Instead of paying for Netflix, I put up a VPS and collected data last month. Interesting results found in the tables below... I started blocking by HASSH this past week, so the numbers are a little off =)
Example of the web dashboard before I started blocking by HASSH:
Example of the web dashboard after I started blocking by HASSH:
Stats
SELECT
ip.version,
COUNT(sce.id) as total_attempts,
COUNT(DISTINCT sce.source_ip_id) as unique_ips,
COUNT(DISTINCT sce.username_id) as unique_usernames,
COUNT(DISTINCT sce.password_id) as unique_passwords
FROM ssh_connection_events sce
JOIN ip_addresses ip ON sce.source_ip_id = ip.id
GROUP BY ip.version;
| version | total_attempts | unique_ips | unique_usernames | unique_passwords |
| 4 | 16155 | 582 | 887 | 3991 |
Authmethods
SELECT
am.method_name,
COUNT(seam.id) as usage_count,
COUNT(DISTINCT seam.event_id) as unique_events,
MIN(sce.timestamp) as first_seen,
MAX(sce.timestamp) as last_seen
FROM ssh_event_auth_methods seam
JOIN auth_methods am ON seam.auth_method_id = am.id
JOIN ssh_connection_events sce ON seam.event_id = sce.id
GROUP BY am.method_name
ORDER BY usage_count DESC;
| method_name | usage_count | unique_events | first_seen | last_seen |
| AUTH_METHOD_PASSWORD | 16113 | 16113 | 2026-02-02 01:33:23.993967+00:00 | 2026-02-16 04:45:04.884199+00:00 |
| AUTH_METHOD_PUBLICKEY | 35 | 35 | 2026-02-02 06:10:44.489883+00:00 | 2026-02-08 02:58:30.481077+00:00 |
| AUTH_METHOD_KEYBOARD_INTERACTIVE | 7 | 7 | 2026-02-02 02:04:45.418042+00:00 | 2026-02-12 10:20:13.358302+00:00 |
SSH client names with HASSH fingerprints and usage statistics
SELECT
scn.value as ssh_client,
hf.fingerprint as hassh_fingerprint,
COUNT(DISTINCT sce.id) as connection_count,
COUNT(DISTINCT sce.source_ip_id) as unique_ips,
COUNT(DISTINCT sce.username_id) as unique_usernames,
MIN(sce.timestamp) as first_seen,
MAX(sce.timestamp) as last_seen
FROM ssh_connection_events sce
JOIN ha_ssh_fingerprints hf ON sce.ha_ssh_fingerprint_id = hf.id
LEFT JOIN ssh_client_names scn ON sce.ssh_client_name_id = scn.id
GROUP BY hf.fingerprint, scn.value
ORDER BY connection_count DESC;
| ssh_client | hassh_fingerprint | connection_count | unique_ips | unique_usernames | first_seen | last_seen |
| SSH-2.0-Go | 2ec37a7cc8daf20b10e1ad6221061ca5 | 4510 | 50 | 47 | 2026-02-02 01:33:23.993967+00:00 | 2026-02-04 02:23:54.659002+00:00 |
| SSH-2.0-Go | 0a07365cc01fa9fc82608ba4019af499 | 4451 | 13 | 324 | 2026-02-02 03:24:25.860266+00:00 | 2026-02-04 21:03:12.849756+00:00 |
| SSH-2.0-Go | 01ca35584ad5a1b66cf6a9846b5b2821 | 2772 | 1 | 1 | 2026-02-04 11:14:55.059721+00:00 | 2026-02-04 12:37:01.244455+00:00 |
| SSH-2.0-libssh_0.11.1 | 03a80b21afa810682a776a7d42e5e6fb | 1722 | 427 | 458 | 2026-02-02 01:36:53.316974+00:00 | 2026-02-05 01:05:16.461128+00:00 |
| SSH-2.0-libssh2_1.11.1 | 57e4cc8ee36c3d78f75c6a05acd55963 | 1420 | 2 | 1 | 2026-02-08 07:24:23.527478+00:00 | 2026-02-08 23:28:33.571835+00:00 |
| SSH-2.0-Go | 16443846184eafde36765c9bab2f4397 | 866 | 22 | 127 | 2026-02-02 02:42:28.101457+00:00 | 2026-02-05 01:25:40.503173+00:00 |
| SSH-2.0-Go | bf7dbf67fa9b26ee9f9deb99c49320ba | 163 | 1 | 6 | 2026-02-02 10:13:50.269361+00:00 | 2026-02-05 01:07:02.649577+00:00 |
| SSH-2.0-AsyncSSH_2.1.0 | fda360b1b4f4d3455cb75c6e7edb1d11 | 105 | 7 | 20 | 2026-02-05 07:10:41.367328+00:00 | 2026-02-06 17:31:35.17066+00:00 |
| SSH-2.0-libssh2_1.9.0 | 57446c12547a668110aa237e5965e374 | 22 | 2 | 7 | 2026-02-04 13:19:55.721921+00:00 | 2026-02-05 01:00:00.038083+00:00 |
| SSH-2.0-OpenSSH_8.9p19 | 98f63c4d9c87edbd97ed4747fa031019 | 18 | 1 | 1 | 2026-02-04 21:30:16.32951+00:00 | 2026-02-04 21:30:16.627801+00:00 |
| SSH-2.0-OpenSSH_10.0 | c118de82e19e5384f50f9bfd36c1a5dc | 13 | 13 | 1 | 2026-02-02 13:29:23.440344+00:00 | 2026-02-14 00:34:36.175825+00:00 |
| SSH-2.0-libssh_0.11.2 | 4ed0d5b0dc3be39c7f96ba3a3cc77895 | 11 | 1 | 8 | 2026-02-16 04:44:58.993244+00:00 | 2026-02-16 04:45:04.884199+00:00 |
