Significant Threat
IP 87.251.64.149 is a high-risk address associated with SSH brute-force attacks, originating from network infrastructure operated by ISAEV Igor in the United States. With 417 total abuse reports and a threat level of 8 out of 10, this IP demonstrates persistent malicious behavior that poses a concrete risk to any exposed SSH service. The address was first reported in April 2026 and most recently documented in May 2026, indicating an active campaign during that period.
Automated honeypot sensors across the security community recorded 417 reports tied to this address, with 20 recent reports specifically categorizing the activity as SSH-based intrusion attempts. The attack frequency rating of 8 out of 10 further confirms sustained, repeated targeting rather than isolated probes. The fail2ban pattern data extracted from these detections shows consistent sshd brute-force signatures, with multiple violation clusters recorded against exposed honeypot sensors. The 93% confidence score means the threat attribution is highly reliable, and the geographic and ASN context places the activity within infrastructure associated with a named individual operator.
SSH brute-force attacks represent one of the most common initial access vectors used by threat actors to compromise Linux servers and network devices. By systematically guessing common username and password combinations, attackers attempt to gain authenticated shell access to target systems. Once inside, they can deploy backdoors, exfiltrate data, or use the compromised host as a pivot point for lateral movement within a network. The volume and persistence of reports against IP 87.251.64.149 indicate an automated, high-volume operation likely running from a botnet or rented attack infrastructure.
Organizations with publicly accessible SSH services should immediately block IP 87.251.64.149 at the network perimeter firewall or via intrusion prevention systems. Implementing key-based authentication exclusively and disabling password-based login eliminates the attacker's primary vector. Configuring fail2ban to monitor authentication logs and dynamically ban repeat offenders provides an additional automated defense layer. Operators should also consider changing the default SSH listening port, disabling root login, and enforcing strong passphrase policies for any accounts that must retain password authentication. Continuous monitoring of authentication logs for source IP 87.251.64.149 is strongly recommended.
PL 
MU 
MX 
SC 
UA 
RO 
EG