I was checking the security logs on one of my servers as I often do and noticed attempts to log into SSH using a curious username. My servers are all set up to authenticate using key-based credentials only, so none of these attempts threaten my infrastructure, but I like to have a look to see what the bad guys are up to. root and admin are common usernames to find in /var/log/auth.log, but I hadn't seen ubnt before.

Attempts to log in with ubnt user from several different source IPs

Numerous login attempts using the username ubnt from many different source IP addresses typically means many different users or automated tools are scanning systems visible on the Internet for that username. I was curious, so I Googled ubnt and found that it is a default username with a default password for Ubiquiti UniFi devices.
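One way to pull this pattern out of /var/log/auth.log, as an added example that is not part of the original post: it groups failed SSH attempts by username and reports names tried from several distinct source addresses. The log lines are constructed samples in common OpenSSH message formats, and the function names and the threshold of three sources are assumptions.

```python
import re
from collections import defaultdict

# OpenSSH failure messages that name the attempted user and the client address.
PATTERNS = [
    re.compile(r"Invalid user (?P<user>\S+) from (?P<ip>\S+)"),
    re.compile(r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)"),
    re.compile(r"(?:Connection closed by|Disconnected from) "
               r"(?:invalid|authenticating) user (?P<user>\S+) (?P<ip>\S+) port"),
]

# Constructed sample lines (documentation address ranges), not taken from the post.
SAMPLE_LOG = """\
Mar  3 04:11:02 host sshd[2101]: Invalid user ubnt from 192.0.2.10 port 51514
Mar  3 04:11:02 host sshd[2101]: Connection closed by invalid user ubnt 192.0.2.10 port 51514 [preauth]
Mar  3 04:15:40 host sshd[2117]: Invalid user ubnt from 198.51.100.7 port 40022
Mar  3 04:17:01 host CRON[2120]: pam_unix(cron:session): session opened for user root
Mar  3 04:19:13 host sshd[2130]: Connection closed by authenticating user root 203.0.113.5 port 33810 [preauth]
Mar  3 04:22:57 host sshd[2144]: Disconnected from invalid user ubnt 203.0.113.77 port 60110 [preauth]
Mar  3 04:30:01 host sshd[2150]: Invalid user admin from 192.0.2.10 port 51990
Mar  3 04:31:09 host sshd[2161]: Accepted publickey for deploy from 198.51.100.20 port 50122 ssh2
"""

def sources_by_user(log_text):
    """Map each attempted username to the set of source IPs that tried it."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        if "sshd[" not in line:  # ignore cron, sudo and other services
            continue
        for pattern in PATTERNS:
            match = pattern.search(line)
            if match:
                seen[match["user"]].add(match["ip"])
                break
    return dict(seen)

def distributed_probes(log_text, min_sources=3):
    """Usernames tried from at least min_sources distinct IPs, busiest first."""
    hits = [(user, len(ips)) for user, ips in sources_by_user(log_text).items()
            if len(ips) >= min_sources]
    return sorted(hits, key=lambda item: (-item[1], item[0]))

if __name__ == "__main__":
    for user, count in distributed_probes(SAMPLE_LOG):
        print(f"{user}: {count} distinct source IPs")
```

Counting distinct sources rather than raw attempts separates a username that many scanners are hunting for from one noisy client retrying a single name.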

Looking a little further, it appears UniFi may apply to a range of products by Ubiquiti.

Ubiquiti UniFi Network Management Controller
UniFi Login Page

It seems that, if you set up with the wizard, you're forced to enter a password, but until you do this, the username is set to ubnt with a password of ubnt. Not very secure!

UniFi's ubnt / ubnt credentials are used for SSH access unless changed

My assumption is, with all these scans for the ubnt user, the bad guys are finding many devices with default credentials exposed to the Internet.

If you have anything that uses UniFi, be sure to set it up securely and change those default credentials!

[update] Continuing to search around about this some more, I came across this post in Ubiquiti's forum about deleting this username.

Ubiquiti forum post recommending removal of this account

It seems people aren't getting the message. I'm not sure what the solution is, but it would be good if the device were unusable until credentials are entered by the owner, I think.