Extreme Threat
IP 95.167.225.76 is a high-risk address operated by Rostelecom (AS12389) in Russia that has been actively conducting SSH brute-force attacks against exposed servers since February 2026. Automated honeypot sensors have logged 176 reports for it, assigning a threat level of 10 out of 10 with a 92 percent confidence rating.
The address was first reported in February 2026 with its most recent activity recorded in May 2026, indicating sustained malicious behavior over approximately four months. Detection systems flagged 20 SSH-related incidents, three general hacking attempts and one instance where the IP was identified as an exploited host being used as an attack platform. The automated honeypot network documented 25 fail2ban violations specifically tied to sshd brute-force activity, while Suricata sensors detected ongoing SSH sessions on expected ports consistent with credential-guessing campaigns. The moderate activity frequency rating of 5 out of 10 suggests persistent rather than burst-based behavior, typical of automated scanning tools that maintain long engagement windows to maximize their chances of success against poorly configured SSH services.
SSH brute-force attacks represent a concrete and widespread threat to any server running an exposed SSH daemon: attackers systematically cycle through username and password combinations to gain unauthorized administrative access. Once compromised through weak credentials, servers can be weaponized for data theft, lateral movement within networks, cryptomining or recruitment into botnets. The Suricata alerts confirming active SSH sessions on expected ports indicate that this Rostelecom address was not merely scanning but actively engaging with target services in real time, suggesting either a compromised system under attacker control or dedicated attack infrastructure. The exploited-host classification further indicates that this address may itself be part of a chain of compromised machines, amplifying the threat.
Site operators should immediately block IP 95.167.225.76 at the firewall level and implement key-based authentication for all SSH access while disabling password-based login entirely. Changing the default SSH port from 22 reduces exposure to automated scanning campaigns, and deploying fail2ban or a similar intrusion prevention tool can automatically ban IP addresses exhibiting brute-force patterns. Enforcing strong password policies, disabling root login over SSH and maintaining regular patch cycles for SSH daemons will further reduce exposure. Operators who detect matching attack signatures should preserve logs for incident review and consider notifying Rostelecom if the compromised-host classification indicates the source address itself may be under unauthorized control.
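The fail2ban-style detection referred to above, as an added example that is not part of this report: it parses sshd "Failed password" lines and flags any source that exceeds a retry threshold inside a time window, which is the same logic fail2ban's sshd jail applies. The log lines are constructed for illustration, the hostname and port numbers are made up, and the year is assumed because syslog timestamps carry none.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth.log excerpt (not taken from the report's sensors).
SAMPLE_LOG = """\
May 12 03:14:01 web1 sshd[2101]: Failed password for invalid user admin from 95.167.225.76 port 51022 ssh2
May 12 03:14:03 web1 sshd[2101]: Failed password for invalid user admin from 95.167.225.76 port 51022 ssh2
May 12 03:14:05 web1 sshd[2104]: Failed password for root from 95.167.225.76 port 51030 ssh2
May 12 03:14:08 web1 sshd[2107]: Failed password for root from 95.167.225.76 port 51041 ssh2
May 12 03:14:11 web1 sshd[2110]: Failed password for invalid user oracle from 95.167.225.76 port 51055 ssh2
May 12 03:20:00 web1 sshd[2200]: Failed password for alice from 203.0.113.9 port 40000 ssh2
May 12 03:20:30 web1 sshd[2203]: Accepted publickey for alice from 203.0.113.9 port 40001 ssh2
"""

# Matches OpenSSH's failed-password line for both valid and "invalid user" names.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)


def parse_failures(log_text, year=2026):
    """Yield (timestamp, user, source_ip) for every sshd failed-password line.

    `year` is an assumption: syslog-format lines do not record one.
    """
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["user"], m["ip"]


def brute_force_sources(log_text, maxretry=5, findtime=timedelta(minutes=10)):
    """Return {ip: failures_in_window} for sources reaching `maxretry` failures
    within `findtime` (fail2ban's default sshd thresholds are 5 in 10 minutes)."""
    windows = defaultdict(list)   # ip -> timestamps of recent failures
    flagged = {}
    for ts, _user, ip in parse_failures(log_text):
        recent = [t for t in windows[ip] if ts - t <= findtime]
        recent.append(ts)
        windows[ip] = recent
        if len(recent) >= maxretry:
            flagged[ip] = len(recent)
    return flagged


if __name__ == "__main__":
    print(brute_force_sources(SAMPLE_LOG))  # only the Rostelecom address trips the threshold
```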