Torjus Håkestad
24c166b86b
Persist byte-level I/O events from SSH sessions to SQLite and add a web
UI to replay them with original timing. Events are buffered in memory
and flushed every 2s to avoid blocking SSH I/O on database writes.
- Add session_events table (migration 002)
- Add SessionEvent type and storage methods (SQLite + MemoryStore)
- Change RecordingChannel to support multiple callbacks
- Add EventRecorder for buffered event persistence
- Add session detail page with xterm.js terminal replay
- Add /api/sessions/{id}/events JSON endpoint
- Linkify session IDs in dashboard and active sessions
- Vendor xterm.js v5.3.0
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Oubliette
An SSH honeypot that logs login attempts, presents fake shells to "successful" logins, and tries to detect when a real human is poking around.
Named after the medieval dungeon - a place you throw people into and forget about them.
Status
Early development. See PLAN.md for the roadmap.
Usage
Build
# With Nix
nix build
# With Go
nix develop -c go build ./cmd/oubliette
Configure
Copy and edit the example config:
cp oubliette.toml.example oubliette.toml
Key settings:
ssh.listen_addr— listen address (default:2222)ssh.host_key_path— Ed25519 host key, auto-generated if missingauth.accept_after— accept login after N failures per IP (default10)auth.credential_ttl— how long to remember accepted credentials (default24h)auth.static_credentials— always-accepted username/password pairsstorage.db_path— SQLite database path (defaultoubliette.db)storage.retention_days— auto-prune records older than N days (default90)storage.retention_interval— how often to run retention (default1h)shell.hostname— hostname shown in shell prompts (defaultubuntu-server)shell.banner— banner displayed on connectionshell.fake_user— override username in prompt; empty uses the authenticated userweb.enabled— enable the web dashboard (defaultfalse)web.listen_addr— web dashboard listen address (default:8080)- Session detail pages at
/sessions/{id}include terminal replay via xterm.js
- Session detail pages at
detection.enabled— enable human detection scoring (defaultfalse)detection.threshold— score threshold (0.0–1.0) for flagging sessions (default0.6)detection.update_interval— how often to recompute scores (default5s)notify.webhooks— list of webhook endpoints for notifications (see example config)
Run
./oubliette -config oubliette.toml
Test with:
ssh -o StrictHostKeyChecking=no -p 2222 root@localhost
NixOS Module
Add the flake as an input and enable the service:
{
services.oubliette = {
enable = true;
package = inputs.oubliette.packages.${system}.default;
settings = {
ssh.listen_addr = ":2222";
auth.accept_after = 10;
auth.static_credentials = [
{ username = "root"; password = "toor"; }
];
};
};
}
Alternatively, use configFile to pass a pre-written TOML file instead of settings.