https://github.com/mikroskeem/tosh

mikroskeem / tosh (102 stars, 1 fork). Latest commit ec56e63, May 22, 2021: "Add few better alternatives to this toy solution".

# tosh

Imagine your SSH server only listens on an IPv6 address, and where the last 6 digits are changing every 30 seconds as a TOTP code...

Inspired from this tweet (Wayback machine).

Looking for a way simpler, bash implementation? Check out the old branch.

## Notes

This was made because... I could make it, not if I should make it. Yes, you read it right - it's a toy. Only use it if you know what you are doing. I am not up to handholding, preventing any footguns nor basic support requests.

Its purpose is just to add a layer of obscurity; it's probably only effective against bots (although most of them disappear after moving on to IPv6) and script kiddies. If you're being targeted by e.g. government agencies or people who definitely know what they do, then this probably won't help you.

Using this on top of an unconfigured (in other words, stock configuration) SSH server is always a bad idea, so please configure your SSH server to e.g. do only public key authentication, disable login for unnecessary users (e.g. allow only members of the group canssh to log in), etc.
To make things more fun, you may want to adjust your firewall rules to forward to an SSH tarpit by default.

Besides that, you NEED to ensure that your server and client times are in sync. You might want to look into chrony.

A few great alternatives to this:

* WireGuard - easy to set up VPN software.
* knockd - good old port knocking solution.
* sshguard - bans brute forcers.
* fail2ban - also bans brute forcers.

## Usage

Assign yourself an IPv6 subnet and replace the last 6 hex characters with `x`:

```
fd15:4ba5:5a2b:1008:20c:29ff:fe1a:9587 -> fd15:4ba5:5a2b:1008:20c:29ff:fexx:xxxx
```

Create a base32 TOTP secret, using e.g. `gen-oath-safe mikroskeem totp`.

```
$ export TOSH_IP_TEMPLATE=fd15:4ba5:5a2b:1008:20c:29ff:fexx:xxxx
$ export TOSH_TOTP_SECRET=3OBVZP4AI74OIJO5YGV3UEXKXS6ISJ6H
$ tosh generate
fd15:4ba5:5a2b:1008:20c:29ff:fe59:3001
```

## Example setups

* systemd timer & iptables setup - see `examples/iptables/`

## Roadmap

* [x] Describe example setup with iptables & systemd
* [ ] ssh wrapper (ProxyCommand feature?)

## FAQ

### Why Rust?

I am looking forward to building a cross-platform program easily, which works even on Windows.

### Where's client?

Not done yet. Reference implementation will work inside the ssh ProxyCommand option.

Languages: Rust 94.7%, Nix 5.3%. No releases published.
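As an added example (not the project's own Rust code), the Python below derives the address the Usage section describes: an RFC 6238 TOTP (HMAC-SHA1, 30-second step, 6 digits) computed from the base32 secret, with its digits substituted for the `x` placeholders. The secret used is the RFC 6238 test-vector key rather than the README's, and `addresses_around` is an added helper that shows how far a clock skew moves the expected address, which is why the README insists on synchronized time.

```python
import base64
import hashlib
import hmac
import ipaddress
import struct


def totp(secret_b32: str, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for a base32 secret at the given Unix time."""
    raw = secret_b32.strip().upper()
    key = base64.b32decode(raw + "=" * (-len(raw) % 8))   # tolerate unpadded secrets
    counter = struct.pack(">Q", unix_time // step)        # 8-byte big-endian time step
    digest = hmac.new(key, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                            # dynamic truncation (RFC 4226)
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def fill_template(template: str, code: str) -> str:
    """Substitute the code's digits for the 'x' placeholders, left to right."""
    if template.count("x") != len(code):
        raise ValueError("template needs exactly %d 'x' placeholders" % len(code))
    digits = iter(code)
    addr = "".join(next(digits) if ch == "x" else ch for ch in template)
    ipaddress.IPv6Address(addr)  # decimal digits are valid hex; still reject a bad template
    return addr


def tosh_address(template: str, secret_b32: str, unix_time: int) -> str:
    """The address tosh would listen on at unix_time (same scheme as the README)."""
    return fill_template(template, totp(secret_b32, unix_time))


def addresses_around(template: str, secret_b32: str, unix_time: int,
                     steps: int = 1, step: int = 30) -> list:
    """Addresses for the surrounding time steps: what a client whose clock is off
    by up to `steps` steps would compute instead of the server's current address."""
    return [tosh_address(template, secret_b32, unix_time + k * step)
            for k in range(-steps, steps + 1)]


if __name__ == "__main__":
    import time
    # Template taken from the README; the secret is the RFC 6238 test-vector key
    # ("12345678901234567890" in base32), not a real secret.
    TEMPLATE = "fd15:4ba5:5a2b:1008:20c:29ff:fexx:xxxx"
    SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
    print(tosh_address(TEMPLATE, SECRET, int(time.time())))
```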