Retrieve malicious IP addresses from Apache logs and block them with iptables

Gabriel Talavera asked:

Im trying to keep away some attackers that try to exploit XSS vulnerabilities from my website, I have found that most of the malicious attempts start with a classic “alert(document.cookie);” test. The site is not vulnerable to XSS but I want to block the offending IP addresses before they found a real vulnerability, also, to keep the logs clean.

My first thought is to have a script constantly checking in the Apache logs all IP addresses that start with that probe and send those addresses to an iptables drop rule. With something like this:

cat /var/log/httpd/-access_log | grep “alert(document.cookie);” | awk ‘{print $1}’ | uniq

Why would be an effective way to send the output of that command to iptables?

Thanks in advance for any input!

My answer:


You’ll be happy to know that you don’t have to write a program; fail2ban already does this.


View the full question and answer on Server Fault.

Creative Commons License
This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.