Critical Threat
80.94.95.112 is a critical-risk address linked to SSH brute-force attacks. It has accumulated 3047 abuse reports from automated honeypot sensors since August 2025, with its activity concentrated through October 2025. The address originates from Romania under network operator SS-Net (AS204428) and presents a severe threat to any exposed SSH service because of its high-volume automated credential-guessing behaviour.
Detection data confirms 3047 independent reports sourced from 20 automated honeypot sensors, yielding a maximum threat score of 10/10 despite a 61% confidence rating. The 0/10 activity frequency metric indicates concentrated burst activity rather than a persistent background hum, consistent with scripted attack campaigns that periodically intensify. The IP was first reported in August 2025 and remained active through October 2025, establishing a multi-month threat presence. The honeypot-sourced reports specifically document SSH brute-force attempt patterns targeting authentication interfaces, with Romania and ASN AS204428 providing the geographic and network context for this malicious infrastructure.
SSH brute-force attacks represent a direct pathway to server compromise through systematic automated guessing of login credentials. Attackers deploying this technique cycle through common username-password combinations at high speed, exploiting weak or default credentials to gain shell access. Once inside, threat actors can establish persistent access, exfiltrate data, pivot to internal systems or deploy additional payloads. The volume of reports from 80.94.95.112 indicates sustained, high-intensity targeting that could overwhelm standard authentication logs and evade detection by sheer throughput. Any SSH service reachable from this address faces imminent credential-guessing risk.
Site operators should immediately block 80.94.95.112 at the firewall level given its confirmed malicious history. Enforcing key-based authentication instead of password-based login removes the password-guessing vector for exposed services, provided password login is actually disabled on the server rather than merely supplemented with keys. Port-knocking or moving SSH to a non-standard port reduces exposure to automated scanners, but it only lowers scan noise and does not replace strong authentication. Deploying intrusion-prevention tools such as fail2ban to dynamically ban repeat offenders after failed login attempts adds a critical layer of hardening. Continuous monitoring of authentication logs for the activity signature associated with this address remains essential for early detection of compromise attempts.
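The log monitoring recommended above can be sketched as follows. This is an added example, not part of the original report: it assumes the standard OpenSSH syslog line format, and the burst threshold, window, host name and sample log lines are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

WATCHLIST = {"80.94.95.112"}                    # the address this report covers
THRESHOLD, WINDOW = 5, timedelta(seconds=60)    # assumed burst definition

# OpenSSH syslog lines for failed and accepted authentication.
LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<kind>Failed|Accepted) \S+ for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+")

def analyze(lines, year=2025):
    """Return (kind, ip, user) alerts in the order they occur."""
    fails, bursty, seen, alerts = defaultdict(list), set(), set(), []
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue                            # not an sshd auth result line
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        ip, user = m["ip"], m["user"]
        if ip in WATCHLIST and ip not in seen:
            seen.add(ip)
            alerts.append(("watchlist", ip, user))
        if m["kind"] == "Failed":
            # keep only the failures inside the sliding window
            fails[ip] = [t for t in fails[ip] if ts - t <= WINDOW] + [ts]
            if len(fails[ip]) >= THRESHOLD and ip not in bursty:
                bursty.add(ip)
                alerts.append(("burst", ip, user))
        elif ip in WATCHLIST or ip in bursty:   # success from a guessing source
            alerts.append(("login_after_guessing", ip, user))
    return alerts

# Constructed sample log, not taken from real traffic.
SAMPLE = """\
Oct  3 02:14:01 web1 sshd[4101]: Failed password for invalid user admin from 80.94.95.112 port 51010 ssh2
Oct  3 02:14:03 web1 sshd[4102]: Failed password for root from 80.94.95.112 port 51012 ssh2
Oct  3 02:14:05 web1 sshd[4103]: Failed password for invalid user test from 80.94.95.112 port 51014 ssh2
Oct  3 02:14:06 web1 sshd[4104]: Failed password for alice from 198.51.100.20 port 40100 ssh2
Oct  3 02:14:08 web1 sshd[4105]: Failed password for root from 80.94.95.112 port 51016 ssh2
Oct  3 02:14:10 web1 sshd[4106]: Failed password for invalid user ubuntu from 80.94.95.112 port 51018 ssh2
Oct  3 02:14:15 web1 sshd[4107]: Accepted password for alice from 198.51.100.20 port 40102 ssh2
Oct  3 02:14:20 web1 sshd[4108]: Accepted password for root from 80.94.95.112 port 51020 ssh2
""".splitlines()

if __name__ == "__main__":
    print(*analyze(SAMPLE), sep="\n")
```

The `login_after_guessing` alert is the one to escalate: a single mistyped password followed by a success (the `alice` lines) stays quiet, while a success from a watchlisted or bursting source indicates a guessed credential.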