Maximum Danger
IP 185.217.0.130 is a high-risk address operating from Swedish network infrastructure (AS42237, w1n ltd) that presents a serious threat to any publicly accessible SSH service, accumulating 717 total abuse reports across automated honeypot sensors in approximately two months with a perfect 10/10 threat-level rating.
The overwhelming majority of detections from those automated honeypot sensors, 40 combined reports referencing Hacking and SSH activity, consistently describe active SSH brute-force attempts and sessions in progress on expected SSH ports, alongside 2 additional reports classifying this address as an Exploited Host. The geographic origin in Sweden and the assignment to a commercial network operator rather than a consumer ISP further suggest that this infrastructure may be deliberately provisioned for hostile scanning rather than being an unknowingly compromised end-user machine. Although the 0/10 activity-frequency metric points to episodic rather than constant engagement, the volume of independent reports within a compressed February–March 2026 window establishes a persistent, deliberate pattern of automated credential-attack behaviour against SSH targets.
SSH brute-force attacks remain one of the most common initial-access vectors for threat actors, using automated tooling to cycle through username and password combinations until valid credentials are discovered. Even when individual attempts fail, the sheer volume can expose weak or default credentials, enable lateral movement within a network, or serve as a precursor to more sophisticated exploitation. The dual classification as both an active attacker and an Exploited Host indicates that automated honeypot sensors have observed this address both launching attacks and exhibiting characteristics consistent with a machine being used as an attack platform, which broadens the risk beyond a single vector.
Operators with internet-facing SSH services should treat 185.217.0.130 as an unambiguous block candidate: deny ingress from this address at the network perimeter firewall or web application firewall, and monitor for any inbound connection attempts as a leading indicator of broader scanning from the same network range. Hardening measures such as enforcing key-based authentication exclusively, relocating SSH to a non-standard port, disabling root login, and deploying dynamic threat-blocking tools like fail2ban or similar brute-force mitigation packages will substantially reduce the effectiveness of any credential-guessing campaign from this source or its peers.
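The detection logic that tools like fail2ban apply to sshd logs, written out as an added example (not part of this report and not fail2ban's own code): a sliding-window rule that flags a source once `maxretry` failed logins land inside `findtime`. The log lines are constructed for the example, with the reported address playing the attacker; the year, the hostname and the threshold values are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sshd log lines in syslog format (not taken from any real sensor).
SAMPLE_AUTH_LOG = """\
Mar 14 03:12:01 bastion sshd[2101]: Failed password for invalid user admin from 185.217.0.130 port 51822 ssh2
Mar 14 03:12:03 bastion sshd[2103]: Failed password for root from 185.217.0.130 port 51840 ssh2
Mar 14 03:12:04 bastion sshd[2105]: Failed password for invalid user oracle from 185.217.0.130 port 51851 ssh2
Mar 14 03:12:06 bastion sshd[2107]: Failed password for invalid user test from 185.217.0.130 port 51862 ssh2
Mar 14 03:12:09 bastion sshd[2109]: Failed password for root from 185.217.0.130 port 51877 ssh2
Mar 14 03:15:30 bastion sshd[2150]: Failed password for alice from 10.0.0.8 port 40112 ssh2
Mar 14 03:15:41 bastion sshd[2152]: Accepted publickey for alice from 10.0.0.8 port 40113 ssh2
"""

# Matches only failed password attempts; "invalid user" marks usernames that do not exist locally.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

def parse_failures(log_text, year=2026):
    """Yield (timestamp, username, source_ip) for each failed-password line (year is assumed)."""
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["user"], m["ip"]

def find_bruteforcers(log_text, maxretry=5, findtime=timedelta(minutes=10)):
    """Flag a source once `maxretry` failures fall within `findtime` (assumed thresholds)."""
    recent = defaultdict(deque)   # ip -> timestamps still inside the window
    attempts = defaultdict(int)   # ip -> total failed logins seen
    users = defaultdict(set)      # ip -> usernames tried (credential-spray signature)
    triggered = {}                # ip -> timestamp at which the threshold was crossed
    for ts, user, ip in parse_failures(log_text):
        attempts[ip] += 1
        users[ip].add(user)
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > findtime:   # expire failures older than the window
            q.popleft()
        if len(q) >= maxretry and ip not in triggered:
            triggered[ip] = ts
    return {ip: {"attempts": attempts[ip], "users": sorted(users[ip]), "triggered_at": ts}
            for ip, ts in triggered.items()}

if __name__ == "__main__":
    for ip, info in find_bruteforcers(SAMPLE_AUTH_LOG).items():
        print(f"block candidate {ip}: {info['attempts']} failures, users tried {info['users']}")
```

A single failed login from a legitimate host (10.0.0.8 above) never crosses the threshold, which is why the window and retry count matter more than any single event.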