Threat-intelligence feed
Brute Force
SSH Password Auth is a brute force threat-intelligence feed tracked by WhisperGraph as a FEED_SOURCE node. The Whisper Internet Directory publishes this page so security analysts and LLM agents can link to it as a stable record for SSH Password Auth.
SSH Password Auth is the DataPlane.org companion feed to SSH Client Attacks, narrowed to IPs observed completing the SSH handshake and attempting password-based authentication against honeypot SSH services. Password-auth is a stronger signal than connection-only because it requires the attacker's tooling to actually present credentials — so the feed has a higher attack-confidence than scanner-only lists. Operators deploy it as a pre-authentication deny-list and as a SIEM enrichment overlay for production SSH log analysis. It is indexed here because the DataPlane.org methodology is well-documented and reproducible, making it useful as an academic-research baseline.
FEED_SOURCE node confirmed. WhisperGraph carries this feed under the same category (Brute Force) as the editorial entry above. The graph identifier dataplane-sshpwauth matches the live f.id property.
Live indicator listings: not yet available. WhisperGraph's LISTED_IN edge is virtual and not enumerable from the feed side — there is no query-tractable way today to fetch the IPs and hostnames listed in this feed without first visiting every candidate indicator. Indicator-anchored queries work in the opposite direction (see the Cypher snippet below) and the directory's individual IP and host pages surface their feed memberships individually. Per-feed enumeration (an indicator count and sample of representative indicators) is on the roadmap.
Look up which threat feeds list a given IP — the indicator-anchored query that powers the threat card:
MATCH (ip:IPV4 {name: $ip})-[:LISTED_IN]->(f:FEED_SOURCE)
WHERE f.name = "SSH Password Auth"
WITH f
MATCH (f)-[:BELONGS_TO]->(c:CATEGORY)
RETURN f.name AS feed, c.name AS category

Verify the feed's graph-side identity directly:
MATCH (f:FEED_SOURCE {name: "SSH Password Auth"})
OPTIONAL MATCH (f)-[:BELONGS_TO]->(c:CATEGORY)
RETURN f.id AS id, f.name AS name, c.name AS category

Or query Whisper from your own LLM workflow via the Whisper MCP server.