Critical Threat
IP 87.121.84.80, registered to Vpsvault.host Ltd under ASN AS215925 and geolocated in the United States, presents a critical threat level of 10/10 with 97% confidence based on 210 abuse reports gathered from 20 automated honeypot sensors between March and April 2026. The dominant threat vector is SSH brute-force activity, with secondary hacking and general brute-force categories contributing to the overall risk profile. With an activity frequency rated at 3/10, this address represents a persistent, systematic attacker rather than an opportunistic probe, making it especially dangerous for any exposed SSH services.
The detection data reveals a relentless campaign targeting Secure Shell authentication across multiple victim systems. Fail2ban logs document repeated SSH brute-force violations ranging from 25 to 74 detections per instance, alongside a consistent recidive classification, indicating that this address has been blocked multiple times for repeat offenses across multiple jails. The volume of 210 total reports concentrated within a two-month window, combined with the recidive pattern, demonstrates an automated, high-volume credential attack infrastructure operated through a commercial hosting provider. The consistent targeting of SSH suggests the attacker is seeking to compromise Linux or Unix-based servers for purposes that may include data exfiltration, cryptomining, botnet recruitment, or lateral network movement.
SSH brute-force attacks represent one of the most common initial access vectors in server compromise, exploiting weak or default credentials to gain shell access. Once authenticated, an attacker can execute arbitrary commands, install persistent backdoors, escalate privileges, and pivot to adjacent systems. The automated nature of these attacks means servers with exposed SSH on standard ports and password-based authentication face constant, distributed guessing attempts that eventually succeed against insufficiently protected deployments. The recidive behavior observed here indicates standard blocklists alone have proven insufficient to deter this actor, requiring more robust countermeasures.
Organizations with SSH services exposed to this IP address should block 87.121.84.80 at the network perimeter immediately. Beyond simple blocking, administrators should disable password-based SSH authentication entirely and deploy public key authentication with strong key pairs. Changing the default SSH listening port reduces automated attack surface significantly. Implementing fail2ban or similar dynamic blocklisting tools provides automated response to repeated authentication failures. Enforcing multi-factor authentication for privileged SSH access adds a critical security layer even if credentials are compromised. Regular monitoring of authentication logs for unusual source IPs and implementing account lockout policies further harden defenses against credential-based intrusion attempts.