OP here.<p>site: <a href="https://knock-knock.net" rel="nofollow">https://knock-knock.net</a><p>Every server with port 22 open gets hammered by bots trying to brute-force SSH. I built a honeypot that accepts every connection, records the credentials they try, and displays it all on a live dashboard with a 3D globe.<p>Some fun things you'll notice:<p>- Bots try the same passwords everywhere — "admin", "123456", "password" are the classics. Yes, you'll see the Spaceballs password in the top 10.<p>- Certain countries and ISPs dominate the leaderboards<p>- Attacks come in waves — sometimes nothing for a minute, then a burst of 50 from one IP cycling through a wordlist<p>- There's a knock-knock joke panel because I couldn't resist<p>Originally inspired by my kids asking "who keeps trying to log into your computer?" when they saw me tailing SSH logs.<p>The stack is Python (FastAPI + paramiko for the honeypot), Redis pub/sub for real-time updates, SQLite for stats, and globe.gl for the visualization. WebSocket pushes every knock to your browser as it happens.<p>The whole thing runs on a $6.75/year VPS. The domain costs more than the server.<p>Source: <a href="https://github.com/djkurlander/knock-knock" rel="nofollow">https://github.com/djkurlander/knock-knock</a>
This is neat. What VPS service do you use? I am trying to replace my tendency to spin up small EC2 instances just to deploy a simple web app.
> who keeps trying to log into your computer?<p>I'm curious, how do you think this helps you answer the question? Proxies are incredibly easy to come by these days, rotation makes it hard to identify what's behind it all.
That’s a valid point. We can easily see where the attack is coming from but not who or which botnet. Some of these can be inferred by the pattern of usernames and passwords attempted, and the ISPs. Someone suggested that I collect the client SSH signature as well, which would help. But you’re right, we don’t know who is behind the attacks.
I saw an ISP called Microsoft, USA… is that an official microsoft computer doing that or something else?
Yes, Microsoft shows up a lot. Some of these bots are running on Azure.<p>My favorite ISP to spot occasionally is SpaceX / Starlink. That can’t be the most economical ISP for bot traffic, but machines can be infected, even on Starlink.
I'm guessing the SSH signatures can rotate as well. I remember someone did an analysis of rotation patterns for HTTPS requests; that's when they saw some interesting clusters.
Awesome, I loved it thanks for sharing it.<p>And I remember more than a decade ago I went down the rabbit hole hunting these bots and indeed, I found Netherlands was always the king of hill when it comes to bots, followed by US, Netherlands still there I see.
Very nice! I am looking forward to many people running this. Perhaps people could add their URL in a ./contrib directory or something to that effect? I might set this up when I get back from the feed store.
Nice idea. The original VPS is in Los Angeles, but I installed the app more recently on VPS's in London, Tokyo, and Amsterdam. I've been noticing some interesting regional differences, but it may just be smaller sample of knocks for those sites so far. I'll set up that contrib directory so that we can share our dashboards. I would be interested in looking at others' dashboards to suss out patterns.
Well done, OP.