Ssh Login Attempts - Stats and Patterns

Pretty much as soon as you put a server on the internet, it starts getting attacked. My webservers are no different. A while back, I took a look at what sorts of ssh login attempts are being made against it; mostly for fun, but also to see what sorts of things we're up against.

This is a new analysis based on my mid-2023 auth logs.

Ssh Security Basics

I follow some best practices for running any public server:

• don't expose any ports/services that you don't need to
• disable remote root login
• disable password login entirely
• run a firewall, restrict as much traffic as you can
• run software like fail2ban, to limit the effectiveness of brute-force attacks

As this data will show, these are all very useful!

This isn't everything that I'm doing, and there's much more comprehensive lists out there - make sure you're using defense in depth!

Stats

Keeping in mind that I'm blocking bruteforce attackers, which greatly reduces the volume, here's what I saw in a 2 week period:

• 1700+ unique usernames attempted
• about 100 of those were tried more than 10 times
  • (or allowed to be tried)

Most-tried logins

The login user that's attempted most often, by a wide margin, is admin. This is because it's common, but also because it's near the start of bruteforce lists and fail2ban only kicks in after a few attempts. This was attempted thousands of times in a 2 week period.

I also see some distro default users (change that username/password before connecting to a network!!):

• ubuntu
• pi
• raspberry
• debian
• ubnt (would work on a Unifi gateway console with a default password)
• centos
• redhat
• steam

There's also a lot of service-specific users being attempted:

• postgres
• ftpuser
• oracle (or this might be because of an oracle distro?)
• bitrix
• dbadmin
• mysql
• hadoop
• prometheus
• git
• odoo
• wordpress
• and many more

It's fun to see some gaming host servers in the list:

• csgoserver
• minecraft

I'm seeing a fair number of CI/CD related users too; seems like lots of folks not securing their CI properly!

• jenkins
• bitrise
• ansible
• vagrant
• docker
• rancher

There's also some default passwords assuming a particular cloud provider, but not google as far as I can tell:

• azuredevops
• amazon

And of course the usual suspects of likely-to-exist accounts:

• user
• test
• user2
• guest

Some usernames that seem like problems with the generation of the bruteforce lists:

• error
• unknown
• .syslog

Interestingly, the bruteforce list is a lot more multilingual these days:

• administracion
• contador
• contabilidad
• biblioteca

Conclusion: Fail2ban and Key-only Auth Work

The bulk of the bruteforce users were only able to be tried a handful of times, because the attackers are mainly hitting from a small number of IP addresses, and fail2ban catches them fast. Using only ssh key auth makes sure that none of these attempts even have a chance of succeeding.