Severe Risk
IP address 180.153.91.15 is a high-risk address linked to SSH brute-force attacks, originating from China Telecom Group's network infrastructure in China. With a maximum threat level of 10/10 and 1423 total abuse reports spanning from October 2025 to May 2026, this address represents one of the most consistently hostile sources targeting SSH services observed by automated honeypot sensors during that period. Despite a relatively modest activity frequency rating of 2/10, the sheer volume of reports indicates persistent, deliberate targeting rather than incidental scanning.
The 1423 reports attributed to 180.153.91.15 were generated by 20 distinct automated honeypot sensors, providing substantial corroboration across multiple monitoring points. Fail2ban violation logs from these sensors documented recurring sshd brute-force attempts, with individual capture sessions recording 25 and 10 violations respectively, confirming sustained credential-guessing campaigns. Detection data further revealed active SSH session establishment and command input, indicating that attackers successfully reached interactive authentication stages during their intrusion attempts. The geographic and network attribution to AS4812 under China Telecom Group positions this activity within a major telecommunications provider serving millions of end users.
SSH brute-force attacks systematically test username and password combinations against exposed SSH daemons to gain unauthorized server access. Once inside, attackers can establish persistent footholds, exfiltrate sensitive data, install additional malicious tooling, and pivot laterally across connected systems. The sustained pattern observed from 180.153.91.15, combining high report counts with successful command input in honeypot environments, demonstrates that the operator behind this address is actively engaged in credential compromise campaigns rather than mere reconnaissance. The confidence score of 66% reflects legitimate detection of hostile intent while acknowledging the inherent uncertainty in attributing network activity to specific malicious actors.
Site operators should block traffic from 180.153.91.15 at the firewall or network edge immediately. SSH services should be hardened by disabling password-based authentication in favor of public key authentication, changing the default listening port, and disabling direct root login. Deploying fail2ban to automatically ban IPs after repeated authentication failures provides an effective automated defensive layer against brute-force attempts. Regular monitoring of authentication logs for unusual patterns, combined with timely system patching and strong password policies for any remaining password-authenticated accounts, will further reduce exposure to intrusion attempts originating from addresses like this one.
HK 
UA 
GB