edl.mrlogg.no/
A simple honeypot runs on a public IP that is not listed in DNS and not associated with any domain/FQDN.
Traffic to ports 22 (SSH) and 3389 (RDP) is logged, deduplicated, and published as external dynamic lists once per day.
If you think like me—that sources probing SSH/RDP on such an unadvertised IP are “bad” by default—you may want to block them for all inbound traffic.
I see no reason they should reach vpn.company.com, portal.company.com, mail.company.com, api.company.com, or *.company.com.
Links
- edl.mrlogg.no/port22.txt
- edl.mrlogg.no/port1433.txt
- edl.mrlogg.no/port3389.txt
- More to come.
Format
- One IPv4 address per line, no CIDR, no comments
- Lists are overwritten on each daily run
Disclaimer
- Use at your own risk. False positives are possible (e.g., research scanners).
- Treat this as a signal, not a verdict.
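A consumer-side check for the Format and Disclaimer notes above, as an added example that is not code from this site: it enforces the one-bare-IPv4-per-line format, drops entries in ranges you never want to block, and keeps the previous list when a daily fetch looks broken. The function names, the bogon list, the `OWN_NETS` range and the sample bodies are assumptions constructed for illustration.

```python
import ipaddress

# Ranges that must never reach a block rule, whatever the feed contains.
BOGONS = ["0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
          "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/3"]
MALFORMED, PROTECTED = "not a bare IPv4 address", "protected range"

def parse_edl(text, allowlist=()):
    """Split a feed body into (accepted, rejected) per the documented format."""
    protected = [ipaddress.ip_network(n) for n in BOGONS + list(allowlist)]
    accepted, rejected, seen = [], [], set()
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        try:
            ip = ipaddress.IPv4Address(line)  # raises on CIDR, comments, hostnames
        except ValueError:
            rejected.append((lineno, line, MALFORMED))
            continue
        if any(ip in net for net in protected):
            rejected.append((lineno, line, PROTECTED))
        elif ip not in seen:  # the feed is deduplicated, but do not rely on it
            seen.add(ip)
            accepted.append(str(ip))
    return accepted, rejected

def next_blocklist(previous, text, allowlist=()):
    """Return the list to enforce; keep `previous` if the fetch looks broken."""
    accepted, rejected = parse_edl(text, allowlist)
    malformed = [r for r in rejected if r[2] == MALFORMED]
    # The lists are overwritten daily, so an empty body or an error page must
    # not silently replace yesterday's entries.
    if not accepted or malformed:
        return previous
    return accepted

# Constructed sample data; documentation ranges stand in for public addresses.
OWN_NETS = ["198.51.100.0/24"]  # hypothetical egress range of the consumer
GOOD = "203.0.113.7\n203.0.113.7\n203.0.113.99\n198.51.100.20\n10.1.2.3\n"
BROKEN = "<html>502 Bad Gateway</html>\n203.0.113.0/24\n"

if __name__ == "__main__":
    current = next_blocklist([], GOOD, OWN_NETS)
    print(current, parse_edl(GOOD, OWN_NETS)[1])
    print(next_blocklist(current, BROKEN, OWN_NETS))  # unchanged list
```

Rejected entries are returned with their line number and reason so they can be logged and reviewed instead of being dropped silently.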
Goal
- Reduce brute-force attempts and malicious port scanning
- Reduce alert noise and log volume
Updates
- More lists may be added; check edl.mrlogg.no for new .txt files
Port info
| Port | Service | Typical use | Why targeted |
|---|---|---|---|
| 22 | SSH | Remote login and file transfer | Common target for brute-force on credentials |
| 23 | Telnet | Remote console access (legacy) | Sends credentials in cleartext; easily abused |
| 25 | SMTP | Mail transfer between servers | Scanned for open relays and spam abuse |
| 1433 | Microsoft SQL | Database connections | Searched for exposed databases and weak creds |
| 3389 | RDP | Windows remote desktop | High-value target for brute-force and exploits |
| 5555 | IoT services | Device debugging and management | Often exposed on insecure IoT devices |
| 5900 | VNC | Remote desktop control | Brute-force and discovery of open controls |
| 8080 | HTTP / proxy | Web apps and admin interfaces | Scanned for misconfigurations and panels |
| 9100 | Printing | Network printer raw printing | Abused for spam-print, DoS, or printer exploits |
Feedback and requests are welcome. Contact me on LinkedIn