Ssh Login Attempts - Stats and Patterns

linux ssh security

Pretty much as soon as you put a server on the internet, it starts getting attacked. My webservers are no different. A while back, I took a look at what sorts of ssh login attempts are being made against it; mostly for fun, but also to see what sorts of things we're up against.

This is a new analysis based on my mid-2023 auth logs.

Ssh Security Basics

I follow some best practices for running any public server:

As this data will show, these are all very useful!

This isn't everything that I'm doing, and there's much more comprehensive lists out there - make sure you're using defense in depth!


Keeping in mind that I'm blocking bruteforce attackers, which greatly reduces the volume, here's what I saw in a 2 week period:

Most-tried logins

The login user that's attempted most often, by a wide margin, is admin. This is because it's common, but also because it's near the start of bruteforce lists and fail2ban only kicks in after a few attempts. This was attempted thousands of times in a 2 week period.

I also see some distro default users (change that username/password before connecting to a network!!):

There's also a lot of service-specific users being attempted:

It's fun to see some gaming host servers in the list:

I'm seeing a fair number of CI/CD related users too; seems like lots of folks not securing their CI properly!

There's also some default passwords assuming a particular cloud provider, but not google as far as I can tell:

And of course the usual suspects of likely-to-exist accounts:

Some usernames that seem like problems with the generation of the bruteforce lists:

Interestingly, the bruteforce list is a lot more multilingual these days:

Conclusion: Fail2ban and Key-only Auth Work

The bulk of the bruteforce users were only able to be tried a handful of times, because the attackers are mainly hitting from a small number of IP addresses, and fail2ban catches them fast. Using only ssh key auth makes sure that none of these attempts even have a chance of succeeding.