I've put together some notes on something I've been working on recently, detecting multiple login attempts to web servers that are behind load balancers and would be interested in any thoughts, comments, or pointing out where it could be done better.
The article is at:
http://centos.tips/fail2ban-behind-a...load-balancer/