Extreme Threat
IP 213.209.159.159 presents a maximum threat level of 10/10 and is flagged as a high-risk address actively engaged in SSH brute-force attacks and broader hacking activity, with 2,704 abuse reports logged across automated honeypot sensors between January and April 2026. The volume and consistency of reports, combined with an activity frequency rating of 8/10, indicate this is not an isolated incident but an ongoing, sustained campaign targeting exposed SSH services worldwide.
The IP is registered to Dgn Teknoloji A.s., operating under ASN AS43260 in Germany, according to routing and registration data. Detection sources recorded 20 automated honeypot reports across three distinct threat categories: SSH brute-force attempts, general hacking activity, and, notably, three separate "Exploited Host" designations suggesting this infrastructure may itself be compromised and weaponised for further attacks. The attack patterns observed include Suricata alerts signalling SSH sessions in progress on the expected ports, followed by brute-force authentication attempts, with evidence that some of these sessions were subsequently exploited, indicating both offensive capability and potential compromise of the attacking host itself.
SSH brute-force attacks represent one of the most common and effective initial access vectors used by threat actors to gain unauthorised entry into Linux servers and network appliances. Repeated authentication attempts against exposed SSH daemons can successfully compromise weakly configured systems using default credentials or trivial passwords, enabling data exfiltration, lateral movement within networks, or deployment of secondary payloads such as cryptocurrency miners and ransomware. The "Exploited Host" classification for this IP suggests the attacking infrastructure itself may be compromised, meaning the operator of AS43260 should likely be notified of a potential security breach affecting their own network.
Site operators running publicly accessible SSH services should immediately block IP 213.209.159.159 at the firewall level and implement fail2ban or equivalent tools to automatically ban repeated authentication failures. Transition to key-based authentication exclusively, disable root login over SSH, and consider moving the service to a non-standard port to reduce surface exposure. Regular auditing of authentication logs for this IP address and similar source ranges will help identify any successful compromise attempts. If this IP has been observed connecting to internal resources, a full security review of affected systems is strongly advised.
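As an added illustration of the log-auditing and fail2ban steps above (example code, not part of this report), a small Python detector that parses sshd authentication lines, flags a source once it reaches a failure threshold inside a sliding window, and then lists any accepted login from an already-flagged source, which is the audit finding that points to a successful compromise. The log excerpt, hostname, users, ports and the other two addresses are constructed; only the reported IP comes from this page.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed auth.log excerpt: only 213.209.159.159 is the reported address; everything else is made up.
SAMPLE_AUTH_LOG = """\
Apr 12 03:14:01 web1 sshd[2201]: Failed password for invalid user admin from 213.209.159.159 port 51022 ssh2
Apr 12 03:14:03 web1 sshd[2203]: Failed password for root from 213.209.159.159 port 51030 ssh2
Apr 12 03:14:04 web1 sshd[2205]: Failed password for invalid user test from 213.209.159.159 port 51041 ssh2
Apr 12 03:14:06 web1 sshd[2207]: Failed password for root from 213.209.159.159 port 51055 ssh2
Apr 12 03:14:09 web1 sshd[2209]: Failed password for invalid user oracle from 213.209.159.159 port 51060 ssh2
Apr 12 03:14:11 web1 sshd[2211]: Accepted publickey for deploy from 203.0.113.7 port 40011 ssh2: ED25519 SHA256:constructed
Apr 12 03:15:40 web1 sshd[2230]: Accepted password for root from 213.209.159.159 port 51077 ssh2
Apr 12 03:20:00 web1 sshd[2240]: Failed password for alice from 198.51.100.5 port 33001 ssh2
"""

# Matches the outcome lines sshd writes for password and public-key logins.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\d+\.\d+\.\d+\.\d+) port \d+"
)

def parse_events(log_text, year=2026):
    """Return (timestamp, result, user, ip) tuples; syslog lines carry no year, so one is supplied."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:  # other sshd chatter (disconnects, PAM messages) is skipped
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append((ts, m["result"], m["user"], m["ip"]))
    return events

def brute_force_sources(events, maxretry=5, window=timedelta(minutes=10)):
    """fail2ban-style rule: {ip: first_flag_time} for IPs with maxretry failures inside a sliding window."""
    recent, flagged = defaultdict(deque), {}
    for ts, result, _user, ip in sorted(events):
        if result != "Failed":
            continue
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:  # drop failures that aged out of the window
            q.popleft()
        if len(q) >= maxretry and ip not in flagged:
            flagged[ip] = ts  # a firewall block would be issued at this moment
    return flagged

def successes_after_flag(events, flagged):
    """Accepted logins from an already-flagged source: the finding that indicates a guessed credential."""
    return [(ts, user, ip) for ts, result, user, ip in sorted(events)
            if result == "Accepted" and ip in flagged and ts >= flagged[ip]]
```

Against the constructed excerpt the reported IP is flagged at the fifth failure (03:14:09) and its later accepted root login is reported, while the single failure from 198.51.100.5 and the key-based login from 203.0.113.7 are not.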