Severe Risk
IP 196.251.69.107 is a maximum-threat-level address operated by CHEAPY-HOST and linked to 663 reported SSH intrusion attempts, representing a persistent credential-guessing threat to exposed Linux servers. Despite a notably low recent activity frequency score of zero out of ten, the accumulated report volume and consistent targeting of Secure Shell services establish this IP as a serious, well-documented risk in public IP reputation databases. The address originates from Seychelles and was first documented in August 2025, with the most recent automated honeypot detections occurring through November 2025.
The 663 incident reports attributed to 196.251.69.107 represent an exceptionally high volume for automated sensor detections, indicating sustained, methodical scanning behaviour rather than opportunistic burst activity. All twenty of the most recent report entries categorise the threat exclusively under SSH, confirming a narrow but determined focus on Secure Shell attack vectors. The 69% confidence score reflects that while detection sources consistently flag this address, attribution remains probabilistic rather than absolute, likely due to the IP potentially traversing proxy or network address translation infrastructure. The disconnect between the extreme 10/10 threat rating and the 0/10 recent activity frequency suggests either recent mitigation efforts against this host or a temporary lull in its active scanning operations.
SSH brute-force and dictionary attacks exploit one of the most critical infrastructure surfaces on any Linux or Unix-style server. Attackers systematically iterate through username and password combinations to compromise accounts lacking key-based authentication, potentially gaining persistent server-level access, lateral movement opportunities within networks, or a stable foothold for cryptomining and data exfiltration. The detection of this specific IP targeting SSH services across multiple honeypot sensors confirms it as part of an automated attack campaign, likely coordinated by botnet infrastructure rather than manual probing.
Administrators with exposed SSH services should immediately block 196.251.69.107 at the network perimeter firewall or via access control lists, and monitor logs for any successful authentication from this address. Hardening measures including disabling password-based authentication in favour of asymmetric cryptographic keys, moving SSH to a non-standard port, and enforcing fail2ban or similar dynamic blocklist tools with aggressive sshd jail thresholds will substantially reduce exposure. Rate-limiting incoming connections per source IP and enforcing strong passphrase policies with account lockout thresholds provide additional defence-in-depth against the credential-guessing pattern this address has demonstrated.
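As an added example that is not part of this report, the POSIX shell script below audits an sshd_config for the hardening settings just listed: password authentication disabled in favour of public keys, a non-default port, and a tight authentication retry limit. The two sample configurations are constructed inline so the script runs offline, and the MaxAuthTries limit of 3 is an assumed threshold, not a value taken from the report.

```shell
#!/bin/sh
# Added example, not part of the reputation report: audit an sshd_config for
# the hardening settings discussed above. Sample configs are constructed here;
# the MaxAuthTries threshold of 3 is an assumption for the demonstration.

# Print the effective value of a directive (lower-cased), or "unset".
# sshd takes the first occurrence of a keyword, so the first match wins;
# "key=value" syntax is normalised, comments and blank lines are skipped, and
# the scan stops at the first Match block because its settings are conditional.
sshd_get() {
    awk -v key="$2" '
        BEGIN { lk = tolower(key); v = "unset" }
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        { gsub(/=/, " "); $0 = $0 }
        tolower($1) == "match" { exit }
        tolower($1) == lk && v == "unset" { v = tolower($2) }
        END { print v }' "$1"
}

# Print one line per finding; the exit status is the number of findings (0 = clean).
audit_sshd() {
    f="$1"; n=0
    v=$(sshd_get "$f" PasswordAuthentication)
    # OpenSSH defaults PasswordAuthentication to yes, so "unset" is a finding too.
    if [ "$v" != "no" ]; then
        echo "PasswordAuthentication=$v (want: no, rely on public keys)"; n=$((n+1))
    fi
    v=$(sshd_get "$f" PubkeyAuthentication)
    if [ "$v" = "no" ]; then
        echo "PubkeyAuthentication=no (want: yes)"; n=$((n+1))
    fi
    v=$(sshd_get "$f" Port)
    if [ "$v" = "unset" ] || [ "$v" = "22" ]; then
        echo "Port=$v (default port: moving it cuts scanner noise, it is not a control)"; n=$((n+1))
    fi
    v=$(sshd_get "$f" MaxAuthTries)
    # OpenSSH defaults to 6; anything above the assumed limit of 3 is flagged.
    case "$v" in
        unset) echo "MaxAuthTries=unset (default 6, want: 3 or fewer)"; n=$((n+1)) ;;
        *) [ "$v" -le 3 ] 2>/dev/null || { echo "MaxAuthTries=$v (want: 3 or fewer)"; n=$((n+1)); } ;;
    esac
    return "$n"
}

# Constructed sample configurations (not real server files).
WEAK=$(mktemp); HARDENED=$(mktemp)
trap 'rm -f "$WEAK" "$HARDENED"' EXIT
cat >"$WEAK" <<'EOF'
# constructed sample: a stock-looking sshd_config
Port 22
PasswordAuthentication yes
MaxAuthTries 6
EOF
cat >"$HARDENED" <<'EOF'
# constructed sample: the settings the report recommends
Port 2222
PubkeyAuthentication yes
PasswordAuthentication no
MaxAuthTries 3
Match User backup
    PasswordAuthentication yes
EOF

for f in "$WEAK" "$HARDENED"; do
    echo "== auditing $f"
    if audit_sshd "$f"; then echo "no findings"; fi
done
```

Run it as-is to see three findings for the weak sample and none for the hardened one; point `audit_sshd` at `/etc/ssh/sshd_config` on a real host to check the settings the report recommends, and extend `sshd_get` with further directives if your baseline requires them.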