27 comments

[ 2.5 ms ] story [ 53.8 ms ] thread
OP here.

site: https://knock-knock.net

Every server with port 22 open gets hammered by bots trying to brute-force SSH. I built a honeypot that accepts every connection, records the credentials they try, and displays it all on a live dashboard with a 3D globe.

Some fun things you'll notice:

- Bots try the same passwords everywhere — "admin", "123456", "password" are the classics. Yes, you'll see the Spaceballs password in the top 10.

- Certain countries and ISPs dominate the leaderboards

- Attacks come in waves — sometimes nothing for a minute, then a burst of 50 from one IP cycling through a wordlist

- There's a knock-knock joke panel because I couldn't resist

Originally inspired by my kids asking "who keeps trying to log into your computer?" when they saw me tailing SSH logs.

The stack is Python (FastAPI + paramiko for the honeypot), Redis pub/sub for real-time updates, SQLite for stats, and globe.gl for the visualization. WebSocket pushes every knock to your browser as it happens.

The whole thing runs on a $6.75/year VPS. The domain costs more than the server.

Source: https://github.com/djkurlander/knock-knock

Do you have any insight on SSH servers that only allow login with public key authentication? Do bots leave immediately when they see that they can't use passwords?
Wow that's fucking beautiful, man. That's beautiful. Wow, I love that!

What $6.75/year VPS do you have?

Beautiful. Have you considered adding a "replay certain timeline" feature so that users get the feel of the throughput and emergence much like Gource [1] did for git?

[1] https://gource.io/

In the 2000s I had a service with a couple of million registered users and plaintext passwords. One day a couple of us ran a SQL script to group and order all the passwords. The top ones are what you would expect, 12345678, Password, etc. One of the top three was "trustno1", though. The X-Files was probably still running on TV at the time.
(comment deleted)
This is very interesting to me, would most of these bots be running on servers that have already been compromised? If that's the case, is the Netherlands/Digital Ocean the most common combo as it's what most normal people use, or is there some other reason bots favour it?
Very fun site. Cool idea indeed. I think it's a neat piece of art. I wish I could scroll sideways, though. The page got cut off for me.
This is fascinating! Did the attempts start as soon as you started up the server, or did it take a little while to get going?
This is great. I run a server for my blog and can confirm idiotic bots continually hammer port 22. Sometimes I check my SSH logs just to see what is going on but I’ve never detected anything cleverer than trying common username/pw combinations.

It seems a little pointless, surely every server actually accepting SSH passwords has been 0wned year ago.

This is great.

Do you publish a list of the 'knocking' IP addresses anywhere? (abuseipdb.com was mentioned, maybe I need to just pay for their service for their 100k blocklist)

(I've mentioned this before on related HN threads) I've got a setup whereby any incoming connections to ports behind which I don't have a service running get logged, and periodically the log is filtered and the IP addresses extracted and added to a block list.

My theory is that, if there's traffic coming into a port behind which there's no service (and therefore there's absolutely no good reason for this traffic to exist), then it must be malicious. If it's malicious, then I have no reason to trust any data coming from that IP address.

This is based on OPNSense firewall rules and logs and is documented haphazardly here: https://github.com/UninvitedActivity/UninvitedActivity

Most IP addresses age out of the logs after 12 months. I also have lists of common internet scanners that I've got from my own curation of the logs plus other similar projects of others. I'm just protecting my little homelab, so I don't care whether I'm blocking an infected computers, computers running proxies, or blocking large swathes of the internet via ASN blocks. What I have setup is a pickaxe, where a lot of people really need a scalpel. Don't apply blindly!

(But I do think that if there was more aggressive blocking of the malicious traffic on the internet, then there would be more motivation for providers to at least attempt to minimise facilitating it - I admit that there is a fine line, and opinions on what is and is not malicious are subjective)

Seems like DO sure has a bot problem. I wonder what percentage of their business is less-scrupulous actors.
You're assuming the owner rented the VPS to run the but but it's more likely intended for something else and is infected with malware / some intern being cute. After all there are cheaper plans than DO.
>user: claude password: claude2026!

>user: claude password: claude123

I wonder if these have come from leaks or if someone has a script that generates the top ~xx most likely passwords based off the username.

Very interesting that DigitalOcean is by far the largest source.

Other (more responsible) VPS providers, e.g. Linode, actively block machines from which they detect a lot of abuse traffic. Wonder why DO doesn't do the same.

Hetzner would have blocked some of those pretty quickly. Especially the top 2-3 IPs that seem to have thousands of attempts.
This is great, now I can greatly refine my dictionary for trying to brute force knock-knock.net.
I wanted to ssh hello-hacker-news@knock-knock.net, but sadly it doesn't work because the site is hosted behind Cloudflare. You'd have to work out the true server IP address which is not easy to do.
Now I want to see one where you let any login work but dump them at a fake shell that logs the commands sent. I’m curious what they do. Could even crowd source a mapping of command string matches to example output.
Great visualization!

I currently accept and then close/drop the connection "unclean" (no FIN or RST packet). I do this in hopes that the offender will waste some resources (time) thinking it is still connected while I spend minimal resources.

My reasoning is that if enough servers implement such measures it will become very costly for the offenders to scan.

Perhaps I can also add some logging to build a IP blacklist as described below.

If you are using fail2ban, is the amount of hits been reduced? Or you can see them anyway in the logs?
Personally, I just move SSH to a random high port on each of my public servers. Works like magic, no more log noise.
Cool site, I think the fact that bots WILL try to get access to your server as soon as it's publicly available should be mentioned more in basic tutorials etc... I remember panicing when I had set up my first webserver as a teenager and was checking the nginx logs out of curiosity, I thought this was a real threat to the security of the server and almost shut it down lol.
This is cool but doesn't Grafana + Prometheus have a lot of this included already?
It has been 24 hours since this post went up, so here are some fun stats.

During this time, there were 13,024 knocks on the server from 368 unique IPs. That's ~35 knocks per bot.

During this time, thanks to Hacker News, there were 23,556 visits to knock-knock.net by 15,946 humans. That's ~1.5 visits per human.

So in the last 24 hours, we actually had nearly twice the number of human visits than bot visits, and 368 bots put on a show for 16,000 humans!