Not sure what happened.

Someone was able to change a number of settings on my minera setup. I was exposing the web port (I know, bad bad), but I had changed the default web password. However, that said, they were still able to change my pool, added their IP to the cgminer API whitelist, as well as changed the web password for minera so I could not log in.

At any rate, where do the failed login attempts get logged to (is there a log file some place)? I'd like to try and setup Fail2Ban, so this hopefully doesn't happen again in the future?

[EDIT]
Some more details, for anyone that cares.

Here is the IP that was added to the whitelist: 93.183.238.234
Here is the Pools they added:

stratum+tcp://scrypt.hk.nicehash.com:3333,3PrTbZQaWJL9b3Uq6vEMgkgLHiZoRWTMmL.152,x
stratum+tcp://litecoinpool.org:3333,newvol.2,1

They also removed those pools (probably after realizing I only have 40 GH/s on a couple of stick miners :-)

They then left my old pools, but changed the usernames to their own BTC addresses to gather the dust I produce.