Maximum Danger
IP 196.251.81.79 is a high-risk address assigned to the Seychelles network operator CHEAPY-HOST (AS401120) that has accumulated a substantial volume of abuse reports centered on SSH attack activity, warranting immediate blocking or strict access controls for any exposed services. With a threat-level score of 10 out of 10 and a total of 400 reports filed against this address, the IP presents a credible and ongoing risk to internet-facing servers that operate SSH daemons. The detection confidence of 69 percent reflects a well-established pattern of malicious behavior recorded across automated honeypot sensors over a three-month observation window between September and November 2025, making this one of the more consistently reported addresses in recent threat-intelligence collections.
Analysis of the submitted reports reveals that all recent threat-category filings map to SSH-targeted activity, with automated honeypot sensors accounting for the entirety of the detection volume. The 400 total reports represent a significant abuse history, while the 20 most recent reports confirm that SSH remains the dominant and current attack vector associated with this IP. Geographically, the Seychelles registration and the CHEAPY-HOST autonomous system assignment place this source within a network topology frequently associated with transient or bulletproof hosting infrastructure, which aligns with the observed pattern of repeated scanning and brute-force attempts across multiple targets. The activity-frequency metric of zero suggests that while the historical record is extensive, recent detections have tapered since the last reported contact in November 2025.
SSH brute-force attacks, the sole threat category attributed to 196.251.81.79, represent one of the most common and effective initial-access techniques employed by threat actors to compromise Linux servers and network appliances. By systematically guessing authentication credentials against exposed SSH ports, an attacker can achieve privileged remote access to a target system, enabling data exfiltration, lateral movement within a network, or deployment of secondary payloads such as cryptocurrency miners and ransomware. The scale of reporting against this IP — spanning hundreds of independent detections — indicates sustained intent rather than opportunistic probing, meaning any organization with port 22 publicly accessible faces a non-trivial probability of being among the targets this address scans.