Severe Risk
IP 157.20.207.165 is a critical-risk address originating from Indonesia that has been identified as an active SSH brute-force attack source, with automated honeypot sensors logging over 1,300 abuse reports spanning approximately eight months of sustained malicious activity. The IP, operating under ASN 152436 on the ERATELINDO network, carries a maximum threat score of 10/10 and a confidence rating of 75 percent, a reasonably firm attribution of hostile intent. Because the reports combine exploited-host classifications with active intrusion attempts, the address is best read as a persistent attack platform that may itself be a compromised machine.
The detection profile for 157.20.207.165 shows concentrated, credential-focused attack activity. Of the 1,351 total reports, SSH-related incidents dominate overwhelmingly, complemented by general hacking probes and exploited-host classifications. Sensors documented dozens of discrete brute-force events, with multiple violations recorded against sshd services and Suricata alerts flagging repeated SSH session attempts on the ports where SSH is expected to listen. The activity frequency of 5/10 suggests consistent, ongoing engagement rather than sporadic scanning, and the nine-month reporting window from September 2025 through May 2026 demonstrates a sustained effort to gain unauthorized access to exposed SSH endpoints.
SSH brute-force attacks pose a concrete and immediate threat to any exposed server that accepts password-based authentication. Attackers systematically iterate through credential combinations to gain shell access, potentially achieving root-level compromise of vulnerable Linux and Unix systems. Once obtained, such access enables data exfiltration, malware deployment, lateral network movement, and enrolment of the compromised server into botnets. The exploited-host classifications suggest this Indonesian address may already be under attacker control, functioning as a relay point without the knowledge of its legitimate operator. Blocking the IP therefore protects against both direct attacks and unwitting participation in broader attack campaigns.
Site operators should immediately block 157.20.207.165 at the firewall level and monitor logs for any successful authentication attempts from it, since a successful login following a run of failures is the signal that a guessed credential worked. Requiring key-based authentication exclusively and disabling root login remove the password-guessing risk that brute-force tooling depends on; changing the default SSH port additionally cuts the volume of automated probes, though it does not by itself stop a determined attacker. Deploying fail2ban or an equivalent intrusion-prevention utility will dynamically ban repeat offenders once failed logins exceed a threshold within a time window. Organizations should also consider notifying the ERATELINDO network operator regarding the compromised-host indicators, as this assists in remediation of the source system and contributes to broader threat reduction across the internet ecosystem.
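The ban-on-threshold logic described above, applied to sshd auth-log lines, as an added example (not code from the report or from fail2ban itself). The log lines are constructed for the example, the host name `bastion`, the user names, the 192.0.2.10 address and the year 2026 are assumed, and `maxretry`/`findtime` mirror fail2ban's defaults for its sshd jail; the function also surfaces the case the report tells operators to watch for, a successful login from an address that has already crossed the failure threshold.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample auth.log lines for this example (not real logs from the
# report). syslog timestamps carry no year, so the year is passed in.
SAMPLE_LOG = """\
May  2 03:14:01 bastion sshd[2101]: Failed password for invalid user admin from 157.20.207.165 port 41022 ssh2
May  2 03:14:05 bastion sshd[2103]: Failed password for root from 157.20.207.165 port 41030 ssh2
May  2 03:14:09 bastion sshd[2105]: Failed password for invalid user test from 157.20.207.165 port 41044 ssh2
May  2 03:14:13 bastion sshd[2107]: Failed password for root from 157.20.207.165 port 41051 ssh2
May  2 03:14:17 bastion sshd[2109]: Failed password for invalid user oracle from 157.20.207.165 port 41060 ssh2
May  2 03:15:40 bastion sshd[2111]: Accepted password for deploy from 157.20.207.165 port 41075 ssh2
May  2 03:20:00 bastion sshd[2120]: Failed password for alice from 192.0.2.10 port 50001 ssh2
May  2 03:21:00 bastion sshd[2122]: Accepted publickey for alice from 192.0.2.10 port 50002 ssh2
"""

# Matches the "Failed <method> for [invalid user] <user> from <ip> port <n>"
# and "Accepted <method> for <user> from <ip> port <n>" forms sshd logs.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)

def analyze(log_text, maxretry=5, findtime=600, year=2026):
    """Return (banned, suspicious): banned maps each IP that produced
    >= maxretry failures within any findtime-second window to the time it
    crossed the threshold; suspicious lists successful logins from an IP
    after it was banned (IP, user, auth method, time)."""
    failures = defaultdict(list)  # ip -> failure timestamps inside the window
    banned = {}
    suspicious = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        ip = m["ip"]
        if m["result"] == "Failed":
            # Drop failures older than findtime, then count the new one.
            window = [t for t in failures[ip] if (ts - t).total_seconds() <= findtime]
            window.append(ts)
            failures[ip] = window
            if len(window) >= maxretry and ip not in banned:
                banned[ip] = ts
        elif ip in banned:
            suspicious.append((ip, m["user"], m["method"], ts))
    return banned, suspicious
```

Running `analyze(SAMPLE_LOG)` bans 157.20.207.165 at its fifth failure and reports the later password login for `deploy` from that address, while the single failure from 192.0.2.10 followed by a public-key login is left alone.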