site: https://knock-knock.net

Every server with port 22 open gets hammered by bots trying to brute-force SSH. I built a honeypot that accepts every connection, records the credentials they try, and displays it all on a live dashboard with a 3D globe.

Some fun things you'll notice:

- Bots try the same passwords everywhere — "admin", "123456", "password" are the classics. Yes, you'll see the Spaceballs password in the top 10.

- Certain countries and ISPs dominate the leaderboards

- Attacks come in waves — sometimes nothing for a minute, then a burst of 50 from one IP cycling through a wordlist

- There's a knock-knock joke panel because I couldn't resist

Originally inspired by my kids asking "who keeps trying to log into your computer?" when they saw me tailing SSH logs.

The stack is Python (FastAPI + paramiko for the honeypot), Redis pub/sub for real-time updates, SQLite for stats, and globe.gl for the visualization. WebSocket pushes every knock to your browser as it happens.

The whole thing runs on a $6.75/year VPS. The domain costs more than the server.

Source: https://github.com/djkurlander/knock-knock

Interesting that you're seeing regional differences across your LA/London/Tokyo/Amsterdam instances. I'd bet the Tokyo server gets a noticeably different distribution of source IPs and credential patterns. Would be cool to see a comparison dashboard across all four.

Have you considered logging the client banners too? The SSH client version string bots send is often a fingerprint of the botnet toolkit they're using, which could add another layer to the visualization.