Notable Threat
IP 176.120.22.47, registered in Russia and operated by Proton66 OOO (AS198953), is a high-risk address with an 8/10 threat level that has accumulated 881 abuse reports from 20 automated honeypot sensors over a three-month period ending in March 2026, with SSH brute-force activity dominating the threat landscape.
The detection data points to an established, persistent actor: 881 reports in a 90-day window, with 19 of the most recent reports categorised specifically as SSH attacks alongside the Hacking and Brute-Force categories. The activity frequency score of 0/10 indicates that the address is not continuously active but works in irregular bursts, a pattern typical of operators that rotate through large pools of source addresses to stay under rate-based defences. The fail2ban pattern data confirms this is not a first-time offender: the recidive jail, which fires only after an address has already been banned repeatedly by a lower-level jail such as sshd (five bans per trigger in this data), has triggered several times, meaning the address has been blocked, has returned and has been blocked again, earning it a multi-jail offender designation. Although the aggregated confidence score is only 66%, the volume and consistency of reporting from 20 independent sensors establish a credible threat profile.
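To make the sshd and recidive jail logic concrete, here is an added example (not code from the original page or from fail2ban itself) that applies both thresholds to a handful of constructed auth-log lines. The thresholds follow fail2ban's shipped defaults (sshd: 5 failures in 10 minutes; recidive: 5 bans in 1 day), the regex is modelled on OpenSSH syslog output rather than fail2ban's real filter, and the log lines, hostname and timestamps are all constructed; treat each of these as an assumption.

```python
# Added example (not code from the original page): a minimal fail2ban-style
# detector. An "sshd" jail bans a source after maxretry failed logins inside
# findtime; a "recidive" jail bans it for longer after maxretry such bans.
# Thresholds follow fail2ban's shipped defaults (sshd: 5 in 10 min; recidive:
# 5 bans in 1 day) and the regex is modelled on OpenSSH syslog output; both
# are assumptions, not fail2ban's real filter. The log lines are constructed.
import re
from collections import defaultdict
from datetime import datetime, timedelta

FAILED = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?:Failed password for (?:invalid user )?\S+|Invalid user \S+) from (?P<ip>[\d.]+)"
)


def parse_failures(lines, year=2026):
    """Yield (timestamp, source_ip) for each failed-authentication line.
    syslog timestamps carry no year, so one is supplied (assumption)."""
    for line in lines:
        m = FAILED.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["ip"]


def jail(events, maxretry, findtime):
    """Generic jail: return [(ban_time, ip)] for every ip that reaches
    maxretry events within findtime. The per-ip counter resets after a ban,
    a simplification of fail2ban's real bookkeeping."""
    recent = defaultdict(list)
    bans = []
    for ts, ip in sorted(events):
        hits = [t for t in recent[ip] if ts - t <= findtime] + [ts]
        if len(hits) >= maxretry:
            bans.append((ts, ip))
            hits = []
        recent[ip] = hits
    return bans


def analyse(lines):
    """Run the sshd jail over the log, then feed its bans into recidive."""
    sshd_bans = jail(parse_failures(lines), maxretry=5, findtime=timedelta(minutes=10))
    recidive_bans = jail(sshd_bans, maxretry=5, findtime=timedelta(days=1))
    return sshd_bans, recidive_bans


def constructed_log():
    """Constructed sample: five bursts, an hour apart, of five failures each
    from the reported address, plus two stray failures from an unrelated one."""
    lines = []
    t0 = datetime(2026, 3, 1, 2, 0, 0)
    for burst in range(5):
        for i in range(5):
            ts = t0 + timedelta(hours=burst, seconds=7 * i)
            lines.append(f"{ts:%b %d %H:%M:%S} bastion sshd[{1000 + 5 * burst + i}]: "
                         f"Failed password for invalid user admin from 176.120.22.47 port 51234 ssh2")
    for i in range(2):
        ts = t0 + timedelta(minutes=30 + i)
        lines.append(f"{ts:%b %d %H:%M:%S} bastion sshd[2000]: "
                     f"Failed password for alice from 203.0.113.9 port 40022 ssh2")
    return lines


if __name__ == "__main__":
    sshd_bans, recidive_bans = analyse(constructed_log())
    for ts, ip in sshd_bans:
        print(f"sshd jail: ban {ip} at {ts:%Y-%m-%d %H:%M:%S}")
    for ts, ip in recidive_bans:
        print(f"recidive jail: long-term ban {ip} at {ts:%Y-%m-%d %H:%M:%S} (multi-jail offender)")
```

Run as a script it lists five short sshd-jail bans for 176.120.22.47 and one recidive ban after the fifth, while the two stray failures from 203.0.113.9 never reach the threshold. The important design point is the second stage: a ban issued by one jail is itself an event for the next, which is exactly how an address that cycles through bursts accumulates a multi-jail offender record even though no single burst looks exceptional.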
SSH brute-force attacks are among the most common initial-access vectors against internet-facing infrastructure. An attacker systematically guessing credentials against an exposed SSH daemon gains a shell as whichever account the guessed password belongs to, and root directly if password logins for root are still permitted; with weak or default passwords in place this can take hours rather than days. Once in, threat actors typically install persistence, deploy cryptocurrency miners, or pivot to adjacent systems in the same network segment. The recidive classification in the pattern data shows that this IP keeps targeting new honeypot sensors after being banned elsewhere. A fail2ban ban is local to the host that issued it, so this points to either automated tooling that simply moves on to the next target or a deliberate rotation through compromised infrastructure to resume attacks.
Site operators running publicly reachable SSH services should treat 176.120.22.47 as a confirmed malicious source and block it at the network perimeter. Deploy fail2ban or an equivalent tool to ban sources automatically after a threshold of failed authentication attempts, enable its recidive jail so repeat offenders receive progressively longer bans, and in sshd_config enforce key-based authentication only: set PasswordAuthentication no and KbdInteractiveAuthentication no, and set PermitRootLogin to no (or prohibit-password if root must still log in with a key). Moving SSH to a non-standard port reduces automated scanner noise but is obfuscation rather than a control, and supplements rather than replaces strong credential and access-control policies. Continuous monitoring of authentication logs and an intrusion-detection system shorten the window in which automated attempts from addresses like this one can succeed.
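The sshd_config settings above are easy to get subtly wrong (a directive left at its default, a later duplicate that sshd ignores, the deprecated ChallengeResponseAuthentication spelling). As an added example that is not part of the original page or of OpenSSH, the following audit parses a configuration the way sshd reads its global section and reports every directive that still permits password guessing, with a constructed weak configuration beside its hardened form. The OpenSSH defaults assumed for absent directives, and the simplifications that first occurrence wins and Match blocks are not evaluated, are assumptions.

```python
# Added example (not code from the original page or from OpenSSH): audit an
# sshd_config for the settings recommended above and compare a weak
# configuration with its hardened form. Parsing rules (first occurrence of a
# keyword wins, keywords are case-insensitive, Match blocks are not evaluated)
# and the OpenSSH defaults assumed for absent directives are simplifications
# stated here as assumptions. Both configuration texts are constructed.
import re

# Accepted values per directive. PermitRootLogin may be "no" or
# "prohibit-password" (root by key only); either blocks password guessing.
POLICY = {
    "permitrootlogin": {"no", "prohibit-password"},
    "passwordauthentication": {"no"},
    "kbdinteractiveauthentication": {"no"},
    "pubkeyauthentication": {"yes"},
}
# Effective value when the directive is absent (assumed OpenSSH 9.x defaults).
DEFAULTS = {
    "permitrootlogin": "prohibit-password",
    "passwordauthentication": "yes",
    "kbdinteractiveauthentication": "yes",
    "pubkeyauthentication": "yes",
}
# Deprecated spelling that sshd still accepts as an alias.
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}

# "Keyword value" or "Keyword=value"; keyword is the first run of non-space chars.
DIRECTIVE = re.compile(r"^(\S+?)(?:\s*=\s*|\s+)(.*)$")


def parse_sshd_config(text):
    """Return {keyword: value} for the global section; first occurrence wins."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.lower().startswith("match "):
            break  # conditional blocks need host/user context; global section only
        m = DIRECTIVE.match(line)
        if not m:
            continue
        key = m.group(1).lower()
        key = ALIASES.get(key, key)
        settings.setdefault(key, m.group(2).strip())
    return settings


def audit(text):
    """Return [(directive, effective_value)] for each directive violating POLICY."""
    settings = parse_sshd_config(text)
    findings = []
    for key, allowed in POLICY.items():
        value = settings.get(key, DEFAULTS[key]).lower()
        if value not in allowed:
            findings.append((key, value))
    return findings


WEAK = """\
# constructed: password logins for everyone, including root
Port 22
PermitRootLogin yes
PasswordAuthentication yes
"""

HARDENED = """\
# constructed: keys only, no interactive password prompts, root by key only
Port 22
PermitRootLogin prohibit-password
PasswordAuthentication no
KbdInteractiveAuthentication no
PubkeyAuthentication yes
AuthenticationMethods publickey
MaxAuthTries 3
PasswordAuthentication yes   # ignored by sshd: the first occurrence above wins
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK), ("hardened", HARDENED)):
        findings = audit(cfg)
        print(f"{name}: {'OK' if not findings else findings}")
```

The weak configuration yields three findings (root login, password authentication, and keyboard-interactive authentication left at its permissive default), the hardened one none. On a live host, run `sshd -T` as root to print the effective, fully resolved configuration; its `keyword value` output can be fed straight into audit(), which avoids reasoning about duplicates and Include files by hand. Keep an existing session open while reloading sshd after changes so a mistake does not lock you out.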