Apache – How to Block Malicious IPs from Apache Logs Using iptables


I'm trying to keep away some attackers that try to exploit XSS vulnerabilities on my website. I have found that most of the malicious attempts start with a classic "alert(document.cookie);" test. The site is not vulnerable to XSS, but I want to block the offending IP addresses before they find a real vulnerability, and also to keep the logs clean.

My first thought is to have a script constantly checking the Apache logs for all IP addresses that start with that probe and sending those addresses to an iptables drop rule, with something like this:

# grep the log directly (no need for cat); sort before deduplicating, since uniq only collapses adjacent duplicates
grep "alert(document.cookie);" /var/log/httpd/-access_log | awk '{print $1}' | sort -u

What would be an effective way to send the output of that command to iptables?

Thanks in advance for any input!

Best Answer

You'll be happy to know that you don't have to write a program; fail2ban already does this.
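A minimal fail2ban filter and jail for exactly the probe described in the question, added here as an example (it is not part of the original answer and not shipped with fail2ban); the jail name, filter name, log path glob and ban timings are assumptions, and the regex only matches the literal, unencoded form of the probe as it appears in the log line.

```ini
# /etc/fail2ban/filter.d/apache-xss-probe.conf   (hypothetical filter name)
[Definition]
# Apache combined/common log line: "<client ip> - <user> [date] "GET /path?q=... HTTP/1.1" 200 123"
# <HOST> is fail2ban's placeholder for the client address and must be
# anchored at the start of the line so the right field is banned.
# Note: the match is against the raw log text, so a URL-encoded probe
# (alert%28document.cookie%29) needs its own pattern; literal '%' must be
# written as '%%' in fail2ban config files because of interpolation.
failregex = ^<HOST> - \S+ \[[^\]]+\] "(GET|POST|HEAD) [^"]*alert\(document\.cookie\);[^"]*"
ignoreregex =

# /etc/fail2ban/jail.d/apache-xss-probe.local   (hypothetical jail name)
[apache-xss-probe]
enabled   = true
filter    = apache-xss-probe
port      = http,https
# assumed log location; adjust to the real access log path
logpath   = /var/log/httpd/*access_log
# one probe is enough to ban; tune findtime/bantime to taste
maxretry  = 1
findtime  = 600
bantime   = 86400
# inserts the DROP rules into iptables and removes them when the ban expires
banaction = iptables-multiport
```

Before enabling the jail, check the regex against a real log with `fail2ban-regex /var/log/httpd/access_log /etc/fail2ban/filter.d/apache-xss-probe.conf`, which reports how many lines matched and which host field was extracted.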