{"id":13625926,"url":"https://github.com/mikroskeem/tosh","last_synced_at":"2025-04-07T12:09:04.733Z","repository":{"id":77663813,"uuid":"369635493","full_name":"mikroskeem/tosh","owner":"mikroskeem","description":"Imagine your SSH server only listens on an IPv6 address, and where the last 6 digits are changing every 30 seconds as a TOTP code...","archived":false,"fork":false,"pushed_at":"2021-06-06T10:23:00.000Z","size":37,"stargazers_count":418,"open_issues_count":1,"forks_count":7,"subscribers_count":7,"default_branch":"master","last_synced_at":"2025-03-31T11:02:16.268Z","etag":null,"topics":["ctf","ipv6","moving-target-defense","security-by-obscurity","ssh","tosh","totp"],"latest_commit_sha":null,"homepage":"","language":"Rust","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/mikroskeem.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null}},"created_at":"2021-05-21T19:29:59.000Z","updated_at":"2025-01-17T03:23:20.000Z","dependencies_parsed_at":"2023-02-27T04:00:11.219Z","dependency_job_id":null,"html_url":"https://github.com/mikroskeem/tosh","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mikroskeem%2Ftosh","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mikroskeem%2Ftosh/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mikroskeem%2Ftosh/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mikroskeem%2Ftosh/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners
/mikroskeem","download_url":"https://codeload.github.com/mikroskeem/tosh/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":247648978,"owners_count":20972945,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["ctf","ipv6","moving-target-defense","security-by-obscurity","ssh","tosh","totp"],"created_at":"2024-08-01T21:02:05.763Z","updated_at":"2025-04-07T12:09:04.715Z","avatar_url":"https://github.com/mikroskeem.png","language":"Rust","funding_links":[],"categories":["Rust","ctf","Hardening"],"sub_categories":["Ghidra"],"readme":"# tosh\n\nImagine your SSH server only listens on an IPv6 address, and where the last 6 digits are changing every 30 seconds as a TOTP code...\n\nInspired by [this tweet](https://twitter.com/kistel/status/1395375108315824130) [(Wayback machine)](https://web.archive.org/web/20210521215858/https://twitter.com/kistel/status/1395375108315824130)\n\nLooking for a way simpler, bash implementation? Check out [old](https://github.com/mikroskeem/tosh/tree/old) branch.\n\n## Notes\n\nThis was made because... I could make it, not if I should make it. Yes, you read it right - it's a toy.\nOnly use it if you know what you are doing. I am not up to handholding, preventing any footguns nor basic support requests.\n\nIts purpose is just to add a layer of obscurity, it's probably only effective against bots (although most of them disappear after moving on to IPv6)\nand script kiddies. 
If you're being targeted by e.g. government agencies or people who definitely know what they do, then this probably won't help you.\n\nUsing this on top of an unconfigured (in other words, running stock configuration) SSH server is always a bad idea, so please configure your SSH server\nto e.g. do only public key authentication, disable login for unnecessary users (e.g. allow only members of group `canssh` to login) etc.\n\nTo make things more fun, you may want to adjust your firewall rules to forward to [SSH tarpit](https://github.com/skeeto/endlessh) by default.\n\nBesides that, you NEED to ensure that your server and client times are in sync. You might want to look into [chrony](https://chrony.tuxfamily.org/).\n\nA few great alternatives to this:\n- [WireGuard](https://www.wireguard.com/) - easy to set up VPN software.\n- [knockd](https://zeroflux.org/projects/knock) - good old port knocking solution.\n- [sshguard](https://www.sshguard.net/) - bans brute forcers.\n- [fail2ban](https://www.fail2ban.org/wiki/index.php/Main_Page) - also bans brute forcers.\n\n## Usage\n\nAssign yourself an IPv6 subnet, replace last 6 hex characters with `x`.\n\n`fd15:4ba5:5a2b:1008:20c:29ff:fe1a:9587` -\u003e `fd15:4ba5:5a2b:1008:20c:29ff:fexx:xxxx`\n\nCreate a base32 TOTP secret, using e.g. `gen-oath-safe mikroskeem totp`\n\n```sh\n$ export TOSH_IP_TEMPLATE=fd15:4ba5:5a2b:1008:20c:29ff:fexx:xxxx\n$ export TOSH_TOTP_SECRET=3OBVZP4AI74OIJO5YGV3UEXKXS6ISJ6H\n$ tosh generate\nfd15:4ba5:5a2b:1008:20c:29ff:fe59:3001\n```\n\n### Example setups\n\n- systemd timer \u0026 iptables setup - see [examples/iptables/](examples/iptables/)\n\n## Roadmap\n- [x] Describe example setup with `iptables` \u0026 systemd\n- [ ] `ssh` wrapper (`ProxyCommand` feature?)\n\n## FAQ\n\n### Why Rust?\n\nI am looking forward to building a cross-platform program easily, which works even on Windows.\n\n### Where's client?\n\nNot done yet. 
Reference implementation will work inside ssh ProxyCommand option.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmikroskeem%2Ftosh","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fmikroskeem%2Ftosh","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmikroskeem%2Ftosh/lists"}