[CentOS-mirror] Chinese IPs - Mirror Stats
Emil
archive at ftp.sunet.se
Fri Jan 22 14:33:50 UTC 2010
--On Friday, January 22, 2010 18.55.11 +0530 "Prof. P. Sriram"
<sriram at ae.iitm.ac.in> wrote:
> On Fri, 22 Jan 2010, Emil wrote:
>> I'm curious though as to why you block them completely, instead of just
>> having them put under some concurrency limit.
>
> The addresses are already under the concurrency limit as described in
> the original post. The netfilter kicks in when there is certain
> volume (requests per minute) EXCEEDING the concurrency limit. A
> human being exceeding the concurrency limit gets an HTTP 503 service
> unavailable message and will hopefully try again only after some
> time, when the concurrency limit is not being exceeded. Well, that
> is the plan, anyway.
Still, the concurrency limit is within apache, right? What I meant
was to put an (additional) limit in netfilter instead of a "complete"
block.

Should you only block new connections when the "ban" kicks in it
won't be too bad, and the effect for the "visitor" should be very
similar to a more gentle limit based approach. If however you put
a block based only on the ip address existing connections will fail
to complete, which obviously will cause them to have a valid reason
to start again as soon as the ban is lifted.

Anyway, thanks for the tip on fail2ban, I may put that to use in
other places!
Regards,
Emil
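
The two kinds of ban contrasted in this message, and the netfilter-level limit it suggests, sketched as an added example that is not part of the original post or of either poster's configuration. It only prints iptables-restore input; the chain name MIRROR_BAN, port 80, the limit value and the documentation-range addresses are assumptions.

```shell
#!/bin/sh
# Added example: prints iptables-restore input only; nothing is loaded.
# Assumptions: chain name MIRROR_BAN, HTTP on port 80, TEST-NET addresses.

# _rules MODE ARG...   (helper; prints the rule lines or fails)
#   full  IP...  drop every packet from a banned IP; in-flight downloads
#                fail and have a reason to restart once the ban is lifted
#   new   IP...  refuse only new connections; established transfers finish
#   limit N      no ban list: cap concurrent connections per source at N
_rules() {
    mode=$1; shift
    case $mode in
    limit)
        case $1 in ''|*[!0-9]*) echo "limit needs a number" >&2; return 1;; esac
        echo "-A INPUT -p tcp --syn --dport 80 -m connlimit --connlimit-above $1 --connlimit-mask 32 -j REJECT --reject-with tcp-reset"
        ;;
    full|new)
        echo ":MIRROR_BAN - [0:0]"
        if [ "$mode" = new ]; then
            # Packets of established flows are accepted before the ban chain.
            echo "-A INPUT -p tcp --dport 80 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
            echo "-A INPUT -p tcp --dport 80 -m conntrack --ctstate NEW -j MIRROR_BAN"
            verdict="REJECT --reject-with tcp-reset"
        else
            echo "-A INPUT -p tcp --dport 80 -j MIRROR_BAN"
            verdict="DROP"
        fi
        for ip in "$@"; do
            # Accept only dotted-decimal characters in a ban entry.
            case $ip in ''|*[!0-9.]*) echo "bad address: $ip" >&2; return 1;; esac
            echo "-A MIRROR_BAN -s $ip -j $verdict"
        done
        ;;
    *)
        echo "unknown mode: $mode" >&2; return 1
        ;;
    esac
}

# emit_ruleset MODE ARG...  prints a complete *filter table, or nothing on error.
emit_ruleset() {
    body=$(_rules "$@") || return 1
    printf '*filter\n:INPUT ACCEPT [0:0]\n%s\nCOMMIT\n' "$body"
}

# Constructed sample: ban two addresses for new connections only.
emit_ruleset new 192.0.2.10 198.51.100.7
```

The output can be checked with `iptables-restore --test` before loading; note that loading it without `--noflush` replaces the existing filter table.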