Adds nixos-module.nix with services.oubliette options (enable, package, settings, configFile) and a hardened systemd service. Exposes the module as nixosModules.default in flake.nix. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
# Oubliette

An SSH honeypot that logs login attempts, presents fake shells to "successful" logins, and tries to detect when a real human is poking around.

Named after the medieval dungeon - a place you throw people into and forget about them.

## Status

Early development. See `PLAN.md` for the roadmap.

## Usage

### Build

```sh
# With Nix
nix build

# With Go
nix develop -c go build ./cmd/oubliette
```

### Configure

Copy and edit the example config:

```sh
cp oubliette.toml.example oubliette.toml
```

Key settings:

- `ssh.listen_addr` — listen address (default `:2222`)
- `ssh.host_key_path` — Ed25519 host key, auto-generated if missing
- `auth.accept_after` — accept login after N failures per IP (default `10`)
- `auth.credential_ttl` — how long to remember accepted credentials (default `24h`)
- `auth.static_credentials` — always-accepted username/password pairs

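One way the three `auth.*` settings above could combine into a single accept/reject decision, as an added Go example that is not Oubliette's own code. The `Authenticator` type, the `Attempt` method, the order of the checks, remembering credentials across all source IPs, and restarting the failure counter after an accept are all assumptions; the IP and passwords are constructed sample values.

```go
package main

import (
	"fmt"
	"time"
)

type cred struct{ user, pass string }

// Authenticator models the README's auth.* settings (hypothetical, not Oubliette's code).
type Authenticator struct {
	acceptAfter int                // auth.accept_after
	ttl         time.Duration      // auth.credential_ttl
	static      map[cred]bool      // auth.static_credentials
	failures    map[string]int     // failed attempts per source IP
	remembered  map[cred]time.Time // accepted credential -> expiry time
}

func NewAuthenticator(n int, ttl time.Duration, static ...cred) *Authenticator {
	a := &Authenticator{n, ttl, map[cred]bool{}, map[string]int{}, map[cred]time.Time{}}
	for _, c := range static {
		a.static[c] = true
	}
	return a
}

// Attempt reports whether a password login is accepted, and the reason.
func (a *Authenticator) Attempt(ip, user, pass string, now time.Time) (bool, string) {
	c := cred{user, pass}
	if a.static[c] {
		return true, "static" // always accepted, never counted as a failure
	}
	if exp, ok := a.remembered[c]; ok && now.Before(exp) {
		return true, "remembered" // accepted earlier and still within the TTL
	}
	if a.failures[ip] >= a.acceptAfter {
		a.failures[ip] = 0 // assumption: the counter restarts after an accept
		a.remembered[c] = now.Add(a.ttl)
		return true, "threshold"
	}
	a.failures[ip]++
	return false, "rejected"
}

func main() {
	a := NewAuthenticator(2, time.Hour, cred{"root", "toor"})
	for _, p := range []string{"123456", "admin", "letmein"} { // constructed guesses
		fmt.Println(a.Attempt("203.0.113.5", "admin", p, time.Unix(0, 0)))
	}
}
```
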
### Run

```sh
./oubliette -config oubliette.toml
```

Test with:

```sh
ssh -o StrictHostKeyChecking=no -p 2222 root@localhost
```

### NixOS Module

Add the flake as an input and enable the service:

```nix
{
  services.oubliette = {
    enable = true;
    package = inputs.oubliette.packages.${system}.default;
    settings = {
      ssh.listen_addr = ":2222";
      auth.accept_after = 10;
      auth.static_credentials = [
        { username = "root"; password = "toor"; }
      ];
    };
  };
}
```

Alternatively, use `configFile` to pass a pre-written TOML file instead of `settings`.