edl.mrlogg.no/
A simple honeypot runs on a public IP that is not listed in DNS and not associated with any domain/FQDN.
Traffic to ports 22 (SSH) and 3389 (RDP) is logged, deduplicated, and published as external dynamic lists once per day.
If you think like me—that sources probing SSH/RDP on such an unadvertised IP are “bad” by default—you may want to block them for all inbound traffic.
I see no reason they should reach vpn.company.com, portal.company.com, mail.company.com, api.company.com, or *.company.com.
Links
-
edl.mrlogg.no/port22.txt
edl.mrlogg.no/port1433.txt
edl.mrlogg.no/port3389.txt
Format
-
One IPv4 per line, no CIDR, no comments
Lists are overwritten on each daily run
Disclaimer
-
Use at your own risk. False positives are possible (e.g., research scanners)
Treat this as a signal, not a verdict
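A consumer-side check for the format and disclaimer above, as an added example that is not code from this site: it accepts only bare IPv4 lines, skips addresses you never want to block, and keeps yesterday's list when a download looks wrong. The names parse_list, next_blocklist, NEVER_BLOCK, MAX_ENTRIES and the sample addresses are assumptions made for the example.

```python
import ipaddress

# Assumptions of this example: never block private/loopback space or our own ranges.
NEVER_BLOCK = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8"]
MAX_ENTRIES = 50_000  # assumed cap; size it to your firewall's list limit


def parse_list(text, own_networks=()):
    """Return (blockable, skipped, malformed) for one downloaded list."""
    protected = [ipaddress.IPv4Network(n) for n in (*NEVER_BLOCK, *own_networks)]
    blockable, skipped, malformed, seen = [], [], [], set()
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        try:
            ip = ipaddress.IPv4Address(line)  # rejects CIDR, comments, hostnames
        except ipaddress.AddressValueError:
            malformed.append((lineno, line))
            continue
        if any(ip in net for net in protected):
            skipped.append(str(ip))  # possible false positive: our own or internal space
        elif ip not in seen:
            seen.add(ip)
            blockable.append(str(ip))
    return blockable, skipped, malformed


def next_blocklist(downloaded, previous, own_networks=()):
    """Pick the list to load; keep `previous` when the download looks wrong."""
    blockable, _skipped, malformed = parse_list(downloaded, own_networks)
    if malformed or not blockable or len(blockable) > MAX_ENTRIES:
        return previous  # e.g. an HTML error page or a truncated file
    return blockable


# Constructed sample data (documentation address ranges, not real list entries).
SAMPLE_OK = "203.0.113.10\n203.0.113.11\n198.51.100.7\n203.0.113.10\n192.168.1.5\n"
SAMPLE_BAD = "<html>502 Bad Gateway</html>\n"
OWN = ["198.51.100.0/24"]  # hypothetical office egress range

if __name__ == "__main__":
    print(parse_list(SAMPLE_OK, OWN))
    print(next_blocklist(SAMPLE_BAD, ["203.0.113.10"], OWN))
```

Because the lists are overwritten on each run, falling back to the previous copy is a choice made in this example; log the malformed lines so a persistent format change gets noticed.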
Goal
-
Reduce brute-force attempts and malicious port scanning
Reduce alert noise and log volume
Updates
-
More lists may be added; check edl.mrlogg.no for new .txt files
Feedback and requests are welcome. Contact me on LinkedIn