Several SMB.Attack.Bruteforce from different sources for several days.

[Ali Akkawi 0]

I noticed with several brute force attacks from different sources for several days. 

[Marcos 5,741]

It's typical of servers or machines that are directly accessible from the Internet. Isn't that the case?

[Ali Akkawi 0]

Yes.

[Marcos 5,741]

So... In order to prevent the malicious communication from reaching the server where ESET detects it, blocks it and logs it, put a firewall before the server and filter the communication there depending on what services run on the server and must be accessible from the Internet.

[Ali Akkawi 0]

Ok for the firewall. But such situation can be considered as attack since some of the source IP addresses were blacklisted by ESET as shown by the figure?

[Marcos 5,741]

Of course, computers directly accessible from the Internet are continually being attacked. If the communication cannot be restricted on a firewall, e.g. because the server works as a web or mail server, it should be always kept up to date and protected against exploitation. Still, you could use a firewall and restrict communication to desired ports or remote IP addresses or subnets, e.g. when it comes to RDP communication from outside.

[Ali Akkawi 0]

How to know the username who attempt the attack?

[Marcos 5,741]

Why username? There's not any. You see the remote IP in the logs.

[Ali Akkawi 0]

I know but in some cases the username will give me some indications who can initiate such attempt.

[Marcos 5,741]

A username can be sent only after establishing a connection which doesn't happen if it's blocked due to a blacklisted IP address. However, the brute-force attack detection blocks communication if several wrong login attempts have been attempted.