Updated: December 2025
Top 100 Attacked SSH Usernames
Most used usernames in SSH brute force attacks. Avoid using predictable usernames.
| # | Username | Attempts | IPs |
|---|---|---|---|
| 1 | root | 5,761 | 333 |
| 2 | sol | 1,713 | 16 |
| 3 | admin | 1,178 | 203 |
| 4 | solana | 961 | 17 |
| 5 | solv | 854 | 15 |
| 6 | ubuntu | 786 | 126 |
| 7 | test | 649 | 105 |
| 8 | user | 630 | 109 |
| 9 | oracle | 506 | 60 |
| 10 | postgres | 486 | 77 |
| 11 | 345gs5662d34 | 430 | 158 |
| 12 | mysql | 382 | 57 |
| 13 | guest | 304 | 46 |
| 14 | git | 247 | 55 |
| 15 | pi | 218 | 39 |
| 16 | debian | 212 | 37 |
| 17 | hadoop | 194 | 41 |
| 18 | ftpuser | 167 | 62 |
| 19 | dev | 148 | 46 |
| 20 | es | 139 | 33 |
| 21 | node | 138 | 8 |
| 22 | deploy | 130 | 55 |
| 23 | developer | 123 | 36 |
| 24 | elastic | 113 | 32 |
| 25 | elasticsearch | 108 | 40 |
| 26 | centos | 105 | 30 |
| 27 | backup | 105 | 13 |
| 28 | dspace | 102 | 24 |
| 29 | nginx | 99 | 36 |
| 30 | www | 97 | 34 |
| 31 | docker | 94 | 30 |
| 32 | ftp | 93 | 35 |
| 33 | administrator | 90 | 19 |
| 34 | steam | 85 | 31 |
| 35 | wang | 78 | 26 |
| 36 | tom | 75 | 25 |
| 37 | odoo | 74 | 27 |
| 38 | zabbix | 73 | 27 |
| 39 | testuser | 71 | 52 |
| 40 | apache | 69 | 30 |
| 41 | newuser | 66 | 11 |
| 42 | daemon | 63 | 9 |
| 43 | user1 | 61 | 32 |
| 44 | validator | 61 | 7 |
| 45 | master | 60 | 26 |
| 46 | support | 60 | 13 |
| 47 | tomcat | 60 | 31 |
| 48 | rosa | 58 | 5 |
| 49 | sonar | 58 | 24 |
| 50 | dolphinscheduler | 58 | 22 |
| 51 | oscar | 55 | 21 |
| 52 | app | 55 | 29 |
| 53 | uftp | 53 | 27 |
| 54 | sa | 51 | 9 |
| 55 | grid | 49 | 20 |
| 56 | server | 49 | 25 |
| 57 | esuser | 49 | 22 |
| 58 | gitlab | 48 | 20 |
| 59 | ubnt | 46 | 30 |
| 60 | minecraft | 45 | 25 |
| 61 | raydium | 45 | 1 |
| 62 | deployer | 45 | 32 |
| 63 | weblogic | 43 | 28 |
| 64 | ftptest | 42 | 6 |
| 65 | ethereum | 42 | 6 |
| 66 | svn | 42 | 7 |
| 67 | demo | 42 | 30 |
| 68 | ec2-user | 40 | 27 |
| 69 | amir | 39 | 16 |
| 70 | www-data | 39 | 13 |
| 71 | jenkins | 39 | 28 |
| 72 | plex | 37 | 24 |
| 73 | nagios | 36 | 8 |
| 74 | dmdba | 36 | 16 |
| 75 | bitrix | 35 | 29 |
| 76 | flink | 35 | 25 |
| 77 | ranger | 35 | 22 |
| 78 | nexus | 35 | 23 |
| 79 | flask | 35 | 10 |
| 80 | runner | 34 | 24 |
| 81 | bot | 34 | 28 |
| 82 | vagrant | 34 | 24 |
| 83 | tools | 34 | 22 |
| 84 | gpadmin | 33 | 22 |
| 85 | user2 | 33 | 13 |
| 86 | ts | 33 | 25 |
| 87 | rancher | 32 | 21 |
| 88 | ansible | 32 | 25 |
| 89 | webmaster | 31 | 6 |
| 90 | firedancer | 31 | 3 |
| 91 | redis | 30 | 18 |
| 92 | User-Agent: Go-http-client/1.1 | 30 | 4 |
| 93 | nvidia | 30 | 20 |
| 94 | default | 29 | 24 |
| 95 | ps | 29 | 1 |
| 96 | test2 | 28 | 24 |
| 97 | mapr | 28 | 2 |
| 98 | student | 28 | 19 |
| 99 | mongodb | 28 | 11 |
| 100 | svn-cmu | 27 | 1 |
RECOMMENDATIONS
- •Disable root login via SSH
- •Use unique and unpredictable usernames
- •Implement public key authentication
- •Configure fail2ban to block IPs