--On Friday, January 22, 2010 17.41.17 +0530 "Prof. P. Sriram" <sriram at ae.iitm.ac.in> wrote:

> On Fri, 22 Jan 2010, Karanbir Singh wrote:
>> On 01/22/2010 08:43 AM, Prof. P. Sriram wrote:
>>> We had a similar issue at the centos (and other stuff) mirror at
>>> ftp.iitm.ac.in some months ago. We have solved it effectively
>>> using per ip connection limit and fail2ban.
>>
>> The problem with this is that you have effectively made your mirror
>> non usable for offices and organisations that only have 1 ip
>> address to the world. There are quite a few of them.
>
> I believe a correction might be in order - we have made it non-usable
> for those that have 1 ip address and want to download at a rate
> exceeding 5 active connections per minute. Do you know of any such
> organizations? Shouldn't they be enhancing their connectivity?

I'm not getting into the "right/or/wrong" aspects of this, as both of you have valid points.

I'm curious though as to why you block them completely, instead of just having them put under some concurrency limit. As I understand it you are injecting rules into netfilter to have the abusing addresses blocked, so I think it should be simple enough to put a limit on these addresses using the same injection mechanism. Or?

Regards,
Emil
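The limit-instead-of-block approach Emil asks about, as an added example that is not part of the thread: a fail2ban action file in which the ban rule caps a source address's concurrent connections with the netfilter connlimit match rather than dropping it. The chain layout follows the style of fail2ban's stock iptables action; the port (80), protocol (tcp) and threshold (5 concurrent connections) are assumed values, not the mirror's real settings.

```ini
# Added example (not from the thread): fail2ban action that throttles a
# banned address instead of cutting it off. Port, protocol and maxconn
# below are assumptions; adjust them for the service being protected.
[Definition]

# On start: create a dedicated chain and hook it into the input chain
# for the protected port, exactly as a normal iptables action would.
actionstart = iptables -N fail2ban-<name>
              iptables -A fail2ban-<name> -j RETURN
              iptables -I <chain> -p <protocol> --dport <port> -j fail2ban-<name>

# On stop: unhook, flush and delete the chain.
actionstop = iptables -D <chain> -p <protocol> --dport <port> -j fail2ban-<name>
             iptables -F fail2ban-<name>
             iptables -X fail2ban-<name>

# fail2ban runs this to verify the chain is still present.
actioncheck = iptables -n -L <chain> | grep -q 'fail2ban-<name>[ \t]'

# Ban: only connection attempts beyond <maxconn> simultaneous ones from
# the address are rejected. The first <maxconn> keep working, so a NAT'd
# office sharing one address is slowed down rather than locked out.
actionban = iptables -I fail2ban-<name> 1 -s <ip> -p <protocol> --dport <port> -m connlimit --connlimit-above <maxconn> --connlimit-mask 32 -j REJECT

# Unban: delete exactly the rule inserted above.
actionunban = iptables -D fail2ban-<name> -s <ip> -p <protocol> --dport <port> -m connlimit --connlimit-above <maxconn> --connlimit-mask 32 -j REJECT

[Init]
# Values in this section are substituted for the <tag>s above.
name = default
chain = INPUT
port = 80
protocol = tcp
# Assumed per-address cap on simultaneous connections.
maxconn = 5
```

connlimit counts connections the kernel currently tracks for the address, so the cap applies to concurrency rather than to a per-minute rate; a limit on new connections per minute would use the `recent` or `hashlimit` match instead.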