Top 10 usernames used in SSH brute force


In continuation to yesterday's post I thought it would be interesting to know statistics of the usernames used in those bruteforce probes.Find below awk/sed script to get usernames for failed ssh login attempts and sort it for statistics and also list of the usernames I got from my server. The full list of usernames can be found at the end. The script:

awk  '/Failed password for/  '  /var/log/secure*  | sed  's/.* \([[:print:]]\+\) from .*/  \1  /g ' | sort | uniq -c | sort -n -k1

And the winners are: The table listing top 10 usernames used in real cracking attampts on SSH service

Username Number of times seen
mysql 232
info 252
postgres 317
guest 435
nagios 452
user 459
oracle 598
admin 884
test 1017
root 22058

Full list of the usernames Usernames.log