Critical Alert
IP 103.2.225.33 is a critical-risk address operating from Vietnam that has been consistently flagged for SSH brute-force attack activity, with 184 independent abuse reports filed against this single address over a five-month observation window ending in March 2026. Despite an activity frequency score of 0/10, the sheer volume of automated honeypot sensor detections and the maximum threat-level rating establish this as one of the more persistently malicious IPs in recent regional telemetry.
Community-driven reporting and automated honeypot sensors recorded 184 total incidents, with the current reported threat category dominated entirely by SSH activity—specifically 20 recent reports all catalogued under SSH. The attack-pattern logs reveal repeated fail2ban trigger events across multiple honeypot instances, with violation counts ranging from 10 to 26 per detection cycle, indicating sustained, multi-wave authentication guessing campaigns. The originating network is AS131423, operated by Branch of Long Van System Solution JSC based in Hanoi, Vietnam. The address was first reported in October 2025 and most recently flagged in March 2026, spanning approximately five months of continuous hostile activity.
SSH brute-force attacks represent one of the most common and effective initial-access vectors in network intrusion campaigns. Attackers systematically automate credential-guessing attempts against exposed SSH daemons, exploiting weak or default passwords to gain unauthorized shell access to servers. Once inside, threat actors can pivot laterally, exfiltrate data, deploy malware or ransomware, and establish persistent backdoors. The repeated fail2ban violation patterns observed from IP 103.2.225.33 demonstrate methodical, sustained scanning behaviour rather than opportunistic probing—suggesting the operator is actively targeting vulnerable SSH endpoints at scale.
Site administrators should treat any inbound connection attempts from this address as hostile and block it at the network perimeter immediately. Implementing key-based authentication exclusively, disabling password-based SSH login entirely, and repositioning the SSH service to a non-standard port materially reduce the attack surface. Deploying or configuring fail2ban with strict ban thresholds will automatically block sources that repeatedly fail authentication. Continuous monitoring of authentication logs for patterns consistent with brute-force activity and enforcing account lockout policies after a small number of failed attempts provide additional defensive layers against this class of threat.