ThreadStates

A Study of SSH Brute Force Attacks

I found an interesting study of the passwords and methods used in brute-force SSH attacks. Researchers at Clarkson University set up three SSH honeypots in different environments: small business, residential, and university. The honeypots all ran OpenSSH on port 22. The server daemon was modified to collect all passwords attempted on the system. These machines were active from late July 2007 through February 2008.

Usernames
The results showed that attacks often target common usernames, with root being the most common, giving credence to the recommendation of not allowing root to log in remotely. Other commonly attempted usernames include admin, test, guest, user, and several database accounts such as oracle, postgres, and mysql.
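
The same username tally can be run against your own sshd logs to see which accounts are being targeted and which sources are sweeping through a username list. This Python is an added example, not code from the study or from this post; the log lines are constructed, and the function names and the sweep threshold are assumptions.

```python
import re
from collections import Counter, defaultdict

# Failed-password lines as OpenSSH writes them to syslog:
#   Failed password for root from 203.0.113.7 port 40022 ssh2
#   Failed password for invalid user oracle from 203.0.113.7 port 40031 ssh2
# The username is remote-supplied text, so it is matched greedily and the
# "from <addr> port <n>" part is anchored to the end of the line.
FAILED = re.compile(
    r"Failed password for (?P<invalid>invalid user )?(?P<user>.*)"
    r" from (?P<src>\S+) port \d+(?: ssh2)?\s*$"
)

# Constructed sample (documentation address ranges), not data from the study.
SAMPLE_LOG = """\
Jul 28 03:14:01 hp1 sshd[2101]: Failed password for root from 203.0.113.7 port 40022 ssh2
Jul 28 03:14:03 hp1 sshd[2103]: Failed password for root from 203.0.113.7 port 40025 ssh2
Jul 28 03:14:05 hp1 sshd[2105]: Failed password for invalid user admin from 203.0.113.7 port 40028 ssh2
Jul 28 03:14:07 hp1 sshd[2107]: Failed password for invalid user oracle from 203.0.113.7 port 40031 ssh2
Jul 28 04:02:11 hp1 sshd[2240]: Failed password for invalid user test from 198.51.100.20 port 51514 ssh2
Jul 28 04:02:13 hp1 sshd[2242]: Failed password for root from 198.51.100.20 port 51517 ssh2
Jul 28 08:30:00 hp1 sshd[2301]: Accepted password for alice from 192.0.2.10 port 60100 ssh2
Jul 28 09:45:12 hp1 sshd[2410]: Failed password for invalid user mysql from 203.0.113.7 port 40100 ssh2
"""

def parse_failures(log_text):
    """Yield (username, source, is_invalid_user) for each failed attempt."""
    for line in log_text.splitlines():
        m = FAILED.search(line)
        if m:
            yield m["user"], m["src"], bool(m["invalid"])

def summarize(log_text, sweep_threshold=3):
    """Tally targeted usernames and flag sources trying many different ones."""
    users = Counter()
    per_source = defaultdict(set)
    for user, src, _invalid in parse_failures(log_text):
        users[user] += 1
        per_source[src].add(user)
    sweepers = sorted(s for s, names in per_source.items()
                      if len(names) >= sweep_threshold)
    return {"top_users": users.most_common(5),
            "root_attempts": users["root"],
            "sweeping_sources": sweepers}

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

A stock sshd does not log the attempted password (the study's daemon was modified to do that), so this only covers the username side of the findings.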

Passwords
By far the most common password used by the attackers was simply the username, e.g. root/root or user/user. Other common passwords attempted include 123456 and password. The researchers found a high degree of commonality among different attacks and surmised that there are at least five common username/password attack dictionaries in use among attackers.

The research gives a current (Summer 2008) look at brute-force attacks on SSH servers on the Internet. For more, read the original paper (pdf).