See which user accounts hackers try to access on your server the most

Multithreaded JavaScript, O'Reilly 2021, has been published!

Everyone knows that script kiddies are constantly bombarding servers with login requests, attempting to get access to an account which you might have secured with a stupid password. I was curious to find out which accounts they were attempting to login as, and more importantly, if any of these accounts were actual accounts I knew of.

I couldn't find anything on the internets, but I was able to cobble together the following (overly) complex command:

sudo cat /var/log/auth.log | grep -oEi "Invalid user ([a-zA-Z0-9]+)" \
  | colrm 1 13 | sort | uniq -c | sort -h

If you'd like an explanation, check out the command breakdown on Explain Shell.

Here are some of the more popular accounts people attempt to login as:

30 ftpuser
33 astrid
33 autumn
33 bailey
36 avalon
36 testuser
39 git
42 bezhan
42 test
45 admin
45 asuka
45 auction
45 bar
45 bella
48 bbs
54 bandit
57 bind
57 oracle
63 nagios
69 au
78 ben
87 ftp
93 bill
864 ftptest

If you know of a better way to format this command (I have a feeling the length can be cut in half) leave a comment!

Thomas Hunter II Avatar

Thomas has contributed to dozens of enterprise Node.js services and has worked for a company dedicated to securing Node.js. He has spoken at several conferences on Node.js and JavaScript, is an O'Reilly published author, and is an organizer of NodeSchool SF.