A while back, when I was relatively new to running a VPS (I’m still new, but I’m less new than I was then), I was looking through my sshd logs and noticed that I was getting a ton of malicious login attempts. This initially freaked me out a bit and I wasn’t sure what to make of it.
Eventually I learned more about how to properly secure my server and in the process, I ended up having some fun with the logs. They included the usernames that the attackers were trying to log in with. Some of these names seemed strange to me so I took a closer look in order to find out which usernames were most commonly attempted.
I thought the results were pretty interesting, so I’m going to share them with you here. First, I’m going to walk you through the steps I took to find this list of commonly attempted username, but you’d can skip this and scroll to the bottom if you’d just like to see the list I found.
Finding the List of Names
The steps to find a list of invalid usernames like this are pretty simple and straightforward, but might not be clear or obvious to someone new to using unix command line tools. (They would have seemed like magic to me a few years ago!) For those that are new and curious, I’m going to walk through each step and explain how I found the list.
I run sshd under systemd,
and if you run a recent version of a major Linux distribution on your server,
you probably do too.
You can view logs from services running under systemd using journalctl,
so we can view the ssh logs with
$ journalctl -u ssh
which will show you way more than you need for this exercise.
We can filter the journalctl output to just the lines we
care about (those containing the string “Invalid user”),
using grep:
$ journalctl -u ssh | grep 'Invalid user'
Apr 17 15:51:33 sshd[28910]: Invalid user danny from 52.20.58.3 port 58067
Apr 17 16:22:48 sshd[29393]: Invalid user t7inst from 195.133.234.67 port 48641
Apr 17 16:42:45 sshd[29720]: Invalid user zimbra from 139.99.122.129 port 49362
...
Now we’re just looking at logs of login attempts with invalid usernames.
All we care about are the usernames,
so let’s cut those out using cut:
$ journalctl -u ssh | grep 'Invalid user' | cut -d ' ' -f 8
danny
t7inst
zimbra
...
This should print out a big list of all the invalid usernames, in the order that they appear in the logs, but this list is too long, it contains a bunch of duplicates, and it’s not sorted in an order that we care about.
Fortunately for us, there are standard tools for fixing all of these problems!
- First we sort the names (
sort). - Then we filter out duplicates (
uniq) and print a count of how many times each name occurred next to each name (-c). - Next we sort again,
this time numerically rather than alphabetically (
-n), and in reverse so that the highest numbers are at the top (-r). - Finally, we take just the top 25 names (
head -n 25).
$ journalctl -u ssh | grep 'Invalid user' | cut -d ' ' -f 8 \
| sort | uniq -c | sort -nr | head -n 25
2563 admin
745 user
658 support
...
And that’s it! Just pipe the logs through a few different tools and you’ve got the list.
Results
These were the top results when I ran this on my server:
2563 admin
745 user
658 support
483 test
323 ubnt
213 guest
207 tech
202 oracle
200 operator
196 manager
158 webadmin
151 ftpuser
148 pi
105 vnc
105 naigos
100 ubuntu
97 student
94 user1
93 debian
78 administrator
74 PlcmSpIp
74 backup
72 demo
58 test1
58 mysql
53 testuser
51 shoutcast
Based on that list, my guess is that those are all default usernames for different systems that attackers have found the most success with. I haven’t talked with many other people that manage small servers for blogs and personal projects like mine to find out if these numbers are common, but I assume that they are normal for other publicly accessible servers.
Security Considerations
Looking into this frightened me at first and made me worried about the security of my server. I’ve learned more about security since then, and while I’m still far from an expert, I know enough about my system now that I’m not worried about login attempts like these.
(I’m embarrassed to say this now, but
one of the first things I did after making this list the first time was
grep for my actual username.
I felt a bit of relief to know that no one had tried my actual username
when it didn’t come up,
until I realized that I would have already filtered out my username earlier
with grep 'Invalid user' …facepalm.)
A couple security techniques I’m using now are not allowing password login, using Fail2Ban, and using a custom PAM module I made that texts my phone whenever someone remotely logs in to my server (I plan to write a post about this one soon).
Looking at logs can actually be pretty fun!
This will sound pretty elementary to any experienced sysadmin,
but if you are just getting started with this kind of thing,
try playing around with journalctl
and digging through /var/log to
see if you can find anything interesting.