I kept seeing the same brute-force attempts on every VPS I run, virtually on every service that opened a port. fail2ban or similar tools definitely help but they only act after hackers/bots hit real services. I wanted to catch them a lot earlier.
So I built tarpit.pro: it opens fake ports (SSH, MySQL, Redis, Telnet, etc and you can configure any port you want) sending realistic banners (you can specify what your instance sends). Nobody with good intentions connects uninvited to a fake MySQL on port 3306 and that means anyone who does gets banned via firewall (linux/macOS/windows) immediately. It also acts as a centralized graphical firewall management (webUI) for all the servers you manage. You can blacklist, whitelist IPs and ports. But more importantly, you can create fleets of servers (groups that share security) and any action (automated or manual bans, whitelists, etc) on one of your servers propagates to all the servers on the fleet.
I have been running agents on 5 of my own servers for about 9 days now. Here are some real and true statistics:
- attacks caught: ~18k , unique IPs: ~8k, ~7.5k banned (ban last for 24h - AI decides if the hacker deserves a permanent ban)
- SSH gets hammered the most by far (so fail2ban saves the day), then Telnet (yes, telnet in 2026 - who is using telnet? I guess some still do)
- Top source countries: Russia, US, China, Netherlands (I guess too many hacked VMs), UK (???)
- My asian VMs gets most hits (11k), then US (10k) then european VMs (600!!!)
- Most tried passwords: 123456, admin, password, foobared (the Redis default) - it's so funny seeing hackers trying different passwords
- First attack showed up about 90 seconds after going live
Few things about the technology:
- it's a single Go binary, installs as a systemd service
- all user information (emails, names, IP addresses, servers) are encrypted and stored on a HashiCorp Vault. So even if the database is compromised the attacker gets UUIDs and ciphertext
- all connections between any service component is secured with mTLS
- brute force protection: 3 failures in 15 min means 1 hour lockout
- binary signature verification for the protection agent, modified binaries get rejected
Free tier is FREE forever and gets you 2 servers and a basic but useful cloud dashboard. There's a launch offer (code LAUNCH100) if you want to try Pro on up to 4 servers for a month, so you can try all the pro features and see if it makes sense.
To get started: register at tarpit.pro and pick a tier. Then add server licenses at the pricing tier you want (you can register for the free tier but upgrade to pro) paste the
install command, watch the dashboard light up. You can upgrade and downgrade any time you want.
Happy to answer questions about the architecture or the attack data and I'm open to suggestions (either here or via the platform's ticketing system)
chka•1h ago
So I built tarpit.pro: it opens fake ports (SSH, MySQL, Redis, Telnet, etc and you can configure any port you want) sending realistic banners (you can specify what your instance sends). Nobody with good intentions connects uninvited to a fake MySQL on port 3306 and that means anyone who does gets banned via firewall (linux/macOS/windows) immediately. It also acts as a centralized graphical firewall management (webUI) for all the servers you manage. You can blacklist, whitelist IPs and ports. But more importantly, you can create fleets of servers (groups that share security) and any action (automated or manual bans, whitelists, etc) on one of your servers propagates to all the servers on the fleet.
I have been running agents on 5 of my own servers for about 9 days now. Here are some real and true statistics:
- attacks caught: ~18k , unique IPs: ~8k, ~7.5k banned (ban last for 24h - AI decides if the hacker deserves a permanent ban)
- SSH gets hammered the most by far (so fail2ban saves the day), then Telnet (yes, telnet in 2026 - who is using telnet? I guess some still do)
- Top source countries: Russia, US, China, Netherlands (I guess too many hacked VMs), UK (???)
- My asian VMs gets most hits (11k), then US (10k) then european VMs (600!!!)
- Most tried passwords: 123456, admin, password, foobared (the Redis default) - it's so funny seeing hackers trying different passwords
- First attack showed up about 90 seconds after going live
Few things about the technology: - it's a single Go binary, installs as a systemd service
- all user information (emails, names, IP addresses, servers) are encrypted and stored on a HashiCorp Vault. So even if the database is compromised the attacker gets UUIDs and ciphertext
- all connections between any service component is secured with mTLS
- brute force protection: 3 failures in 15 min means 1 hour lockout
- binary signature verification for the protection agent, modified binaries get rejected
Free tier is FREE forever and gets you 2 servers and a basic but useful cloud dashboard. There's a launch offer (code LAUNCH100) if you want to try Pro on up to 4 servers for a month, so you can try all the pro features and see if it makes sense.
To get started: register at tarpit.pro and pick a tier. Then add server licenses at the pricing tier you want (you can register for the free tier but upgrade to pro) paste the install command, watch the dashboard light up. You can upgrade and downgrade any time you want.
Happy to answer questions about the architecture or the attack data and I'm open to suggestions (either here or via the platform's ticketing system)