Ali Akkawi (posted July 24, 2023): I noticed several brute force attacks from different sources over several days.
Marcos (ESET Administrator, posted July 24, 2023): It's typical of servers or machines that are directly accessible from the Internet. Isn't that the case?
Marcos (ESET Administrator, posted July 24, 2023): So... In order to prevent the malicious communication from reaching the server where ESET detects it, blocks it and logs it, put a firewall before the server and filter the communication there depending on what services run on the server and must be accessible from the Internet.
Ali Akkawi (thread author, posted July 24, 2023): Ok for the firewall. But can such a situation be considered an attack, since some of the source IP addresses were blacklisted by ESET, as shown in the figure?
Marcos (ESET Administrator, posted July 24, 2023): Of course, computers directly accessible from the Internet are continually being attacked. If the communication cannot be restricted on a firewall, e.g. because the server works as a web or mail server, it should always be kept up to date and protected against exploitation. Still, you could use a firewall and restrict communication to desired ports or remote IP addresses or subnets, e.g. when it comes to RDP communication from outside.
Ali Akkawi (thread author, posted July 24, 2023): How can I know the username of whoever attempted the attack?
Marcos (ESET Administrator, posted July 24, 2023): Why username? There isn't any. You see the remote IP in the logs.
Ali Akkawi (thread author, posted July 24, 2023): I know, but in some cases the username will give me some indication of who could initiate such an attempt.
Marcos (ESET Administrator, marked as solution, posted July 24, 2023): A username can be sent only after establishing a connection, which doesn't happen if it's blocked due to a blacklisted IP address. However, the brute-force attack detection blocks communication if several wrong login attempts have been made.
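The two blocking layers described in the reply above, as an added illustration that is not ESET's code: a blacklisted source is dropped at connection time, so no username is ever logged for it, while a non-blacklisted source is allowed to connect and is blocked only after several failed logins, which is the point at which usernames become visible. The threshold, addresses and events are constructed assumptions.

```python
"""Toy model of blacklist blocking vs. brute-force detection (added example, not ESET code)."""
from collections import defaultdict

# Assumed threshold; the real ESET value is not stated in the thread.
FAILED_LOGIN_THRESHOLD = 3

# Constructed sample blacklist using documentation-range addresses, not real indicators.
BLACKLIST = {"203.0.113.10"}

# Constructed events: (source_ip, username the client would send, login_succeeded).
EVENTS = [
    ("203.0.113.10", "administrator", False),  # blacklisted: never reaches login
    ("203.0.113.10", "admin", False),
    ("198.51.100.7", "backup", False),
    ("198.51.100.7", "sqlsvc", False),
    ("198.51.100.7", "administrator", False),  # third failure -> brute-force block
    ("198.51.100.7", "guest", False),          # dropped, already blocked
    ("192.0.2.25", "alice", True),             # legitimate login
]


def process_events(events, blacklist=BLACKLIST, threshold=FAILED_LOGIN_THRESHOLD):
    """Return {ip: (decision, failed_login_count, usernames_seen_in_logs)}."""
    failures = defaultdict(int)
    seen_users = defaultdict(list)
    decision = {}
    for ip, user, ok in events:
        if ip in blacklist:
            # Blocked before the connection is established: the username is never seen.
            decision[ip] = "blocked-blacklist"
            continue
        if decision.get(ip) == "blocked-bruteforce":
            # Later attempts from an IP already blocked by the detector are dropped.
            continue
        # Connection established: the login attempt, including its username, is logged.
        seen_users[ip].append(user)
        if ok:
            decision.setdefault(ip, "allowed")
            continue
        failures[ip] += 1
        decision[ip] = "blocked-bruteforce" if failures[ip] >= threshold else "allowed"
    return {ip: (decision[ip], failures[ip], seen_users[ip]) for ip in decision}


if __name__ == "__main__":
    for ip, (verdict, fails, users) in process_events(EVENTS).items():
        print(f"{ip:14} {verdict:18} failures={fails} usernames={users}")
```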