Ali Akkawi (Posted July 24, 2023)
I noticed several brute-force attacks from different sources for several days.
Marcos (Administrators, Posted July 24, 2023)
It's typical of servers or machines that are directly accessible from the Internet. Isn't that the case?
Ali Akkawi (Author, Posted July 24, 2023)
Yes.
Marcos (Administrators, Posted July 24, 2023)
So... In order to prevent the malicious communication from reaching the server where ESET detects it, blocks it and logs it, put a firewall before the server and filter the communication there depending on what services run on the server and must be accessible from the Internet.
Ali Akkawi (Author, Posted July 24, 2023)
OK for the firewall. But can such a situation be considered an attack, since some of the source IP addresses were blacklisted by ESET, as shown in the figure?
Marcos (Administrators, Posted July 24, 2023)
Of course, computers directly accessible from the Internet are continually being attacked. If the communication cannot be restricted on a firewall, e.g. because the server works as a web or mail server, it should always be kept up to date and protected against exploitation. Still, you could use a firewall and restrict communication to desired ports or remote IP addresses or subnets, e.g. when it comes to RDP communication from outside.
Ali Akkawi (Author, Posted July 24, 2023)
How can I know the username that attempted the attack?
Marcos (Administrators, Posted July 24, 2023)
Why username? There's not any. You see the remote IP in the logs.
Ali Akkawi (Author, Posted July 24, 2023)
I know, but in some cases the username will give me some indication of who can initiate such an attempt.
Marcos (Administrators, Solution, Posted July 24, 2023)
A username can be sent only after establishing a connection, which doesn't happen if it's blocked due to a blacklisted IP address. However, the brute-force attack detection blocks communication if several wrong login attempts have been attempted.