Unusual Question about SSL for Dynamic IP Using an Established Name Server

This is basically a policy question, not a "will it work" or "how to do it" question.

I have a bunch of established Web servers. I also have a bunch of hacker traps and honeypots that feed data about hackers, crackers, spammers, and other Internet miscreants to blocklists that I make available to the public, for free. Finally, I have a Linux development server on a .lan domain in my office.

I woke up this morning with the idea of recruiting my dev server into the stable of servers feeding information to the blocklists. Yes, I have boring dreams.

What I would do is create office.domain.tld on an existing domain, with a CNAME entry to a DDNS account to point it to my dynamic IP in the office. My office router would forward requests on all the vulnerable ports to the dev server, which in turn would feed the IPs of the unauthorized requests, failed logins, and spam to the blocklist database.

The actual certificate would be on my office dev server, and would be necessary to negotiate SSL for incoming SSH and mail requests. I would prefer a legit cert to a self-signed one to hide the fact that the hostname exists solely as a hacker and spammer trap.

Would this violate any policies?

Thanks,

Richard

1 Like

I don't think LE will care, but not sure where a certificate will stick in your plan.

SSH: they don't use certificates but pin the host key on first connection, as far as I know.
SMTP: not sure your office ISP allows port 25? It tends to be blocked because it's a spam magnet.

3 Likes

No apparent violation given your summary. See the current Subscriber Agreement for the policy terms. The section related to this question is not that long. Is there something specific you question?

3 Likes

Thank you.

I forgot that SSH uses its own transport protocol. I guess you're never too old to learn (or re-learn). Some of the honeypots are Web-based, however, so I'd need it for that.

My ISP blocks nothing on my account. It's a tiny little local company in a rural area where they know me and what I do, and they have no issues with any of it. But even if they did, I would just run the mail-related traps on the public server.

Thanks again,

Richard

2 Likes

Thank you.

I did read the agreement and nothing jumped out at me. But some would consider it shady to obtain a cert specifically to fool users into thinking a resource is legit when it's actually a trap. And in a way, it is. But when you're targeting shady actors, you have to act a bit shady yourself.

Thanks again,

Richard

2 Likes

Ah. Well, these are DV certs, so the only thing they certify is that you reached the domain name you requested. And, that the comms are encrypted. I think you are fine.

Perhaps you'll feel better after reading the LE policy about phishing / malware sites. You aren't in this category, but it speaks to the general issue of your concern.

5 Likes

Thanks, that's helpful.

Some people have ethical problems with some of my tactics, especially the web-based traps. They consider them deceptive.

For example, one of the things I do is install scripts to trap people and bots who try to access protected CMS login pages or exploit recently-identified vulnerabilities on both real sites and dedicated honeypot sites where those pages and vulnerabilities don't exist. The "visitor" is sent to a 404 page (which I think is perfectly fine since the page actually does not exist); but their IP is harvested and reported, along with the protected resource they tried to access.

I've considered the ethics and have decided that humans with good intentions don't attempt to access protected resources on random sites that they don't own. Those who do almost certainly are bots or miscreants looking for vulnerabilities so they can compromise a server. I have no ethical problem being deceptive in order to trap them.

Some people, however, find that unacceptable.

Thanks again,

Richard

3 Likes
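The trap described in the post above (requests for protected CMS pages or vulnerable paths that don't exist get a plain 404 while the source IP and requested resource are reported), written out as a small WSGI middleware. This is an added example, not the poster's scripts: the trap paths, categories, proxy address and probe IPs are constructed, and the report sink is just a callable you would point at your own database.

```python
"""Honeypot trap middleware: answer probes for protected resources that do
not exist with an ordinary 404 and report the source IP and requested path.
Added example, not the forum poster's code; paths and addresses are constructed."""
import time
from urllib.parse import unquote

# Constructed table of paths this site never serves but that scanners probe for.
# A real deployment omits any path the site actually has.
TRAP_PATHS = {
    "/wp-login.php": "cms-login",
    "/xmlrpc.php": "cms-login",
    "/administrator/index.php": "cms-login",
    "/.env": "config-leak",
    "/.git/config": "config-leak",
}
TRAP_PREFIXES = {"/wp-admin/": "cms-login", "/phpmyadmin/": "admin-panel"}


def classify(path):
    """Return a trap category for a probed path, or None for ordinary traffic."""
    # Decode %-escapes and fold case so /WP-Login.php or /%2eenv still match.
    p = unquote(path).lower()
    if p in TRAP_PATHS:
        return TRAP_PATHS[p]
    for prefix, cat in TRAP_PREFIXES.items():
        if p.startswith(prefix):
            return cat
    return None


def client_ip(environ, trusted_proxies=frozenset()):
    """Use the TCP peer address; honour X-Forwarded-For only from a known proxy,
    otherwise a scanner could get an innocent address listed by spoofing the header."""
    peer = environ.get("REMOTE_ADDR", "")
    xff = environ.get("HTTP_X_FORWARDED_FOR")
    if xff and peer in trusted_proxies:
        return xff.split(",")[0].strip()
    return peer


class TrapMiddleware:
    def __init__(self, app, sink, trusted_proxies=frozenset()):
        self.app = app                      # the real site
        self.sink = sink                    # receives one report dict per hit
        self.trusted_proxies = trusted_proxies

    def __call__(self, environ, start_response):
        path = environ.get("PATH_INFO", "/")
        cat = classify(path)
        if cat is None:
            return self.app(environ, start_response)
        self.sink({
            "ts": int(time.time()),
            "ip": client_ip(environ, self.trusted_proxies),
            "method": environ.get("REQUEST_METHOD", "GET"),
            "path": path,
            "category": cat,
        })
        # Indistinguishable from a genuinely missing page.
        body = b"Not Found"
        start_response("404 Not Found", [("Content-Type", "text/plain"),
                                         ("Content-Length", str(len(body)))])
        return [body]


def real_app(environ, start_response):
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"hello"]


def run_demo():
    """Drive the middleware with constructed requests; returns (statuses, reports)."""
    reports = []
    app = TrapMiddleware(real_app, reports.append, trusted_proxies={"10.0.0.2"})
    statuses = []

    def start_response(status, headers):
        statuses.append(status)

    probes = [
        {"PATH_INFO": "/index.html", "REMOTE_ADDR": "198.51.100.5"},
        {"PATH_INFO": "/wp-login.php", "REMOTE_ADDR": "203.0.113.7"},
        # Behind the trusted proxy: first X-Forwarded-For hop is the client.
        {"PATH_INFO": "/wp-admin/install.php", "REMOTE_ADDR": "10.0.0.2",
         "HTTP_X_FORWARDED_FOR": "203.0.113.8, 10.0.0.2"},
        # Direct peer sending a forged header: the peer itself gets reported.
        {"PATH_INFO": "/.env", "REMOTE_ADDR": "203.0.113.9",
         "HTTP_X_FORWARDED_FOR": "192.0.2.1"},
    ]
    for env in probes:
        list(app(env, start_response))
    return statuses, reports


if __name__ == "__main__":
    for status, rep in zip(*run_demo()):
        print(status, rep)
```

The X-Forwarded-For handling is the part most worth copying: a public blocklist fed by a trap that trusts client-supplied headers can be made to list arbitrary addresses.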

I understand what you are doing and it doesn't bother me personally. It should be clear now that ISRG / Let's Encrypt is not the global activity enforcer on the internet (nor is any CA) 🙂

Now, whether your use of IP addresses and related is governed by privacy laws or similar is a different question for a different forum (see GDPR or CCPA). Although, some volunteers here may enjoy engaging in that discussion.

4 Likes

SSH can use certificates (to identify hosts as well as users), but it usually doesn't. See:

I have this set up on my network--along with self-hosted SSO--though it's gross overkill for me. But it is kind of fun to play with.

7 Likes

Thanks again for all the replies. I created office.domain.tld and installed it on my dev server, added the entries in DNS for the parent domain, got the cert, DMZ'd the dev server, and have the traps in place and reporting.

I have to admit: I do get the giggles out of this sort of thing.

Richard

3 Likes

And I thought I was alone in this world!
I collect "BAD IPs" - LOL
The really BAD list is now over 4.5M [restarted the collection in 2016].
The most IPs I've ever had in any one single list was... 670M, but that was more of the "I don't want to get any emails from you" type list.
Anywho, I'm glad to hear of someone else that is traveling along this same path 🙂
Keep doing what you're doing.
LE only cares that your FQDN is valid and that you obtained the cert legitimately and that you're not on any gov block list or such.

4 Likes

Thank you. It's always good to come across a kindred spirit. I've been messing around on the Internet since before most people knew it existed (mid 1970's), and I'm appalled at the amount of malicious activity nowadays.

My lists are self-rehabilitating, so my collection rarely exceeds 20,000 or so at any given time. If an IP address behaves itself for a time period (generally 48 to 96 hours, depending on the list), it gets removed.

Basically, I stress recency and ephemerality. I don't want to blocklist an IP forever because some innocent admin's server got hacked. Once the malicious activity ceases, the IP gets rehabilitated.

Richard

2 Likes
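The self-rehabilitating list described in the post above (an address stays listed only while its last sighting is inside a per-list window of roughly 48 to 96 hours, and a fresh sighting restarts its clock), written out as a small in-memory store with a plain-text export. This is an added example, not the poster's implementation; the list names, window lengths, timestamps and addresses are constructed.

```python
"""Self-rehabilitating blocklist: an IP stays listed only while its most recent
malicious sighting is within the list's rehabilitation window.
Added example, not the forum poster's code; lists, windows and sightings are constructed."""
from dataclasses import dataclass, field

HOUR = 3600

# Constructed per-list windows in the 48-96 hour range the post describes.
WINDOWS = {"web-probes": 48 * HOUR, "ssh-bruteforce": 72 * HOUR, "spam": 96 * HOUR}


@dataclass
class Blocklists:
    windows: dict
    # list name -> {ip: (last_seen_ts, hit_count)}
    entries: dict = field(default_factory=dict)

    def report(self, list_name, ip, ts):
        """Record a sighting; a repeat sighting restarts that IP's clock."""
        if list_name not in self.windows:
            raise KeyError(f"unknown list {list_name!r}")
        lst = self.entries.setdefault(list_name, {})
        _, hits = lst.get(ip, (None, 0))
        lst[ip] = (ts, hits + 1)

    def rehabilitate(self, now):
        """Drop every IP whose last sighting is older than its list's window.
        Returns the (list, ip) pairs that were removed, e.g. for an audit log."""
        dropped = []
        for list_name, lst in self.entries.items():
            window = self.windows[list_name]
            stale = [ip for ip, (last, _) in lst.items() if now - last > window]
            for ip in stale:
                del lst[ip]
                dropped.append((list_name, ip))
        return dropped

    def active(self, list_name, now):
        """Sorted IPs currently blocked on one list, computed without mutating state
        so a feed can be served between rehabilitation sweeps."""
        window = self.windows[list_name]
        return sorted(ip for ip, (last, _) in self.entries.get(list_name, {}).items()
                      if now - last <= window)

    def render(self, list_name, now):
        """Plain-text feed, one IP per line, as a public blocklist would publish it."""
        return "".join(ip + "\n" for ip in self.active(list_name, now))


def run_demo():
    """Constructed timeline; returns (dropped, active web-probes, active spam)."""
    bl = Blocklists(WINDOWS)
    t0 = 1_700_000_000
    bl.report("web-probes", "203.0.113.7", t0)
    bl.report("spam", "203.0.113.8", t0)
    bl.report("web-probes", "203.0.113.9", t0)
    bl.report("web-probes", "203.0.113.9", t0 + 40 * HOUR)  # still misbehaving: clock restarts
    now = t0 + 60 * HOUR
    dropped = bl.rehabilitate(now)   # .7 is 60h quiet on a 48h list; .9 is only 20h quiet
    return dropped, bl.active("web-probes", now), bl.active("spam", now)


if __name__ == "__main__":
    print(run_demo())
```

Keying the window on the last sighting rather than the first is what makes the list "rehabilitating": a server that was compromised and then cleaned falls off within the window, while one that keeps probing never does.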
