Notable Threat
IP 87.121.84.30 is a high-risk address operated by Vpsvault.host Ltd under ASN AS215925 in the United States, identified through automated honeypot sensors as a persistent source of SSH brute-force attacks with a threat level rating of 8/10 and a perfect confidence score of 100 percent based on 295 total abuse reports.
Analysis of the submitted reports indicates sustained malicious activity spanning approximately four months, with the first documented incident recorded in January 2026 and the most recent reports received in April 2026. The 295 total reports originated exclusively from automated honeypot detection systems, with the dominant threat category being SSH-related attacks. Supplementary fail2ban logs revealed individual detection events capturing 26 and 25 SSH violation incidents, confirming systematic and repeated brute-force authentication attempts against exposed SSH services. The activity frequency rating of 3/10 suggests the scanning behavior occurs on a regular but measured cadence rather than as a single concentrated burst, indicating a methodical, sustained campaign rather than opportunistic probing.
SSH brute-force attacks represent one of the most common and financially motivated threat vectors targeting internet-facing servers worldwide, with actors systematically attempting username and password combinations to compromise authentication credentials and gain unauthorized shell access. Successful authentication grants adversaries a foothold within the target environment, enabling data exfiltration, cryptocurrency mining, lateral movement across internal networks, or integration into botnets for distributed denial-of-service operations. The sustained nature of the activity recorded from this IP demonstrates an automated, high-volume approach designed to exploit weak or default credentials across a broad attack surface.
Organizations exposing SSH services to the internet should immediately implement key-based authentication as the primary login mechanism while disabling password-based authentication entirely. Configuring fail2ban to dynamically block repeat offenders after a threshold of failed authentication attempts will significantly reduce the effectiveness of this IP's scanning campaign. Operators should also consider relocating SSH to a non-standard port, disabling direct root login, and enforcing strong passphrase policies for any accounts that must retain password authentication. Continuous monitoring of authentication logs combined with automated threat intelligence feed integration will enable timely blocking of known malicious sources such as 87.121.84.30.
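The hardening steps above can be checked mechanically. The following is an added example, not part of the original report: a small auditor that resolves the global section of an sshd_config the way sshd does (first value per keyword wins, Port may repeat) and lists deviations from the recommendations. The function names and sample configurations are constructed for illustration; Match blocks and Include files are not evaluated.

```python
# Added example (not from the report): audit the global section of an
# sshd_config for the controls recommended above. Sample configs are constructed.

# OpenSSH built-in defaults, applied when a keyword is absent.
DEFAULTS = {"passwordauthentication": "yes", "pubkeyauthentication": "yes",
            "permitrootlogin": "prohibit-password"}

def effective_settings(config_text):
    """Return effective global values as sshd would resolve them."""
    first, ports = {}, []
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.replace("=", " ", 1).split()  # "Keyword=value" is also valid
        if not parts:
            continue
        key = parts[0].lower()  # keywords are case-insensitive
        if key == "match":
            break  # assumption: Match blocks and Include files are not evaluated
        if len(parts) < 2:
            continue
        if key == "port":
            ports.append(parts[1])  # Port may repeat; sshd listens on all of them
        elif key in DEFAULTS:
            first.setdefault(key, parts[1].lower())  # first value wins in sshd
    return {**DEFAULTS, **first, "port": ports or ["22"]}

def audit(config_text):
    """List deviations from the hardening steps named in the text."""
    s = effective_settings(config_text)
    findings = []
    if s["passwordauthentication"] != "no":
        findings.append("PasswordAuthentication is enabled")
    if s["pubkeyauthentication"] != "yes":
        findings.append("PubkeyAuthentication is disabled")
    if s["permitrootlogin"] != "no":
        findings.append("PermitRootLogin is not 'no'")
    if "22" in s["port"]:
        findings.append("sshd listens on the default port 22")
    return findings

SAMPLE_WEAK = "Port 22\nPasswordAuthentication yes\nPasswordAuthentication no\nPermitRootLogin yes\n"
SAMPLE_HARDENED = "Port 2222\nPasswordAuthentication no\nPubkeyAuthentication yes\nPermitRootLogin no\n"

if __name__ == "__main__":
    for name, text in (("weak", SAMPLE_WEAK), ("hardened", SAMPLE_HARDENED)):
        print(name, audit(text) or "no findings")
```

In the weak sample the later `PasswordAuthentication no` has no effect because the earlier `yes` is the value sshd uses, which is why a duplicate-keyword check matters when appending hardening lines to an existing file.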