Small Doctor's office running Windows 2003 on their Server behind a Linksys WRT54G wireless router.
Since I started logging all the events on pcAnywhere on Oct. 22nd of this year, there has been a sustained dictionary attack against the open Host of pcAnywhere. Attack frequency is anywhere from 5 times a minute to 5 times an hour, with periodic breaks of 1 or 2 hours. Usernames entered are sometimes alphabetical, sometimes not. Usernames entered are generic, such as "workstation", "user", "admin", personal pronouns, and business related such as "kfc".
I've increased the password security to 9 digit, alpha, numeric and special characters, and I'm confident that this will delay the hack for centuries, but the client is aware of its ongoing nature, as am I, and then there is also the principle of the thing. I'm more of an onsite Tech, less of a Security person, so I know a lot about some things, and nothing at all about others. And I have questions.
1) Is there something critical that I need to do, as in RIGHT NOW?
2) Is there a way to find out what IP(s) are initiating the attack?
3) Is there a way to report the attack, assuming that it is coming from a single IP, or IP block?
4) Is there something about pcAnywhere that "invited" this attack, such as a response to a particular "ping", i.e. attacker pings "Is pcAnywhere installed at this IP address", and pcAnywhere responds "Yes". If so, can this be turned off? Or is this required to make the software available for connection to "friendly" computers? (I assume choice "B", but am asking anyways.)
5) I understand the WRT54G will not allow blocking of undesired IP Addresses, but is there a way to do this from pcAnywhere? Will a 3rd party firewall guarantee that the attacker can never connect? We could whitelist 5 or fewer IP Addresses and exclude everyone else and be just fine. Zone Alarm used to be "the" software firewall to get, years ago. Is it still considered heavy-duty? Will it exclude connections based on IP Address?
6) And any other questions I should have asked, but did not.