Elevated Risk
IP 87.121.84.126, registered to Vpsvault.host Ltd and operating within AS215925 in the United States, presents a high-risk threat profile with a threat level of 8 out of 10 and a confidence score of 97%, based on 259 total abuse reports submitted through automated honeypot sensors. This address was first and most recently reported in April 2026, indicating concentrated malicious activity within a narrow timeframe. The dominant threat vector is SSH brute-force attack activity, supported by secondary reports of general hacking and brute-force attempts against other services.
Community reports and honeypot telemetry consistently document repeated SSH brute-force password-guessing campaigns originating from this address. Fail2Ban sensor logs from multiple targeted systems recorded 26, 25, and 25 violations respectively attributed to sshd brute-force attempts, with an additional 5 recidive violations flagged for repeated offending across multiple detection jails. The cumulative volume of 259 reports and the persistent activity pattern point to a deliberate, automated campaign rather than opportunistic scanning. The network operator, Vpsvault.host Ltd, provides VPS infrastructure of a kind that is frequently used as ephemeral attack infrastructure, which makes attribution difficult because hosted services are transient.
SSH brute-force attacks systematically attempt username and password combinations against exposed SSH daemons, exploiting weak or default credentials to gain unauthorized server access. Successful authentication grants attackers a foothold on targeted systems, enabling data exfiltration, lateral movement within networks, cryptocurrency mining deployment, or incorporation into botnets for distributed denial-of-service campaigns. The recidive status indicates that this IP was banned repeatedly and kept returning to probe, demonstrating persistent intent despite countermeasures. Exposed SSH services on default port 22 with password-based authentication face immediate risk from this threat actor.
Site operators should block IP 87.121.84.126 at the firewall level and implement Fail2Ban to automatically ban repeated offenders after a configurable threshold of failed authentication attempts. Enforcing key-based SSH authentication exclusively, disabling root login, and changing the default SSH port significantly reduce the attack surface. Deploying multi-factor authentication on all remote access services and implementing strict account lockout policies mitigate brute-force effectiveness. Continuous monitoring of authentication logs for patterns originating from this address and neighbouring infrastructure within AS215925 is recommended to identify escalation attempts early.