Failed login notifications have alerted me to strange behaviour affecting a handful of people every day.
Users login, do not logout but immediately sometimes over a hundred 'Login failed for user 'xxxxxxx'. Most likely the password did not match (error ID '3').' are logged in the same minute that the login occurred and from the same IP. I see that most are able to login later, usually from a different IP.
We have a high traffic server, use ldaps AD authentication, secure cookies and sessions are stored in the file system.
I have no idea how to proceed to get to the bottom of this. Any advice would be greatly appreciated.
Ubuntu 16.04, PHP 7.0, MySQL 5.7, Moodle 3.5