Every server with port 22 open gets hammered by bots trying to brute-force SSH. I built a honeypot that accepts every connection, records the credentials they try, and displays it all on a live dashboard with a 3D globe.
Some fun things you'll notice:
- Bots try the same passwords everywhere — "admin", "123456", "password" are the classics. Yes, you'll see the Spaceballs password in the top 10.
- Certain countries and ISPs dominate the leaderboards
- Attacks come in waves — sometimes nothing for a minute, then a burst of 50 from one IP cycling through a wordlist
- There's a knock-knock joke panel because I couldn't resist
Originally inspired by my kids asking "who keeps trying to log into your computer?" when they saw me tailing SSH logs.
The stack is Python (FastAPI + paramiko for the honeypot), Redis pub/sub for real-time updates, SQLite for stats, and globe.gl for the visualization. WebSocket pushes every knock to your browser as it happens.
The whole thing runs on a $6.75/year VPS. The domain costs more than the server.
This is neat. What VPS service do you use? I am trying to replace my tendency to spin up small EC2 instances just to deploy a simple web app.
djkurlander 2 hours ago [-]
My $6.75 per year VPS was a Black Friday sale from Dedirock on https://lowendtalk.com. Some of the Black Friday sales are still being honored. The site https://cheapvpsbox.com/ has a nice search engine for cheap VPS sales.
mmarian 2 hours ago [-]
> who keeps trying to log into your computer?
I'm curious, how do you think this helps you answer the question? Proxies are incredibly easy to come by these days, rotation makes it hard to identify what's behind it all.
djkurlander 1 hours ago [-]
That’s a valid point. We can easily see where the attack is coming from but not who or which botnet. Some of these can be inferred by the pattern of usernames and passwords attempted, and the ISPs. Someone suggested that I collect the client SSH signature as well, which would help. But you’re right, we don’t know who is behind the attacks.
prox 42 minutes ago [-]
I saw an ISP called Microsoft, USA… is that an official microsoft computer doing that or something else?
djkurlander 36 minutes ago [-]
Yes, Microsoft shows up a lot. Some of these bots are running on Azure.
My favorite ISP to spot occasionally is SpaceX / Starlink. That can’t be the most economical ISP for bot traffic, but machines can be infected, even on Starlink.
mmarian 1 hours ago [-]
I'm guessing the SSH signatures can rotate as well. I remember someone did an analysis of rotation patterns for HTTPS requests; that's when they saw some interesting clusters.
Bender 5 hours ago [-]
Very nice! I am looking forward to many people running this. Perhaps people could add their URL in a ./contrib directory or something to that effect? I might set this up when I get back from the feed store.
djkurlander 5 hours ago [-]
Nice idea. The original VPS is in Los Angeles, but I installed the app more recently on VPS's in London, Tokyo, and Amsterdam. I've been noticing some interesting regional differences, but it may just be smaller sample of knocks for those sites so far. I'll set up that contrib directory so that we can share our dashboards. I would be interested in looking at others' dashboards to suss out patterns.
orojackson 2 hours ago [-]
Side question: which cheap VPS are you using in Los Angeles? Looking to get one in the Southern California area.
djkurlander 2 hours ago [-]
My $6.75 per year vps was a Dedirock Black Friday sale that I found https://lowendtalk.com. https://cheapvpsbox.com/ reports several nice Los Angeles sales still going on from various providers. My London, Tokyo, and Amsterdam VPSs are holiday sales from RareCloud and Racknerd - all less than $19/year.
djkurlander 4 hours ago [-]
contrib directory added!
tamimio 41 minutes ago [-]
Awesome, I loved it thanks for sharing it.
And I remember more than a decade ago I went down the rabbit hole hunting these bots and indeed, I found Netherlands was always the king of hill when it comes to bots, followed by US, Netherlands still there I see.
djkurlander 29 minutes ago [-]
Some things never change.
One of my favorite visualizations for this is to switch to the globe view and choose the “HEAT” style for a 3D heatmap superimposed on the globe. Green means few hits, and red signifies lots of hits.
The Netherlands is so small that it’s tough to see though!
czbond 3 hours ago [-]
Well done, OP.
jwkerr 2 hours ago [-]
This is very interesting to me, would most of these bots be running on servers that have already been compromised? If that's the case, is the Netherlands/Digital Ocean the most common combo as it's what most normal people use, or is there some other reason bots favour it?
djkurlander 2 hours ago [-]
Many/most of these are servers that have been compromised. DigitalOcean is certainly one of the biggest ISPs/providers; however, I’m betting that if you looked at ratio of knocks per ASN IPs registered, DigitalOcean would still be at the top. I’ll look into that.
Providers can shut down abusive IPs. I run a script every night to report attacks to abuseIPDB.com (included in the extras folder on the knock-knock GitHub repository). Some providers just don’t care.
6031769 2 hours ago [-]
> Some providers just don’t care.
And they should be shunned by everyone. We should all be naming and shaming such providers and those of us with any conscience at all will avoid using them. This is the only way to stop the tsunami of bad actors.
arjie 48 minutes ago [-]
Very fun site. Cool idea indeed. I think it's a neat piece of art. I wish I could scroll sideways, though. The page got cut off for me.
djkurlander 39 minutes ago [-]
If you are on the desktop, you should be able to scroll sideways either by choosing a menu icon at the top, or by clicking on a panel (which will rotate the panels to the left). On the phone you can visit a panel by choosing the icon from the rotating carousel at the bottom, or by swiping the panels to the left or right.
3 hours ago [-]
Rendered at 22:20:57 GMT+0000 (Coordinated Universal Time) with Vercel.
site: https://knock-knock.net
Every server with port 22 open gets hammered by bots trying to brute-force SSH. I built a honeypot that accepts every connection, records the credentials they try, and displays it all on a live dashboard with a 3D globe.
Some fun things you'll notice:
- Bots try the same passwords everywhere — "admin", "123456", "password" are the classics. Yes, you'll see the Spaceballs password in the top 10.
- Certain countries and ISPs dominate the leaderboards
- Attacks come in waves — sometimes nothing for a minute, then a burst of 50 from one IP cycling through a wordlist
- There's a knock-knock joke panel because I couldn't resist
Originally inspired by my kids asking "who keeps trying to log into your computer?" when they saw me tailing SSH logs.
The stack is Python (FastAPI + paramiko for the honeypot), Redis pub/sub for real-time updates, SQLite for stats, and globe.gl for the visualization. WebSocket pushes every knock to your browser as it happens.
The whole thing runs on a $6.75/year VPS. The domain costs more than the server.
Source: https://github.com/djkurlander/knock-knock
I'm curious, how do you think this helps you answer the question? Proxies are incredibly easy to come by these days, rotation makes it hard to identify what's behind it all.
My favorite ISP to spot occasionally is SpaceX / Starlink. That can’t be the most economical ISP for bot traffic, but machines can be infected, even on Starlink.
And I remember more than a decade ago I went down the rabbit hole hunting these bots and indeed, I found Netherlands was always the king of hill when it comes to bots, followed by US, Netherlands still there I see.
One of my favorite visualizations for this is to switch to the globe view and choose the “HEAT” style for a 3D heatmap superimposed on the globe. Green means few hits, and red signifies lots of hits. The Netherlands is so small that it’s tough to see though!
Providers can shut down abusive IPs. I run a script every night to report attacks to abuseIPDB.com (included in the extras folder on the knock-knock GitHub repository). Some providers just don’t care.
And they should be shunned by everyone. We should all be naming and shaming such providers and those of us with any conscience at all will avoid using them. This is the only way to stop the tsunami of bad actors.