[CentOS-mirror] Chinese IPs - Mirror Stats
archive at ftp.sunet.se
Fri Jan 22 12:23:37 UTC 2010
--On Friday, January 22, 2010 17.41.17 +0530 "Prof. P. Sriram"
<sriram at ae.iitm.ac.in> wrote:
> On Fri, 22 Jan 2010, Karanbir Singh wrote:
>> On 01/22/2010 08:43 AM, Prof. P. Sriram wrote:
>> > We had a similar issue at the centos (and other stuff) mirror at
>> > ftp.iitm.ac.in some months ago. We have solved it effectively
>> > using per ip connection limit and fail2ban.
>> The problem with this is that you have effectively made your mirror
>> non usable for offices and organisations that only have 1 ip
>> address to the world. There are quite a few of them.
> I believe a correction might be in order - we have made it non-usable
> for those that have 1 ip address and want to download at a rate
> exceeding 5 active connections per minute. Do you know of any such
> organizations? Shouldn't they be enhancing their connectivity?
I'm not getting into the "right/or/wrong" aspects of this, as both
of you have valid points.
I'm curious though as to why you block them completely, instead of just
having them put under some concurrency limit.
As I understand it you are injecting rules to netfilter to have the
abusing addresses blocked, so I think it should be simple enough to
put a limit on these addresses using the same injection mechanism. Or?
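
The throttle-instead-of-block idea raised above, as an added example that is not part of the original message or of any poster's configuration: a dry-run generator for the rules a ban action could inject. The chain name, the cap of 2 connections, ports 21 and 80, and the sample address are assumptions.

```shell
#!/bin/sh
# Added example: print (do not execute) netfilter rules that throttle
# flagged addresses instead of dropping them.
CHAIN="mirror-throttle"   # hypothetical chain name
LIMIT=2                   # assumed concurrent-connection cap for flagged hosts

# Accept only a dotted-quad IPv4 address. The value ends up on an iptables
# command line, so anything else is refused before a rule is built.
valid_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ -n "$octet" ] && [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# One-time setup: a chain that resets new TCP connections from a source
# address once that address already holds more than LIMIT connections.
setup_rules() {
    echo "iptables -N $CHAIN"
    echo "iptables -A $CHAIN -p tcp --syn -m connlimit --connlimit-above $LIMIT --connlimit-mask 32 -j REJECT --reject-with tcp-reset"
    echo "iptables -A $CHAIN -j RETURN"
}

# Per-address rule: what the ban action would inject in place of a DROP.
throttle_rule() {
    valid_ipv4 "$1" || { echo "refusing invalid address: $1" >&2; return 1; }
    echo "iptables -I INPUT -s $1 -p tcp -m multiport --dports 21,80 -j $CHAIN"
}

# Matching removal for when the ban time expires.
unthrottle_rule() {
    valid_ipv4 "$1" || return 1
    echo "iptables -D INPUT -s $1 -p tcp -m multiport --dports 21,80 -j $CHAIN"
}

# Constructed sample run (192.0.2.0/24 is a documentation range).
setup_rules
throttle_rule 192.0.2.10
```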