| SSH-2.0-Go | 5f904648ee8964bef0e8834012e26003 | 6 | 3 | 2 | 2026-02-02 05:56:07.864688+00:00 | 2026-02-04 12:28:59.081794+00:00 |
| SSH-2.0-libssh_0.11.1 | 713bd9cc935561939c02dad25af2d3de | 6 | 1 | 3 | 2026-02-07 16:20:18.974614+00:00 | 2026-02-07 22:03:20.802578+00:00 |
| SSH-2.0-OpenSSH_9.6p1 Ubuntu-3ubuntu13.14 | aae6b9604f6f3356543709a376d7f657 | 6 | 1 | 2 | 2026-02-02 02:04:45.418042+00:00 | 2026-02-05 02:02:00.783141+00:00 |
| SSH-2.0-libssh_0.11.1 | e13ba222a14b8b916c6c32f9fd6aec5d | 6 | 1 | 3 | 2026-02-09 13:52:05.595173+00:00 | 2026-02-13 05:00:43.510234+00:00 |
| SSH-2.0-OpenSSH_7.9p1 Raspbian-10+deb10u2+rpt1 | ec7378c1a92f5a8dde7e8b7a1ddf33d1 | 6 | 2 | 1 | 2026-02-06 22:49:14.26055+00:00 | 2026-02-10 07:05:23.720794+00:00 |
| SSH-2.0-Go | 98f63c4d9c87edbd97ed4747fa031019 | 5 | 5 | 1 | 2026-02-02 18:33:41.051658+00:00 | 2026-02-04 11:31:37.563783+00:00 |
| SSH-2.0-libssh_0.9.6 | f555226df1963d1d3c09daf865abdc9a | 5 | 2 | 3 | 2026-02-04 00:49:31.621956+00:00 | 2026-02-04 12:24:33.525625+00:00 |
| SSH-2.0-OpenSSH_7.9p1 Raspbian-10+deb10u2 | ec7378c1a92f5a8dde7e8b7a1ddf33d1 | 4 | 2 | 1 | 2026-02-06 18:54:37.429155+00:00 | 2026-02-13 16:46:22.763402+00:00 |
| SSH-2.0-Go | f1e5e9d24e5e345e8745613bde22d532 | 4 | 1 | 1 | 2026-02-02 06:10:44.489883+00:00 | 2026-02-02 09:10:51.827085+00:00 |
| SSH-2.0-libssh2_1.11.1 | f45fb203c31069bb280067b71ed92ccb | 4 | 2 | 1 | 2026-02-02 14:05:05.85584+00:00 | 2026-02-02 18:44:55.239836+00:00 |
| SSH-2.0-Go | 1507069938cc303a0479feda273ec02c | 3 | 1 | 1 | 2026-02-09 14:38:02.746404+00:00 | 2026-02-09 14:38:02.874978+00:00 |
| SSH-2.0-libssh2_1.11.1 | 19532158b559096b89b1a5f7d17175b2 | 3 | 3 | 1 | 2026-02-02 05:52:29.231856+00:00 | 2026-02-03 19:11:45.80366+00:00 |
| SSH-2.0-Go | 4e066189c3bbeec38c99b1855113733a | 3 | 3 | 1 | 2026-02-02 02:05:15.241426+00:00 | 2026-02-04 00:50:05.713888+00:00 |
| SSH-2.0-libssh_0.9.6 | 8c95e28f1643c38e5d64511b4d499e94 | 3 | 1 | 2 | 2026-02-13 18:57:41.019582+00:00 | 2026-02-13 18:57:46.513234+00:00 |
| SSH-2.0-russh_0.51.1 | 1b8acd46a07d2dc9854db9ec4044c45c | 2 | 2 | 1 | 2026-02-02 02:44:55.184125+00:00 | 2026-02-03 15:18:21.289721+00:00 |
| SSH-2.0-PUTTY | 57446c12547a668110aa237e5965e374 | 2 | 2 | 1 | 2026-02-02 10:06:09.656308+00:00 | 2026-02-02 10:06:27.624045+00:00 |
| SSH-2.0-paramiko_3.5.1 | a2de0f306611e0957be704f5b0e35a82 | 2 | 1 | 1 | 2026-02-13 14:23:35.995728+00:00 | 2026-02-14 04:30:34.888306+00:00 |
| SSH-2.0-OpenSSH_8.4p1 Debian-5 | ae8bd7dd09970555aa4c6ed22adbbf56 | 2 | 1 | 1 | 2026-02-02 19:21:59.941856+00:00 | 2026-02-02 19:22:00.03258+00:00 |
| SSH-2.0-libssh_0.11.1 | 04f9d9fca3a978a7c079aa3379fd21d6 | 1 | 1 | 1 | 2026-02-05 12:30:59.68497+00:00 | 2026-02-05 12:30:59.68497+00:00 |
| SSH-2.0-OpenSSH_9.9 | 1cc79c7da9b5d5eead2c60983332a556 | 1 | 1 | 1 | 2026-02-08 02:58:30.481077+00:00 | 2026-02-08 02:58:30.481077+00:00 |
| SSH-2.0-libssh2_1.11.0 | 44ac1859818d6cacfb48ec9cb230b3f0 | 1 | 1 | 1 | 2026-02-06 23:45:57.991974+00:00 | 2026-02-06 23:45:57.991974+00:00 |
| SSH-2.0-PuTTY_Release_0.83 | 4a3e3c55af41b23589ff4c9d6aee4404 | 1 | 1 | 1 | 2026-02-12 10:20:13.358302+00:00 | 2026-02-12 10:20:13.358302+00:00 |
| SSH-2.0-libssh_0.9.5 | 742ee33575d0ff88acd63dcc5529bb46 | 1 | 1 | 1 | 2026-02-02 04:07:44.578996+00:00 | 2026-02-02 04:07:44.578996+00:00 |
| SSH-2.0-OpenSSH | 88e4f54f942892da498676735732aec7 | 1 | 1 | 1 | 2026-02-12 00:57:40.391087+00:00 | 2026-02-12 00:57:40.391087+00:00 |
| SSH-2.0-Go | 98ddc5604ef6a1006a2b49a58759fbe6 | 1 | 1 | 1 | 2026-02-02 02:42:52.246429+00:00 | 2026-02-02 02:42:52.246429+00:00 |
| SSH-2.0-paramiko_4.0.0 | a2de0f306611e0957be704f5b0e35a82 | 1 | 1 | 1 | 2026-02-12 10:19:23.057794+00:00 | 2026-02-12 10:19:23.057794+00:00 |
| SSH-2.0-libssh_0.11.1 | a37561952f836bcafd479cf44ccf6d52 | 1 | 1 | 1 | 2026-02-08 07:14:01.406582+00:00 | 2026-02-08 07:14:01.406582+00:00 |
