High Risk
IP 87.121.84.127 is a high-risk address associated with persistent SSH brute-force intrusion activity, assessed at an 8/10 threat level with 97% confidence based on 195 incident reports from automated honeypot sensors. The IP, registered to Vpsvault.host Ltd operating within AS215925 in the United States, has demonstrated a clear pattern of sustained authentication attacks targeting secure shell services, with additional general hacking and brute-force activity logged across the detection network during April 2026.
Detection data shows that 20 separate honeypot sensors across the network recorded interactions with this address, generating a substantial volume of abuse reports concentrated within the April 2026 timeframe. The attack pattern notes extracted from blocked sessions show escalating violation counts per incident, with individual honeypot blocks recording between 5 and 181 violations. Critically, the recidive detection flags (repeat-offender bans, as in fail2ban's recidive jail) indicate this actor repeatedly breached perimeter defenses and triggered multi-jail blocks, suggesting the source continues attempting connections despite systematic banning. The activity frequency rating of 3/10 combined with the high report count suggests infrequent but determined targeting rather than opportunistic scanning.
SSH brute-force attacks represent one of the most common initial access vectors for unauthorized server compromise, with automated tooling capable of testing thousands of credential combinations per hour against exposed authentication interfaces. The real-world risk from an IP exhibiting this behavior is unauthorized administrative access to any improperly secured Linux or network infrastructure with SSH exposed to the internet, potentially leading to data exfiltration, malware deployment, or use of the compromised host as a pivot point for further network intrusion. The persistent recidive behavior observed indicates this actor operates tooling configured to circumvent standard blocking mechanisms.
Site operators should immediately block IP 87.121.84.127 at the network perimeter firewall given its confirmed malicious status. Using key-based authentication exclusively for SSH access and disabling password-based authentication eliminates the attack vector these attempts exploit. Deploying tools such as fail2ban with aggressive recidive policies and reduced ban durations disrupts automated retry cycles. Additionally, relocating SSH to a non-standard port reduces exposure to opportunistic scanning, and enforcing multi-factor authentication for any remaining password-authenticated accounts provides a critical defense layer against credential-guessing campaigns of this nature.