The wordpress blog software is a popular target for attacks. I normally have fail2ban running with some rules to detect bad things on sites behind haproxy but due to some other work on the firewall rules I had fail2ban temporarily disabled. Someone/something at IP address 51.103.24.29 (A Microsoft-managed IPv4 address) noticed this and fired off a brute force script which ended up making 521525 attempts at logging in, none of which worked. It was stopped when I enabled fail2ban again. The first indication of interesting amounts of things happening was that the disc i/o led of the server was blinking a lot. The second indication was the high amount of traffic seen for the specific backend in haproxy. Later I also discovered the actual power use of the server was higher.
The wordpress blog software is a popular target for attacks. I normally have
fail2ban running with some rules to detect bad things on sites behind haproxy
but due to some other work on the firewall rules I had fail2ban temporarily
disabled.
Someone/something at IP address 51.103.24.29 (A Microsoft-managed IPv4
address) noticed this and fired off a brute force script which ended up making
521525 attempts at logging in, none of which worked. It was stopped when I
enabled fail2ban again.
The first indication of interesting amounts of things happening was that the
disc i/o led of the server was blinking a lot. The second indication was
the high amount of traffic seen for the specific backend in haproxy.
Later I also discovered the actual power use of the server was higher.