Im trying to keep away some attackers that try to exploit XSS vulnerabilities from my website, I have found that most of the malicious attempts start with a classic "alert(document.cookie);\" test. The site is not vulnerable to XSS but I want to block the offending IP addresses before they found a real vulnerability, also, to keep the logs clean.
My first thought is to have a script constantly checking in the Apache logs all IP addresses that start with that probe and send those addresses to an iptables drop rule. With something like this:
cat /var/log/httpd/-access_log | grep "alert(document.cookie);" | awk '{print $1}' | uniq
Why would be an effective way to send the output of that command to iptables?
Thanks in advance for any input!