See which user accounts hackers try to access on your server the most

Everyone knows that script kiddies are constantly bombarding servers with login requests, attempting to get access to an account which you might have secured with a stupid password. I was curious to find out which accounts they were attempting to log in as, and more importantly, if any of these accounts were actual accounts I knew of.

I couldn't find anything on the internets, but I was able to cobble together the following (overly) complex command:

sudo cat /var/log/auth.log | grep -oEi "Invalid user ([a-zA-Z0-9]+)" \
  | colrm 1 13 | sort | uniq -c | sort -h

If you'd like an explanation, check out the command breakdown on Explain Shell.

Here are some of the more popular accounts people attempt to log in as:

30 ftpuser
33 astrid
33 autumn
33 bailey
36 avalon
36 testuser
39 git
42 bezhan
42 test
45 admin
45 asuka
45 auction
45 bar
45 bella
48 bbs
54 bandit
57 bind
57 oracle
63 nagios
69 au
78 ben
87 ftp
93 bill
864 ftptest

If you know of a better way to format this command (I have a feeling the length can be cut in half), leave a comment!
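
An added example, not part of the original post: a POSIX shell version that answers both questions above. It counts only the case-sensitive "Invalid user" line, so each attempt is tallied once (with -i the grep also matches the lowercase "invalid user" in sshd's other messages for the same attempt), keeps names containing "-" or "_", and separately tallies "Failed password for NAME" lines, which is where guesses against accounts sshd treats as valid show up. Assumptions: OpenSSH's usual syslog message formats; the function names and the sample log lines are constructed for illustration.

```shell
#!/bin/sh
# Added example (not the post's command). Assumes OpenSSH syslog messages.

# tally: one name per line on stdin -> "COUNT NAME", rarest first.
tally() {
    awk '{ k = ($0 == "") ? "(empty)" : $0; n[k]++ }
         END { for (u in n) print n[u], u }' | LC_ALL=C sort -k1,1n -k2
}

# invalid_users LOG: names sshd could not resolve to an account.
invalid_users() {
    sed -n 's/.* sshd[^ ]*: Invalid user \(.*\) from .*/\1/p' "$1" | tally
}

# valid_account_failures LOG: wrong passwords for accounts sshd accepts as valid.
# "Failed password for invalid user X" does not match: "invalid" is not followed by " from".
valid_account_failures() {
    sed -n 's/.* sshd[^ ]*: Failed password for \([^ ]*\) from .*/\1/p' "$1" | tally
}

# Constructed sample lines (documentation IP ranges), not taken from a real host.
sample_log() {
    cat <<'EOF'
Mar  3 04:11:02 web1 sshd[2101]: Invalid user ftptest from 203.0.113.7 port 40122
Mar  3 04:11:02 web1 sshd[2101]: input_userauth_request: invalid user ftptest [preauth]
Mar  3 04:11:04 web1 sshd[2101]: Failed password for invalid user ftptest from 203.0.113.7 port 40122 ssh2
Mar  3 04:11:09 web1 sshd[2104]: Invalid user ftptest from 203.0.113.7 port 40130
Mar  3 04:11:15 web1 sshd[2107]: Invalid user deploy-bot from 198.51.100.23
Mar  3 04:12:40 web1 sshd[2110]: Failed password for root from 198.51.100.23 port 51514 ssh2
Mar  3 04:12:44 web1 sshd[2110]: Failed password for root from 198.51.100.23 port 51514 ssh2
Mar  3 04:13:01 web1 sshd[2113]: Failed password for git from 203.0.113.7 port 40200 ssh2
Mar  3 04:13:05 web1 sshd[2116]: Invalid user  from 203.0.113.7 port 40210
EOF
}

# Demo: use the log given as $1 if readable, otherwise the constructed sample.
log=${1:-}; tmp=
[ -r "$log" ] || { tmp=$(mktemp); sample_log > "$tmp"; log=$tmp; }
echo "Names with no account (one count per attempt):"; invalid_users "$log"
echo "Failed passwords against real accounts:"; valid_account_failures "$log"
[ -z "$tmp" ] || rm -f "$tmp"
```

To run it against a real host, pass the log path as the first argument from a user that can read /var/log/auth.log.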

Thomas Hunter II

Thomas is the author of Advanced Microservices and is a prolific public speaker with a passion for reducing complex problems into simple language and diagrams. His career includes working at Fortune 50's in the Midwest, co-founding a successful startup, and everything in between.