| SSH-2.0-Renci.SshNet.SshClient.2025.1.0 | d055c93eb832f05741824c5d6eeb7251 | 1 | 1 | 1 | 2026-02-15 22:14:53.034846+00:00 | 2026-02-15 22:14:53.034846+00:00 |
Top IP addresses by connection count
SELECT
ip.address,
ip.version,
COUNT(sce.id) as connection_count,
MIN(sce.timestamp) as first_seen,
MAX(sce.timestamp) as last_seen
FROM ssh_connection_events sce
JOIN ip_addresses ip ON sce.source_ip_id = ip.id
GROUP BY ip.id, ip.address, ip.version
ORDER BY connection_count DESC
LIMIT 20;
| address | version | connection_count | first_seen | last_seen |
| 159.89.53.54 | 4 | 2772 | 2026-02-04 11:14:55.059721+00:00 | 2026-02-04 12:37:01.244455+00:00 |
| 91.92.241.148 | 4 | 1376 | 2026-02-08 07:24:23.527478+00:00 | 2026-02-08 23:28:33.571835+00:00 |
| 165.245.143.57 | 4 | 638 | 2026-02-04 00:45:15.445951+00:00 | 2026-02-04 01:23:45.516071+00:00 |
| 165.245.130.136 | 4 | 635 | 2026-02-04 14:04:31.731887+00:00 | 2026-02-04 14:41:40.932623+00:00 |
| 165.245.129.153 | 4 | 633 | 2026-02-02 14:14:28.646081+00:00 | 2026-02-02 14:53:04.404112+00:00 |
| 129.212.178.237 | 4 | 619 | 2026-02-03 19:44:09.099671+00:00 | 2026-02-03 20:20:40.706782+00:00 |
| 134.199.197.120 | 4 | 614 | 2026-02-04 08:30:15.128068+00:00 | 2026-02-04 09:08:35.532765+00:00 |
| 165.245.132.139 | 4 | 598 | 2026-02-04 11:48:08.115591+00:00 | 2026-02-04 12:26:02.928852+00:00 |
| 66.181.171.136 | 4 | 335 | 2026-02-02 03:24:25.860266+00:00 | 2026-02-02 04:19:55.106711+00:00 |
| 209.38.43.166 | 4 | 300 | 2026-02-02 02:38:58.414348+00:00 | 2026-02-02 05:30:20.239746+00:00 |
| 206.189.0.205 | 4 | 255 | 2026-02-02 01:33:23.993967+00:00 | 2026-02-02 03:57:18.871596+00:00 |
| 167.172.35.91 | 4 | 242 | 2026-02-02 01:36:59.87061+00:00 | 2026-02-02 04:10:23.453628+00:00 |
| 203.171.29.193 | 4 | 238 | 2026-02-04 07:05:47.279038+00:00 | 2026-02-04 07:55:58.423036+00:00 |
| 174.138.0.114 | 4 | 230 | 2026-02-02 07:44:19.724551+00:00 | 2026-02-02 09:54:18.741874+00:00 |
| 164.92.214.17 | 4 | 208 | 2026-02-03 13:19:06.648298+00:00 | 2026-02-03 15:41:11.877858+00:00 |
| 104.248.195.217 | 4 | 206 | 2026-02-02 01:33:38.394251+00:00 | 2026-02-02 04:10:20.660725+00:00 |
| 142.93.238.129 | 4 | 204 | 2026-02-02 09:20:25.562384+00:00 | 2026-02-02 11:21:29.699196+00:00 |
| 167.71.11.243 | 4 | 168 | 2026-02-02 01:36:57.758704+00:00 | 2026-02-02 03:45:12.705855+00:00 |
| 45.148.10.121 | 4 | 163 | 2026-02-02 10:13:50.269361+00:00 | 2026-02-05 01:07:02.649577+00:00 |
| 142.93.231.197 | 4 | 156 | 2026-02-03 21:09:33.224774+00:00 | 2026-02-03 22:26:39.847121+00:00 |
Top IPs with their most common SSH client and HASSH
SELECT
ip.address,
COUNT(sce.id) as total_connections,
GROUP_CONCAT(DISTINCT scn.value) as ssh_clients,
GROUP_CONCAT(DISTINCT hf.fingerprint) as hassh_fingerprints,
COUNT(DISTINCT sce.username_id) as unique_usernames_tried,
MIN(sce.timestamp) as first_attempt,
MAX(sce.timestamp) as last_attempt
FROM ssh_connection_events sce
JOIN ip_addresses ip ON sce.source_ip_id = ip.id
JOIN ha_ssh_fingerprints hf ON sce.ha_ssh_fingerprint_id = hf.id
LEFT JOIN ssh_client_names scn ON sce.ssh_client_name_id = scn.id
GROUP BY ip.id, ip.address
ORDER BY total_connections DESC
LIMIT 20;
| address | total_connections | ssh_clients | hassh_fingerprints | unique_usernames_tried | first_attempt | last_attempt |
| 159.89.53.54 | 2772 | SSH-2.0-Go | 01ca35584ad5a1b66cf6a9846b5b2821 | 1 | 2026-02-04 11:14:55.059721+00:00 | 2026-02-04 12:37:01.244455+00:00 |
| 91.92.241.148 | 1376 | SSH-2.0-libssh2_1.11.1 | 57e4cc8ee36c3d78f75c6a05acd55963 | 1 | 2026-02-08 07:24:23.527478+00:00 | 2026-02-08 23:28:33.571835+00:00 |
| 165.245.143.57 | 638 | SSH-2.0-Go | 0a07365cc01fa9fc82608ba4019af499 | 307 | 2026-02-04 00:45:15.445951+00:00 | 2026-02-04 01:23:45.516071+00:00 |
| 165.245.130.136 | 635 | SSH-2.0-Go | 0a07365cc01fa9fc82608ba4019af499 | 306 | 2026-02-04 14:04:31.731887+00:00 | 2026-02-04 14:41:40.932623+00:00 |
| 165.245.129.153 | 633 | SSH-2.0-Go | 0a07365cc01fa9fc82608ba4019af499 | 305 | 2026-02-02 14:14:28.646081+00:00 | 2026-02-02 14:53:04.404112+00:00 |
