A few days ago, I wrote about different IP addresses trying to break into my servers. Today, I looked into another server to find the frequently used user names used in the SSH attempts.

• admin 36228
• test 19249
• user 17164
• ubuntu 16233
• postgres 16217
• oracle 9738
• git 8118
• ftpuser 7028
• teamspea 6560
• mysql 5650
• nagios 5599
• pi 5239
• deploy 5167
• hadoop 5011
• guest 4798
• dev 4468
• ts3 4277
• minecraf 4145
• support 3940
• ubnt 3549
• debian 3515
• demo 3489
• tomcat 3435
• vagrant 3042
• zabbix 3033
• jenkins 3027
• develope 2941
• sinusbot 2914
• user1 2898
• administ 2747
• bot 2590
• testuser 2459
• ts 2403
• apache 2391
• www 2329
• default 2293
• odoo 2168
• test2 2161
• backup 2133
• steam 2129
• 1234 2026
• server 1890
• www-data 1853
• web 1850
• centos 1796
• vnc 1783
• csgoserv 1715
• prueba 1677
• test1 1648
• a 1581
• student 1568
• csgo 1524
• weblogic 1522
• ts3bot 1521
• mc 1434
• gpadmin 1427
• redhat 1378
• alex 1375
• system 1362
• manager 1359

I never knew that admin is such important user name for Linux servers, I thought I will see root there. Also, why alex? I can understand the reason behind pi. If you want to find out the similar details, you can use the following command.

last -f /var/log/btmp