root access to the server and all your website files and code.

Christopher Baker, director of a leading web design agency, advises the following:

"With regards to website security… Log4j is a vulnerability that exists in Apache that powers the http engine behind almost 50 per cent of websites on the internet.

"There are patches already available to protect against this vulnerability. If you have a website and haven't already heard from your web host regarding a fix, its extremely important that you contact them to ensure your server software is patched. If you have un-managed hosting you should contact a server technician or website developer to apply the patch for you.

"We've already seen a lot of traffic from bots on our hosting network attempting to exploit this vulnerability since it was announced. It is important that you take action."

Who's behind automated bot attacks against Log4j?

Scammers, hackers and bots, usually attempting to hijack your website for some sort of personal gain.

Most websites tend to be information based, so where no sensitive information can be obtained a hack usually consists of redirecting the website (or injecting redirect code into the website). This can either send users to affiliate links to earn the hacker commission, or link to another website in an attempt to boost that website's SEO rankings (Black Hat SEO, see https://www.wordstream.com/black-hat-seo).

Sometimes a hack can be in the form of ransomware, i.e. "Send me xx bitcoins to get your site back online", but this is much rarer.

In most cases bots are the culprit. When an exploit becomes well known, or is publicly reported on a site like CVE Details (https://www.cvedetails.com/), it doesn't take long for hackers to create a bot that 'probes' for known vulnerabilities. If the exploit is not complex to execute (as with Log4j), the bot can then actually send the code, request sequence, URL etc. needed to perform the exploit.

Here is an example log of a bot performing a URL-based exploit:

Blocked for Directory Traversal - wp-config.php in query string: download = ../wp-config.php
Blocked for Directory Traversal - wp-config.php in query string: ebookdownloadurl = ../../../wp-config.php
Blocked for Directory Traversal - wp-config.php in query string: download = ../../../wp-config.php
Blocked for Directory Traversal - wp-config.php in query string: file = ../../../../wp-config.php
Blocked for Directory Traversal - wp-config.php in query string: file = ../../wp-config.php
Blocked for Directory Traversal - wp-config.php in query string: path = ../../../wp-config.php
Blocked for Directory Traversal - wp-config.php in query string: download_file = ../../../../../wp-config.php
Blocked for Directory Traversal - wp-config.php in query string: filename = ../../../wp-config.php
Blocked for Directory Traversal - wp-config.php in query string: file = ../../../wp-config.php

This is a different hack attempt, not Log4j, but you can see the bot cycling through different known URL exploits, changing the query parameter name and the depth of the ../ sequence each time, in order to download a WordPress config file, which contains the database login details.
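The log above comes from a plugin that already blocks these requests. The following Python script is an added example, not code from the article or from any product it mentions: it shows how you would spot the same "cycling" behaviour yourself in a raw Apache access log, by decoding each query parameter, matching ../ traversal sequences, and flagging any client that sends them under several different parameter names. The log lines, IP addresses, timestamps and the thresholds in flag_probing_clients are all constructed assumptions for the example.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed sample of Apache combined-format access-log lines (not the
# article's own log): one client cycling parameter names with traversal
# payloads aimed at wp-config.php, and one ordinary visitor for contrast.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Dec/2021:12:00:01 +0000] "GET /download.php?download=../wp-config.php HTTP/1.1" 403 199 "-" "python-requests/2.25"
203.0.113.7 - - [10/Dec/2021:12:00:02 +0000] "GET /ebook.php?ebookdownloadurl=../../../wp-config.php HTTP/1.1" 403 199 "-" "python-requests/2.25"
203.0.113.7 - - [10/Dec/2021:12:00:03 +0000] "GET /view.php?file=..%2F..%2F..%2F..%2Fwp-config.php HTTP/1.1" 403 199 "-" "python-requests/2.25"
203.0.113.7 - - [10/Dec/2021:12:00:04 +0000] "GET /get.php?path=../../../wp-config.php HTTP/1.1" 403 199 "-" "python-requests/2.25"
198.51.100.20 - - [10/Dec/2021:12:00:05 +0000] "GET /wp-content/uploads/brochure.pdf HTTP/1.1" 200 48213 "-" "Mozilla/5.0"
"""

# Combined-log prefix: client IP, identity, user, timestamp, request line, status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# A ".." path segment bounded by slashes (or the start/end of the value).
TRAVERSAL_RE = re.compile(r'(^|/)\.\.(/|$)')

# Files whose disclosure hands over credentials; extend for other platforms.
SENSITIVE_FILES = ("wp-config.php",)


def normalise(value: str) -> str:
    """Percent-decode up to twice (so double-encoded payloads collapse too)
    and fold backslashes into forward slashes before pattern matching."""
    for _ in range(2):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value.replace("\\", "/")


def parse_line(line: str):
    """Return a dict with ip, path and decoded query parameters, or None
    if the line is not in combined-log format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    rec["params"] = parse_qsl(parts.query, keep_blank_values=True)
    return rec


def traversal_hits(rec):
    """List (param_name, normalised_value, targets_sensitive_file) for every
    query parameter carrying a directory-traversal sequence."""
    hits = []
    for name, value in rec["params"]:
        v = normalise(value)
        if TRAVERSAL_RE.search(v):
            hits.append((name, v, v.lower().endswith(SENSITIVE_FILES)))
    return hits


def analyse(log_text: str):
    """Aggregate per-client counters: total requests, traversal attempts,
    the distinct parameter names abused, and hits on sensitive files."""
    per_ip = defaultdict(lambda: {"requests": 0, "traversal": 0,
                                  "params": set(), "sensitive": 0})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        stats = per_ip[rec["ip"]]
        stats["requests"] += 1
        for name, _value, sensitive in traversal_hits(rec):
            stats["traversal"] += 1
            stats["params"].add(name)
            if sensitive:
                stats["sensitive"] += 1
    return dict(per_ip)


def flag_probing_clients(stats, min_traversal=2, min_distinct_params=2):
    """A client sending traversal payloads under several different parameter
    names is cycling through known exploit URLs, the bot behaviour seen in
    the article's log. The thresholds are assumptions; tune them to your site."""
    return sorted(ip for ip, s in stats.items()
                  if s["traversal"] >= min_traversal
                  and len(s["params"]) >= min_distinct_params)


if __name__ == "__main__":
    stats = analyse(SAMPLE_LOG)
    for ip in flag_probing_clients(stats):
        s = stats[ip]
        print(f"{ip}: {s['traversal']} traversal attempts across "
              f"{len(s['params'])} parameters, {s['sensitive']} aimed at sensitive files")
```

Run it against your own access log by replacing SAMPLE_LOG with the file contents. Decoding the parameter value before matching matters: the third sample line carries the same payload percent-encoded, and a check on the raw URL would miss it. Flagging on the number of distinct parameter names, rather than on a single blocked request, separates a scanner working through a list of known exploits from a one-off broken link.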

How to protect your website from vulnerabilities

1. Keep your server and website software up to date

When an exploit is exposed, a patch to fix it will in most cases follow shortly after - or even already be available. Keeping your hosting and website software up to date will ensure you are patched against the known vulnerabilities these bots and hackers aim to exploit.

If you host your own website, updates to server software such as Apache can be performed automatically using cron jobs to check for updates. If you use a hosting UI like Plesk or cPanel, these should automatically check for updates and prompt you to apply via a system restart where necessary.

If your website is on a shared or managed hosting service it's important to review your host's security policy to understand their procedure on ensuring the server software is kept up to date. If you're unsure, you should contact them directly to ask.

Application-level software such as a CMS, e.g. WordPress, can be something of a grey area. Unless you have agreed otherwise with a provider, developer, host etc., you should assume that if your website is built on a framework or uses a content management system, it is your responsibility to ensure this software is kept up to date.

Platforms like WordPress are straightforward to update, assuming they are well structured/developed; just log in and update the CMS core and any subsequent plugins. Other systems can be more complex, and require you to involve a developer.

If you have a website that you know uses a CMS or framework that hasn't been updated in some time you should take action to update it, and to ensure it is regularly maintained. Although Log4j is not known to affect the application level, there are lots of other exploits that are likely to.

2. Use a DNS protection or WAF like Cloudflare

Cloudflare is an excellent tool to improve your website's speed and security. It can provide a layer of security at DNS level, monitoring and protecting your site in real time before the traffic reaches your web server. This means less strain on your web server as well as better all round security.

In the case of vulnerabilities such as Log4j, Cloudflare has a 'bot fight mode' that can detect and prevent bots from probing your web server for the vulnerability. In addition, it can provide a web application firewall (WAF) with a managed and self managed set of rules to detect malicious visitors or attacks and block them before they reach your server.

3. Consider security like antivirus (ClamAV) and ModSecurity

Should an attack or potential exploit make it to your server, there are some tools to provide an additional layer of defence.

ModSecurity is an open source WAF module for Apache that can run with a rule set such as the OWASP Core Rule Set to block exploits and attacks in real time as requests arrive. Although very effective, it can produce a lot of false positives, so it's important to test thoroughly before putting it in place in a live environment.

A last line of defence is an antivirus like ClamAV. This can be set on a schedule to systematically scan your server files for malicious code. The problem is that once malicious code is on your server you have already been exploited, and the clean-up and subsequent protection become much more difficult and complex. Often the best strategy is migration and restoring from a clean backup, if available.

4. Use application level protection like Wordfence

If you are not responsible for your hosting management but are responsible for the management of your website and its content management system, then you want to consider application level security. This comes in a few forms, but in the case of leading CMS like WordPress or Drupal there are plenty of modules or plugins that can help secure your site.

My WordPress recommendations include:

  • Wordfence - Firewall, 2FA and general all round security, I highly recommend installing this if you are running a WordPress site
  • WPS Hide Login - concealing the default login URL for any CMS is a simple yet highly recommended way to help prevent various brute force attacks
  • Disable Comments - a plugin that prevents comments and therefore comment spam. If you don't use comments then I highly recommend you install this to disable them altogether

5. Consider investing in custom development

Not necessarily related to Log4j, but custom development of a website or web application often means enhanced security when it comes to bots and known exploits.

Most exploits, such as Log4j, come from open source software or frameworks. When known vulnerabilities arise, they are quickly followed by many bots and hackers looking to take advantage.

Custom development distances your website from these bots and hackers probing for known vulnerabilities. Although it's sensible to still block these malicious bots to save on bandwidth, they will not cause any harm to your website.

6. Put a security policy in place

You should take time to create a security policy that puts in place rules and procedures to ensure that you regularly check and monitor your software, servers, systems etc. to keep them secured from vulnerabilities like Log4j.

You should include aspects such as:

  • Password and credential guidelines - password strength, how often they are cycled, two-factor authentication usage, etc.
  • Access controls - who has access to what, as well as following the principle of least privilege
  • Incident reporting procedures - if there is a security issue, how and to whom it is reported
  • Updates and patches policy - how often, for what, etc.
  • Backup procedure - what is being backed up and how often, retention policy

