A while back, when I was relatively new to running a VPS (I’m still new, but I’m less new than I was then), I was looking through my sshd logs and noticed that I was getting a ton of malicious login attempts. This initially freaked me out a bit and I wasn’t sure what to make of it.

Eventually I learned more about how to properly secure my server and in the process, I ended up having some fun with the logs. They included the usernames that the attackers were trying to log in with. Some of these names seemed strange to me so I took a closer look in order to find out which usernames were most commonly attempted.

I thought the results were pretty interesting, so I’m going to share them with you here. First, I’m going to walk you through the steps I took to find this list of commonly attempted username, but you’d can skip this and scroll to the bottom if you’d just like to see the list I found.

Finding the List of Names

The steps to find a list of invalid usernames like this are pretty simple and straightforward, but might not be clear or obvious to someone new to using unix command line tools. (They would have seemed like magic to me a few years ago!) For those that are new and curious, I’m going to walk through each step and explain how I found the list.

I run sshd under systemd, and if you run a recent version of a major Linux distribution on your server, you probably do too. You can view logs from services running under systemd using journalctl , so we can view the ssh logs with

$ journalctl -u ssh

which will show you way more than you need for this exercise.

We can filter the journalctl output to just the lines we care about (those containing the string “Invalid user”), using grep :

$ journalctl -u ssh | grep 'Invalid user' Apr 17 15 :51:33 sshd [ 28910 ] : Invalid user danny from 52 .20.58.3 port 58067 Apr 17 16 :22:48 sshd [ 29393 ] : Invalid user t7inst from 195 .133.234.67 port 48641 Apr 17 16 :42:45 sshd [ 29720 ] : Invalid user zimbra from 139 .99.122.129 port 49362 ...

Now we’re just looking at logs of login attempts with invalid usernames.

All we care about are the usernames, so let’s cut those out using cut :

$ journalctl -u ssh | grep 'Invalid user' | cut -d ' ' -f 8 danny t7inst zimbra ...

This should print out a big list of all the invalid usernames, in the order that they appear in the logs, but this list is too long, it contains a bunch of duplicates, and it’s not sorted in an order that we care about.

Fortunately for us, there are standard tools for fixing all of these problems!

First we sort the names ( sort ). Then we filter out duplicates ( uniq ) and print a count of how many times each name occurred next to each name ( -c ). Next we sort again, this time numerically rather than alphabetically ( -n ), and in reverse so that the highest numbers are at the top ( -r ). Finally, we take just the top 25 names ( head -n 25 ).

$ journalctl -u ssh | grep 'Invalid user' | cut -d ' ' -f 8 \ | sort | uniq -c | sort -nr | head -n 25 2563 admin 745 user 658 support ...

And that’s it! Just pipe the logs through a few different tools and you’ve got the list.

Results

These were the top results when I ran this on my server:

2563 admin 745 user 658 support 483 test 323 ubnt 213 guest 207 tech 202 oracle 200 operator 196 manager 158 webadmin 151 ftpuser 148 pi 105 vnc 105 naigos 100 ubuntu 97 student 94 user1 93 debian 78 administrator 74 PlcmSpIp 74 backup 72 demo 58 test1 58 mysql 53 testuser 51 shoutcast

Based on that list, my guess is that those are all default usernames for different systems that attackers have found the most success with. I haven’t talked with many other people that manage small servers for blogs and personal projects like mine to find out if these numbers are common, but I assume that they are normal for other publicly accessible servers.

Security Considerations

Looking into this frightened me at first and made me worried about the security of my server. I’ve learned more about security since then, and while I’m still far from an expert, I know enough about my system now that I’m not worried about login attempts like these.

(I’m embarrassed to say this now, but one of the first things I did after making this list the first time was grep for my actual username. I felt a bit of relief to know that no one had tried my actual username when it didn’t come up, until I realized that I would have already filtered out my username earlier with grep 'Invalid user' …facepalm.)

A couple security techniques I’m using now are not allowing password login, using Fail2Ban, and using a custom PAM module I made that texts my phone whenever someone remotely logs in to my server (I plan to write a post about this one soon).