On 30.3.2012, at 17.51, Andy Dills wrote:

> On Fri, 30 Mar 2012, Timo Sirainen wrote:
>
>> On 30.3.2012, at 16.25, Andy Dills wrote:
>>
>>> However, when we have the front-end server do a static director proxy, the
>>> problem is that authentication failures are logged on the back-end server
>>> with a source IP of the proxy, and no authentication failure with the
>>> client IP address is logged on the proxy. So, fail2ban (which is a MUST
>>> these days, at least for us) will not be able to properly filter out the
>>> brute force attackers.
>>
>> This is a simple fix (and something you should do anyway): Add the
>> proxy's IP/netmask to login_trusted_networks setting in the remote
>> server. For this to work with POP3 you need v2.1.2+.
>
> Well, the problem isn't that my proxies would be banned; the problem is I
> have no way of seeing the remote IP of the failed authentication so I can
> ban the people who should be banned.

This is what the setting changes. The remote IP will be seen by the backends.

> It seems obvious in retrospect, but for whatever reason the way the docs
> were written made me feel like having the full authentication happen on
> both the proxy and the backend wasn't possible.

Oh. This is a pretty common configuration. I guess the docs could be clarified.
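The fix Timo describes, shown as a Dovecot configuration fragment for the back-end server. This is an added illustration, not configuration posted in the thread; the proxy network 192.0.2.0/24 is a placeholder, and `auth_verbose` is included only so the failures fail2ban needs are actually logged.

```conf
# Added example (not from the thread): dovecot.conf on the BACK-END server.
# Placeholder: the front-end proxies are assumed to live in 192.0.2.0/24.
# Listing the proxies here makes the backend trust the client IP the proxy
# forwards, so auth-failure log lines record the real client address rather
# than the proxy's. Without this, every failure looks like it came from the
# proxy and fail2ban cannot tell attackers apart (or would ban the proxy).
login_trusted_networks = 192.0.2.0/24

# Log failed authentication attempts so fail2ban has something to match on.
auth_verbose = yes
```

With this in place the backend's login-process log lines carry the original client address in the `rip=` field, which is the value a fail2ban filter for Dovecot should key on. As the thread notes, POP3 proxying needs Dovecot v2.1.2 or later for the client address to be forwarded.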