Logging & Top 20 Default Username Attempts

ssh login graph It’s true to say that default or weak passwords remain a significant cause of compromise and data loss for many organisations. For years, lists of default usernames and passwords have been widely available (and indeed are a useful resource for penetration testers as well as the less ethically motivated).

Whilst it’s great to focus on weak passwords, let’s not forget that a weak password usually needs a corresponding username to make it useful to the attacker.

This is why the logging of invalid access attempts is useful not just from a compliance perspective, but can also provide valuable insight in to which accounts are being targeted in the wild. If you can see an account access attempt in your log that isn’t covered by your strong password policy, be prepared to act promptly to remediate.

To illustrate this point, we’ve taken sample log data from our own systems. Specifically, invalid login attempts against one of our Secure Shell (SSH) services from the end of January 2013 to date. In all we logged 12,317 unsuccessful attempts using 1331 user names.

The graph (click image to enlarge) we’ve included shows the top 20 most popular usernames attempted during that period, which were:

oracle,test,mysql,support,tomcat,user,www,guest,upload,test2,tester,test1, testing,ftpuser,postgres,nagios,info,anna,cyrus,web

The findings from our small sample show that whilst the most popular targets remain the generic service accounts such as “oracle”, “tomcat”, “ftpuser” and so on, the targets are by no means all generic. Further down our list there are many end-user names, such as “mark”, “lauren” and “steven”.

In summary, logging can provide you with insight that extends beyond confirming who’s logging on to your system. A record of invalid access attempts provides a valuable additional checklist to confirm the coverage of your strong password policy.

You can download our complete anonymous data set here.



Leave a Reply