tosh

Imagine your SSH server only listens on an IPv6 address, and where the last 6 digits are changing every 30 seconds as a TOTP code...

Inspired by this tweet (Wayback Machine).

Looking for a much simpler bash implementation? Check out the old branch.

Notes

This was made because I could make it, not because I should make it. Yes, you read that right: it's a toy. Only use it if you know what you are doing. I am not up to handholding, preventing any footguns, or basic support requests.

Its purpose is just to add a layer of obscurity; it's probably only effective against bots (although most of them disappear anyway after moving to IPv6) and script kiddies. If you're being targeted by e.g. government agencies or people who definitely know what they are doing, then this probably won't help you.

Using this on top of an unconfigured (in other words, stock-configuration) SSH server is always a bad idea, so please configure your SSH server to e.g. only allow public key authentication, disable login for unnecessary users (e.g. allow only members of the group canssh to log in), etc.

To make things more fun, you may want to adjust your firewall rules to forward to an SSH tarpit by default.

Besides that, you NEED to ensure that your server and client clocks are in sync. You might want to look into chrony.

A few great alternatives to this:

Usage

Assign yourself an IPv6 subnet and replace the last 6 hex characters of an address in it with x:

fd15:4ba5:5a2b:1008:20c:29ff:fe1a:9587 -> fd15:4ba5:5a2b:1008:20c:29ff:fexx:xxxx

Create a base32 TOTP secret, using e.g. gen-oath-safe mikroskeem totp

$ export TOSH_IP_TEMPLATE=fd15:4ba5:5a2b:1008:20c:29ff:fexx:xxxx
$ export TOSH_TOTP_SECRET=3OBVZP4AI74OIJO5YGV3UEXKXS6ISJ6H
$ tosh generate
fd15:4ba5:5a2b:1008:20c:29ff:fe59:3001
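The address-generation step above, as an added Python example that is not part of tosh (which is written in Rust) nor its old bash branch: it decodes the base32 secret, computes a standard RFC 6238 TOTP (HMAC-SHA1, 30-second step, 6 digits), writes the digits into the x slots of TOSH_IP_TEMPLATE, and, because the server and client clocks must agree (see the note on chrony above), also lists the addresses a server would have to accept if it tolerated one time step of drift either way. The function names and the drift window are my own assumptions; the default template and secret are the ones from the usage example.

```python
import base64
import hashlib
import hmac
import os
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    # Take 4 bytes at the offset, clear the top bit, reduce to the wanted digits.
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def decode_base32_secret(secret_b32: str) -> bytes:
    """Decode a base32 secret such as the one gen-oath-safe prints (padding optional)."""
    s = secret_b32.strip().upper().replace(" ", "")
    s += "=" * (-len(s) % 8)
    return base64.b32decode(s)


def totp_from_base32(secret_b32: str, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP for a given Unix time (default 30-second step, 6 digits)."""
    return hotp(decode_base32_secret(secret_b32), unix_time // step, digits)


def fill_template(template: str, code: str) -> str:
    """Write the code's digits, left to right, into the 'x' slots of the IPv6 template.

    'x' is not a hex character, so it cannot collide with real address nibbles.
    The slot count must match the code length; otherwise the result would be a
    malformed address, so fail loudly instead.
    """
    template = template.lower()
    slots = template.count("x")
    if slots != len(code):
        raise ValueError(f"template has {slots} 'x' slots but code has {len(code)} digits")
    digits = iter(code)
    return "".join(next(digits) if ch == "x" else ch for ch in template)


def current_address(template: str, secret_b32: str, unix_time: int, step: int = 30) -> str:
    """The address the client should connect to at unix_time (what `tosh generate` prints)."""
    return fill_template(template, totp_from_base32(secret_b32, unix_time, step))


def accepted_addresses(template: str, secret_b32: str, unix_time: int,
                       window: int = 1, step: int = 30) -> list:
    """Addresses for the current step plus `window` steps either side (assumed drift
    tolerance, not a documented tosh setting). Listening on more addresses widens
    the guessable set, so keep the window as small as clock sync allows."""
    secret = decode_base32_secret(secret_b32)
    base = unix_time // step
    out = []
    for delta in range(-window, window + 1):
        addr = fill_template(template, hotp(secret, base + delta))
        if addr not in out:  # two steps can yield the same code; keep the list unique
            out.append(addr)
    return out


if __name__ == "__main__":
    # Same environment variables as the usage example; the defaults are the page's values.
    template = os.environ.get("TOSH_IP_TEMPLATE", "fd15:4ba5:5a2b:1008:20c:29ff:fexx:xxxx")
    secret = os.environ.get("TOSH_TOTP_SECRET", "3OBVZP4AI74OIJO5YGV3UEXKXS6ISJ6H")
    now = int(time.time())
    print("connect to:", current_address(template, secret, now))
    print("server accepts (±1 step):", accepted_addresses(template, secret, now))
```

The TOTP itself is unchanged from any authenticator app, which is the point: the only new piece is that 6 decimal digits are also 6 valid hex nibbles, so they can be dropped straight into the address suffix. A server built on this has to regenerate the address (or the ±1 set) on every step boundary, which is the systemd-timer idea in the roadmap.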

Example setups

Roadmap

  • Describe example setup with iptables & systemd
  • ssh wrapper (ProxyCommand feature?)

FAQ

Why Rust?

I want to be able to build a cross-platform program easily, one that works even on Windows.

Where's client?

Not done yet. The reference implementation will work inside the ssh ProxyCommand option.


Comments

Add example: SSH config to a timerd config file

As noted in https://superuser.com/a/1142813/41259 SSH not only has an include file feature but also "Include directive may appear inside a Match or Host block to perform conditional inclusion." so the easiest way to integrate with SSH is to write the "Hostname ...." section into a file periodically. Currently the examples folder is about the server; perhaps move these examples into a server folder and add a client directory with a client-side timerd example.

enhancement
opened by chx 1
Owner

Mark Vainomaa, Backend software engineer