Updated: décembre 2025
Top 100 Attacked SSH Usernames
Most used usernames in SSH brute force attacks. Avoid using predictable usernames.
| # | Username | Attempts | IPs |
|---|---|---|---|
| 1 | root | 5,919 | 355 |
| 2 | sol | 1,724 | 17 |
| 3 | admin | 1,085 | 185 |
| 4 | solana | 983 | 18 |
| 5 | ubuntu | 848 | 154 |
| 6 | solv | 842 | 15 |
| 7 | user | 597 | 110 |
| 8 | test | 586 | 108 |
| 9 | 345gs5662d34 | 520 | 183 |
| 10 | oracle | 490 | 52 |
| 11 | postgres | 440 | 77 |
| 12 | mysql | 344 | 50 |
| 13 | guest | 317 | 44 |
| 14 | debian | 242 | 43 |
| 15 | git | 238 | 49 |
| 16 | hadoop | 208 | 41 |
| 17 | pi | 182 | 35 |
| 18 | ftpuser | 174 | 66 |
| 19 | dev | 169 | 55 |
| 20 | es | 165 | 46 |
| 21 | developer | 156 | 41 |
| 22 | node | 145 | 9 |
| 23 | backup | 128 | 14 |
| 24 | elastic | 127 | 33 |
| 25 | docker | 122 | 32 |
| 26 | dspace | 121 | 23 |
| 27 | elasticsearch | 120 | 43 |
| 28 | deploy | 119 | 51 |
| 29 | zabbix | 95 | 27 |
| 30 | centos | 95 | 29 |
| 31 | www | 93 | 33 |
| 32 | steam | 92 | 42 |
| 33 | administrator | 91 | 19 |
| 34 | ftp | 89 | 29 |
| 35 | master | 81 | 28 |
| 36 | nginx | 80 | 34 |
| 37 | odoo | 79 | 35 |
| 38 | tomcat | 72 | 30 |
| 39 | daemon | 72 | 9 |
| 40 | testuser | 70 | 54 |
| 41 | wang | 70 | 22 |
| 42 | tom | 68 | 23 |
| 43 | newuser | 65 | 10 |
| 44 | ftptest | 65 | 8 |
| 45 | validator | 63 | 8 |
| 46 | apache | 61 | 27 |
| 47 | jenkins | 60 | 33 |
| 48 | app | 60 | 35 |
| 49 | user1 | 56 | 32 |
| 50 | rosa | 54 | 4 |
| 51 | support | 54 | 12 |
| 52 | dolphinscheduler | 52 | 22 |
| 53 | sa | 51 | 8 |
| 54 | nagios | 51 | 8 |
| 55 | sonar | 51 | 23 |
| 56 | grid | 50 | 21 |
| 57 | oscar | 49 | 21 |
| 58 | raydium | 49 | 1 |
| 59 | minecraft | 48 | 30 |
| 60 | ansible | 47 | 29 |
| 61 | ubnt | 47 | 27 |
| 62 | server | 46 | 23 |
| 63 | gitlab | 45 | 26 |
| 64 | ethereum | 44 | 6 |
| 65 | uftp | 44 | 24 |
| 66 | bot | 43 | 37 |
| 67 | operator | 42 | 6 |
| 68 | esuser | 42 | 22 |
| 69 | deployer | 41 | 31 |
| 70 | ec2-user | 40 | 27 |
| 71 | svn | 40 | 7 |
| 72 | runner | 40 | 31 |
| 73 | amir | 39 | 18 |
| 74 | www-data | 39 | 13 |
| 75 | weblogic | 37 | 26 |
| 76 | bitrix | 36 | 30 |
| 77 | test1 | 36 | 12 |
| 78 | demo | 34 | 26 |
| 79 | dmdba | 33 | 14 |
| 80 | user2 | 33 | 14 |
| 81 | firedancer | 32 | 4 |
| 82 | gpadmin | 31 | 22 |
| 83 | nexus | 31 | 23 |
| 84 | flink | 31 | 25 |
| 85 | tools | 31 | 22 |
| 86 | ranger | 31 | 22 |
| 87 | User-Agent: Go-http-client/1.1 | 30 | 4 |
| 88 | student | 29 | 21 |
| 89 | redis | 29 | 18 |
| 90 | webmaster | 29 | 6 |
| 91 | mapr | 28 | 2 |
| 92 | ps | 28 | 1 |
| 93 | trader | 28 | 3 |
| 94 | svn-cmu | 28 | 1 |
| 95 | test2 | 28 | 25 |
| 96 | nvidia | 27 | 19 |
| 97 | rancher | 27 | 19 |
| 98 | gerrit | 27 | 3 |
| 99 | default | 26 | 22 |
| 100 | cmu | 26 | 1 |
RECOMMENDATIONS
- •Disable root login via SSH
- •Use unique and unpredictable usernames
- •Implement public key authentication
- •Configure fail2ban to block IPs