Does anyone maintain lists of the most frequently guessed account names that are used by attackers brute-forcing ssh?
For your amusement, from my main server's logs over the last month (43 313 failed ssh attempts), with root not getting as far as sshd:

cas@txtproof:~$ grep -e sshd /var/log/auth* | awk ' { print $8 }' | sort | uniq -c | sort | tail -n 13
32 administrator
32 stephen
34 administration
34 sales
34 user
35 matt
35 postgres
38 mysql
42 oracle
44 guest
86 test
90 admin
These are Top 10 from lastb at my box, couple of months ago:

I would start with a web search: http://google.com/?q=common+usernames+used+in+ssh+attacks
Of particular note, this document seems to have a list that at least seems possible: http://people.clarkson.edu/~jmatthew/publications/leet08.pdf
I suppose you could look through a database of exploit scripts from security sites and compile a list, or you could probably derive them from your own logs of data and use another script to periodically check for outliers to see when they change, but you might reduce your attack surface just a little bit if you put Denyhosts on the system to block IPs automatically after a set of bad credentials (and auto-blocking what other denyhost sites have blocked periodically) and/or put sshd on another port and have your authorized users shift to that port (non-standard ports will make your automated attacks drop to practically nothing).
Don't know if you're looking for these names for a set purpose or if you're interested in reducing your script attack attempts... But it sounds like you're already getting a decent-size sample from which to get usernames from scripted attacks.
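
The idea in the answer above (derive the names from your own logs, then periodically check for changes), as an added example that is not part of the original thread. It assumes OpenSSH's usual "Invalid user" / "Failed password for" message wording; the function names, thresholds and sample log lines are made up for illustration.

```python
import re
from collections import Counter

# OpenSSH puts the rejected name at a different field position in each message
# type, so match on the message text instead of a fixed awk column.
REJECTED = re.compile(
    r"sshd\[(?P<pid>\d+)\]: (?:Failed password for (?:invalid user )?|Invalid user )"
    r"(?P<user>.*) from (?P<ip>[0-9A-Fa-f:.]+)(?: port \d+)?"
)

# Constructed sample lines (documentation-range addresses), not real log data.
SAMPLE = """\
Mar  3 10:00:01 host sshd[101]: Invalid user admin from 192.0.2.10 port 4000
Mar  3 10:00:03 host sshd[101]: Failed password for invalid user admin from 192.0.2.10 port 4000 ssh2
Mar  3 10:00:09 host sshd[102]: Failed password for postgres from 198.51.100.7 port 4100 ssh2
Mar  3 10:00:12 host sshd[103]: Invalid user test from 203.0.113.5
Mar  3 10:00:15 host sshd[104]: Invalid user admin from 192.0.2.10 port 4002
Mar  3 10:00:20 host sshd[105]: Accepted publickey for cas from 192.0.2.99 port 5000 ssh2
""".splitlines()

def count_usernames(lines):
    """Count each rejected username once per sshd pid (assumed: one pid per connection)."""
    seen, counts = set(), Counter()
    for line in lines:
        m = REJECTED.search(line)
        if m and (m["pid"], m["user"]) not in seen:
            seen.add((m["pid"], m["user"]))
            counts[m["user"]] += 1
    return counts

def changed_names(baseline, current, min_count=5, ratio=3.0):
    """Flag names absent from the baseline, or whose share of attempts grew by `ratio`."""
    base_total = sum(baseline.values()) or 1
    cur_total = sum(current.values()) or 1
    flagged = {}
    for user, n in current.items():
        if n < min_count:          # ignore names seen only a handful of times
            continue
        old = baseline.get(user, 0)
        if old == 0:
            flagged[user] = "new"
        elif n / cur_total >= ratio * (old / base_total):
            flagged[user] = "rising"
    return flagged

if __name__ == "__main__":
    for user, n in count_usernames(SAMPLE).most_common():
        print(f"{n:6d} {user}")
```

Run `count_usernames` over last month's and this month's auth logs and pass both counters to `changed_names`; on a long log where pids are reused, a repeated (pid, name) pair is counted once, so totals are a lower bound.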