Comment by djkurlander
12 days ago
OP here.
site: https://knock-knock.net
Every server with port 22 open gets hammered by bots trying to brute-force SSH. I built a honeypot that accepts every connection, records the credentials they try, and displays it all on a live dashboard with a 3D globe.
Some fun things you'll notice:
- Bots try the same passwords everywhere — "admin", "123456", "password" are the classics. Yes, you'll see the Spaceballs password in the top 10.
- Certain countries and ISPs dominate the leaderboards
- Attacks come in waves — sometimes nothing for a minute, then a burst of 50 from one IP cycling through a wordlist
- There's a knock-knock joke panel because I couldn't resist
Originally inspired by my kids asking "who keeps trying to log into your computer?" when they saw me tailing SSH logs.
The stack is Python (FastAPI + paramiko for the honeypot), Redis pub/sub for real-time updates, SQLite for stats, and globe.gl for the visualization. WebSocket pushes every knock to your browser as it happens.
The whole thing runs on a $6.75/year VPS. The domain costs more than the server.
This is neat. What VPS service do you use? I am trying to replace my tendency to spin up small EC2 instances just to deploy a simple web app.
My $6.75 per year VPS was a Black Friday sale from Dedirock on https://lowendtalk.com. Some of the Black Friday sales are still being honored. The site https://cheapvpsbox.com/ has a nice search engine for cheap VPS sales.
Note: just be sure to have some sort of backup solution because when a deal seems to be too good to be true, sometimes the company will go under.
I had that happen years ago, consequently it meant my first ever VPS disappearing.
I think the deal back then was like 15 EUR per year.
Scaleway has small instances (Stardust) btw: https://www.scaleway.com/en/pricing/virtual-instances/
They seem expensive otherwise so I’d go with Hetzner for most other stuff. Heck I’ve even used Contabo too (they don’t have the best reputation, but it worked out okay for me).
I recommend a dedicated $40 hetzner or OVH box and just keep all your projects on that. They're pretty powerful. I was spending a lot on a bunch of $5 linodes until recently and you have to keep them upgraded etc...
how deep are your WebApps? Cloudflare pages and workers have a generous free tier, depending on what you're doing.
Awesome, I loved it thanks for sharing it.
And I remember more than a decade ago I went down the rabbit hole hunting these bots and indeed, I found Netherlands was always the king of hill when it comes to bots, followed by US, Netherlands still there I see.
Some things never change.
One of my favorite visualizations for this is to switch to the globe view and choose the “HEAT” style for a 3D heatmap superimposed on the globe. Green means few hits, and red signifies lots of hits. The Netherlands is so small that it’s tough to see though!
Very nice! I am looking forward to many people running this. Perhaps people could add their URL in a ./contrib directory or something to that effect? I might set this up when I get back from the feed store.
Nice idea. The original VPS is in Los Angeles, but I installed the app more recently on VPS's in London, Tokyo, and Amsterdam. I've been noticing some interesting regional differences, but it may just be smaller sample of knocks for those sites so far. I'll set up that contrib directory so that we can share our dashboards. I would be interested in looking at others' dashboards to suss out patterns.
Side question: which cheap VPS are you using in Los Angeles? Looking to get one in the Southern California area.
3 replies →
contrib directory added!
Do you have any insight on SSH servers that only allow login with public key authentication? Do bots leave immediately when they see that they can't use passwords?
If the bot sees no login / password sequence, there’s no way for it to brute force credentials. If the server only takes ssh keys, that will cause an immediate disconnect. Which is why this setting is best practice when setting up a server when practical: PasswordAuthentication no.
I wish this would be the default. I expose my homelab port 22 directly to the internet. I'm _pretty_ sure I always always always disable password auth but I do worry about it because most distros have an unsafe default.
(A lot of this risk is mitigated by not having login passwords but I definitely have one node where I have a login password, it's an old laptop so I thought I might want to physically log in for local debugging).
I guess the ideal solution here is to run a prober service that attempts logins and alerts if it gets any responses that smell password auth is possible. But no way I have time to set that up.
4 replies →
In the 2000s I had a service with a couple of million registered users and plaintext passwords. One day a couple of us ran a SQL script to group and order all the passwords. The top ones are what you would expect, 12345678, Password, etc. One of the top three was "trustno1", though. The X-Files was probably still running on TV at the time.
Cool project
But also wanted to let you know about
https://objective-see.org/products/knockknock.html
And knockd: https://wiki.archlinux.org/title/Port_knocking
Common name in case you wanted to differentiate yourself a bit
I was aware of port knocking, but not the Mac malware scanner with the similar name. Good to know!
You probably also know of Netbird -- open-source zero-trust VPN.
Personally, I shall some day find the patience to code and test a poor man's zero-trust -- app/site knocking + firewall whitelist.
Beautiful. Have you considered adding a "replay certain timeline" feature so that users get the feel of the throughput and emergence much like Gource [1] did for git?
[1] https://gource.io/
Hadn’t considered it, but that’s a nice idea. All of the necessary info, with time stamps, is already recorded in a SQL database, so it wouldn’t be difficult to replay events.
> who keeps trying to log into your computer?
I'm curious, how do you think this helps you answer the question? Proxies are incredibly easy to come by these days, rotation makes it hard to identify what's behind it all.
That’s a valid point. We can easily see where the attack is coming from but not who or which botnet. Some of these can be inferred by the pattern of usernames and passwords attempted, and the ISPs. Someone suggested that I collect the client SSH signature as well, which would help. But you’re right, we don’t know who is behind the attacks.
I'm guessing the SSH signatures can rotate as well. I remember someone did an analysis of rotation patterns for HTTPS requests; that's when they saw some interesting clusters.
I saw an ISP called Microsoft, USA… is that an official microsoft computer doing that or something else?
2 replies →
Well done, OP.
Wow that's fucking beautiful, man. That's beautiful. Wow, I love that!
What $6.75/year VPS do you have?
Was gonna ask the same question. nearlyfreespeech perhaps? They're quite cheap. Haven't seen any other providers at a similar price point.
They answer it down in the thread I found. https://cheapvpsbox.com/