On 30.3.2012, at 16.25, Andy Dills wrote:

> However, when we have the front-end server do a static director proxy, the
> problem is that authentication failures are logged on the back-end server
> with a source IP of the proxy, and no authentication failure with the
> client IP address is logged on the proxy. So, fail2ban (which is a MUST
> these days, at least for us) will not be able to properly filter out the
> brute force attackers.
This is a simple fix (and something you should do anyway): Add the proxy's IP/netmask to the login_trusted_networks setting in the remote server. For this to work with POP3 you need v2.1.2+.

> My solution was an alternative: I authenticate with our /bin/checkpassword
> on the proxy, which authenticates the user and only at that point returns
> the proxy=y nopassword=y switch to proxy the connection and forward the
> authentication.

Hm. Doesn't it do that even without nopassword=y?
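The login_trusted_networks fix described above, as an added configuration example that is not part of this thread; the addresses (192.0.2.10 for the proxy, 198.51.100.20 for the back-end) and file paths are constructed assumptions, not anyone's real deployment:

```conf
# --- Back-end (remote) server: conf.d/10-auth.conf ---
# Without this, every failed login arrives from the proxy and the log shows
# rip=192.0.2.10 (the proxy itself), so fail2ban on the back-end would ban
# the proxy rather than the attacking client.
#
# Listing the proxy's address here lets it forward the real client IP/port,
# so auth-failure log lines carry the client's IP and fail2ban can match it.
# Use the narrowest mask that covers your proxies (a /32 per proxy host).
# Forwarding for POP3 requires Dovecot v2.1.2 or newer.
login_trusted_networks = 192.0.2.10/32

# --- Proxy (front-end) server ---
# The passdb answers with proxy=y plus the back-end host, and the login
# process forwards the client's original IP to the back-end, which accepts
# it only because the proxy is in login_trusted_networks there.
passdb {
  driver = static
  args = proxy=y host=198.51.100.20
}
```

With the trusted-network entry in place, failures are attributed to the client address on the back-end, so a single fail2ban instance watching the back-end log sees the source it needs to ban.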