See which user accounts hackers try to access on your server the most

Everyone knows that script kiddies are constantly bombarding servers with login requests, attempting to get access to an account which you might have secured with a stupid password. I was curious to find out which accounts they were attempting to login as, and more importantly, if any of these accounts were actual accounts I knew of.

I couldn't find anything on the internets, but I was able to cobble together the following (overly) complex command:

sudo cat /var/log/auth.log | grep -oEi "Invalid user ([a-zA-Z0-9]+)" \ | colrm 1 13 | sort | uniq -c | sort -h

If you'd like an explanation, check out the command breakdown on Explain Shell.

Here are some of the more popular accounts people attempt to login as:

30 ftpuser 33 astrid 33 autumn 33 bailey 36 avalon 36 testuser 39 git 42 bezhan 42 test 45 admin 45 asuka 45 auction 45 bar 45 bella 48 bbs 54 bandit 57 bind 57 oracle 63 nagios 69 au 78 ben 87 ftp 93 bill 864 ftptest

If you know of a better way to format this command (I have a feeling the length can be cut in half) leave a comment!