| 129.212.178.237 | 619 | SSH-2.0-Go | 0a07365cc01fa9fc82608ba4019af499 | 307 | 2026-02-03 19:44:09.099671+00:00 | 2026-02-03 20:20:40.706782+00:00 |
| 134.199.197.120 | 614 | SSH-2.0-Go | 0a07365cc01fa9fc82608ba4019af499 | 306 | 2026-02-04 08:30:15.128068+00:00 | 2026-02-04 09:08:35.532765+00:00 |
| 165.245.132.139 | 598 | SSH-2.0-Go | 0a07365cc01fa9fc82608ba4019af499 | 302 | 2026-02-04 11:48:08.115591+00:00 | 2026-02-04 12:26:02.928852+00:00 |
| 66.181.171.136 | 335 | SSH-2.0-Go | 0a07365cc01fa9fc82608ba4019af499 | 77 | 2026-02-02 03:24:25.860266+00:00 | 2026-02-02 04:19:55.106711+00:00 |
| 209.38.43.166 | 300 | SSH-2.0-Go | 2ec37a7cc8daf20b10e1ad6221061ca5 | 7 | 2026-02-02 02:38:58.414348+00:00 | 2026-02-02 05:30:20.239746+00:00 |
| 206.189.0.205 | 255 | SSH-2.0-Go | 2ec37a7cc8daf20b10e1ad6221061ca5 | 16 | 2026-02-02 01:33:23.993967+00:00 | 2026-02-02 03:57:18.871596+00:00 |
| 167.172.35.91 | 242 | SSH-2.0-Go | 2ec37a7cc8daf20b10e1ad6221061ca5 | 15 | 2026-02-02 01:36:59.87061+00:00 | 2026-02-02 04:10:23.453628+00:00 |
| 203.171.29.193 | 238 | SSH-2.0-Go | 0a07365cc01fa9fc82608ba4019af499 | 80 | 2026-02-04 07:05:47.279038+00:00 | 2026-02-04 07:55:58.423036+00:00 |
| 174.138.0.114 | 230 | SSH-2.0-Go | 2ec37a7cc8daf20b10e1ad6221061ca5 | 18 | 2026-02-02 07:44:19.724551+00:00 | 2026-02-02 09:54:18.741874+00:00 |
| 164.92.214.17 | 208 | SSH-2.0-Go | 2ec37a7cc8daf20b10e1ad6221061ca5 | 5 | 2026-02-03 13:19:06.648298+00:00 | 2026-02-03 15:41:11.877858+00:00 |
| 104.248.195.217 | 206 | SSH-2.0-Go | 2ec37a7cc8daf20b10e1ad6221061ca5 | 9 | 2026-02-02 01:33:38.394251+00:00 | 2026-02-02 04:10:20.660725+00:00 |
| 142.93.238.129 | 204 | SSH-2.0-Go | 2ec37a7cc8daf20b10e1ad6221061ca5 | 16 | 2026-02-02 09:20:25.562384+00:00 | 2026-02-02 11:21:29.699196+00:00 |
| 167.71.11.243 | 168 | SSH-2.0-Go | 2ec37a7cc8daf20b10e1ad6221061ca5 | 6 | 2026-02-02 01:36:57.758704+00:00 | 2026-02-02 03:45:12.705855+00:00 |
| 45.148.10.121 | 163 | SSH-2.0-Go | bf7dbf67fa9b26ee9f9deb99c49320ba | 6 | 2026-02-02 10:13:50.269361+00:00 | 2026-02-05 01:07:02.649577+00:00 |
| 142.93.231.197 | 156 | SSH-2.0-Go | 2ec37a7cc8daf20b10e1ad6221061ca5 | 25 | 2026-02-03 21:09:33.224774+00:00 | 2026-02-03 22:26:39.847121+00:00 |
Top Username Attempts
SELECT
u.username,
COUNT(sce.id) as attempt_count,
COUNT(DISTINCT sce.source_ip_id) as unique_ips,
COUNT(DISTINCT sce.password_id) as unique_passwords,
MIN(sce.timestamp) as first_seen,
MAX(sce.timestamp) as last_seen
FROM ssh_connection_events sce
JOIN usernames u ON sce.username_id = u.id
GROUP BY u.id, u.username
ORDER BY attempt_count DESC
LIMIT 20;
| username | attempt_count | unique_ips | unique_passwords | first_seen | last_seen |
| root | 4546 | 128 | 3067 | 2026-02-02 01:33:38.394251+00:00 | 2026-02-16 04:45:00.655579+00:00 |
| 0 | 1421 | 3 | 1 | 2026-02-08 07:14:01.406582+00:00 | 2026-02-08 23:28:33.571835+00:00 |
| admin | 762 | 62 | 104 | 2026-02-02 01:39:54.981784+00:00 | 2026-02-16 04:45:00.340777+00:00 |
| 345gs5662d34 | 569 | 406 | 1 | 2026-02-02 01:36:55.837399+00:00 | 2026-02-13 18:57:44.450429+00:00 |
| user | 519 | 44 | 84 | 2026-02-02 02:00:53.91584+00:00 | 2026-02-16 04:45:04.402882+00:00 |
| test | 381 | 39 | 95 | 2026-02-02 01:48:43.583575+00:00 | 2026-02-06 17:09:04.012602+00:00 |
| oracle | 354 | 26 | 88 | 2026-02-02 02:00:00.581768+00:00 | 2026-02-05 07:49:50.528605+00:00 |
| ubuntu | 325 | 36 | 76 | 2026-02-02 01:33:23.993967+00:00 | 2026-02-05 00:27:40.825674+00:00 |
| postgres | 307 | 24 | 59 | 2026-02-02 01:36:57.758704+00:00 | 2026-02-04 14:38:25.687964+00:00 |
| guest | 223 | 25 | 49 | 2026-02-02 01:57:13.43867+00:00 | 2026-02-06 17:07:34.538099+00:00 |
| mysql | 143 | 21 | 40 | 2026-02-02 03:12:02.7094+00:00 | 2026-02-16 04:45:03.400173+00:00 |
| hadoop | 133 | 14 | 41 | 2026-02-02 02:44:20.172465+00:00 | 2026-02-04 14:19:44.252284+00:00 |
