[CentOS-mirror] Chinese IPs - Mirror Stats

Emil archive at ftp.sunet.se
Fri Jan 22 14:33:50 UTC 2010



--On fredag, januari 22, 2010 18.55.11 +0530 "Prof. P. Sriram" 
<sriram at ae.iitm.ac.in> wrote:

> On Fri, 22 Jan 2010, Emil wrote:
>> I'm curious though as why you block them completely, instead of just
>> have them put under some concurensy-limit.
>
> The addresses are already under the concurrency limit as described in
> the  original post. The netfilter kicks in when there is certain
> volume  (requests per minute) EXCEEDING the concurrency limit. A
> human being  exceeding the concurrency limit gets a HTTP 503 service
> unavailable  message and will hopefully try again only after some
> time, when the  concurrency limit is not being exceeded. Well, that
> is plan, anyway.

Still, the concurrency limit is within apache, right?  What I meant
was to put an (aditional) limit in netfilter instead of a "complete"
block.

Should you only block new connections when the "ban" kicks in it
wonät be too bad, and teh effect for the "visitor" should be very
similar to a more gentle limit based approach.  If however you put
a block based only on the ip address existing connections will fail
to complete, which obviously will cause them to have a valid reason
to start again as soon a the ban is lifted.

Anyway, thanks for the tip on fail2ban, I may put that to use in
other places!

Regards,
        Emil



More information about the CentOS-mirror mailing list