Hacker News

Show HN: Knock-Knock.net – Visualizing the bots knocking on my server's door

62 points by djkurlander ago | 21 comments

djkurlander |next [-]

OP here.

site: https://knock-knock.net

Every server with port 22 open gets hammered by bots trying to brute-force SSH. I built a honeypot that accepts every connection, records the credentials they try, and displays it all on a live dashboard with a 3D globe.

Some fun things you'll notice:

- Bots try the same passwords everywhere — "admin", "123456", "password" are the classics. Yes, you'll see the Spaceballs password in the top 10.

- Certain countries and ISPs dominate the leaderboards

- Attacks come in waves — sometimes nothing for a minute, then a burst of 50 from one IP cycling through a wordlist

- There's a knock-knock joke panel because I couldn't resist

Originally inspired by my kids asking "who keeps trying to log into your computer?" when they saw me tailing SSH logs.

The stack is Python (FastAPI + paramiko for the honeypot), Redis pub/sub for real-time updates, SQLite for stats, and globe.gl for the visualization. WebSocket pushes every knock to your browser as it happens.

The whole thing runs on a $6.75/year VPS. The domain costs more than the server.

Source: https://github.com/djkurlander/knock-knock

tkp-415 |root |parent |next [-]

This is neat. What VPS service do you use? I am trying to replace my tendency to spin up small EC2 instances just to deploy a simple web app.

djkurlander |root |parent [-]

My $6.75 per year VPS was a Black Friday sale from Dedirock on https://lowendtalk.com. Some of the Black Friday sales are still being honored. The site https://cheapvpsbox.com/ has a nice search engine for cheap VPS sales.

mmarian |root |parent |next |previous [-]

> who keeps trying to log into your computer?

I'm curious, how do you think this helps you answer the question? Proxies are incredibly easy to come by these days, rotation makes it hard to identify what's behind it all.

djkurlander |root |parent [-]

That’s a valid point. We can easily see where the attack is coming from but not who or which botnet. Some of these can be inferred by the pattern of usernames and passwords attempted, and the ISPs. Someone suggested that I collect the client SSH signature as well, which would help. But you’re right, we don’t know who is behind the attacks.

prox |root |parent |next [-]

I saw an ISP called Microsoft, USA… is that an official microsoft computer doing that or something else?

djkurlander |root |parent [-]

Yes, Microsoft shows up a lot. Some of these bots are running on Azure.

My favorite ISP to spot occasionally is SpaceX / Starlink. That can’t be the most economical ISP for bot traffic, but machines can be infected, even on Starlink.

mmarian |root |parent |previous [-]

I'm guessing the SSH signatures can rotate as well. I remember someone did an analysis of rotation patterns for HTTPS requests; that's when they saw some interesting clusters.

Bender |root |parent |next |previous [-]

Very nice! I am looking forward to many people running this. Perhaps people could add their URL in a ./contrib directory or something to that effect? I might set this up when I get back from the feed store.

djkurlander |root |parent [-]

Nice idea. The original VPS is in Los Angeles, but I installed the app more recently on VPS's in London, Tokyo, and Amsterdam. I've been noticing some interesting regional differences, but it may just be smaller sample of knocks for those sites so far. I'll set up that contrib directory so that we can share our dashboards. I would be interested in looking at others' dashboards to suss out patterns.

orojackson |root |parent |next [-]

Side question: which cheap VPS are you using in Los Angeles? Looking to get one in the Southern California area.

djkurlander |root |parent [-]

My $6.75 per year vps was a Dedirock Black Friday sale that I found https://lowendtalk.com. https://cheapvpsbox.com/ reports several nice Los Angeles sales still going on from various providers. My London, Tokyo, and Amsterdam VPSs are holiday sales from RareCloud and Racknerd - all less than $19/year.

djkurlander |root |parent |previous [-]

contrib directory added!

tamimio |root |parent |next |previous [-]

Awesome, I loved it thanks for sharing it.

And I remember more than a decade ago I went down the rabbit hole hunting these bots and indeed, I found Netherlands was always the king of hill when it comes to bots, followed by US, Netherlands still there I see.

djkurlander |root |parent [-]

Some things never change.

One of my favorite visualizations for this is to switch to the globe view and choose the “HEAT” style for a 3D heatmap superimposed on the globe. Green means few hits, and red signifies lots of hits. The Netherlands is so small that it’s tough to see though!

czbond |root |parent |previous [-]

Well done, OP.

arjie |next |previous [-]

Very fun site. Cool idea indeed. I think it's a neat piece of art. I wish I could scroll sideways, though. The page got cut off for me.

djkurlander |root |parent [-]

If you are on the desktop, you should be able to scroll sideways either by choosing a menu icon at the top, or by clicking on a panel (which will rotate the panels to the left). On the phone you can visit a panel by choosing the icon from the rotating carousel at the bottom, or by swiping the panels to the left or right.

jwkerr |next |previous [-]

This is very interesting to me, would most of these bots be running on servers that have already been compromised? If that's the case, is the Netherlands/Digital Ocean the most common combo as it's what most normal people use, or is there some other reason bots favour it?

djkurlander |root |parent [-]

Many/most of these are servers that have been compromised. DigitalOcean is certainly one of the biggest ISPs/providers; however, I’m betting that if you looked at ratio of knocks per ASN IPs registered, DigitalOcean would still be at the top. I’ll look into that.

Providers can shut down abusive IPs. I run a script every night to report attacks to abuseIPDB.com (included in the extras folder on the knock-knock GitHub repository). Some providers just don’t care.

6031769 |root |parent [-]

> Some providers just don’t care.

And they should be shunned by everyone. We should all be naming and shaming such providers and those of us with any conscience at all will avoid using them. This is the only way to stop the tsunami of bad actors.

|previous [-]