| pi | 129 | 21 | 43 | 2026-02-02 02:35:15.499591+00:00 | 2026-02-13 16:46:22.763402+00:00 |
| sol | 127 | 12 | 34 | 2026-02-02 02:44:44.186683+00:00 | 2026-02-05 01:07:02.783127+00:00 |
| debian | 120 | 15 | 43 | 2026-02-02 03:59:15.592697+00:00 | 2026-02-04 19:05:56.64032+00:00 |
| centos | 112 | 15 | 18 | 2026-02-02 01:37:41.583766+00:00 | 2026-02-04 21:03:02.697849+00:00 |
| git | 108 | 18 | 42 | 2026-02-02 02:04:39.535811+00:00 | 2026-02-04 21:02:01.282597+00:00 |
| backup | 106 | 15 | 34 | 2026-02-02 03:48:25.988447+00:00 | 2026-02-04 14:39:07.316335+00:00 |
| daemon | 90 | 14 | 25 | 2026-02-02 14:36:08.947454+00:00 | 2026-02-04 14:35:41.670138+00:00 |
| solana | 84 | 13 | 27 | 2026-02-02 02:42:28.101457+00:00 | 2026-02-05 00:06:27.87044+00:00 |
Top Password Attempts
SELECT
p.password,
COUNT(sce.id) as attempt_count,
COUNT(DISTINCT sce.source_ip_id) as unique_ips,
COUNT(DISTINCT sce.username_id) as unique_usernames,
MIN(sce.timestamp) as first_seen,
MAX(sce.timestamp) as last_seen
FROM ssh_connection_events sce
JOIN passwords p ON sce.password_id = p.id
GROUP BY p.id, p.password
ORDER BY attempt_count DESC
LIMIT 20;
| password | attempt_count | unique_ips | unique_usernames | first_seen | last_seen |
| 123456 | 1992 | 165 | 371 | 2026-02-02 01:36:57.758704+00:00 | 2026-02-16 04:45:02.863458+00:00 |
| 0 | 1422 | 4 | 2 | 2026-02-04 12:30:36.669178+00:00 | 2026-02-08 23:28:33.571835+00:00 |
| 3245gs5662d34 | 575 | 409 | 441 | 2026-02-02 01:36:57.261878+00:00 | 2026-02-13 18:57:46.513234+00:00 |
| 345gs5662d34 | 569 | 406 | 1 | 2026-02-02 01:36:55.837399+00:00 | 2026-02-13 18:57:44.450429+00:00 |
| 123 | 271 | 89 | 71 | 2026-02-02 01:38:28.648661+00:00 | 2026-02-05 12:30:59.68497+00:00 |
| password | 261 | 60 | 30 | 2026-02-02 01:38:46.054204+00:00 | 2026-02-06 17:31:35.17066+00:00 |
| 1234 | 225 | 75 | 48 | 2026-02-02 01:36:53.316974+00:00 | 2026-02-06 17:27:47.310053+00:00 |
| qwerty | 186 | 48 | 27 | 2026-02-02 01:37:38.845759+00:00 | 2026-02-04 14:11:28.987745+00:00 |
| 123456789 | 172 | 40 | 30 | 2026-02-02 01:38:18.242472+00:00 | 2026-02-04 20:59:25.365591+00:00 |
| 12345 | 161 | 43 | 30 | 2026-02-02 01:36:59.87061+00:00 | 2026-02-06 17:25:26.596865+00:00 |
| 12345678 | 153 | 44 | 30 | 2026-02-02 01:39:19.504952+00:00 | 2026-02-05 00:39:42.329752+00:00 |
| admin | 141 | 54 | 21 | 2026-02-02 01:42:14.900593+00:00 | 2026-02-16 04:45:00.340777+00:00 |
| 654321 | 138 | 33 | 27 | 2026-02-02 01:37:10.230193+00:00 | 2026-02-04 02:23:24.092035+00:00 |
| 111111 | 131 | 35 | 21 | 2026-02-02 01:39:35.747231+00:00 | 2026-02-04 14:34:03.140472+00:00 |
| passw0rd | 127 | 40 | 20 | 2026-02-02 01:42:04.384013+00:00 | 2026-02-04 14:28:10.794015+00:00 |
| P@ssw0rd | 124 | 35 | 22 | 2026-02-02 01:33:23.993967+00:00 | 2026-02-04 20:56:32.0741+00:00 |
| 1q2w3e4r | 117 | 33 | 20 | 2026-02-02 01:43:53.49059+00:00 | 2026-02-04 14:27:14.935656+00:00 |
| 123123 | 103 | 22 | 19 | 2026-02-02 01:38:58.21598+00:00 | 2026-02-05 01:11:15.081142+00:00 |
| 123qwe | 98 | 29 | 21 | 2026-02-02 01:48:58.388244+00:00 | 2026-02-04 07:50:15.646441+00:00 |
| password1 | 85 | 21 | 20 | 2026-02-02 01:40:13.315765+00:00 | 2026-02-04 02:23:04.782758+00:00 |
Most Common Username/Password
SELECT
u.username,
p.password,
COUNT(sce.id) as attempt_count,
COUNT(DISTINCT sce.source_ip_id) as unique_ips,
MIN(sce.timestamp) as first_seen,
MAX(sce.timestamp) as last_seen
FROM ssh_connection_events sce
JOIN usernames u ON sce.username_id = u.id
JOIN passwords p ON sce.password_id = p.id
GROUP BY u.username, p.password
ORDER BY attempt_count DESC
LIMIT 30;
| username | password | attempt_count | unique_ips | first_seen | last_seen |
| 0 | 0 | 1421 | 3 | 2026-02-08 07:14:01.406582+00:00 | 2026-02-08 23:28:33.571835+00:00 |
| 345gs5662d34 | 345gs5662d34 | 569 | 406 | 2026-02-02 01:36:55.837399+00:00 | 2026-02-13 18:57:44.450429+00:00 |
| admin | admin | 59 | 40 | 2026-02-02 01:42:14.900593+00:00 | 2026-02-16 04:45:00.340777+00:00 |
