Top 10 usernames used in SSH brute force


As a follow-up to yesterday's post, I thought it would be interesting to see statistics on the usernames used in those brute-force probes. Below is an awk/sed script that extracts the usernames from failed SSH login attempts logged by the OpenSSH daemon and sorts them by frequency. I have also attached the list of usernames I got from my server; the full list can be found at the end.

The script:

awk '/Failed password for/' /var/log/secure* | sed 's/.* \([[:print:]]\+\) from .*/\1/g' | sort | uniq -c | sort -n -k1
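A more defensive variant of the one-liner above, as an added example that is not from the original post: it anchors on sshd's fixed " from <addr> port <n>" trailer, so names containing spaces stay whole, and it separates names sshd flagged as "invalid user" from the rest. The function names ssh_failed_users and sample_log and the sample log lines are constructed for illustration.

```sh
#!/bin/sh
# Added example: per-username counts of sshd "Failed password" lines on stdin.
# Output lines: "<count> <valid|invalid> <username>", ascending by count.
ssh_failed_users() {
    awk '
    /sshd\[[0-9]+\]: Failed password for / {
        marker = ": Failed password for "
        # Keep only the text after the first marker (username + sshd trailer).
        rest = substr($0, index($0, marker) + length(marker))
        # sshd prefixes names it does not accept as accounts with "invalid user";
        # "valid" here only means sshd did not add that flag.
        kind = "valid"
        if (sub(/^invalid user /, "", rest)) kind = "invalid"
        # Strip the fixed trailer anchored at end of line, so a supplied name
        # containing spaces or " from " is kept whole instead of truncated.
        if (!sub(/ from [^ ]+ port [0-9]+( ssh2)?$/, "", rest)) next
        count[kind " " rest]++
    }
    END { for (k in count) print count[k], k }
    ' | LC_ALL=C sort -n -k1,1
}

# Constructed sample lines (documentation addresses, not real log data).
sample_log() {
    cat <<'EOF'
Mar  3 04:12:01 host sshd[2211]: Failed password for root from 203.0.113.5 port 51234 ssh2
Mar  3 04:12:03 host sshd[2211]: Failed password for root from 203.0.113.5 port 51234 ssh2
Mar  3 04:12:09 host sshd[2215]: Failed password for invalid user admin from 198.51.100.7 port 40022 ssh2
Mar  3 04:12:15 host sshd[2219]: Failed password for invalid user test from 198.51.100.7 port 40030 ssh2
Mar  3 04:12:18 host sshd[2219]: Failed password for invalid user test from 198.51.100.7 port 40030 ssh2
Mar  3 04:12:20 host sshd[2219]: Failed password for invalid user test from 198.51.100.7 port 40030 ssh2
Mar  3 04:12:31 host sshd[2230]: Failed password for invalid user a from b from 198.51.100.7 port 40041 ssh2
Mar  3 04:13:00 host sshd[2240]: Accepted password for deploy from 192.0.2.10 port 50000 ssh2
EOF
}

# Stand-alone run on the sample; on a server: cat /var/log/secure* | ssh_failed_users
sample_log | ssh_failed_users
```

Failed passwords for names without the "invalid" flag are the ones worth reviewing first, since the guess targeted an account the server accepts.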

And the winners are. The table below lists the top 10 usernames used in real cracking attempts on the SSH service:

Username Number of times seen
mysql 232
info 252
postgres 317
guest 435
nagios 452
user 459
oracle 598
admin 884
test 1017
root 22058

Full list of the usernames: Usernames.log
