The Top 15 Account Names Used For Malicious SSH Login Attempts

As many of you are aware, HexHound recently moved to new hosting. It comes as no surprise that there are bad actors out there with nothing better to do than attempt to compromise the server; what is surprising to me is the frequency of the malicious login attempts, especially considering a warning banner is posted. Thankfully I did harden this server prior to publishing it to the web, and the banner doesn’t lie – logging is set up and I do report malicious IPs.

[Image: the SSH login warning banner displayed on the server]

One step I didn’t take while hardening the server is moving SSH to an alternate port. I have several reasons for this:

  1. I don’t believe in security through obscurity.
  2. There are security risks to moving a service to a high port, as ports above 1023 are not privileged in Linux, so any unprivileged local process can bind one if the service is not listening.
  3. Applications sometimes misbehave when a service is running on an unexpected port.
  4. It is hard to remember the port number.

Nevertheless, I have addressed the situation, as the activity I have observed is simply obnoxious. The results below are, in some ways, due to this system functioning as an unintentional honeypot, and were largely collected during the period of 2/15/2015-2/24/2015.

The Top 15 Observed Account Names

| Place | Account Name | Number of Login Attempts |
|---|---|---|
| 1 | root | 26899 |
| 2 | user | 5011 |
| 3 | test | 478 |
| 4 | nagios | 456 |
| 5 | git | 380 |
| 6 | zabbix | 301 |
| 7 | teamspeak | 266 |
| 8 | oracle | 251 |
| 9 | minecraft | 243 |
| 10 | postgres | 217 |
| 11 | apache | 208 |
| 12 | developer | 207 |
| 13 | ts / tomcat (tie) | 201 |
| 15 | jenkins | 183 |

Clearly root is by far and away the winner here. What’s really interesting is how this compares to the results compiled by Symantec.

Here’s Symantec’s list, with my place numbers listed next to theirs. I have extended my place numbers beyond 15 for more insight.

| Place | Account Name | Number of Login Attempts | HexHound Place |
|---|---|---|---|
| 1 | root | 1049 | 1 |
| 2 | admin | 97 | 34 |
| 3 | test | 87 | 3 |
| 4 | guest | 40 | 17 |
| 5 | mysql | 31 | 59 |
| 6 | info | 30 | 36 |
| 7 | oracle | 27 | 8 |
| 8 | postgres | 27 | 10 |
| 9 | testing | 27 | 187 |
| 10 | webmaster | 27 | 166 |
| 11 | paul | 25 | |
| 12 | web | 24 | 85 |
| 13 | user | 23 | 2 |
| 14 | tester | 22 | 188 |
| 15 | pgsql | 21 | |

Key Takeaways

Again, it is no surprise that “root” is number one on both lists. Always, ALWAYS disable root login over SSH. If an adversary gets root access, it is game over, as root is the all-powerful user on *nix-based systems. Even worse, actions taken by root are often not logged. This is one of the reasons to invoke “sudo” for privilege escalation – all those commands are logged! If possible, logs should be forwarded to another protected server so that even if the target server were compromised, you will know exactly what commands were run.

Default and developer test accounts should also be closely monitored. It is no accident that “user” and “test” (along with every variation you can think of) appear on both lists. While these accounts are not likely to be privileged accounts, gaining access to one is an important step towards compromise and should be taken seriously. It is also clear that the adversaries are searching for default accounts associated with common services, such as “oracle”, “mysql”, “pgsql”, and “postgres”, which are all common databases; my server in particular appears to have a lot of attackers looking for gaming services such as “teamspeak” and “minecraft”. The internet is a dangerous place; be careful!
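A tally like the ones above can be produced straight from sshd’s auth log, and the same pass can flag attempts against root and the default service accounts you want to keep an eye on. This is an added example, not the script used for the numbers on this page; the log lines are constructed samples in standard OpenSSH “Failed password” format, and the watch list is assumed from the accounts discussed above.

```python
import re
from collections import Counter

# Constructed sample of OpenSSH auth.log lines (not real captured data).
SAMPLE_LOG = """\
Feb 15 03:12:01 web sshd[2201]: Failed password for root from 203.0.113.5 port 51234 ssh2
Feb 15 03:12:03 web sshd[2201]: Failed password for root from 203.0.113.5 port 51234 ssh2
Feb 15 03:12:09 web sshd[2204]: Invalid user test from 198.51.100.7
Feb 15 03:12:09 web sshd[2204]: Failed password for invalid user test from 198.51.100.7 port 40022 ssh2
Feb 15 03:13:40 web sshd[2210]: Failed password for invalid user nagios from 198.51.100.7 port 40031 ssh2
Feb 15 03:14:02 web sshd[2215]: Accepted publickey for deploy from 192.0.2.10 port 52000 ssh2: RSA SHA256:abc
Feb 15 03:15:11 web sshd[2220]: Failed password for root from 198.51.100.7 port 40050 ssh2
"""

# Matches both "Failed password for root from ..." and
# "Failed password for invalid user test from ..." (non-existent account).
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)"
)

# Assumed watch list: root plus the default/test/service names seen on both lists above.
WATCHLIST = {"root", "user", "test", "admin", "guest", "oracle", "mysql", "pgsql",
             "postgres", "nagios", "zabbix", "teamspeak", "minecraft", "tomcat", "jenkins"}


def tally_failed_logins(log_text):
    """Count failed SSH password attempts per account name and per source IP."""
    by_user, by_ip = Counter(), Counter()
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:  # successful logins and "Invalid user" notices are skipped
            by_user[m.group("user")] += 1
            by_ip[m.group("ip")] += 1
    return by_user, by_ip


def top_accounts(log_text, n=15):
    """Return the n most-attempted account names as (name, count) pairs, most first."""
    by_user, _ = tally_failed_logins(log_text)
    return by_user.most_common(n)


def watched_hits(log_text):
    """Return only the attempted names that appear on the watch list, with counts."""
    by_user, _ = tally_failed_logins(log_text)
    return {name: count for name, count in by_user.items() if name in WATCHLIST}


if __name__ == "__main__":
    for place, (name, count) in enumerate(top_accounts(SAMPLE_LOG), 1):
        print(f"{place:>2}  {name:<12} {count}")
    print("watched:", watched_hits(SAMPLE_LOG))
```

On a real host, feed it the contents of /var/log/auth.log (or the journal output for sshd) instead of the sample; the per-IP counter is the input you would use when reporting or blocking a source.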