Critical Alert
IP 138.68.155.239 is a critical-risk address that has accumulated 1,990 abuse reports from automated honeypot sensors, with SSH brute-force activity confirmed across multiple detection points over a roughly eight-month observation window from August 2025 through April 2026. The threat level is scored at the maximum 10/10, indicating severe and persistent malicious behavior that poses an immediate danger to any exposed SSH service.
The IP is registered to DigitalOcean (ASN 14061) and geolocated to the United Kingdom, though cloud-hosted IPs frequently serve as anonymized staging points for threat actors operating from elsewhere. A total of 20 independent honeypot sensors contributed reports; the dominant threat category is general hacking activity (18 reports), alongside dedicated SSH attack signatures (2 reports). Fail2ban logs associated with this address record 25 violations per incident across multiple observations, indicating systematic, repeated authentication attacks against SSH daemons. Suricata sensors also flagged an SSH session attempt on an unusual port, suggesting the actor may rotate destination ports to evade basic detection rules. The high report volume combined with the low activity-frequency score (0/10) implies bursts of concentrated scanning followed by dormancy, a pattern consistent with coordinated credential-stuffing campaigns.
SSH brute-force attacks represent one of the most prevalent initial-access vectors in internet-facing environments. Attackers automating authentication attempts against default SSH ports (22) can compromise weak or default credentials within hours, granting threat actors persistent shell access, lateral-movement capability and a foothold for data exfiltration or further exploitation. The detection of sessions on unconventional ports signals that this actor employs evasion techniques beyond naive password spraying, increasing the likelihood that standard blocklist-only defenses will prove insufficient. With 1,990 reports accumulated across an extended timeframe, this address demonstrates persistent, deliberate targeting rather than opportunistic noise.
Site operators should immediately block or rate-limit connections from 138.68.155.239 at the network perimeter and implement deny-by-default firewall rules for all non-essential inbound traffic. Switching to key-based SSH authentication, disabling root login and moving the SSH daemon to a non-standard port substantially raise the barrier against automated attacks. Deploying tools such as fail2ban or analogous intrusion-prevention systems can dynamically ban repeat offenders after a configurable threshold of failed attempts. Continuous monitoring of authentication logs and integration of this IP into community blocklists will further reduce exposure and support proactive threat hunting across the network.