| root | password | 58 | 42 | 2026-02-02 02:40:58.716506+00:00 | 2026-02-05 07:52:21.064033+00:00 |
| admin | password | 54 | 38 | 2026-02-02 01:41:29.056695+00:00 | 2026-02-06 17:10:36.076808+00:00 |
| root | admin | 50 | 35 | 2026-02-02 02:40:00.407006+00:00 | 2026-02-06 16:54:59.486123+00:00 |
| user | user | 48 | 32 | 2026-02-02 02:06:47.703381+00:00 | 2026-02-16 04:45:04.402882+00:00 |
| root | root | 46 | 45 | 2026-02-02 02:38:58.414348+00:00 | 2026-02-12 10:20:13.358302+00:00 |
| admin | 1234 | 44 | 29 | 2026-02-02 01:43:47.663985+00:00 | 2026-02-06 17:13:03.431625+00:00 |
| ubuntu | ubuntu | 43 | 29 | 2026-02-02 02:51:13.418292+00:00 | 2026-02-05 00:27:40.825674+00:00 |
| root | qwerty | 39 | 39 | 2026-02-02 02:45:27.06735+00:00 | 2026-02-04 14:11:28.987745+00:00 |
| root | root123 | 39 | 39 | 2026-02-02 02:49:13.722871+00:00 | 2026-02-06 17:05:48.818992+00:00 |
| solana | solana | 37 | 13 | 2026-02-02 02:42:28.101457+00:00 | 2026-02-05 00:06:27.87044+00:00 |
| root | 1234 | 35 | 34 | 2026-02-02 02:43:45.640894+00:00 | 2026-02-04 23:43:11.18079+00:00 |
| root | 12345 | 34 | 34 | 2026-02-02 02:44:37.112033+00:00 | 2026-02-06 17:25:26.596865+00:00 |
| root | 123456 | 34 | 34 | 2026-02-02 03:09:53.217091+00:00 | 2026-02-04 23:47:10.298273+00:00 |
| root | 123456789 | 33 | 32 | 2026-02-02 02:54:29.700282+00:00 | 2026-02-04 14:34:59.198681+00:00 |
| root | 111111 | 32 | 31 | 2026-02-02 02:55:55.321267+00:00 | 2026-02-04 14:18:44.771226+00:00 |
| test | test | 32 | 31 | 2026-02-02 01:48:43.583575+00:00 | 2026-02-06 17:09:04.012602+00:00 |
| admin | 123456 | 31 | 31 | 2026-02-02 01:39:54.981784+00:00 | 2026-02-06 17:14:11.034349+00:00 |
| root | 123 | 31 | 31 | 2026-02-02 03:03:11.944976+00:00 | 2026-02-04 23:38:34.46009+00:00 |
| root | 3245gs5662d34 | 31 | 31 | 2026-02-02 02:10:21.872293+00:00 | 2026-02-09 13:52:09.999362+00:00 |
| sol | sol | 30 | 12 | 2026-02-02 02:44:44.186683+00:00 | 2026-02-05 00:03:14.961049+00:00 |
| admin | admin123 | 29 | 29 | 2026-02-02 01:50:12.976802+00:00 | 2026-02-06 17:14:59.00732+00:00 |
| root | passw0rd | 29 | 29 | 2026-02-02 02:50:47.472303+00:00 | 2026-02-04 14:28:10.794015+00:00 |
| root | P@ssw0rd | 28 | 27 | 2026-02-02 02:51:35.547318+00:00 | 2026-02-04 14:18:41.10679+00:00 |
| user | 123456 | 28 | 28 | 2026-02-02 02:00:53.91584+00:00 | 2026-02-04 21:01:30.834885+00:00 |
| sol | 123 | 27 | 10 | 2026-02-02 02:46:53.117529+00:00 | 2026-02-05 00:36:41.336505+00:00 |
| ubnt | ubnt | 26 | 11 | 2026-02-02 03:56:08.140774+00:00 | 2026-02-06 16:56:43.950189+00:00 |
| root | 1q2w3e4r | 25 | 23 | 2026-02-02 02:59:15.50119+00:00 | 2026-02-04 14:27:14.935656+00:00 |
Username/Password Diversity
SELECT
ip.address,
COUNT(DISTINCT sce.username_id) as unique_usernames,
COUNT(DISTINCT sce.password_id) as unique_passwords,
COUNT(sce.id) as total_attempts,
MIN(sce.timestamp) as first_attempt,
MAX(sce.timestamp) as last_attempt
FROM ssh_connection_events sce
JOIN ip_addresses ip ON sce.source_ip_id = ip.id
GROUP BY ip.id, ip.address
ORDER BY unique_usernames DESC, unique_passwords DESC
LIMIT 20;
| address | unique_usernames | unique_passwords | total_attempts | first_attempt | last_attempt |
| 165.245.143.57 | 307 | 358 | 638 | 2026-02-04 00:45:15.445951+00:00 | 2026-02-04 01:23:45.516071+00:00 |
| 129.212.178.237 | 307 | 349 | 619 | 2026-02-03 19:44:09.099671+00:00 | 2026-02-03 20:20:40.706782+00:00 |
| 165.245.130.136 | 306 | 355 | 635 | 2026-02-04 14:04:31.731887+00:00 | 2026-02-04 14:41:40.932623+00:00 |
| 134.199.197.120 | 306 | 348 | 614 | 2026-02-04 08:30:15.128068+00:00 | 2026-02-04 09:08:35.532765+00:00 |
| 165.245.129.153 | 305 | 353 | 633 | 2026-02-02 14:14:28.646081+00:00 | 2026-02-02 14:53:04.404112+00:00 |
| 165.245.132.139 | 302 | 337 | 598 | 2026-02-04 11:48:08.115591+00:00 | 2026-02-04 12:26:02.928852+00:00 |
| 129.212.185.243 | 109 | 79 | 130 | 2026-02-04 20:55:53.686368+00:00 | 2026-02-04 21:03:12.849756+00:00 |
