On 30.3.2012, at 17.51, Andy Dills wrote:

> On Fri, 30 Mar 2012, Timo Sirainen wrote:
>
>> On 30.3.2012, at 16.25, Andy Dills wrote:
>>
>>> However, when we have the front-end server do a static director proxy, the problem is that authentication failures are logged on the back-end server with a source IP of the proxy, and no authentication failure with the client IP address is logged on the proxy. So, fail2ban (which is a MUST these days, at least for us) will not be able to properly filter out the brute force attackers.
>>
>> This is a simple fix (and something you should do anyway): Add the proxy's IP/netmask to the login_trusted_networks setting in the remote server. For this to work with POP3 you need v2.1.2+.
>
> Well, the problem isn't that my proxies would be banned; the problem is I have no way of seeing the remote IP of the failed authentication so I can ban the people who should be banned.

This is what the setting changes. The remote IP will be seen by the backends.

> It seems obvious in retrospect, but for whatever reason the way the docs were written made me feel like having the full authentication happen on both the proxy and the backend wasn't possible.

Oh. This is a pretty common configuration. I guess the docs could be clarified.
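The effect Timo describes is easiest to see in the backend's own log. The following is an added example, not code from the thread or from Dovecot: it parses the `rip=` field from Dovecot login-process failure lines, counts failures per remote address the way a ban rule would, and flags the misconfiguration where every failure is attributed to the proxy. The log lines are constructed for the example with addresses from documentation ranges (proxy 192.0.2.10, backend 192.0.2.20, client 203.0.113.7); the regex is written against the `imap-login`/`pop3-login` "auth failed" message shape and should be checked against your own logs before you rely on it.

```python
import ipaddress
import re
from collections import Counter

# Matches Dovecot login-process authentication failures (imap-login / pop3-login)
# and captures the remote address reported in rip=. Written for this example;
# verify it against your own log lines, the exact wording can vary by version.
AUTH_FAIL_RE = re.compile(
    r"(?:imap|pop3)-login: (?:Disconnected|Aborted login) \(auth failed[^)]*\):"
    r".*?\brip=(?P<rip>[0-9A-Fa-f.:]+)"
)

# Constructed sample lines (not real hosts). Without login_trusted_networks on the
# backend, every failure carries the proxy's address in rip=, so the real client
# is invisible and a ban rule could only ever ban the proxy itself.
BACKEND_WITHOUT_TRUST = [
    "Mar 30 16:20:01 mail2 dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<alice>, method=PLAIN, rip=192.0.2.10, lip=192.0.2.20",
    "Mar 30 16:20:03 mail2 dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<bob>, method=PLAIN, rip=192.0.2.10, lip=192.0.2.20",
    "Mar 30 16:20:05 mail2 dovecot: pop3-login: Aborted login (auth failed, 1 attempts in 1 secs): user=<carol>, method=PLAIN, rip=192.0.2.10, lip=192.0.2.20",
    "Mar 30 16:20:09 mail2 dovecot: imap-login: Login: user=<dave>, method=PLAIN, rip=192.0.2.10, lip=192.0.2.20",
]

# Same constructed events after the proxy was added to login_trusted_networks:
# the backend now logs the client's address, which is what the ban rule needs.
BACKEND_WITH_TRUST = [
    "Mar 30 17:40:01 mail2 dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<alice>, method=PLAIN, rip=203.0.113.7, lip=192.0.2.20",
    "Mar 30 17:40:03 mail2 dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<bob>, method=PLAIN, rip=203.0.113.7, lip=192.0.2.20",
    "Mar 30 17:40:05 mail2 dovecot: pop3-login: Aborted login (auth failed, 1 attempts in 1 secs): user=<carol>, method=PLAIN, rip=203.0.113.7, lip=192.0.2.20",
    "Mar 30 17:40:09 mail2 dovecot: imap-login: Login: user=<dave>, method=PLAIN, rip=198.51.100.4, lip=192.0.2.20",
]


def count_failures(lines):
    """Count authentication failures keyed by the remote IP Dovecot logged."""
    counts = Counter()
    for line in lines:
        m = AUTH_FAIL_RE.search(line)
        if m:
            counts[m.group("rip")] += 1
    return counts


def offenders(lines, threshold=3):
    """Addresses that reached the failure threshold: what a ban rule would act on."""
    return sorted(ip for ip, n in count_failures(lines).items() if n >= threshold)


def failures_hidden_behind_proxy(lines, proxy_networks):
    """True when every logged failure is attributed to a proxy address.

    That pattern is the symptom of a backend that lacks login_trusted_networks
    for its proxies: the client addresses never reach the log at all.
    """
    nets = [ipaddress.ip_network(n) for n in proxy_networks]
    counts = count_failures(lines)
    if not counts:
        return False
    return all(
        any(ipaddress.ip_address(ip) in net for net in nets) for ip in counts
    )


if __name__ == "__main__":
    for label, lines in (("without trust", BACKEND_WITHOUT_TRUST),
                         ("with trust", BACKEND_WITH_TRUST)):
        print(label, dict(count_failures(lines)),
              "hidden:", failures_hidden_behind_proxy(lines, ["192.0.2.10/32"]))
```

On the first data set the only address that ever crosses the threshold is the proxy, so a ban rule driven by the backend log is useless (or harmful, if it bans the proxy); on the second, the same three failures resolve to the client address. `failures_hidden_behind_proxy` is the check to run after deploying a director: if it stays true, the proxy is not yet listed in the backend's `login_trusted_networks`.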