Who Is That Knocking At My (SSH) Door?

in Computing, Rant

Note: As I was writing this I became aware of an even better project covering much the same ground in a more detailed way - I Left Port 22 Open on the Internet for 54 Days by Arman Hossain is much more informative.

The server that runs this website is locked down pretty tightly. No extra services running, all ports firewalled except those absolutely required, and (perhaps most importantly) SSH is configured to disable password authentication. It is impossible for users to log on without the private key, but that doesn't stop the script kiddies from trying.

A visual representation of sshd protecting port 22 from bots and viruses

Every server on the internet is constantly under attack by bots trying common username/password combinations to gain access for nefarious ends. I got curious about what usernames the hackers were trying to use. After all, they wouldn't try them if they didn't occasionally work.

In the last 7 days there have been almost 500 attempts to log in - this would be many, many times higher but I aggressively fail2ban any IP address that fails more than a couple of times. Currently my fail2ban blocklist contains over 100 addresses.
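The username tally and the fail2ban-style ban list described above can both be pulled out of the sshd entries in the auth log. The script below is an added example, not the blog's own tooling: it parses a constructed sample of syslog-style sshd lines, counts failed attempts per username and per source address, and returns the addresses that have crossed a ban threshold (the `maxretry` name is borrowed from fail2ban's setting of the same purpose; the log lines and addresses are made up for the example). Because password authentication is disabled, failed attempts show up as `Invalid user` lines (unknown usernames) and `Connection closed by authenticating user ... [preauth]` lines (valid usernames that never got past key auth) rather than `Failed password` lines.

```python
import re
from collections import Counter

# Constructed sample of sshd entries from /var/log/auth.log (not real data).
# The "Connection closed by invalid user" line duplicates the "Invalid user"
# line for the same connection, so the parser deliberately ignores it.
SAMPLE_AUTH_LOG = """\
Mar  3 10:01:11 sheep sshd[2211]: Invalid user sheep from 203.0.113.5 port 51234
Mar  3 10:01:11 sheep sshd[2211]: Connection closed by invalid user sheep 203.0.113.5 port 51234 [preauth]
Mar  3 10:01:15 sheep sshd[2214]: Invalid user admin from 203.0.113.5 port 51240
Mar  3 10:01:19 sheep sshd[2216]: Invalid user sheep from 203.0.113.5 port 51244
Mar  3 10:02:02 sheep sshd[2220]: Connection closed by authenticating user ubuntu 198.51.100.7 port 40022 [preauth]
Mar  3 10:02:40 sheep sshd[2225]: Invalid user postgres from 198.51.100.7 port 40030
Mar  3 10:03:01 sheep sshd[2230]: Accepted publickey for deploy from 192.0.2.9 port 2222 ssh2: ED25519 SHA256:EXAMPLEFINGERPRINT
Mar  3 10:03:30 sheep sshd[2233]: Invalid user pi from 2001:db8::17 port 33001
"""

# Unknown username: sshd logs the name it was given and the peer address.
INVALID_USER = re.compile(
    r"sshd\[\d+\]: Invalid user (?P<user>\S+) from (?P<ip>\S+) port \d+"
)
# Known username whose authentication never succeeded (e.g. password auth
# is off and the client had no acceptable key).
VALID_USER_FAILED = re.compile(
    r"sshd\[\d+\]: Connection closed by authenticating user "
    r"(?P<user>\S+) (?P<ip>\S+) port \d+ \[preauth\]"
)


def parse_failed_attempts(log_text):
    """Yield (username, source_ip) for every failed login attempt."""
    for line in log_text.splitlines():
        match = INVALID_USER.search(line) or VALID_USER_FAILED.search(line)
        if match:
            yield match.group("user"), match.group("ip")


def username_counts(log_text):
    """Counter of attempted usernames, most common first when .most_common() is used."""
    return Counter(user for user, _ in parse_failed_attempts(log_text))


def total_attempts(log_text):
    return sum(username_counts(log_text).values())


def ips_to_ban(log_text, maxretry=3):
    """Source addresses with at least `maxretry` failures (fail2ban-style threshold)."""
    per_ip = Counter(ip for _, ip in parse_failed_attempts(log_text))
    return sorted(ip for ip, count in per_ip.items() if count >= maxretry)


if __name__ == "__main__":
    print(f"{total_attempts(SAMPLE_AUTH_LOG)} failed attempts")
    for user, count in username_counts(SAMPLE_AUTH_LOG).most_common():
        print(f"{user} ({count} attempts)")
    print("ban:", ", ".join(ips_to_ban(SAMPLE_AUTH_LOG)))
```

On a real host the same functions can be fed the contents of the auth log (or the output of `journalctl -u ssh`) in place of the constructed sample; the regexes are written against the message text, so the syslog prefix and hostname do not matter.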

Here are some of the notable usernames tried:

sheep (169 attempts) - this is actually somewhat clever; I assume that the script takes the first label of whatever hostname it is trying to hit and uses it as the username. It doesn't work with sheep.horse, but it wouldn't be a terrible place to start on app.example.com.

admin (52 attempts), user (20 attempts), test (7 attempts), guest (2) - the old standbys. I assume root would be even higher but I disable the root user entirely on my server so it doesn't show up on this list.

ubuntu (30 attempts) - I am actually running Ubuntu, which they can probably see from the HTTP headers, so this isn't a terrible guess.

frappe (7), postgres (7), odoo (4), oracle (4), jenkins (2), apache (2), mysql (1) - these are all attacks on well-known enterprise software packages. Not a bad list if you are looking for badly installed software with weak passwords, since people often quickly stand up such services for testing without much thought.

pi (2), orangepi (1) - there are probably a bunch of poorly configured Raspberry Pis out there making for easy, if low-powered, pickings. It just goes to show that there is no minimum reward below which people will not bother to be dicks on the internet.

stephen, nina, lee, vincent, rico (1 each) - Damn it, guys. I've told you your passwords are too easy to guess, now you are all on some hacker list.

The moral of the story is to turn off password authentication if you can, always use a strong password even on test or throwaway services, and don't be shy about banning based on suspicious SSH authentication attempts using fail2ban or something similar.
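As an added example (not from the post), here is a small audit of the sshd settings that the moral above turns on, with a weak configuration beside a hardened one. The two config fragments are constructed for the example. It reproduces two sshd_config rules that matter when checking this by hand: for a repeated directive the first value wins, and everything after the first `Match` line is conditional rather than global, so the audit stops there. It also checks `KbdInteractiveAuthentication`, because with PAM enabled that setting still allows password-style prompts even when `PasswordAuthentication` is `no`.

```python
import re

# Constructed example of a config that still allows password logins.
WEAK_CONFIG = """\
Port 22
PermitRootLogin yes
PasswordAuthentication yes
PubkeyAuthentication yes
"""

# Constructed example of the hardened config: key-only logins, no root,
# with a Match block that re-enables passwords for one user only.
HARDENED_CONFIG = """\
Port 22
PermitRootLogin no
PasswordAuthentication no
KbdInteractiveAuthentication no
PubkeyAuthentication yes
Match User backup
    PasswordAuthentication yes
"""

# directive (lower-case) -> (value we want, sshd's default when it is absent)
EXPECTED = {
    "passwordauthentication": ("no", "yes"),
    "kbdinteractiveauthentication": ("no", "yes"),
    "permitrootlogin": ("no", "prohibit-password"),
}


def parse_sshd_config(text):
    """Return the effective global directives as {lowercase_key: value}.

    sshd keeps the first value it sees for a directive, and directives after
    a Match line only apply to matching connections, so parsing stops there.
    Accepts both "Key value" and "Key=value" spellings.
    """
    effective = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "match":
            break  # end of the global section
        effective.setdefault(key, value)  # first value wins
    return effective


def audit(text):
    """List the directives whose effective value differs from EXPECTED."""
    cfg = parse_sshd_config(text)
    findings = []
    for key, (wanted, default) in EXPECTED.items():
        actual = cfg.get(key, default).lower()
        if actual != wanted:
            findings.append(f"{key}: is '{actual}', want '{wanted}'")
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit(text) or "OK")
```

On a live host, `sshd -T` prints the effective configuration as one lowercase `key value` pair per line, which this parser accepts as-is, so the audit can be run against what sshd will actually enforce rather than against the file you think it is reading.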