2/15/2026 at 5:06:59 PM
OP here. Site: https://knock-knock.net
Every server with port 22 open gets hammered by bots trying to brute-force SSH. I built a honeypot that accepts every connection, records the credentials they try, and displays it all on a live dashboard with a 3D globe.
Some fun things you'll notice:
- Bots try the same passwords everywhere — "admin", "123456", "password" are the classics. Yes, you'll see the Spaceballs password in the top 10.
- Certain countries and ISPs dominate the leaderboards
- Attacks come in waves — sometimes nothing for a minute, then a burst of 50 from one IP cycling through a wordlist
- There's a knock-knock joke panel because I couldn't resist
Originally inspired by my kids asking "who keeps trying to log into your computer?" when they saw me tailing SSH logs.
The stack is Python (FastAPI + paramiko for the honeypot), Redis pub/sub for real-time updates, SQLite for stats, and globe.gl for the visualization. WebSocket pushes every knock to your browser as it happens.
The whole thing runs on a $6.75/year VPS. The domain costs more than the server.
by djkurlander
2/17/2026 at 1:45:55 AM
In the 2000s I had a service with a couple of million registered users and plaintext passwords. One day a couple of us ran a SQL script to group and order all the passwords. The top ones are what you would expect, 12345678, Password, etc. One of the top three was "trustno1", though. The X-Files was probably still running on TV at the time.
by qingcharles
2/15/2026 at 8:32:04 PM
This is neat. What VPS service do you use? I am trying to replace my tendency to spin up small EC2 instances just to deploy a simple web app.
by tkp-415
2/15/2026 at 8:43:56 PM
My $6.75 per year VPS was a Black Friday sale from Dedirock on https://lowendtalk.com. Some of the Black Friday sales are still being honored. The site https://cheapvpsbox.com/ has a nice search engine for cheap VPS sales.
by djkurlander
2/16/2026 at 7:06:31 AM
Note: just be sure to have some sort of backup solution because when a deal seems to be too good to be true, sometimes the company will go under.
I had that happen years ago, consequently it meant my first ever VPS disappearing.
I think the deal back then was like 15 EUR per year.
Scaleway has small instances (Stardust) btw: https://www.scaleway.com/en/pricing/virtual-instances/
They seem expensive otherwise so I’d go with Hetzner for most other stuff. Heck I’ve even used Contabo too (they don’t have the best reputation, but it worked out okay for me).
by KronisLV
2/15/2026 at 11:30:44 PM
I recommend a dedicated $40 Hetzner or OVH box and just keep all your projects on that. They're pretty powerful. I was spending a lot on a bunch of $5 Linodes until recently and you have to keep them upgraded etc...
by winrid
2/15/2026 at 11:34:53 PM
How deep are your WebApps? Cloudflare pages and workers have a generous free tier, depending on what you're doing.
by fragmede
2/16/2026 at 2:11:00 PM
Beautiful. Have you considered adding a "replay certain timeline" feature so that users get the feel of the throughput and emergence much like Gource [1] did for git?
by alexhans
2/16/2026 at 3:25:51 PM
Hadn’t considered it, but that’s a nice idea. All of the necessary info, with time stamps, is already recorded in a SQL database, so it wouldn’t be difficult to replay events.
by djkurlander
2/16/2026 at 6:40:42 AM
Do you have any insight on SSH servers that only allow login with public key authentication? Do bots leave immediately when they see that they can't use passwords?
by vaylian
2/16/2026 at 6:55:21 AM
If the bot sees no login / password sequence, there’s no way for it to brute force credentials. If the server only takes ssh keys, that will cause an immediate disconnect. Which is why this setting is best practice when setting up a server when practical: PasswordAuthentication no.
by djkurlander
2/16/2026 at 10:08:32 AM
I wish this would be the default. I expose my homelab port 22 directly to the internet. I'm _pretty_ sure I always always always disable password auth but I do worry about it because most distros have an unsafe default.
(A lot of this risk is mitigated by not having login passwords but I definitely have one node where I have a login password, it's an old laptop so I thought I might want to physically log in for local debugging).
I guess the ideal solution here is to run a prober service that attempts logins and alerts if it gets any responses that smell like password auth is possible. But no way I have time to set that up.
by bjackman
2/16/2026 at 3:02:35 PM
You can do this in about 5 lines of bash with a cron job. Something like:
ssh -o PreferredAuthentications=password -o PubkeyAuthentication=no -o BatchMode=yes user@host 2>&1 | grep -q "Permission denied" && echo "password auth enabled on host" | mail -s "SSH audit alert" you@email.com
If you get "Permission denied (password)" back, the server is accepting password auth attempts. If it immediately drops you with "Permission denied (publickey)", you're good.
The tricky part is that sshd_config can be overridden per-user with Match blocks, so ideally you'd probe with a few different usernames. But even a basic probe catches the 90% case of someone forgetting PasswordAuthentication no.
For the laptop with a real login password: you could set PasswordAuthentication no in sshd_config but keep the login password for local console access. Those are independent settings - sshd_config only affects remote SSH, not local login.
by jamiemallers
2/16/2026 at 6:41:35 PM
When you get a "Permission denied (publickey)." if you try to connect to a server which requires a public key for authentication, it causes your 5 lines to wrongly raise an alarm ... you need to adapt your grep.
by jcynix
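Added example (not part of any comment in this thread): a variant of the probe discussed above that reads the method list inside the parentheses of "Permission denied (...)" instead of matching the bare phrase, so a key-only server does not raise an alarm. Function names and sample strings are constructed here; counting keyboard-interactive as password-capable is an assumption.

```shell
#!/bin/sh
# Added example: decide from the ssh client's error output whether a server
# still offers password logins. Function names are hypothetical.

# Print the comma-separated method list from "Permission denied (a,b).",
# or nothing when the output contains no such line.
offered_methods() {
    printf '%s\n' "$1" |
        sed -n 's/.*Permission denied (\([^)]*\)).*/\1/p' | head -n 1
}

# Echo "password-enabled", "key-only" or "unknown" for one probe output.
# Assumption: keyboard-interactive is treated like password, since it is
# commonly backed by a password prompt.
classify_probe() {
    methods=$(offered_methods "$1")
    [ -n "$methods" ] || { echo unknown; return; }
    case ",$methods," in
        *,password,*|*,keyboard-interactive,*) echo password-enabled ;;
        *) echo key-only ;;
    esac
}

# Run the probe from the thread against user@host and classify the result.
probe_host() {
    out=$(ssh -o PreferredAuthentications=password -o PubkeyAuthentication=no \
              -o BatchMode=yes -o ConnectTimeout=10 "$1" 2>&1 </dev/null)
    classify_probe "$out"
}

# Probe several usernames on one host, since Match blocks can differ per
# user. Prints only the accounts that are not confirmed key-only.
audit_host() {
    host=$1; shift
    for user in "$@"; do
        result=$(probe_host "$user@$host")
        [ "$result" = key-only ] || echo "$user@$host: $result"
    done
}

# Constructed sample outputs (not captured from a real server).
for sample in 'u@h: Permission denied (publickey).' \
              'u@h: Permission denied (publickey,password).'; do
    printf '%s -> %s\n' "$sample" "$(classify_probe "$sample")"
done
```

From cron, the output of audit_host for your own host and a few usernames can be piped to mail as in the comment above; an "unknown" result means the probe did not reach the authentication stage and is worth a look too.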
2/16/2026 at 12:33:03 PM
One way to solve this is to use a configuration management tool (Puppet / Chef / Salt / Ansible etc.). Alternatively, run NixOS. You apply the setting once and then it's applied to all your machines from that point onwards.
by jbstack
2/16/2026 at 4:09:23 PM
I do run NixOS, but it's easy to make mistakes in a complex setup.
by bjackman
2/16/2026 at 4:45:34 AM
Cool project
But also wanted to let you know about
https://objective-see.org/products/knockknock.html
And knockd: https://wiki.archlinux.org/title/Port_knocking
Common name in case you wanted to differentiate yourself a bit
by godelski
2/16/2026 at 4:51:24 AM
I was aware of port knocking, but not the Mac malware scanner with the similar name. Good to know!
by djkurlander
2/16/2026 at 9:08:05 AM
You probably also know of Netbird -- open-source zero-trust VPN.
Personally, I shall some day find the patience to code and test a poor man's zero-trust -- app/site knocking + firewall whitelist.
by user2722
2/15/2026 at 5:14:23 PM
Very nice! I am looking forward to many people running this. Perhaps people could add their URL in a ./contrib directory or something to that effect? I might set this up when I get back from the feed store.
by Bender
2/15/2026 at 5:22:41 PM
Nice idea. The original VPS is in Los Angeles, but I installed the app more recently on VPS's in London, Tokyo, and Amsterdam. I've been noticing some interesting regional differences, but it may just be a smaller sample of knocks for those sites so far. I'll set up that contrib directory so that we can share our dashboards. I would be interested in looking at others' dashboards to suss out patterns.
by djkurlander
2/15/2026 at 8:32:53 PM
Side question: which cheap VPS are you using in Los Angeles? Looking to get one in the Southern California area.
by orojackson
2/15/2026 at 8:50:42 PM
My $6.75 per year VPS was a Dedirock Black Friday sale that I found on https://lowendtalk.com. https://cheapvpsbox.com/ reports several nice Los Angeles sales still going on from various providers. My London, Tokyo, and Amsterdam VPSs are holiday sales from RareCloud and Racknerd - all less than $19/year.
by djkurlander
2/16/2026 at 2:50:37 AM
Before I saw this comment I was curious and used dig+ARIN to look up the IPs and saw they were at Cloudflare. Given how rapidly the data changes and that the updates are via Websockets, do you get benefits from them serving assets, or is that to obscure the origin so it doesn't get extra attention, skewing the results? Cool project!
by bnabholz
2/16/2026 at 4:21:49 AM
Good observation. I am using a Cloudflare orange cloud proxy to hide the IP address. I’m also blocking direct access to my web server by IP addresses to make it that much more difficult to associate the IP address with my domain. Most people installing knock-knock probably won’t care, but I figured that this would be worthwhile for the “official” server. Instructions for setting this up are in the extras/ufw-cloudflare directory of the repo. Yes, there are other ways to track down the IP address, but they are a lot harder.
By the way, I noticed that the bots were guessing usernames like “knock-knock” before blocking direct IP access to the web site. Looking at the other passwords guessed, I realized they were extracting words from the title of the index.html! So it’s all about masking the server’s identity - I’m not really getting other benefits out of Cloudflare.
by djkurlander
2/15/2026 at 6:09:45 PM
contrib directory added!
by djkurlander
2/15/2026 at 8:37:04 PM
> who keeps trying to log into your computer?
I'm curious, how do you think this helps you answer the question? Proxies are incredibly easy to come by these days, rotation makes it hard to identify what's behind it all.
by mmarian
2/15/2026 at 8:57:17 PM
That’s a valid point. We can easily see where the attack is coming from but not who or which botnet. Some of these can be inferred by the pattern of usernames and passwords attempted, and the ISPs. Someone suggested that I collect the client SSH signature as well, which would help. But you’re right, we don’t know who is behind the attacks.
by djkurlander
2/15/2026 at 9:13:23 PM
I'm guessing the SSH signatures can rotate as well. I remember someone did an analysis of rotation patterns for HTTPS requests; that's when they saw some interesting clusters.
by mmarian
2/15/2026 at 9:39:19 PM
I saw an ISP called Microsoft, USA… is that an official Microsoft computer doing that or something else?
by prox
2/15/2026 at 9:45:04 PM
Yes, Microsoft shows up a lot. Some of these bots are running on Azure.
My favorite ISP to spot occasionally is SpaceX / Starlink. That can’t be the most economical ISP for bot traffic, but machines can be infected, even on Starlink.
by djkurlander
2/16/2026 at 4:38:53 AM
Starlink bot here, but you won't see me because I'm behind a VPN
by TurdF3rguson
2/15/2026 at 9:39:53 PM
Awesome, I loved it, thanks for sharing it.
And I remember more than a decade ago I went down the rabbit hole hunting these bots and indeed, I found Netherlands was always the king of the hill when it comes to bots, followed by US, Netherlands still there I see.
by tamimio
2/15/2026 at 9:51:54 PM
Some things never change.
One of my favorite visualizations for this is to switch to the globe view and choose the “HEAT” style for a 3D heatmap superimposed on the globe. Green means few hits, and red signifies lots of hits. The Netherlands is so small that it’s tough to see though!
by djkurlander
2/16/2026 at 11:16:00 AM
Wow that's fucking beautiful, man. That's beautiful. Wow, I love that!
What $6.75/year VPS do you have?
by keepamovin
2/16/2026 at 12:55:48 PM
Was gonna ask the same question. nearlyfreespeech perhaps? They're quite cheap. Haven't seen any other providers at a similar price point.
by resonious
2/16/2026 at 12:57:22 PM
They answer it down in the thread I found. https://cheapvpsbox.com/
by keepamovin
2/15/2026 at 7:43:39 PM
Well done, OP.
by czbond