Notable Threat
IP 130.12.181.104, allocated to Netiface LLC and geolocated in Germany, is a high-risk address with a threat level of 8/10 and a confidence score of 86%, primarily linked to sustained SSH brute-force attack campaigns. This IP has generated 3,224 abuse reports through automated honeypot sensors since its first appearance in January 2026, with the most recent activity recorded in April 2026, indicating a persistent and sustained attacking profile over at least four months of active operation.
The detection data reveals a concentrated threat pattern: 20 of the 24 most recent reports categorised this IP under SSH attacks, while 2 reports cited general hacking activity and 2 referenced brute-force behaviour. The volume of 3,224 total reports, combined with an activity frequency rating of 4/10, suggests this address is not a transient or opportunistic scanner but rather part of a sustained campaign. Fail2ban logs from compromised honeypot environments document multiple violation clusters, including instances of 184, 170, 45, and 42 violations per event cycle, with several encounters escalating to recidive status, meaning the source repeatedly triggered defensive blocks and returned to continue its attacks — a hallmark of automated, persistent infrastructure rather than isolated probing.
SSH brute-force attacks represent a concrete and significant threat to any exposed server listening on port 22. Attackers systematically iterate through username and password combinations to gain unauthorised access to shell accounts, enabling data theft, lateral movement within networks, deployment of secondary payloads, or conversion of the target into part of a botnet. The recidive behaviour observed in the logs indicates this source continues its attempts even after triggering repeated bans, meaning standard single-layer blocking alone may be insufficient to deter the operator behind this address.
Site operators with exposed SSH services should immediately block or rate-limit traffic from IP 130.12.181.104 at the firewall level. Implement key-based authentication exclusively and disable password-based SSH login entirely to neutralise the attacker's primary vector. Configure fail2ban with aggressive SSH jail parameters and enable the recidive jail to maintain extended blocks on repeat offenders. Additionally, consider relocating SSH to a non-standard port, disabling root login, and enforcing multi-factor authentication as layered defences that reduce the effectiveness of brute-force campaigns against your infrastructure.
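
One way to check the SSH hardening steps above on a server's own configuration, as an added example that is not part of the original report: the script audits `sshd_config` text for password login, root login and public-key authentication. The function names and sample configurations are hypothetical and constructed; it assumes only the global section matters, so `Match` blocks and `Include` files are not evaluated.

```python
# Added example: audit sshd_config text against the hardening steps above.
# sshd uses the FIRST value it reads for each keyword, so a later
# "PasswordAuthentication no" does not override an earlier "yes".

# OpenSSH built-in defaults, applied when a keyword is absent.
DEFAULTS = {
    "passwordauthentication": "yes",
    "permitrootlogin": "prohibit-password",
    "pubkeyauthentication": "yes",
}
# Values the recommendations call for: keys only, no root login.
REQUIRED = {
    "passwordauthentication": "no",
    "permitrootlogin": "no",
    "pubkeyauthentication": "yes",
}

def effective_settings(config_text):
    """Return the global value of each audited keyword (first match wins)."""
    seen = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # Keyword and value are separated by whitespace or a single "=".
        parts = line.replace("=", " ", 1).split()
        key = parts[0].lower()  # keywords are case-insensitive
        if key == "match":
            break  # conditional section starts; global settings end here
        if len(parts) > 1 and key not in seen:
            seen[key] = parts[1].lower()
    return {k: seen.get(k, default) for k, default in DEFAULTS.items()}

def audit(config_text):
    """Return a sorted list of settings that differ from REQUIRED."""
    eff = effective_settings(config_text)
    return sorted(f"{k}={eff[k]} (want {want})"
                  for k, want in REQUIRED.items() if eff[k] != want)

# Constructed sample: the second PasswordAuthentication line is ignored by sshd.
WEAK_SAMPLE = """Port 22
PasswordAuthentication yes
PermitRootLogin no
PasswordAuthentication no
"""
# Constructed sample matching the recommendations.
HARDENED_SAMPLE = """PasswordAuthentication no
PermitRootLogin no
PubkeyAuthentication yes
"""

if __name__ == "__main__":
    for name, text in (("weak", WEAK_SAMPLE), ("hardened", HARDENED_SAMPLE)):
        print(name, audit(text) or "OK")
```

On a live host, `sshd -T` prints the effective configuration, including values pulled in through `Include` files, and its output can be passed to `audit` in the same way.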