Threat-intelligence feed

SSH Client Attacks

Brute ForceLast verified 2026-05-09Page fetched Thu, 21 May 2026 14:38:44 GMT

SSH Client Attacks is a brute force threat-intelligence feed tracked by WhisperGraph as a FEED_SOURCE node. The Whisper Internet Directory publishes this page so security analysts and LLM agents can link to it as a stable record for SSH Client Attacks.

What is SSH Client Attacks

SSH Client Attacks is a feed of IP addresses observed by the DataPlane.org passive-sensor network as making client-initiated SSH connections to honeypots configured to look like attractive targets. Because the sensors do not advertise SSH services to legitimate clients, a connection from any IP is by definition either a scan or a brute-force attempt. The feed is most useful as a pre-authentication deny-list for production SSH gateways: blocking IPs that DataPlane has already seen scanning shaves off the loudest portion of attack traffic without complex log analysis. It is indexed here as a passive-sensor-grounded SSH-abuse reference.

Feed metadata

Display name: SSH Client Attacks
URL slug: ssh-client-attacks
Graph identifier: dataplane-sshclient
Category: Brute Force
Refresh cadence: hourly
Source: dataplane.org

Live graph data

FEED_SOURCE node confirmed. WhisperGraph carries this feed under the same category (Brute Force) as the editorial entry above. The graph identifier dataplane-sshclient matches the live f.id property.

Indicators currently listed

Live indicator listings: not yet available. WhisperGraph's LISTED_INedge is virtual and not enumerable from the feed side — there is no query-tractable way today to fetch the IPs and hostnames listed in this feed without first visiting every candidate indicator. Indicator-anchored queries work in the opposite direction (see the Cypher snippet below) and the directory's individual IP and host pages surface their feed memberships individually. Per-feed enumeration (an indicator count and sample of representative indicators) is on the roadmap.

Cypher and MCP

Look up which threat feeds list a given IP — the indicator-anchored query that powers the threat card:

MATCH (ip:IPV4 {name: $ip})-[:LISTED_IN]->(f:FEED_SOURCE)
WHERE f.name = "SSH Client Attacks"
WITH f
MATCH (f)-[:BELONGS_TO]->(c:CATEGORY)
RETURN f.name AS feed, c.name AS category

Verify the feed's graph-side identity directly:

MATCH (f:FEED_SOURCE {name: "SSH Client Attacks"})
OPTIONAL MATCH (f)-[:BELONGS_TO]->(c:CATEGORY)
RETURN f.id AS id, f.name AS name, c.name AS category

Or query Whisper from your own LLM workflow via the Whisper MCP server.

Pivot from SSH Client Attacks into adjacent entities.

What is SSH Client Attacks

Indicators currently listed

Cypher and MCP

Look up which threat feeds list a given IP — the indicator-anchored query that powers the threat card:

MATCH (ip:IPV4 {name: $ip})-[:LISTED_IN]->(f:FEED_SOURCE) WHERE f.name = "SSH Client Attacks" WITH f MATCH (f)-[:BELONGS_TO]->(c:CATEGORY) RETURN f.name AS feed, c.name AS category

Verify the feed's graph-side identity directly:

MATCH (f:FEED_SOURCE {name: "SSH Client Attacks"}) OPTIONAL MATCH (f)-[:BELONGS_TO]->(c:CATEGORY) RETURN f.id AS id, f.name AS name, c.name AS category

Or query Whisper from your own LLM workflow via the Whisper MCP server.

SSH Client Attacks

What is SSH Client Attacks

Feed metadata

Live graph data

Indicators currently listed

Cypher and MCP

Related pages

SSH Client Attacks

What is SSH Client Attacks

Feed metadata

Live graph data

Indicators currently listed

Cypher and MCP

Related pages