Forensic reconstruction from access.log — 780 requests, single 24-hour window.
Baseline traffic holds at ~19–36 requests/hour all day. Hour 03 spikes to 173 — a ~6× surge that is the brute-force burst.
All events below are from IP 203.0.113.66 — 140 requests total.
Every figure computed directly from the log.
Enforce per-IP rate limiting with automatic lockout after a handful of failed logins (e.g. 5 failures in 15 minutes) plus mandatory MFA on /api/login, which would have halted the 137-attempt burst from 203.0.113.66 after the first few tries.