How do you handle errors triggered by RCE CVE-2025-54068 bots? #9803
-
Maybe someone has some advice for me :) Ever since this CVE has been exploited actively (so December, great write up btw) we get quite a few bots trying it out. We patched it in July, of course, but they do trigger a e.g. We started to block whoever triggers these too often with fail2ban, so something like this:

filter

```
[Definition]
failregex = ^<HOST> .* "POST /livewire/update HTTP/[^"]+" (500)
ignoreregex =
```

jail

```
[livewire-500]
enabled = true
port = http,https
filter = livewire-500
backend = auto
logpath = /var/log/nginx/<some-log>.log
maxretry = 5
findtime = 60
bantime = 86400
action = %(action_mwl)s
```

Any other suggestions? Thanks!
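An offline check of the filter and jail thresholds from the post above, as an added example that is not part of the original discussion or of fail2ban itself. It assumes nginx's "combined" log format and replaces fail2ban's `<HOST>` tag with a simplified capture group; `hosts_to_ban` and `sample_log` are hypothetical names, and the log lines are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Thresholds copied from the jail in the post.
MAXRETRY, FINDTIME = 5, 60

# The post's failregex with fail2ban's <HOST> tag replaced by a simplified
# IPv4/IPv6 capture group (assumption: fail2ban's real <HOST> pattern is broader).
FAILREGEX = re.compile(
    r'^(?P<host>[0-9a-fA-F:.]+) .* "POST /livewire/update HTTP/[^"]+" (500)')
TIMESTAMP = re.compile(r'\[([^\]]+)\]')  # nginx "combined" $time_local


def hosts_to_ban(lines, maxretry=MAXRETRY, findtime=FINDTIME):
    """Return hosts with >= maxretry matching lines inside a findtime window."""
    recent = defaultdict(deque)  # host -> timestamps of recent failures
    banned = []
    for line in lines:
        hit, ts = FAILREGEX.search(line), TIMESTAMP.search(line)
        if not (hit and ts):
            continue
        when = datetime.strptime(ts.group(1), "%d/%b/%Y:%H:%M:%S %z")
        window = recent[hit.group("host")]
        window.append(when)
        # Drop failures that have aged out of the findtime window.
        while (when - window[0]).total_seconds() > findtime:
            window.popleft()
        if len(window) >= maxretry and hit.group("host") not in banned:
            banned.append(hit.group("host"))
    return banned


def sample_log():
    """Constructed access-log lines (documentation addresses, not real traffic)."""
    fmt = '{ip} - - [10/Dec/2025:10:{m:02d}:{s:02d} +0000] "{req}" {code} 512 "-" "bot"'
    post = "POST /livewire/update HTTP/1.1"
    lines = [fmt.format(ip="203.0.113.7", m=0, s=s, req=post, code=500) for s in range(0, 50, 10)]
    # Five 500s, but spread over four minutes: never five within 60 s.
    lines += [fmt.format(ip="198.51.100.9", m=m, s=0, req=post, code=500) for m in range(1, 6)]
    # Successful updates and 500s on other routes must not count.
    lines += [fmt.format(ip="192.0.2.4", m=6, s=s, req=post, code=200) for s in range(6)]
    lines += [fmt.format(ip="192.0.2.5", m=7, s=s, req="POST /login HTTP/1.1", code=500) for s in range(6)]
    return lines


if __name__ == "__main__":
    print(hosts_to_ban(sample_log()))
```

Feeding it a slice of a real access log shows which clients the jail would ban before the rule goes live, and whether a slow client that stays under `maxretry` per `findtime` slips through.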
Replies: 2 comments
-
Bumping this. We're also experiencing this and having issues with Bugsnag being littered with these kinds of errors. Any suggestions?
-
@ghbob and @ventrec we've added some checks into v4 which covered this. I've just backported them to v3 yesterday, so they will be in the next release. See PR #10203. But I'd recommend upgrading to v4 when you can as it has a bunch of improvements, like this.