On 8/18/2011 2:15 PM, Rudi Ahlers wrote:
> On Thu, Aug 18, 2011 at 9:09 PM, Always Learning<centos at u61.u22.net> wrote:
>>
>> On Thu, 2011-08-18 at 21:01 +0200, Rudi Ahlers wrote:
>>
>>> I need to automatically block any user who abuses bandwidth, either
>>> incoming or outgoing. I should be able to set the limits, in either
>>> rate/s or usage/s: 1Mb/s or 10GB/h, for example.
>>
>> First question is:
>>
>> (a) how can you get the IP address?
>
> I don't fully understand your question.
> How do you get any IP address from any machine that connects to a
> server on the internet? netstat shows the IPs,

You said 'user', which may or may not map to a consistent, single IP address.

> /var/log/http/access.log shows the IPs and I'm sure it's listed in
> other places as well.

Are these web browser clients, locally attached PCs, or what?

> We currently use ntop to monitor the server's usage, but there's no
> way to automatically block an abusive IP.

What's 'abusive'? If they are using a web app, let the app monitor the connection of a logged-in user and handle them appropriately.

>
> Ideally I would like to get a dedicated firewall, or dedicated Linux /
> UNIX firewall appliance for this purpose as it needs to monitor and
> protect a whole bunch of servers

A separate box won't know what is going on. Suppose you have a remote mail server relaying in or out for a large number of users. The intermediate box will see a lot of smtp traffic to/from one IP, but it will correspond to a lot of users. Likewise for web users behind a company proxy.

--
Les Mikesell
lesmikesell at gmail.com
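To show the per-IP versus per-user attribution problem the reply above raises, here is an added example that is not from this thread: it parses Apache combined-format access log lines (the access.log mentioned above), sums response bytes per client per hour, and lists whoever crossed a limit, once keyed by client IP and once by the authenticated user. The log lines, the addresses and the 10 MB/h limit are constructed for the demonstration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache "combined" format: host ident authuser [date] "request" status bytes ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] "[^"]*" \d{3} (?P<bytes>\d+|-)'
)

# Constructed sample: three authenticated users behind one proxy address, one direct user.
LOG_SAMPLE = """\
198.51.100.7 - alice [18/Aug/2011:21:05:12 +0200] "GET /iso/a.bin HTTP/1.1" 200 4000000 "-" "curl/7.21"
198.51.100.7 - bob [18/Aug/2011:21:07:40 +0200] "GET /iso/b.bin HTTP/1.1" 200 4000000 "-" "curl/7.21"
198.51.100.7 - carol [18/Aug/2011:21:09:03 +0200] "GET /iso/c.bin HTTP/1.1" 200 4000000 "-" "curl/7.21"
203.0.113.5 - dave [18/Aug/2011:21:30:00 +0200] "GET /iso/d.bin HTTP/1.1" 200 11000000 "-" "wget/1.12"
203.0.113.5 - dave [18/Aug/2011:22:01:00 +0200] "GET /iso/e.bin HTTP/1.1" 200 500000 "-" "wget/1.12"
""".splitlines()
LIMIT_BYTES = 10_000_000  # 10 MB/h, scaled down from the 10GB/h figure for the sample

def parse_line(line):
    """Return (ip, authuser or None, timestamp, response bytes), or None if unparsable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    size = 0 if m.group("bytes") == "-" else int(m.group("bytes"))
    user = None if m.group("user") == "-" else m.group("user")
    return m.group("ip"), user, ts, size

def usage_per_hour(lines, key="ip"):
    """Sum response bytes per (identity, hour); identity is the client IP or the authuser."""
    totals = defaultdict(int)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip malformed lines rather than crash on a log glitch
        ip, user, ts, size = rec
        ident = ip if key == "ip" else user
        if ident is None:
            continue  # unauthenticated request: cannot be charged to a user
        totals[(ident, ts.strftime("%Y-%m-%dT%H"))] += size
    return totals

def over_limit(totals, limit_bytes):
    """Identities that exceeded limit_bytes in at least one hour."""
    return sorted({ident for (ident, _hour), b in totals.items() if b > limit_bytes})

if __name__ == "__main__":
    print("by ip:  ", over_limit(usage_per_hour(LOG_SAMPLE, "ip"), LIMIT_BYTES))
    print("by user:", over_limit(usage_per_hour(LOG_SAMPLE, "user"), LIMIT_BYTES))
```

Keyed by IP the proxy address looks abusive because three users share it; keyed by the authenticated user only dave is over the limit, which is the distinction a box sitting in front of the server cannot make.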