> You must test things like this thoroughly and monitor your logs extensively.
> Finding this sweet spot took me a matter of a dedicated few hours and then a
> few more days to make sure it was working 100%.

That's what I've just finished doing. :) The working config is (surprisingly) barely different from what I was using:

limit_req zone=lr_zone burst=2 nodelay;
limit_req_zone $binary_remote_addr zone=lr_zone:10m rate=1r/s;

Although I do have burst=5 in a couple locations. I've been monitoring and I like what I see. Some real users get limited but always because they got *really* tap happy on their phone because they didn't want to wait for the page to load.

Do you use limit_conn_zone and limit_conn too?

> These rate rules below:
>
> limit_req_zone $ratelimited zone=flood:50m rate=90r/s
> limit_conn_zone $ratelimited zone=addr:50m;

I don't follow your config. Do you have rates behind the $ratelimited variable that you don't want to post? I wouldn't blame you.

- Grant
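The difference between burst=2 and burst=5 at rate=1r/s, as an added example that is not part of the original message: a simplified leaky-bucket model, assumed here to approximate how limit_req with nodelay accounts for requests from one client. The class name, function name and request timings are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class LimitReqBucket:
    """One client's state in a simplified limit_req ... nodelay model."""
    rate: int                      # requests per second (rate=1r/s -> 1)
    burst: int                     # burst=N from the limit_req directive
    excess: int = 0                # millirequests above the steady rate
    last_ms: Optional[int] = None  # time of the last accepted request

    def allow(self, now_ms: int) -> bool:
        if self.last_ms is None:           # first request from this client
            self.last_ms = now_ms
            return True
        # Drain at `rate` for the elapsed time, then add this request.
        elapsed = max(now_ms - self.last_ms, 0)
        excess = max(self.excess - self.rate * elapsed + 1000, 0)
        if excess > self.burst * 1000:
            return False                   # rejected, state left untouched
        self.excess, self.last_ms = excess, now_ms
        return True


def replay(times_ms, rate=1, burst=2):
    """Return the accept/reject decision for each request timestamp."""
    bucket = LimitReqBucket(rate=rate, burst=burst)
    return [bucket.allow(t) for t in times_ms]


# Constructed timings (milliseconds), not taken from real logs.
TAP_HAPPY = [0, 200, 400, 600, 800]      # five taps inside one second
STEADY = [0, 1000, 2000, 3000]           # one request per second

if __name__ == "__main__":
    print("burst=2 taps  ", replay(TAP_HAPPY, burst=2))
    print("burst=5 taps  ", replay(TAP_HAPPY, burst=5))
    print("burst=2 steady", replay(STEADY, burst=2))
```

In this model the fourth and fifth taps are rejected at burst=2 while steady one-per-second traffic is never limited, and the same five taps all pass at burst=5.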
