Linux - Security forum (LinuxQuestions.org)
This forum is for all security-related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
I want to log HTTP requests for all IPs that send 700 or more requests per minute.
The rule below does not work because the hit count is too high.
iptables -A INPUT -p tcp -s 0/0 --dport 8080 -m recent --set --name HTTP
iptables -A INPUT -p tcp -s 0/0 --dport 8080 -m recent --update --seconds 60 --hitcount 700 --rttl --name HTTP -j LOG
You should not be trying to log JBoss requests through iptables; it should be done by grepping the JBoss server logs via a shell script in a cron job, or whichever way you like.
Why not? If he's after specific traits of the network traffic, and not necessarily the actual application usage, then I'd say iptables is the perfect place to do this. Having said that though, the request was 700 requests, not 700 packets...
Looking around, you can change the hitcount limit by setting ipt_pkt_list_tot when you explicitly load the module in modprobe.conf, but all the talk about it I see is setting it at 50 or 60 when the default is 20, and 700 is a serious amount higher. Maybe you could reduce the numbers you're tracking? Say, 50 in 5 seconds instead?
You could also reduce the number of applicable hits by only tracking new connections, but then any connections being reused would not be relevant.
Last edited by acid_kewpie; 02-06-2011 at 09:38 AM.
@ashwin_cse
If it were just to log, I would use log4j, and yes, I am using it.
What I actually meant by -j LOG is: if I am satisfied with the output of the log, then change -j LOG to -j DROP.
I would say 700 requests per minute would be the ideal solution.
Why?
e.g. say 50 in 5 sec
In this case a given IP could send 50 requests within 5 seconds and then not send any request for the next 55 seconds. In this case I don't want to log. Only if the total requests over 60 seconds reach 700 should it log.
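As an added example (not from any poster in this thread), here is the log-side version of the rule that ashwin_cse suggests: a per-client sliding window over the JBoss access log with the same shape as `recent --seconds 60 --hitcount 700`, but counting HTTP requests rather than packets, so the xt_recent ip_pkt_list_tot limit does not apply. The Common Log Format layout and the three client IPs are assumptions; the log lines are constructed, not captured traffic.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Common Log Format, as written by the JBoss/Tomcat AccessLogValve "common" pattern (assumed).
CLF_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "[^"]*" \d{3} \S+')
CLF_TIME = "%d/%b/%Y:%H:%M:%S %z"

def parse_line(line):
    """Return (client_ip, epoch_seconds) for one access-log line, or None if it does not parse."""
    m = CLF_RE.match(line)
    if not m:
        return None
    return m.group(1), datetime.strptime(m.group(2), CLF_TIME).timestamp()

def find_bursts(lines, hitcount=700, seconds=60):
    """Per-client sliding window over requests, like 'recent --seconds 60 --hitcount 700'
    but counting HTTP requests instead of packets.
    Returns {ip: epoch of the request that first reached the threshold}."""
    windows = defaultdict(deque)   # ip -> timestamps still inside the window
    flagged = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, ts = parsed
        q = windows[ip]
        q.append(ts)
        while q and ts - q[0] >= seconds:   # expire requests older than the window
            q.popleft()
        if len(q) >= hitcount and ip not in flagged:
            flagged[ip] = ts
    return flagged

def constructed_log():
    """Constructed sample log (not real traffic); lines are grouped per client,
    which is fine because the window is kept per client."""
    base = datetime(2011, 2, 6, 9, 38, 0, tzinfo=timezone.utc)
    plan = [
        ("203.0.113.7", 5, 10),    # 50 requests in 5 s, then silence: the "50 in 5 sec" case
        ("198.51.100.9", 60, 12),  # 720 requests in 60 s: crosses 700 inside one window
        ("192.0.2.5", 100, 7),     # 700 requests over 100 s: never 700 inside any 60 s window
    ]
    lines = []
    for ip, duration, per_second in plan:
        for t in range(duration):
            stamp = (base + timedelta(seconds=t)).strftime(CLF_TIME)
            lines += [f'{ip} - - [{stamp}] "GET /app/ HTTP/1.1" 200 512'] * per_second
    return base.timestamp(), lines
```

With the default 700-in-60-s threshold only 198.51.100.9 is flagged; with 50-in-5-s the bursty 203.0.113.7 is flagged as well, which is exactly the client the original poster does not want logged.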