--On Friday, January 22, 2010 18.55.11 +0530 "Prof. P. Sriram" sriram@ae.iitm.ac.in wrote:
On Fri, 22 Jan 2010, Emil wrote:
I'm curious though as to why you block them completely, instead of just having them put under some concurrency limit.
The addresses are already under the concurrency limit as described in the original post. The netfilter kicks in when there is a certain volume (requests per minute) EXCEEDING the concurrency limit. A human being exceeding the concurrency limit gets an HTTP 503 service unavailable message and will hopefully try again only after some time, when the concurrency limit is not being exceeded. Well, that is the plan, anyway.
Still, the concurrency limit is within apache, right? What I meant was to put an (additional) limit in netfilter instead of a "complete" block.
Should you only block new connections when the "ban" kicks in it won't be too bad, and the effect for the "visitor" should be very similar to a more gentle limit-based approach. If however you put a block based only on the ip address, existing connections will fail to complete, which obviously will cause them to have a valid reason to start again as soon as the ban is lifted.
Anyway, thanks for the tip on fail2ban, I may put that to use in other places!
Regards, Emil
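The three netfilter variants discussed in this exchange, as an added example that is not part of the thread: a blanket per-address drop, a drop that refuses only NEW connections so in-flight requests finish, and a per-source rate limit on new connections instead of a ban. It assumes iptables with the conntrack and hashlimit match modules; setting IPT=echo prints the rules instead of applying them.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes iptables with the
# conntrack and hashlimit match modules; port 80 is the web server.
# Set IPT=echo to dry-run (print the rule instead of installing it).
IPT="${IPT:-iptables}"

# Blanket block: every packet from the address is dropped, including
# packets of connections that were already established, so pages the
# visitor was in the middle of loading break off half way.
ban_all() {
    $IPT -I INPUT 1 -s "$1" -p tcp --dport 80 -j DROP
}

# Gentler block: drop only packets that would open a NEW connection.
# Established connections keep flowing, so nothing already in progress
# fails, and the visitor has less reason to retry when the ban lifts.
ban_new_only() {
    $IPT -I INPUT 1 -s "$1" -p tcp --dport 80 \
        -m conntrack --ctstate NEW -j DROP
}

# No ban at all: allow up to $1 new connections per minute per source
# address (with a burst of $2) and drop only the excess.
limit_new() {
    $IPT -I INPUT 1 -p tcp --dport 80 -m conntrack --ctstate NEW \
        -m hashlimit --hashlimit-name http_new --hashlimit-mode srcip \
        --hashlimit-above "$1/minute" --hashlimit-burst "$2" -j DROP
}
```

Run as root without IPT set to install the rules; fail2ban's ban/unban actions can call ban_new_only instead of its default per-address rule to get the "new connections only" behaviour.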