Block Log4j Outbound Connections

TL;DR

CVE-2021-44228 (Log4Shell) allows attackers to execute code on your servers. Blocking outbound connections can prevent compromised systems from communicating with attacker-controlled infrastructure, limiting damage. This guide shows you how.

Blocking Outbound Connections

1. Understand the Risk: Log4j vulnerabilities allow remote code execution. Even if you patch, blocking outbound traffic adds a layer of defence against potentially compromised systems attempting to connect to malicious servers.
2. Identify Potential Outbound Traffic: Attackers often use DNS and standard HTTP/HTTPS ports (80, 443) for command-and-control. Look for unusual connections from your servers.
   • Use network monitoring tools to identify outbound traffic patterns.
   • Check firewall logs for suspicious destinations.
3. Firewall Rules (iptables – Linux): Use iptables to block outbound connections to known malicious IPs or ranges.

   sudo iptables -A OUTPUT -p tcp --dport 80 -j DROP

   sudo iptables -A OUTPUT -p tcp --dport 443 -j DROP

   sudo iptables -A OUTPUT -p udp --dport 53 -j DROP

   Important: These rules block *all* outbound traffic on those ports. Refine them to only block suspicious destinations.

4. Firewall Rules (ufw – Linux): If you use UFW, the commands are simpler.

   sudo ufw deny 80

   sudo ufw deny 443

   sudo ufw deny 53

   Again, refine these rules to avoid blocking legitimate traffic.

5. Windows Firewall: Use the Windows Defender Firewall with Advanced Security.
   • Open ‘Windows Defender Firewall with Advanced Security’.
   • Create a new Outbound Rule.
   • Select ‘Port’ and specify TCP ports 80, 443, and UDP port 53.
   • Choose ‘Block the connection’.
   • Apply the rule to appropriate profiles (Domain, Private, Public).
6. Cloud Provider Firewalls: If you’re using AWS, Azure, or Google Cloud, use their respective firewall services (Security Groups, Network Security Groups, Firewall Rules).
   • AWS Security Groups: Modify inbound and outbound rules for your EC2 instances.
   • Azure Network Security Groups: Create rules to block traffic to specific destinations.
   • Google Cloud Firewall Rules: Define rules based on IP ranges, ports, and protocols.
7. DNS Filtering: Consider using a DNS filtering service that blocks known malicious domains.
   • Services like Quad9 or OpenDNS can help prevent connections to attacker infrastructure.
8. Regularly Update Blocklists: Malicious IPs and domains change frequently. Keep your blocklists updated from reputable sources.
   • Automate the update process if possible.
9. Monitor Firewall Logs: Continuously monitor firewall logs for blocked connections to identify potential compromises or false positives.
10. Test Your Rules: After implementing rules, test connectivity to ensure legitimate traffic isn’t affected. Use tools like ping or traceroute.

Blocking outbound connections is a temporary mitigation measure. Patching Log4j and addressing the root cause of the vulnerability are crucial for long-term security.