mikroskeem/tosh

Stars
413
Rank 101,391 (Top 3 %)
Language
Rust
License
MIT License
Created almost 3 years ago
Updated almost 3 years ago

mikroskeem/tosh

mikroskeem

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Imagine your SSH server only listens on an IPv6 address, and where the last 6 digits are changing every 30 seconds as a TOTP code...

tosh

Imagine your SSH server only listens on an IPv6 address, and where the last 6 digits are changing every 30 seconds as a TOTP code...

Inspired from this tweet (Wayback machine)

Looking for a way simpler, bash implementation? Check out old branch.

Notes

This was made because... I could make it, not if I should make it. Yes, you read it right - it's a toy. Only use it if you know what you are doing. I am not up to handholding, preventing any footguns nor basic support requests.

Its purpose is just to add a layer of obscurity, it's probably only effective against bots (allthough most of them disappear after moving on to IPv6) and script kiddies. If you're being targeted by e.g government agencies or people who definitely know what they do, then this probably won't help you.

Using this on top of unconfigured (in other words, running stock configuration) SSH server is always a bad idea, so please configure your SSH server to e.g do only public key authentication, disable login for unnecessary users (e.g allow only members of group canssh to login) etc.

To make things more fun, you may want to adjust your firewall rules to forward to SSH tarpit by default.

Besides that, you NEED to ensure that your server and client times are in sync. You might want to look into chrony.

A few great alternatives to this:

WireGuard - easy to set up VPN software.
knockd - good old port knocking solution.
sshguard - bans brute forcers.
fail2ban - also bans brute forcers.

Usage

Assign yourself an IPv6 subnet, replace last 6 hex characters with x.

fd15:4ba5:5a2b:1008:20c:29ff:fe1a:9587 -> fd15:4ba5:5a2b:1008:20c:29ff:fexx:xxxx

Create a base32 TOTP secret, using e.g gen-oath-safe mikroskeem totp

$ export TOSH_IP_TEMPLATE=fd15:4ba5:5a2b:1008:20c:29ff:fexx:xxxx
$ export TOSH_TOTP_SECRET=3OBVZP4AI74OIJO5YGV3UEXKXS6ISJ6H
$ tosh generate
fd15:4ba5:5a2b:1008:20c:29ff:fe59:3001

Example setups

systemd timer & iptables setup - see examples/iptables/

Roadmap

Describe example setup with iptables & systemd
ssh wrapper (ProxyCommand feature?)

FAQ

Why Rust?

I am looking forward to building a cross-platform program easily, which works even on Windows.

Where's client?

Not done yet. Reference implementation will work inside ssh ProxyCommand option.

radicalaces

Radical Aces Classic ported to desktop

depot

Lightweight Maven repository software

libexecinfo

libexecinfo for musl libc

PicoMaven

Lightweight Maven client to download libraries

Shuriken

Shuriken, the Java utilities collection

zorg

Back up ZFS snapshots to Borg

BenjiAuth

An authentication plugin for BungeeCord

musl_root

Yet another Musl-based lightweight container or distribution bootstrapper

nixos-snaphook

Take system snapshot before rebuilding & switching NixOS installation to a new configuration

nginx-config

nginx configs commonly used by machines I set up

freighter

Freighter is a basic shell script for setting up and deploying Alpine Linux with ZFS and Docker

MiniWynn

Mini WynnCraft tryhard weapon system clone made for fun

apple-set-os

Small UEFI program to spoof OS on Macs

BukkitClj

Bukkit Clojure scripting platform

Jutuskeem

Extremely simple chat plugin

votifier2-java

Votifier protocol v2 library for Java

dot

Casino

Casino plugin for Spigot. Some features stripped out from original.

BukkitGroovy

Execute Groovyscript from command

OfflineInvsee

A NBT experiment

SleekHomes

Simple homes plugin

near-cli-flake

NEAR CLI Nix Flake

geosvc

MaxMind GeoLite2 Country database microservice

home

My Nix configuration for home and systems

nightsnack

Eat snacks at night and don't waste your time on downloading music from YouTube

gohipku

Encode any IP address as a haiku - Go port of gabemart/hipku

kd-autologin

http://koding.com/ login bot, keeps up VM

nix-parallels

NixOS overlay for Parallels Desktop tools

antiabuse

asynclighting

[WIP] Port of Sponge's Async Lighting V2 patch for Paper (on top of Orion)

mctrack

vault-autounseal

Simple HashiCorp Vault unsealing solution

overhook

hackermatternews

https://news.ycombinator.com webhook bot for Mattermost written in Go

minecraft-containers

Docker images for Minecraft for use in Pterodactyl panel

misc

Misc utilities and stuff

dualwan

dual wan bootstrap script

dot2

clr-bundles

BungeeClasspathInjector

A plugin what injects libraries into BungeeCord's classpath

Neekerbot

A telegram bot used in one groupchat

concourse-nix

Nix derivation to build & run Concourse (worker)

pks-openpgp-card

https://gitlab.com/sequoia-pgp/pks-openpgp-card.git

elrond-keygen

Elrond keypair generator

circle

Circle compiler on Nix

shush

Filter out chat messages from plugins in some worlds

quackit

Quake/Valve .cfg file parser