OP here.
site: https://knock-knock.net
Every server with port 22 open gets hammered by bots trying to brute-force SSH. I built a honeypot that accepts every connection, records the credentials they try, and displays it all on a live dashboard with a 3D globe.
Some fun things you'll notice:
- Bots try the same passwords everywhere — "admin", "123456", "password" are the classics. Yes, you'll see the Spaceballs password in the top 10.
- Certain countries and ISPs dominate the leaderboards
- Attacks come in waves — sometimes nothing for a minute, then a burst of 50 from one IP cycling through a wordlist
- There's a knock-knock joke panel because I couldn't resist
Originally inspired by my kids asking "who keeps trying to log into your computer?" when they saw me tailing SSH logs.
The stack is Python (FastAPI + paramiko for the honeypot), Redis pub/sub for real-time updates, SQLite for stats, and globe.gl for the visualization. WebSocket pushes every knock to your browser as it happens.
The whole thing runs on a $6.75/year VPS. The domain costs more than the server.
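The dashboard statistics OP describes (top passwords, top source IPs, and the "burst of 50 from one IP cycling through a wordlist" pattern) can be reproduced from the recorded knocks with a few lines of Python. This is an added example, not code from the knock-knock repo: the log-line format, the sample knocks and the IPs (taken from the RFC 5737 documentation ranges) are all constructed, and the sliding-window burst detector is my own choice of algorithm, not necessarily what the dashboard uses.

```python
"""Aggregate SSH honeypot "knocks" into leaderboard statistics and flag
single-IP bursts.  Added example; the record format and sample data below
are constructed for illustration, not taken from the knock-knock project.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Knock:
    ts: datetime      # when the login attempt arrived (UTC assumed)
    ip: str           # source address of the client
    username: str     # username the bot tried
    password: str     # password the bot tried


def parse_knock(line: str) -> Knock:
    """Parse one constructed log line: '<iso timestamp> <ip> <user> <password>'.
    The password is the last field and may contain spaces, so split at most
    three times."""
    ts, ip, user, password = line.split(" ", 3)
    return Knock(datetime.fromisoformat(ts), ip, user, password)


def top_passwords(knocks, n=3):
    """Most frequently guessed passwords, as (password, count) pairs."""
    return Counter(k.password for k in knocks).most_common(n)


def top_sources(knocks, n=3):
    """Most active source IPs, as (ip, count) pairs."""
    return Counter(k.ip for k in knocks).most_common(n)


def detect_bursts(knocks, window=timedelta(seconds=60), threshold=5):
    """Return {ip: peak attempts inside any `window`} for IPs whose peak
    reaches `threshold`.  A sliding window over each IP's sorted timestamps
    finds the densest run, which is what a wordlist cycle looks like."""
    by_ip = defaultdict(list)
    for k in knocks:
        by_ip[k.ip].append(k.ts)
    bursts = {}
    for ip, stamps in by_ip.items():
        stamps.sort()
        start, peak = 0, 0
        for end, ts in enumerate(stamps):
            # Advance the window start until it is within `window` of `ts`.
            while ts - stamps[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            bursts[ip] = peak
    return bursts


def summarize(lines):
    """Parse constructed log lines and compute everything the dashboard shows."""
    knocks = [parse_knock(line) for line in lines]
    return {
        "passwords": top_passwords(knocks),
        "sources": top_sources(knocks),
        "bursts": detect_bursts(knocks),
    }


# Constructed sample: slow background noise from two IPs, then one IP
# running through a small wordlist at two-second intervals.
WORDLIST = ["123456", "password", "admin", "12345", "root", "qwerty", "123456", "admin"]
SAMPLE_LINES = [
    "2024-01-01T00:00:00 198.51.100.2 root 123456",
    "2024-01-01T00:02:00 192.0.2.9 admin admin",
    "2024-01-01T00:05:00 198.51.100.2 root password",
    "2024-01-01T00:09:00 192.0.2.9 pi raspberry",
    "2024-01-01T00:15:00 198.51.100.2 ubuntu 123456",
] + [
    f"2024-01-01T00:20:{i * 2:02d} 203.0.113.7 root {pw}"
    for i, pw in enumerate(WORDLIST)
]

if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LINES).items():
        print(f"{key}: {value}")
```

On the sample data the only burst reported is 203.0.113.7 with eight attempts in fourteen seconds; the two noisy-but-slow IPs never exceed one attempt per window, which is the distinction the dashboard's "waves" make visible.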
This is neat. What VPS service do you use? I am trying to replace my tendency to spin up small EC2 instances just to deploy a simple web app.
My $6.75 per year VPS was a Black Friday sale from Dedirock on https://lowendtalk.com. Some of the Black Friday sales are still being honored. The site https://cheapvpsbox.com/ has a nice search engine for cheap VPS sales.
Note: just be sure to have some sort of backup solution because when a deal seems to be too good to be true, sometimes the company will go under.
I had that happen years ago, consequently it meant my first ever VPS disappearing.
I think the deal back then was like 15 EUR per year.
Scaleway has small instances (Stardust) btw: https://www.scaleway.com/en/pricing/virtual-instances/
They seem expensive otherwise so I’d go with Hetzner for most other stuff. Heck I’ve even used Contabo too (they don’t have the best reputation, but it worked out okay for me).
I recommend a dedicated $40 Hetzner or OVH box and just keep all your projects on that. They're pretty powerful. I was spending a lot on a bunch of $5 Linodes until recently and you have to keep them upgraded etc.
How deep are your web apps? Cloudflare Pages and Workers have a generous free tier, depending on what you're doing.
Awesome, I loved it, thanks for sharing it.
And I remember more than a decade ago I went down the rabbit hole hunting these bots and indeed, I found the Netherlands was always the king of the hill when it comes to bots, followed by the US. The Netherlands is still there, I see.
Some things never change.
One of my favorite visualizations for this is to switch to the globe view and choose the “HEAT” style for a 3D heatmap superimposed on the globe. Green means few hits, and red signifies lots of hits. The Netherlands is so small that it’s tough to see though!
Very nice! I am looking forward to many people running this. Perhaps people could add their URL in a ./contrib directory or something to that effect? I might set this up when I get back from the feed store.
Nice idea. The original VPS is in Los Angeles, but I installed the app more recently on VPSs in London, Tokyo, and Amsterdam. I've been noticing some interesting regional differences, but it may just be a smaller sample of knocks for those sites so far. I'll set up that contrib directory so that we can share our dashboards. I would be interested in looking at others' dashboards to suss out patterns.
Side question: which cheap VPS are you using in Los Angeles? Looking to get one in the Southern California area.
My $6.75 per year VPS was a Dedirock Black Friday sale that I found on https://lowendtalk.com. https://cheapvpsbox.com/ reports several nice Los Angeles sales still going on from various providers. My London, Tokyo, and Amsterdam VPSs are holiday sales from RareCloud and Racknerd - all less than $19/year.
Before I saw this comment I was curious and used dig + ARIN to look up the IPs and saw they were at Cloudflare. Given how rapidly the data changes and that the updates are via WebSockets, do you get benefits from them serving assets, or is that to obscure the origin so it doesn't get extra attention, skewing the results? Cool project!
Good observation. I am using a Cloudflare orange cloud proxy to hide the IP address. I’m also blocking direct access to my web server by IP addresses to make it that much more difficult to associate the IP address with my domain. Most people installing knock-knock probably won’t care, but I figured that this would be worthwhile for the “official” server. Instructions for setting this up are in the extras/ufw-cloudflare directory of the repo. Yes, there are other ways to track down the IP address, but they are a lot harder.
By the way, I noticed that the bots were guessing usernames like “knock-knock” before blocking direct IP access to the web site. Looking at the other passwords guessed, I realized they were extracting words from the title of the index.html! So it’s all about masking the server’s identity - I’m not really getting other benefits out of Cloudflare.
contrib directory added!
Do you have any insight on SSH servers that only allow login with public key authentication? Do bots leave immediately when they see that they can't use passwords?
If the bot sees no login / password sequence, there’s no way for it to brute force credentials. If the server only takes ssh keys, that will cause an immediate disconnect. Which is why this setting is best practice when setting up a server when practical: PasswordAuthentication no.
I wish this would be the default. I expose my homelab port 22 directly to the internet. I'm _pretty_ sure I always always always disable password auth but I do worry about it because most distros have an unsafe default.
(A lot of this risk is mitigated by not having login passwords but I definitely have one node where I have a login password, it's an old laptop so I thought I might want to physically log in for local debugging).
I guess the ideal solution here is to run a prober service that attempts logins and alerts if it gets any responses that smell password auth is possible. But no way I have time to set that up.
One way to solve this is to use a configuration management tool (Puppet / Chef / Salt / Ansible etc.). Alternatively, run NixOS. You apply the setting once and then it's applied to all your machines from that point onwards.
I do run NixOS, but it's easy to make mistakes in a complex setup.
[dead]
When you get a "Permission denied (publickey)." if you try to connect to a server which requires a public key for authentication, it causes your 5 lines to wrongly raise an alarm ... you need to adapt your grep.
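The "prober service" wished for above, and the false alarm on "Permission denied (publickey)." just mentioned, can both be handled by parsing the method list that sshd discloses when a client offers no authentication at all. This is an added example, not code from the knock-knock repo or any commenter. It assumes an OpenSSH client is installed, that `PreferredAuthentications=none` plus `PubkeyAuthentication=no` makes the server answer with its accepted methods (the documented behaviour of OpenSSH), and that the host and user names are placeholders for servers you administer. The stderr samples used for the self-check are constructed in the shape OpenSSH prints.

```python
"""Check whether one of your own SSH servers still accepts password logins.

Added example (not from the knock-knock project).  The client offers the
'none' method, sshd replies with the methods it does accept, and ssh prints
'Permission denied (publickey,password).'  A keys-only server prints
'Permission denied (publickey).', which is the healthy case and must not
trigger an alert.
"""
import re
import subprocess

# Methods that present a credential prompt a bot could brute force.
PASSWORD_LIKE = {"password", "keyboard-interactive"}

# Matches the parenthesised method list in ssh's "Permission denied (...)" line.
DENIED_RE = re.compile(r"Permission denied \(([^)]*)\)")


def parse_auth_methods(ssh_stderr: str):
    """Return the set of methods sshd advertised, or None when the output has
    no 'Permission denied (...)' line (timeout, refused, host key failure)."""
    match = DENIED_RE.search(ssh_stderr)
    if not match:
        return None
    return {m.strip() for m in match.group(1).split(",") if m.strip()}


def password_auth_exposed(ssh_stderr: str):
    """True if a password-like method is offered, False if keys only,
    None if the probe output could not be interpreted."""
    methods = parse_auth_methods(ssh_stderr)
    if methods is None:
        return None
    return bool(methods & PASSWORD_LIKE)


def probe(host: str, port: int = 22, user: str = "probe") -> str:
    """Run the real ssh client against a server you own and return its stderr.
    Assumes OpenSSH; `host` and `user` are placeholders.  No credential is
    sent: the client only offers 'none' and disables its own key offers.
    accept-new is assumed to store unknown host keys without prompting even
    in BatchMode; use a pinned known_hosts file if you need stricter checks."""
    cmd = [
        "ssh", "-p", str(port),
        "-o", "BatchMode=yes",
        "-o", "PreferredAuthentications=none",
        "-o", "PubkeyAuthentication=no",
        "-o", "ConnectTimeout=5",
        "-o", "StrictHostKeyChecking=accept-new",
        f"{user}@{host}",
    ]
    result = subprocess.run(cmd, capture_output=True, text=True)
    return result.stderr


def verdict(ssh_stderr: str) -> str:
    """Human-readable result for a cron job or alerting hook."""
    exposed = password_auth_exposed(ssh_stderr)
    if exposed is None:
        return "unknown: could not interpret ssh output"
    return "ALERT: password auth enabled" if exposed else "ok: keys only"


# Constructed stderr samples in the shape OpenSSH prints (documentation IPs).
KEYS_ONLY = "probe@203.0.113.10: Permission denied (publickey).\n"
PASSWORD_OPEN = "probe@203.0.113.11: Permission denied (publickey,password).\n"
TIMEOUT = "ssh: connect to host 203.0.113.12 port 22: Connection timed out\n"

if __name__ == "__main__":
    import sys
    for host in sys.argv[1:]:          # e.g. python probe.py host1.example host2.example
        print(host, verdict(probe(host)))
```

Run it from cron against the list of hosts you expose and page only on the ALERT line; a plain grep for "Permission denied" would fire on the keys-only reply as well, which is exactly the false positive described above.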
Cool project
But also wanted to let you know about
https://objective-see.org/products/knockknock.html
And knockd: https://wiki.archlinux.org/title/Port_knocking
Common name in case you wanted to differentiate yourself a bit
I was aware of port knocking, but not the Mac malware scanner with the similar name. Good to know!
You probably also know of Netbird -- open-source zero-trust VPN.
Personally, I shall some day find the patience to code and test a poor man's zero-trust -- app/site knocking + firewall whitelist.
In the 2000s I had a service with a couple of million registered users and plaintext passwords. One day a couple of us ran a SQL script to group and order all the passwords. The top ones are what you would expect, 12345678, Password, etc. One of the top three was "trustno1", though. The X-Files was probably still running on TV at the time.
Beautiful. Have you considered adding a "replay certain timeline" feature so that users get the feel of the throughput and emergence much like Gource [1] did for git?
[1] https://gource.io/
Hadn’t considered it, but that’s a nice idea. All of the necessary info, with time stamps, is already recorded in a SQL database, so it wouldn’t be difficult to replay events.
> who keeps trying to log into your computer?
I'm curious, how do you think this helps you answer the question? Proxies are incredibly easy to come by these days, rotation makes it hard to identify what's behind it all.
That’s a valid point. We can easily see where the attack is coming from but not who or which botnet. Some of these can be inferred by the pattern of usernames and passwords attempted, and the ISPs. Someone suggested that I collect the client SSH signature as well, which would help. But you’re right, we don’t know who is behind the attacks.
I'm guessing the SSH signatures can rotate as well. I remember someone did an analysis of rotation patterns for HTTPS requests; that's when they saw some interesting clusters.
I saw an ISP called Microsoft, USA… is that an official Microsoft computer doing that or something else?
Yes, Microsoft shows up a lot. Some of these bots are running on Azure.
My favorite ISP to spot occasionally is SpaceX / Starlink. That can’t be the most economical ISP for bot traffic, but machines can be infected, even on Starlink.
Starlink bot here, but you won't see me because I'm behind a VPN
Well done, OP.
Wow that's fucking beautiful, man. That's beautiful. Wow, I love that!
What $6.75/year VPS do you have?
Was gonna ask the same question. NearlyFreeSpeech perhaps? They're quite cheap. Haven't seen any other providers at a similar price point.
They answer it down in the thread I found. https://cheapvpsbox.com/