Notable Threat
IP 130.12.181.106 is a high-risk address assessed at 8 out of 10 threat level, with 94% confidence based on 1,315 total abuse reports submitted over a six-month observation window between January and June 2026. The IP originates from Germany and operates within AS36680 under Netiface LLC, and it has been flagged almost exclusively for hacking activity, specifically targeting SSH services. With an activity frequency rated 8 out of 10, this address demonstrates persistent, high-volume intrusion behavior that poses a significant risk to any exposed SSH daemon listening on the default port.
The detection data stems from 20 automated honeypot sensors distributed across the network, which collectively logged the repeated SSH session establishment attempts attributed to 130.12.181.106. The pattern of activity observed includes Suricata alerts matching the "ET INFO SSH session in progress on Expected Port" signature, indicating the source is actively probing for accessible SSH services. The sustained volume of reports over six months, combined with the near-identical nature of each categorization as hacking, strongly suggests automated tooling is driving this behavior rather than opportunistic manual scanning.
Hacking activity targeting SSH represents one of the most common initial access vectors for threat actors seeking to compromise servers. An attacker successfully brute-forcing or credential-stuffing a weak SSH password can gain shell access to a target system, potentially escalating privileges and deploying persistent backdoors or exfiltrating data. The fact that this IP is conducting these sessions from a commercial German network operator rather than a known bulletproof hosting provider adds a layer of obfuscation, as the traffic may blend with legitimate administrative activity if not actively monitored.
Site operators exposing SSH to the internet should treat 130.12.181.106 as a confirmed malicious source and block it at the network perimeter. Enforcing key-based authentication exclusively, disabling password authentication outright, and implementing fail2ban or similar dynamic blocking tools will substantially reduce the success rate of these attempts. Rate-limiting incoming connections on port 22 and deploying intrusion detection rules to flag repeated authentication failures will further harden the attack surface against persistent scanners of this kind.
SI 
AE 
RO 
FR 
SE 
TR