Many computer users have heard of lists of bad passwords that have been pulled from hacked web sites. Today I was watching tcpdump as an SSH attack was underway and I wondered if there are some particularly bad usernames for accounts.
To find out I scanned through the /var/log/secure file for "Invalid user"
entries. The following is a list of all entries I found which were
tried 6 or more times.
-
6 - alex, amanda, angel, app, applmgr, dasusr1, david, db2admin, db2inst1, debian, jordan, joshua, lenovo, leo, lucas, monitoring, prueba, r00t, temp, vps, webadmin
-
7 - adam, cmsftp, jira, john, matt, student, tom
-
8 - ADMIN, andrew, dms, jack, odoo, support
-
9 - a, austin, info, pi, ts3, www-data
-
10 - backup, demo, dspace, jenkins,
-
11 - charles, guest, www, zabbix
-
12 - cisco, richard, ubnt, ubuntu, vnc
-
15 - tomcat, user
-
18 - deploy, ftpuser
-
19 - account
-
20 - nagios
-
23 - git
-
26 - hadoop
-
29 - postgres
-
36 - test
-
37 - oracle
-
59 - admin
-
110 - ucsd
My SSH server is not set to "PermitRootLogin" or I’m sure "root" would have been quite popular, perhaps even the most popular.
There were some weird things like 10 instances of this.
\344\344\344\344\344\344\344\344\344\344\344\344\344
I learned many things from this exercise but three stand out. First, be very careful about using certain software products (Oracle, Postgres, Hadoop, Git, Nagios, Tomcat, Cisco); they may be targeted more frequently and perhaps there’s a reason for that. Second avoid generic things like admin, test, account, user, backup, student, temp. Finally, never use your domain name for an account name (e.g. ewidgets@ewidgets.com). This machine had a ucsd.edu address.
If you want to play this game yourself and you have a Linux SSH server open to the world, this command will make the list.
grep "Invalid user " /var/log/secure | awk '{print $8}' | sort | uniq -c | sort -nUPDATE 2020-10-30
This works on modern Debian systems.
sudo grep "Invalid" /var/log/auth.log | grep -v COMMAND | cut -d' ' -f8 | sort | uniq -c | sort -n