Distribution of Invalid Users on an SSH Server
Rasmus, Kai; Kokkonen, Tero; Hämäläinen, Timo (2024)
Becomes publicly available: 16.05.2025
Editors
Rocha, Álvaro
Adeli, Hojjat
Dzemyda, Gintautas
Moreira, Fernando
Poniszewska-Marańda, Aneta
Springer Nature
2024
The permanent address of this publication is
https://urn.fi/URN:NBN:fi-fe2024061854394
Abstract
The Secure Shell (SSH) server on a Unix-like system is a viable way for users to log in and execute programs on the system remotely. Remote access is something that hackers also want to achieve, making SSH servers a target for attack. A quantitative study was made of the distribution of usernames and IP addresses in failed login usernames on a publicly available SSH server. The failed logins and IP addresses were ranked according to the number of occurrences, producing a distribution. The results indicated that the elements approximately followed a distribution with an inverse relationship to the rank of the element, similar to what is known as Zipf’s law. An important consequence of Zipf’s law is that 20% of elements are responsible for 80% of consequences, which means that by blocking 20% of the failed login usernames or IP addresses, 80% or more of the failed logins are also blocked. This was found to be true for a real-world scenario. Some topics were identified for further research.
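The ranking described in the abstract can be reproduced on a server's own logs. The following is an added example, not code from the paper: it counts sshd "Invalid user" events per username and source IP, measures how much of the total the top 20% of ranked elements account for, and fits the log-log rank slope (about -1 under Zipf's law). The sample lines are constructed, use documentation-range addresses, and are not the study's data.

```python
import math
import re
from collections import Counter

# sshd logs rejected unknown accounts as "Invalid user <name> from <ip> port <n>".
INVALID_USER = re.compile(r"Invalid user (\S+) from (\S+) port \d+")

def parse(lines):
    """Return (username Counter, source-IP Counter) for invalid-user events."""
    users, ips = Counter(), Counter()
    for line in lines:
        m = INVALID_USER.search(line)
        if m:
            users[m.group(1)] += 1
            ips[m.group(2)] += 1
    return users, ips

def top_share(counter, fraction=0.2):
    """Share of all events produced by the top `fraction` of ranked elements."""
    ranked = [n for _, n in counter.most_common()]
    if not ranked:
        return 0.0
    k = max(1, math.ceil(fraction * len(ranked)))
    return sum(ranked[:k]) / sum(ranked)

def zipf_slope(counter):
    """Least-squares slope of log(count) vs log(rank); about -1 for Zipf's law."""
    ranked = [n for _, n in counter.most_common()]
    if len(ranked) < 2:
        return float("nan")
    xs = [math.log(r) for r in range(1, len(ranked) + 1)]
    ys = [math.log(n) for n in ranked]
    mx, my = sum(xs) / len(xs), sum(ys) / len(ys)
    return sum((x - mx) * (y - my) for x, y in zip(xs, ys)) / sum((x - mx) ** 2 for x in xs)

# Constructed sample: 10 usernames with counts 120 // rank, spread over 5 example IPs.
NAMES = ["admin", "test", "user", "oracle", "ubuntu", "guest", "postgres", "git", "ftp", "pi"]
SAMPLE = [
    f"sshd[1000]: Invalid user {name} from 203.0.113.{1 + (i % 5)} port 40000"
    for rank, name in enumerate(NAMES, start=1)
    for i in range(120 // rank)
]

if __name__ == "__main__":
    users, ips = parse(SAMPLE)
    print(users.most_common(3))
    print(f"top 20% of usernames: {top_share(users):.0%} of failed logins")
    print(f"log-log rank slope: {zipf_slope(users):.2f}")
```

With only ten distinct usernames the constructed sample concentrates far less than a real log with thousands of distinct names, so its top-20% share is not comparable to the paper's figure.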