I guess I shouldn't have commented on this topic in here, which is only indirectly related to the article's topic. Anyway, here's a bit more detail: the approach that popa3d uses, and which I like so far (compared to possible alternatives), is based purely on connection rate per source address. In fact, its primary purpose was/is to improve availability of the service when under connection flood (whether intentional or not) from one or from a handful of source addresses. It is also reducing password probing as a nice side-effect. Default settings are: 500 sessions max, 50 per-source max (yes, NAT is considered here), a session is considered active for no less than 10 seconds after its startup. This allows for up to 5 new connections (and thus authentication attempts) per second per source IP address on average (but it also allows for spikes for up to 50 when not under flood from the address). Indeed, these settings may need to be tuned on larger/smaller servers.