I was checking the security logs on one of my servers as I often do and noticed attempts to log into SSH using a curious username. My servers are all set up to authenticate using key-based credentials only, so none of these attempts threaten my infrastructure, but I like to have a look to see what the bad guys are up to. root and admin are common usernames to find in /var/log/auth.log, but I hadn't seen ubnt before.
Numerous login attempts using the username ubnt from many different source IP addresses typically mean many different users or automated tools are scanning systems visible on the Internet for that username. I was curious, so I Googled ubnt and found that it is a default username with a default password for Ubiquiti UniFi devices.
Looking a little further, it appears UniFi may apply to a range of products by Ubiquiti.
It seems that, if you set up with the wizard, you're forced to enter a password, but until you do this, the username is set to ubnt with a password of ubnt. Not very secure!
My assumption is, with all these scans for the ubnt user, the bad guys are finding many devices with default credentials exposed to the Internet.
If you have anything that uses UniFi, be sure to set it up securely and change those default credentials!
[update] Continuing to search around about this some more, I came across this post in Ubiquiti's forum about deleting this username.
It seems people aren't getting the message. I'm not sure what the solution is, but it would be good if the device were unusable until credentials are entered by the owner, I think.