Dear Niklas Gustavsson:

One question here, shouldn't the check for max connections per IP be independent of the user ID? I'm thinking of this limit as a measure for inhibiting users trying to get around the max conns per user limit by using multiple user names. In the current shape, what would be the use case for the limit?

Here is my opinion: The user-account-level login limit per IP address is a more fine-grained access control than the pure IP address login limit. Here is a scenario for this: the FTP welcomes upload activities while limiting download activities. Two accounts, upload (unlimited login) and download (1 login), are created. In this case, the account-level access control will do the job while the IP-only solution cannot deal with it.

Although the end user may bypass this limit by using multiple user names, the precondition is that the system has multiple accounts and the user knows their passwords. Normally this will not happen easily at all. Meanwhile, the global connection limit, together with the IP restrictor, can partially prevent a misbehaving user's attack on the server.

------
Best regards,
Tony Zhou
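
The upload/download scenario from the message above, as an added example that is not part of the original e-mail or of any FTP server's code. The `LoginLimiter` class, the client address and the sequence of login attempts are assumptions made up for illustration.

```python
from collections import Counter

class LoginLimiter:
    """Toy admission check for concurrent logins (constructed, not server code)."""

    def __init__(self, per_user_ip, per_ip=None, global_max=None):
        self.per_user_ip = per_user_ip  # account -> max logins per IP, None = unlimited
        self.per_ip = per_ip            # max logins per IP over all accounts, None = off
        self.global_max = global_max    # max logins on the whole server, None = off
        self.by_user_ip = Counter()
        self.by_ip = Counter()

    def login(self, user, ip):
        """Return True and record the session if every configured limit allows it."""
        if user not in self.per_user_ip:
            return False  # unknown account
        limit = self.per_user_ip[user]
        if limit is not None and self.by_user_ip[(user, ip)] >= limit:
            return False
        if self.per_ip is not None and self.by_ip[ip] >= self.per_ip:
            return False
        if self.global_max is not None and sum(self.by_ip.values()) >= self.global_max:
            return False
        self.by_user_ip[(user, ip)] += 1
        self.by_ip[ip] += 1
        return True

CLIENT = "192.0.2.10"  # constructed address from the documentation range
ATTEMPTS = ["upload", "upload", "upload", "download", "download"]

def run(limiter, attempts=ATTEMPTS, ip=CLIENT):
    """Replay login attempts from one client IP and return the accept/reject list."""
    return [limiter.login(user, ip) for user in attempts]

def account_level():
    # The two accounts from the message: upload unlimited, download 1 login.
    return run(LoginLimiter({"upload": None, "download": 1}))

def ip_only(per_ip):
    # Same accounts with no account-level limit, only a shared per-IP cap.
    return run(LoginLimiter({"upload": None, "download": None}, per_ip=per_ip))

def account_level_with_global(global_max):
    # Account-level limits plus the global connection limit as a backstop.
    return run(LoginLimiter({"upload": None, "download": 1}, global_max=global_max))

if __name__ == "__main__":
    print(account_level())
    print(ip_only(1), ip_only(5))
    print(account_level_with_global(3))
```

With a shared per-IP cap, a low value rejects the extra uploads and a high value admits the second download, so no single value gives "uploads unlimited, downloads 1".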
