Thanks for the response.
I searched the detail of every attack, long and tedious but turns out that it was a small number of ip addresses in China.
Drupal has now blocked ips and a Rule redirection works well taking blocked IPs off site. Rule is set to a high minus number so it has precedence. Also reacts to "page not found" error. Rules sends an email to me reporting attempts and entries are not logged. After 5 faulty attempts to login an ip is blocked for 60 minutes.
I would like email notification of new ips but do not understand how to do that. I can't find how to get a View to display specific info from Reports. Views seem to only react to user content.
At lease I can monitor somewhat. In the start there were quite a number of attempts now it's a few a day and I can see instantly what and when without entering the site. thanks again Roger
There is also the restrict_ip module[1] which does the opposite of what the cor ip blocking function does and you have to provide the list of allowed addresses, everyone else gets access denied.
https://drupal.org/project/issues/restrict_ip?categories=bug
-
Roger