Updated: February 2026
Top 100 Attacked SSH Usernames
Most used usernames in SSH brute force attacks. Avoid using predictable usernames.
| # | Username | Attempts | IPs |
|---|---|---|---|
| 1 | root | 5905 | 671 |
| 2 | sol | 2019 | 31 |
| 3 | ubuntu | 1698 | 307 |
| 4 | solana | 1665 | 31 |
| 5 | admin | 1236 | 321 |
| 6 | odoo16 | 896 | 7 |
| 7 | 345gs5662d34 | 856 | 515 |
| 8 | user | 669 | 72 |
| 9 | solv | 656 | 18 |
| 10 | n8n | 390 | 184 |
| 11 | exx | 312 | 183 |
| 12 | socks | 284 | 211 |
| 13 | postgres | 234 | 32 |
| 14 | test | 229 | 46 |
| 15 | claude | 200 | 163 |
| 16 | validator | 196 | 16 |
| 17 | cheeki | 178 | 121 |
| 18 | supervisor | 170 | 9 |
| 19 | guest | 157 | 27 |
| 20 | node | 154 | 20 |
| 21 | ftpuser | 136 | 27 |
| 22 | git | 120 | 74 |
| 23 | pi | 117 | 16 |
| 24 | ftp | 109 | 17 |
| 25 | minoxidil4you | 101 | 21 |
| 26 | oracle | 98 | 26 |
| 27 | elemental | 95 | 67 |
| 28 | firedancer | 86 | 8 |
| 29 | deploy | 85 | 17 |
| 30 | support | 80 | 19 |
| 31 | bot | 73 | 24 |
| 32 | raydium | 71 | 6 |
| 33 | mysql | 70 | 20 |
| 34 | centos | 67 | 14 |
| 35 | ethereum | 66 | 11 |
| 36 | ubnt | 63 | 15 |
| 37 | lighthouse | 62 | 3 |
| 38 | trader | 60 | 10 |
| 39 | trading | 56 | 5 |
| 40 | solnode | 54 | 1 |
| 41 | jenkins | 51 | 22 |
| 42 | anonymous | 51 | 17 |
| 43 | deployer | 50 | 19 |
| 44 | slv | 48 | 1 |
| 45 | a | 47 | 17 |
| 46 | mapr | 47 | 3 |
| 47 | debian | 46 | 28 |
| 48 | operator | 46 | 11 |
| 49 | ali | 44 | 27 |
| 50 | student | 44 | 14 |
| 51 | sa | 44 | 7 |
| 52 | odoo | 44 | 15 |
| 53 | alex | 43 | 17 |
| 54 | ec2-user | 43 | 9 |
| 55 | steam | 43 | 18 |
| 56 | ps | 42 | 4 |
| 57 | www | 42 | 12 |
| 58 | system | 41 | 12 |
| 59 | nginx | 41 | 5 |
| 60 | admin1 | 41 | 10 |
| 61 | user1 | 40 | 21 |
| 62 | demo | 37 | 19 |
| 63 | minima | 37 | 6 |
| 64 | 3d | 36 | 3 |
| 65 | testuser | 36 | 18 |
| 66 | dev | 35 | 15 |
| 67 | jibs | 35 | 3 |
| 68 | banx | 35 | 2 |
| 69 | kafka | 34 | 7 |
| 70 | minecraft | 33 | 9 |
| 71 | devuser | 32 | 24 |
| 72 | ops | 30 | 8 |
| 73 | latitude | 30 | 2 |
| 74 | eth | 29 | 5 |
| 75 | es | 29 | 10 |
| 76 | Admin | 28 | 5 |
| 77 | gitlab-runner | 28 | 21 |
| 78 | aaa | 28 | 9 |
| 79 | sammy | 28 | 23 |
| 80 | web | 28 | 12 |
| 81 | helius | 27 | 1 |
| 82 | solscript | 27 | 1 |
| 83 | username | 27 | 23 |
| 84 | ftptest | 27 | 16 |
| 85 | soldev | 27 | 1 |
| 86 | botuser | 26 | 17 |
| 87 | soltech | 26 | 1 |
| 88 | frappe | 26 | 23 |
| 89 | jito | 26 | 4 |
| 90 | tunnel | 24 | 19 |
| 91 | cexadmin | 24 | 1 |
| 92 | psadmin | 24 | 2 |
| 93 | cexuser | 24 | 1 |
| 94 | testing | 24 | 20 |
| 95 | opadmin | 24 | 2 |
| 96 | operation | 24 | 2 |
| 97 | ts | 22 | 13 |
| 98 | sftpuser | 22 | 18 |
| 99 | tomcat | 22 | 5 |
| 100 | ftpadmin | 22 | 15 |
RECOMMENDATIONS
- •Disable root login via SSH
- •Use unique and unpredictable usernames
- •Implement public key authentication
- •Configure fail2ban to block IPs