I am not a star in analyzing log files, but I had the impression that the number of attacks we had should not cause the site to stop functioning. It wasn’t a generic server issue, as it had enough resources to work with and I could just log in as root. The only thing that happened was that 4 of the 8 threads we can run in parallel were at 100%, causing PHP-FPM to stop functioning. I changed the configuration parameters and found a set that allowed the site to keep functioning even with all 8 threads at 100%, and blocked some Lithuanian IPs in the process. That actually took more time than I thought, as the way the documentation says it loads the various configuration files is apparently not how it is implemented. What was left at that moment was a brute force attack for a MySQL injection from a single IP, which I blocked.
As to why, I see regular attacks for mail accounts, so our mail server could be used for sending out spam mails. I see about 100 tries a day to get direct access to the server, and every now and then someone is doing brute force attacks to detect a MySQL injection, which can also be used to get access to the server. Up to now, all without any success, fortunately.
As far as the time it took to solve this, well, I have a full-time job, so I could only work on it when I got home.