A day in the life of a small business server under attack

Last reviewed: 18 July 2026

You've rented a server for your website or email, opened the logs for the first time, and found page after page of failed login attempts from countries you've never done business with. It looks like someone has singled you out. Almost certainly, nobody has. This page walks through what those logs actually show on an ordinary day, why the noise is normal, and the short list of things that genuinely keep a small server safe.

Minute one: the door handles get rattled

Put a fresh server on the internet and the first login attempts arrive before you've finished setting it up — often within minutes. They're not aimed at you. Automated scanners sweep the entire public internet around the clock, knocking on every address they find. When your server comes online, it simply joins the list.

The first wave goes for SSH, the remote-admin door on most Linux servers. The log fills with failed logins for usernames like "admin", "root", "test" and "user", each trying passwords from lists of millions harvested in old breaches. A different address every few tries, all day, every day. It reads like a siege. It's closer to weather.

Mid-morning: the WordPress prodding

The web logs tell a second story. Bots request the WordPress login page whether or not you run WordPress. They ask for old plugin files with known holes, forgotten backup archives, database admin panels, configuration files someone might have left in a public folder. Each request takes a fraction of a second, costs the attacker nothing, and gets logged. Multiply by every bot fleet on the internet and you get the steady background hum of any web server's access log.

The logic is brutally simple: the bots aren't looking for you, they're looking for anyone who hasn't patched. A thousand misses and one hit still pays.

Afternoon: the mail server gets the same treatment

Run your own mail and a third pattern appears: connection after connection trying to log in to email accounts with breached username-and-password pairs — credential stuffing. Others probe whether your server will forward mail for strangers, hunting for an open relay to pump spam through. A correctly configured mail server refuses all of it and writes each refusal to the log, which is exactly the pile of entries you're staring at.

Why this is normal, not personal

All of this is untargeted. Nobody chose your business; software chose your address, along with millions of others, because it exists. That distinction matters because it tells you what actually protects you. Against automated background noise you don't need to out-think an adversary — you need to not be the unpatched, password-guessable server the bots are sifting for. The noise never stops, and chasing individual entries in the log is wasted effort. What you want is a doorman.

What fail2ban does

fail2ban is a small free tool that does one job well: it watches your logs, and when one address keeps failing — wrong SSH passwords, hammering the login page, failed mail logins — it tells the firewall to drop that address for a while. Bans expire on their own; persistent offenders get banned again.

The effect on the logs is dramatic. The endless retry chains collapse: an address gets its handful of failures, gets banned, and disappears. Password guessing only works at thousands of attempts; cut each attacker to a few tries and the maths stops working. fail2ban won't stop a determined human, and it doesn't patch anything — it's noise-cancelling, not armour. But it removes the brute-force route entirely and leaves your logs quiet enough that a genuine problem stands out.

The short list that actually keeps a server safe

Four habits do more than any product you can buy:

fail2ban sits alongside those four as the noise filter. It's not a substitute for any of them.

When the noise is worth a second look

Two things justify escalating: failed logins using real staff names rather than generic ones, which suggests someone researched you; and any successful login you can't account for. The first means it may be targeted; the second means assume compromise and get help immediately, starting with changing credentials from a machine you trust. Everything else in the log — the endless generic guessing — is just the internet being the internet.

The short version: Every internet-facing server logs a constant stream of automated break-in attempts within minutes of going online — SSH password guessing, WordPress and vulnerability probes, mail credential stuffing. It's untargeted background noise, not a campaign against you. fail2ban watches the logs and firewall-bans repeat offenders, which kills brute-force attempts and makes real anomalies visible. Actual safety comes from four habits: key-based logins, prompt updates, minimal open ports, and tested backups.

General guidance only — server security depends on your specific setup, so have yours reviewed by someone who manages servers for a living.