Comment by encom
6 days ago
Here's an amusing thing to try on anything with SSH exposed. These log files go back a month.
# zcat -f /var/log/auth.log* | awk '/sshd/ && /Invalid user/ && $6 != "from" {print $6}' | sort | uniq -c | sort -bnr | head -n 30
5190 #redacted: my domain name
3063 admin
1891 #redacted: another domain name
931 user
724 ubuntu
287 test
268 solv
206 odoo15
200 solana
197 sol
184 ubnt
173 wialon
170 Antminer
169 guest
168 odoo17
159 oracle
157 postgres
151 git
150 support
142 ftp
135 ftpuser
120 debian
118 pi
91 nginx
85 baikal
82 docker
81 perl
74 operator
74 deploy
72 dev
Interestingly, I have a server that only has IPv6 SSH open to the outside world, and it has exactly zero that aren't me fat-fingering a password. It does have an externally visible hostname, which says to me that the bots aren't looking at hostnames for SSH, just IP(v4) addresses.
Meanwhile on my publicly available Oracle VPS...
I'm wondering what 'seekcy' is. Possibly a Chinese security product?
Googling it points to a Chinese IoT company, so I am thinking maybe they have some IoT software with known vulnerability where they have seekcy as the ssh username that is being actively scanned for.
> 118 pi
I wonder why this features so low in the list. The default user:pass combo for Raspbian/Raspberry Pi OS is pi:raspberry
https://forums.raspberrypi.com/viewtopic.php?t=151745
was pi:raspberry, but it was changed a long time ago to have no default user:pass
Wouldn't say it is low if it is within the top 20 amongst other very popular services.
I'm surprised there is no root there? In my experience this is by far the most common.
I'm almost certain SSH does not allow root login by default.
Yes, and it is disabled on my servers and I'm glad for this, because it still seems to be the most common in my logs.
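An added example, not code from any of the commenters above, that reproduces the "Invalid user" tally from the first comment and also answers the question about root. Two things the original one-liner does not handle: it picks the username by field position ($6), which only lines up for one of the two syslog timestamp formats (the classic "Jan 10 03:14:07 host sshd[pid]:" and the RFC 3339 "2024-01-10T03:14:07.000000+00:00 host sshd[pid]:" differ in field count), and it cannot see root at all, because sshd only logs "Invalid user NAME" for accounts that do not exist; a bad password for an account that does exist (root, deploy, postgres if installed) is logged as "Failed password for NAME from ...". The log lines below are constructed for the example, with addresses from the documentation ranges; the function names are my own.

```shell
#!/bin/sh
# Added example (not from the thread): count SSH guesses from auth.log lines.
# Matching the message text after "sshd[pid]:" instead of a field number works
# for both the classic and the RFC 3339 syslog timestamp formats.

# Constructed sample lines, not real logs. Addresses are from documentation ranges.
SAMPLE_LOG='Jan 10 03:14:07 vps sshd[2211]: Invalid user admin from 203.0.113.5 port 51234
Jan 10 03:14:09 vps sshd[2213]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
2024-01-10T03:15:01.123456+00:00 vps sshd[2230]: Invalid user  from 198.51.100.7 port 40011
2024-01-10T03:15:03.000000+00:00 vps sshd[2232]: Failed password for root from 198.51.100.7 port 40012 ssh2
Jan 10 03:16:00 vps sshd[2240]: Invalid user admin from 192.0.2.9 port 33000
Jan 10 03:16:02 vps sshd[2242]: Invalid user pi from 192.0.2.9 port 33001
Jan 10 03:16:05 vps sshd[2244]: Failed password for root from 192.0.2.9 port 33002 ssh2
Jan 10 03:16:07 vps sshd[2246]: Failed password for deploy from 192.0.2.10 port 33003 ssh2
Jan 10 03:17:00 vps sudo: encom : TTY=pts/0 ; PWD=/home/encom ; USER=root ; COMMAND=/usr/bin/tail /var/log/auth.log'

# Usernames that do not exist on the box: sshd logs "Invalid user NAME from ...".
# An empty username leaves "from" as the first token, so it is reported as <empty>.
# Output: "COUNT USER", most frequent first, ties broken by name (C locale).
count_invalid_users() {
    awk '/sshd\[[0-9]+\]: Invalid user / {
        sub(/.*sshd\[[0-9]+\]: Invalid user /, "")   # $0 is re-split, $1 is the name
        user = $1
        if (user == "from") user = "<empty>"
        count[user]++
    }
    END { for (u in count) print count[u], u }' | LC_ALL=C sort -k1,1nr -k2,2
}

# Accounts that DO exist (root, deploy, ...) never appear as "Invalid user";
# a wrong password for them is logged as "Failed password for NAME from ...",
# which is why root never shows up in an "Invalid user" tally.
# Lines for non-existent accounts ("for invalid user NAME") are excluded here.
count_valid_user_failures() {
    awk '/sshd\[[0-9]+\]: Failed password for / && !/Failed password for invalid user / {
        sub(/.*Failed password for /, "")
        count[$1]++
    }
    END { for (u in count) print count[u], u }' | LC_ALL=C sort -k1,1nr -k2,2
}

echo "Guessed names that are not accounts here:"
printf '%s\n' "$SAMPLE_LOG" | count_invalid_users
echo "Password failures against accounts that do exist:"
printf '%s\n' "$SAMPLE_LOG" | count_valid_user_failures
```

On a real host, feed the rotated logs in the same way as the original comment does, e.g. `zcat -f /var/log/auth.log* | count_invalid_users | head -n 30`, and run `count_valid_user_failures` over the same input to see how much of the noise is aimed at root and at whatever real accounts the box has.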