So, I have a few servers on the Internet, and a couple of them have a /var/log/btmp file (the others don't, so they haven't been collecting this stuff). The btmp file collects bad login info, which can be displayed with the lastb command. Although I rate-limit SSH connections to those machines to 3 per minute before blocking the connecting IP address, they still get some of the usual SSH bf bot login attempts, so the file has grown over the last year or so. I wondered what names the Bad Guys thought might get them in. A quick bit of pipelinery (lastb | cut -f1 -d' '|sort|uniq -c|sort -nr|less) later, here's the top 20 or so names on the machines:
Machine 1 (mail gateway and squid proxy):
Machine 2 (mail gateway and web server):
OK, so it's obviously a bad idea to create accounts like admin, staff, test and sales, especially with weak passwords. And there must be a lot of Jeffs, Mikes, Johns and Tims out there.
But "fluffy"? I mean, really, who ever has a Unix account called "fluffy"? And who is this "eaguilar", who rates so highly? Not to mention "PlcmSplp" (and the lower-case variant, "plcmspip"); I guess it must have worked somewhere, once, or it wouldn't be on their list.
Looking at the log generally, it's interesting to see account names like "218-214-" (obviously derived from a reverse DNS lookup on the machine's IP address), not to mention snippets of HTML.
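As an added example (not from the original post), the same tally can be taken straight from the btmp records rather than from lastb's formatted output, which also makes it easy to list the names that are not account-shaped, such as the reverse-DNS fragments and HTML snippets mentioned above. It assumes the 384-byte Linux/glibc utmp record layout; the function names and the sample records are constructed for illustration.

```python
import re
import struct
import sys
from collections import Counter

# Assumption: 384-byte Linux/glibc utmp record layout, which btmp shares.
UTMP = struct.Struct("<h2xi32s4s32s256shhiii4i20s")
# Conventional shape of a Unix account name; anything else is reported as odd.
VALID_NAME = re.compile(r"^[a-z_][a-z0-9_-]*\$?$")

def _text(raw):
    """Decode a NUL-padded fixed-width field."""
    return raw.split(b"\0", 1)[0].decode("utf-8", "replace")

def parse_btmp(data):
    """Yield (user, host, epoch_seconds) for each complete record."""
    for off in range(0, len(data) - UTMP.size + 1, UTMP.size):
        f = UTMP.unpack_from(data, off)
        yield _text(f[4]), _text(f[5]), f[9]

def tally(data, top=20):
    """Return (top attempted names with counts, names that are not account-shaped)."""
    names = Counter(user for user, _host, _ts in parse_btmp(data))
    odd = sorted(n for n in names if not VALID_NAME.match(n))
    return names.most_common(top), odd

def _record(user, host, ts=1700000000):
    """Build one constructed record for the demo (ut_type value is arbitrary)."""
    return UTMP.pack(6, 0, b"ssh:notty", b"", user.encode(), host.encode(),
                     0, 0, 0, ts, 0, 0, 0, 0, 0, b"")

# Constructed sample: six records plus a truncated tail, as a file cut mid-write would have.
SAMPLE = b"".join(
    _record(u, "203.0.113.7")
    for u in ["admin", "admin", "test", "fluffy", "218-214-0-0.example", "<html><body>"]
) + b"\x00" * 10

if __name__ == "__main__":
    # Pass a path such as /var/log/btmp (root-readable); without one, use SAMPLE.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    common, odd = tally(data)
    for name, count in common:
        # repr() keeps control characters in attacker-supplied names off the terminal.
        print(f"{count:7d} {name!r}")
    print("not account-shaped:", odd)
```

Reading the records directly returns the whole 32-byte name field, whereas lastb from util-linux shows only the first 8 characters of each name unless it is run with -w.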