--On Friday, January 22, 2010 18.55.11 +0530 "Prof. P. Sriram" <sriram at ae.iitm.ac.in> wrote:

> On Fri, 22 Jan 2010, Emil wrote:
>> I'm curious though as to why you block them completely, instead of just
>> having them put under some concurrency limit.
>
> The addresses are already under the concurrency limit as described in
> the original post. The netfilter kicks in when there is a certain
> volume (requests per minute) EXCEEDING the concurrency limit. A
> human being exceeding the concurrency limit gets an HTTP 503 service
> unavailable message and will hopefully try again only after some
> time, when the concurrency limit is not being exceeded. Well, that
> is the plan, anyway.

Still, the concurrency limit is within apache, right? What I meant was to put an (additional) limit in netfilter instead of a "complete" block. Should you only block new connections when the "ban" kicks in, it won't be too bad, and the effect for the "visitor" should be very similar to a more gentle limit-based approach. If however you put a block based only on the IP address, existing connections will fail to complete, which obviously will cause them to have a valid reason to start again as soon as the ban is lifted.

Anyway, thanks for the tip on fail2ban, I may put that to use in other places!

Regards,
Emil
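To make the two alternatives in the exchange concrete, here is an added example (not code from either poster) showing the "complete" per-address block beside the gentler netfilter variant Emil describes: existing connections are passed by conntrack and only NEW connections are refused, with a hashlimit rule as the limit-based option. It assumes iptables with the conntrack and hashlimit match modules; the address, port and rates are constructed placeholders, and IPT defaults to a print-only function so nothing is applied unless you run it as root with IPT=iptables.

```shell
# Print-only stand-in for iptables; set IPT=iptables to apply the rules for real.
show() { printf '%s\n' "$*"; }
IPT="${IPT:-show}"

# Complete block on a source address (the variant Prof. Sriram describes).
# Packets of connections already in progress are dropped as well, so those
# transfers fail and the visitor has a reason to retry when the ban is lifted.
ban_complete() {
    addr="$1"
    $IPT -A INPUT -s "$addr" -p tcp --dport 80 -j DROP
}

# Gentler ban: traffic of connections that already exist keeps flowing,
# only new connection attempts from the address are refused.
ban_new_only() {
    addr="$1"
    $IPT -A INPUT -s "$addr" -p tcp --dport 80 \
        -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -s "$addr" -p tcp --dport 80 \
        -m conntrack --ctstate NEW -j DROP
}

# Limit-based alternative for all sources: per-source-IP cap on new
# connections per minute (30/min sustained, burst of 10; constructed values)
# instead of any per-address ban at all.
limit_new_connections() {
    $IPT -A INPUT -p tcp --dport 80 -m conntrack --ctstate NEW \
        -m hashlimit --hashlimit-name web-new --hashlimit-mode srcip \
        --hashlimit-above 30/min --hashlimit-burst 10 -j DROP
}
```

Because the rules only narrow what is dropped, the usual early `--ctstate ESTABLISHED,RELATED -j ACCEPT` rule in INPUT must precede the bans for in-flight connections to survive.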