I don't understand why 127.0.0.1 is the address that always gets added to the autoban list regardless of the user's public IP address.
This means that if a bot or a malicious user tries to access a legitimate user's account, it will also ban the real account owner if he/she tries to login.
I thought only the public IP address of the user (failed attempts) would be banned but it's always 127.0.0.1 which blocks anyone from accessing the account.
Is there a way to just block the failed attempt user's IP address or an octet range?
What am I not understanding?
To me, it does not make sense to block account access from all IP addresses.