[Dev] Blocking MTD's

dev@trilug.org
Thu, 28 Feb 2002 13:29:07 -0500


MTD = Microsoft Transmitted Diseases

I run my own webserver.  It's a pentium 90mhz with 48 megs of ram, and
1.5 gigs of disk.

I am quite tired of seeing a line like the following in my apache log
files:

66.20.67.210 - - [28/Feb/2002:05:44:58 -0500] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 224


Sure I can ignore those lines, or write a cron job to remove them from
the log file altogether, but it's the principle involved; the waste
of bandwidth, firing up my disk every few minutes, etc. etc.

I can add the following command to never see packets from that IP
again:

iptables -A INPUT -s 66.20.67.210  -j DROP

( I don't care if whoever is at that address can't access my page;
chances are it's some script kiddie or an infected server, and even if
it is someone I know, I can just remove that line from
my firewall config to grant them access again. )

Right now I have a script that reads the log file, and automatically
DROP's the packets from whomever looks like an MTD spreader.  This is
little better than the problem though, as it fires up my harddisk every
few minutes.  (I'll be happy to share this perl script if anyone wants
to see it. ) Also, by the time I drop them, I've already got 10+ entries in
the log file from that IP, and I will only be blocking future packets
from that IP.  In other words... the annoyance has already happened. ( Is
that a word? )

Is it possible to have the firewall ( iptables v1.2.1a on RH7.2 )
inspect the contents of each packet for signatures of MTDs?

If not, is there a way to have apache log its output to both a file and
a program?  That way, my perl script would only cause disk activity by
writing a new rule to the firewall.

Any questions or comments would be greatly appreciated.
My apologies if this does not fit the usual forum topic parameters.

Thank you for your time,

Nathan Harrington
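The second question in the post (feeding log lines to a program instead of polling the file) is what Apache's piped logs do: a CustomLog directive whose target starts with `|` launches the program once and writes every log line to its stdin, so no extra disk reads are needed and a line is seen the moment it is logged. The script below is an added example, not the poster's Perl script and not part of the original message. It assumes a directive such as `CustomLog "|/usr/local/sbin/mtd-block.py --apply" common` alongside the normal file log (the script path and flag name are hypothetical), parses each line, looks for the traversal-to-cmd.exe pattern shown in the post, and emits the same `iptables -A INPUT -s <ip> -j DROP` rule once per offending address. The sample log lines at the bottom are constructed for the demonstration.

```python
#!/usr/bin/env python3
"""Read Apache log lines from stdin (piped log) and block MTD-style probers.

Added example: the Apache directive, script path and --apply flag are
assumptions for illustration, not configuration from the original post.
"""
import ipaddress
import re
import subprocess
import sys

# Apache common/combined log prefix: ip ident user [timestamp] "request" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)'
)

# Signatures taken from the log line quoted in the post: an encoded ".." traversal
# out of /scripts/ that ends in cmd.exe under /winnt/system32/.
SIGNATURES = (
    re.compile(r"cmd\.exe", re.IGNORECASE),
    re.compile(r"/winnt/system32/", re.IGNORECASE),
    re.compile(r"/scripts/\.\.%", re.IGNORECASE),
)


def parse_line(line):
    """Return (client_ip, request) for a well-formed log line, else None."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return m.group("ip"), m.group("req")


def is_mtd_request(request):
    """True when the request line carries any of the worm signatures."""
    return any(sig.search(request) for sig in SIGNATURES)


def offending_ips(lines):
    """Unique client IPs (in first-seen order) whose requests match a signature.

    Log content is attacker-influenced, so the address is validated with
    ipaddress before it is ever placed into a firewall command.
    """
    seen = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, request = parsed
        if not is_mtd_request(request):
            continue
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            continue  # not a literal address (e.g. HostnameLookups on); skip it
        if ip not in seen:
            seen.append(ip)
    return seen


def drop_rule(ip):
    """The rule from the post, as an argv list so no shell is involved."""
    return ["iptables", "-A", "INPUT", "-s", ip, "-j", "DROP"]


def main(argv):
    """Piped-log mode: block each offending IP the first time it shows up."""
    apply_rules = "--apply" in argv
    blocked = set()
    for line in sys.stdin:  # Apache keeps this pipe open and writes line by line
        for ip in offending_ips([line]):
            if ip in blocked:
                continue
            blocked.add(ip)
            rule = drop_rule(ip)
            if apply_rules:
                subprocess.run(rule, check=False)
            else:
                print(" ".join(rule))


# Constructed sample input: the line quoted in the post plus an ordinary hit.
SAMPLE_LOG = [
    '66.20.67.210 - - [28/Feb/2002:05:44:58 -0500] '
    '"GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 224',
    '192.0.2.7 - - [28/Feb/2002:05:45:10 -0500] "GET /index.html HTTP/1.0" 200 1043',
    '66.20.67.210 - - [28/Feb/2002:05:45:30 -0500] '
    '"GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 224',
]

if __name__ == "__main__":
    main(sys.argv[1:])
```

Because the script runs under the Apache parent process, it needs enough privilege to call iptables when `--apply` is used; a common arrangement is to have it only print rules (as it does by default) and let a separate privileged consumer apply them, so the web server itself never holds firewall rights. Blocking on the first matching request still logs that one line, but it removes the "10+ entries before the block lands" window described in the post.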