| 203.171.29.193 | 80 | 181 | 238 | 2026-02-04 07:05:47.279038+00:00 | 2026-02-04 07:55:58.423036+00:00 |
| 66.181.171.136 | 77 | 156 | 335 | 2026-02-02 03:24:25.860266+00:00 | 2026-02-02 04:19:55.106711+00:00 |
| 64.23.137.202 | 66 | 66 | 112 | 2026-02-02 10:01:10.13704+00:00 | 2026-02-02 14:14:00.472314+00:00 |
| 62.173.38.229 | 31 | 25 | 88 | 2026-02-04 12:26:45.747323+00:00 | 2026-02-04 12:54:57.831915+00:00 |
| 81.192.46.45 | 30 | 24 | 83 | 2026-02-02 02:00:29.720986+00:00 | 2026-02-02 02:22:06.456311+00:00 |
| 123.58.209.224 | 30 | 22 | 81 | 2026-02-04 12:28:22.768033+00:00 | 2026-02-04 12:54:38.913057+00:00 |
| 181.104.58.194 | 28 | 22 | 77 | 2026-02-04 12:26:17.843054+00:00 | 2026-02-04 12:54:06.356229+00:00 |
| 167.71.5.127 | 25 | 56 | 117 | 2026-02-03 16:54:59.922901+00:00 | 2026-02-03 18:29:53.764482+00:00 |
| 142.93.231.197 | 25 | 56 | 156 | 2026-02-03 21:09:33.224774+00:00 | 2026-02-03 22:26:39.847121+00:00 |
| 2.57.122.210 | 21 | 35 | 51 | 2026-02-02 14:16:41.728982+00:00 | 2026-02-02 16:20:20.708798+00:00 |
| 174.138.0.114 | 18 | 117 | 230 | 2026-02-02 07:44:19.724551+00:00 | 2026-02-02 09:54:18.741874+00:00 |
| 2.57.122.209 | 17 | 36 | 106 | 2026-02-03 04:09:31.754075+00:00 | 2026-02-03 15:39:22.095018+00:00 |
| 14.103.111.167 | 17 | 13 | 48 | 2026-02-04 16:44:12.110181+00:00 | 2026-02-04 16:50:58.996155+00:00 |
Authmethods by Credential
SELECT
u.username,
p.password,
GROUP_CONCAT(DISTINCT am.method_name) as auth_methods,
COUNT(sce.id) as attempt_count
FROM ssh_connection_events sce
JOIN usernames u ON sce.username_id = u.id
JOIN passwords p ON sce.password_id = p.id
LEFT JOIN ssh_event_auth_methods seam ON sce.id = seam.event_id
LEFT JOIN auth_methods am ON seam.auth_method_id = am.id
GROUP BY u.username, p.password
ORDER BY attempt_count DESC
LIMIT 20;
| username | password | auth_methods | attempt_count |
| 0 | 0 | AUTH_METHOD_PASSWORD | 1421 |
| 345gs5662d34 | 345gs5662d34 | AUTH_METHOD_PASSWORD | 569 |
| admin | admin | AUTH_METHOD_PASSWORD | 59 |
| root | password | AUTH_METHOD_PASSWORD,AUTH_METHOD_KEYBOARD_INTERACTIVE | 58 |
| admin | password | AUTH_METHOD_PASSWORD | 54 |
| root | admin | AUTH_METHOD_PASSWORD | 50 |
| user | user | AUTH_METHOD_PASSWORD | 48 |
| root | root | AUTH_METHOD_PASSWORD,AUTH_METHOD_KEYBOARD_INTERACTIVE | 46 |
| admin | 1234 | AUTH_METHOD_PASSWORD | 44 |
| ubuntu | ubuntu | AUTH_METHOD_PASSWORD | 43 |
| root | qwerty | AUTH_METHOD_PASSWORD | 39 |
| root | root123 | AUTH_METHOD_PASSWORD | 39 |
| solana | solana | AUTH_METHOD_PASSWORD | 37 |
| root | 1234 | AUTH_METHOD_PASSWORD | 35 |
| root | 12345 | AUTH_METHOD_PASSWORD | 34 |
| root | 123456 | AUTH_METHOD_PASSWORD | 34 |
| root | 123456789 | AUTH_METHOD_PASSWORD | 33 |
| root | 111111 | AUTH_METHOD_PASSWORD | 32 |
| test | test | AUTH_METHOD_PASSWORD | 32 |
| admin | 123456 | AUTH_METHOD_PASSWORD | 31 |
Spray vs. Stuffing
SELECT
ip.address,
COUNT(DISTINCT sce.username_id) as unique_usernames,
COUNT(DISTINCT sce.password_id) as unique_passwords,
COUNT(sce.id) as total_attempts,
CASE
WHEN COUNT(DISTINCT sce.username_id) > COUNT(DISTINCT sce.password_id) * 3 THEN 'Credential Spray'
WHEN COUNT(DISTINCT sce.password_id) > COUNT(DISTINCT sce.username_id) * 3 THEN 'Brute Force'
ELSE 'Mixed/Stuffing'
END as attack_type
FROM ssh_connection_events sce
JOIN ip_addresses ip ON sce.source_ip_id = ip.id
GROUP BY ip.address
HAVING total_attempts > 10
ORDER BY total_attempts DESC
LIMIT 30;
| address | unique_usernames | unique_passwords | total_attempts | attack_type |
| 159.89.53.54 | 1 | 2763 | 2772 | Brute Force |
| 91.92.241.148 | 1 | 1 | 1376 | Mixed/Stuffing |
| 165.245.143.57 | 307 | 358 | 638 | Mixed/Stuffing |
| 165.245.130.136 | 306 | 355 | 635 | Mixed/Stuffing |
| 165.245.129.153 | 305 | 353 | 633 | Mixed/Stuffing |
| 129.212.178.237 | 307 | 349 | 619 | Mixed/Stuffing |
| 134.199.197.120 | 306 | 348 | 614 | Mixed/Stuffing |
