This is fascinating! Did the attempts start as soon as you started up the server, or did it take a little while to get going?

OP here.

site: https://knock-knock.net

Every server with port 22 open gets hammered by bots trying to brute-force SSH. I built a honeypot that accepts every connection, records the credentials they try, and displays it all on a live dashboard with a 3D globe.

Some fun things you'll notice:

- Bots try the same passwords everywhere — "admin", "123456", "password" are the classics. Yes, you'll see the Spaceballs password in the top 10.

- Certain countries and ISPs dominate the leaderboards

- Attacks come in waves — sometimes nothing for a minute, then a burst of 50 from one IP cycling through a wordlist

- There's a knock-knock joke panel because I couldn't resist

Originally inspired by my kids asking "who keeps trying to log into your computer?" when they saw me tailing SSH logs.

The stack is Python (FastAPI + paramiko for the honeypot), Redis pub/sub for real-time updates, SQLite for stats, and globe.gl for the visualization. WebSocket pushes every knock to your browser as it happens.

The whole thing runs on a $6.75/year VPS. The domain costs more than the server.

Source: https://github.com/djkurlander/knock-knock

This is very interesting to me, would most of these bots be running on servers that have already been compromised? If that's the case, is the Netherlands/Digital Ocean the most common combo as it's what most normal people use, or is there some other reason bots favour it?

Very fun site. Cool idea indeed. I think it's a neat piece of art. I wish I could scroll sideways, though. The page got cut off for me.