Distribution of Invalid Users on an SSH Server

The Secure Shell (SSH) server on a Unix-like system is a viable way for users to login and execute programs on the system remotely. Remote access is something that hackers also want to achieve, making SSH servers a target for attack. A quantitative study was made of the distribution of usernames and IP addresses in failed login usernames on a publicly available SSH server. The failed logins and IP addresses were ranked according to the number of occurrences producing a distribution. The results indicated that the elements followed approximately a distribution with an inverse relationship with the rank of the element similar to what is known as the Zipf’s Law. An important consequence of the Zipf’s law is that 20% of elements are responsible for 80% of consequences, which means that by blocking 20% of the failed login usernames or IP addresses, 80% or more of the failed logins are also blocked. This was found to be true for a real-world scenario. Some topics were identified for further research.


Kai Rasmus, Tero Kokkonen , Timo Hämäläinen

Cite as

Rasmus, K., Kokkonen, T., Hämäläinen, T. (2024). Distribution of Invalid Users on an SSH Server. In: Rocha, Á., Adeli, H., Dzemyda, G., Moreira, F., Poniszewska-Marańda, A. (eds) Good Practices and New Perspectives in Information Systems and Technologies. WorldCIST 2024. Lecture Notes in Networks and Systems, vol 989. Springer, Cham. https://doi.org/10.1007/978-3-031-60227-6_12