| 165.245.132.139 | 302 | 337 | 598 | Mixed/Stuffing |
| 66.181.171.136 | 77 | 156 | 335 | Mixed/Stuffing |
| 209.38.43.166 | 7 | 136 | 300 | Brute Force |
| 206.189.0.205 | 16 | 43 | 255 | Mixed/Stuffing |
| 167.172.35.91 | 15 | 44 | 242 | Mixed/Stuffing |
| 203.171.29.193 | 80 | 181 | 238 | Mixed/Stuffing |
| 174.138.0.114 | 18 | 117 | 230 | Brute Force |
| 164.92.214.17 | 5 | 107 | 208 | Brute Force |
| 104.248.195.217 | 9 | 29 | 206 | Brute Force |
| 142.93.238.129 | 16 | 48 | 204 | Mixed/Stuffing |
| 167.71.11.243 | 6 | 31 | 168 | Brute Force |
| 45.148.10.121 | 6 | 11 | 163 | Mixed/Stuffing |
| 142.93.231.197 | 25 | 56 | 156 | Mixed/Stuffing |
| 178.128.244.152 | 9 | 33 | 150 | Brute Force |
| 188.166.89.214 | 8 | 53 | 143 | Brute Force |
| 178.62.211.153 | 8 | 32 | 131 | Brute Force |
| 129.212.185.243 | 109 | 79 | 130 | Mixed/Stuffing |
| 157.245.70.9 | 4 | 89 | 129 | Brute Force |
| 2.57.122.208 | 12 | 19 | 123 | Mixed/Stuffing |
| 167.71.5.127 | 25 | 56 | 117 | Mixed/Stuffing |
| 161.35.84.94 | 3 | 77 | 116 | Brute Force |
| 188.166.65.100 | 10 | 70 | 115 | Brute Force |
| 64.23.137.202 | 66 | 66 | 112 | Mixed/Stuffing |
Client by HASSH
SELECT DISTINCT
scn.value AS ssh_client_name,
hsf.fingerprint AS hassh_fingerprint
FROM ssh_connection_events sce
JOIN ssh_client_names scn ON
sce.ssh_client_name_id = scn.id
JOIN ha_ssh_fingerprints hsf ON
sce.ha_ssh_fingerprint_id = hsf.id
WHERE sce.ssh_client_name_id IS NOT NULL
ORDER BY ssh_client_name;
| ssh_client_name | hassh_fingerprint |
| SSH-2.0-AsyncSSH_2.1.0 | fda360b1b4f4d3455cb75c6e7edb1d11 |
| SSH-2.0-Go | 2ec37a7cc8daf20b10e1ad6221061ca5 |
| SSH-2.0-Go | 4e066189c3bbeec38c99b1855113733a |
| SSH-2.0-Go | 16443846184eafde36765c9bab2f4397 |
| SSH-2.0-Go | 98ddc5604ef6a1006a2b49a58759fbe6 |
| SSH-2.0-Go | 0a07365cc01fa9fc82608ba4019af499 |
| SSH-2.0-Go | 5f904648ee8964bef0e8834012e26003 |
| SSH-2.0-Go | f1e5e9d24e5e345e8745613bde22d532 |
| SSH-2.0-Go | bf7dbf67fa9b26ee9f9deb99c49320ba |
| SSH-2.0-Go | 98f63c4d9c87edbd97ed4747fa031019 |
| SSH-2.0-Go | 01ca35584ad5a1b66cf6a9846b5b2821 |
| SSH-2.0-Go | 1507069938cc303a0479feda273ec02c |
| SSH-2.0-OpenSSH | 88e4f54f942892da498676735732aec7 |
| SSH-2.0-OpenSSH_10.0 | c118de82e19e5384f50f9bfd36c1a5dc |
| SSH-2.0-OpenSSH_7.9p1 Raspbian-10+deb10u2 | ec7378c1a92f5a8dde7e8b7a1ddf33d1 |
| SSH-2.0-OpenSSH_7.9p1 Raspbian-10+deb10u2+rpt1 | ec7378c1a92f5a8dde7e8b7a1ddf33d1 |
| SSH-2.0-OpenSSH_8.4p1 Debian-5 | ae8bd7dd09970555aa4c6ed22adbbf56 |
| SSH-2.0-OpenSSH_8.9p19 | 98f63c4d9c87edbd97ed4747fa031019 |
| SSH-2.0-OpenSSH_9.6p1 Ubuntu-3ubuntu13.14 | aae6b9604f6f3356543709a376d7f657 |
| SSH-2.0-OpenSSH_9.9 | 1cc79c7da9b5d5eead2c60983332a556 |
| SSH-2.0-PUTTY | 57446c12547a668110aa237e5965e374 |
| SSH-2.0-PuTTY_Release_0.83 | 4a3e3c55af41b23589ff4c9d6aee4404 |
| SSH-2.0-Renci.SshNet.SshClient.2025.1.0 | d055c93eb832f05741824c5d6eeb7251 |
| SSH-2.0-libssh2_1.11.0 | 44ac1859818d6cacfb48ec9cb230b3f0 |
| SSH-2.0-libssh2_1.11.1 | 19532158b559096b89b1a5f7d17175b2 |
| SSH-2.0-libssh2_1.11.1 | f45fb203c31069bb280067b71ed92ccb |
| SSH-2.0-libssh2_1.11.1 | 57e4cc8ee36c3d78f75c6a05acd55963 |
| SSH-2.0-libssh2_1.9.0 | 57446c12547a668110aa237e5965e374 |
| SSH-2.0-libssh_0.11.1 | 03a80b21afa810682a776a7d42e5e6fb |
| SSH-2.0-libssh_0.11.1 | 04f9d9fca3a978a7c079aa3379fd21d6 |
| SSH-2.0-libssh_0.11.1 | 713bd9cc935561939c02dad25af2d3de |
| SSH-2.0-libssh_0.11.1 | a37561952f836bcafd479cf44ccf6d52 |
| SSH-2.0-libssh_0.11.1 | e13ba222a14b8b916c6c32f9fd6aec5d |
| SSH-2.0-libssh_0.11.2 | 4ed0d5b0dc3be39c7f96ba3a3cc77895 |
| SSH-2.0-libssh_0.9.5 | 742ee33575d0ff88acd63dcc5529bb46 |
| SSH-2.0-libssh_0.9.6 | f555226df1963d1d3c09daf865abdc9a |
| SSH-2.0-libssh_0.9.6 | 8c95e28f1643c38e5d64511b4d499e94 |
| SSH-2.0-paramiko_3.5.1 | a2de0f306611e0957be704f5b0e35a82 |
| SSH-2.0-paramiko_4.0.0 | a2de0f306611e0957be704f5b0e35a82 |
| SSH-2.0-russh_0.51.1 | 1b8acd46a07d2dc9854db9ec4044c45c |