HN Reader

Ask HN: With AI bubble burst imminent, where do you put your money?

4 points by munchausen42 1h ago 15 comments

Ask HN: What is so good about MCP servers?

30 points by metadat 13h ago 31 comments

The missing analytics platform for landing pages. What do you think?

4 points by coursecrumbs 6h ago 9 comments

Ask HN: Good Starting OS for Children?

3 points by kqr 6h ago 4 comments

Tell HN: Online Safety Act to be enforced in the UK on July 25th

13 points by trycatchthroawy 16h ago 6 comments

Ask HN: Help me navigate a PIP at a remote startup in the Netherlands

18 points by msoad 1d ago 14 comments

Ask HN: Why do Cursor, Windsurf and Claude Code dominate the conversation?

25 points by bluelightning2k 4d ago 35 comments

Remove All AI Features from Firefox

43 points by nabla9 2d ago 7 comments

Mineral exploration startups are the tech startups of the physical world

4 points by unicorn_chaser 20h ago 0 comments

Ask HN: How did you navigate an illegal termination?

5 points by infoseekadvice 21h ago 4 comments

Ask HN: Python developers at big companies what is your setup?

32 points by ravshan 2d ago 33 comments

Ask HN: Why is Gmail so incompetent at basic search?

57 points by sn9 3d ago 57 comments

I'm Peter Roberts, immigration attorney who does work for YC and startups. AMA

162 points by proberts 7d ago 265 comments

Ask HN: Is anybody using llama.cpp for production?

11 points by HardikVala 1d ago 1 comments

Ask HN: Has anyone deployed LLMs to production?

13 points by saaspirant 1d ago 5 comments

Ask HN: How many of you are working in tech without a STEM degree?

15 points by zebproj 2d ago 21 comments

Ask HN: How do you avoid AI slop on YouTube?

5 points by npteljes 18h ago 7 comments

Ask HN: Any active COBOL devs here? What are you working on?

243 points by _false 7d ago 187 comments

Ask HN: What Speaker Diarization tools should I look into?

11 points by justforfunhere 3d ago 8 comments

Google admits system failure but claims "technical impossibility" to fix it

4 points by CBlakeley 17h ago 1 comments

Ask HN: Copilot Makes Me Dumb

5 points by ynarwal__ 1d ago 10 comments

Ask HN: What's Your Useful Local LLM Stack?

91 points by Olshansky 9d ago 52 comments

MatrixTransformer: Structural Pattern Discovery Without Training

3 points by AyodeleFikayomi 1d ago 0 comments

Ask HN: How to find non-popular blogs and forums?

27 points by dominicq 4d ago 20 comments

Ask HN: What Pocket alternatives did you move to?

125 points by ahmedfromtunis 7d ago 143 comments

Most interesting job openings according to ChatGPT

4 points by jobswithgptcom 1d ago 3 comments

Show HN: TheProtector – Linux Bash script for the paranoid admin on a budget

161 lotussmellsbad 35 7/23/2025, 6:37:48 PM github.com ↗
Hi HN,

I spent the past year building this in my spare time because I got tired of enterprise security tools that cost $50K/year and don't understand Linux.

TheProtector is a comprehensive security monitoring tool that actually runs on the systems we use (Linux) instead of being a Windows-first afterthought. Built it entirely on a $500 laptop because I believe good security shouldn't require unlimited budgets.

Features: - Real-time process, network, and file monitoring - YARA malware detection with custom rules - eBPF kernel monitoring (when available) - Behavioral baseline establishment and anomaly detection - Active threat response (blocks IPs, kills processes, quarantines files) - Anti-evasion detection for rootkits and advanced threats - Honeypots for attack detection - Web dashboard for monitoring - Single bash script, no complex installation

The tagline is "not perfect but better than most" because I'm tired of security vendors claiming their tools are flawless. This actually works, costs $0, and you can read every line of code.

I know bash isn't the sexy choice for security tools, but it runs everywhere, has zero dependencies, and most Linux admins can read/modify it. Sometimes boring technology that works is better than fancy technology that doesn't.

It's designed for the intersection of "paranoid about security" and "don't have enterprise budgets" - which describes most of us actually running Linux systems.

GitHub: https://github.com/IHATEGIVINGAUSERNAME/theProtector

Been running it on my own systems for months. Catches the stuff that matters and doesn't flood you with false positives. If you hate expensive security theater as much as I do, might be worth a look.

Open to feedback, especially from folks who know more about this stuff than I do.

Thanks, IHATEGIVINGAUSERNAME (yes, I really do hate giving usernames)

Comments (35)

monch1962 · 1d ago
I love this implementation approach.

At first glance I questioned your choice of bash over something like Python, but you're right - bash is everywhere and every competent Linux admin knows how to use it. There's a zillion unprotected Linux servers out there where this would be very handy.

In terms of next steps, it might be worth documenting more about the notification framework and some simple examples of how we might use it. I can see you've mentioned integrations with email, Slack and webhooks in the tech paper, but I can't spot anything about how to use them

Congratulations on a really worthy project

justaj · 15h ago
> bash is everywhere

...except on systems like Alpine Linux and other such minimal distributions.

panphora · 1d ago
As someone who runs production services but isn't a full-time sysadmin, I evaluated this script before thinking about deploying it.

Here's what you should know:

The Good: It's a comprehensive monitoring solution that actually catches real threats. The YARA integration, eBPF monitoring, and honeypot features are impressive for a bash script.

Security Issues:

1. Command injection in process monitoring - Initially looked like a vulnerability because the code uses xargs basename on process names, which seemed dangerous. However, process names from ps output are already sanitized by the kernel (limited to 15 chars, no shell metacharacters executed).

2. Executing Python scripts from /tmp as root - Real privilege escalation vulnerability. Ghost Sentinel writes to world-writable /tmp then executes as root. Any local user can overwrite the file between write and execute to gain root. Trivial to exploit with inotify or loop, 100% reliable. Turns any compromised service account into root access. Fix: use root-owned directory instead of /tmp.

Email Configuration - Gmail will block direct server emails. Install msmtp and configure it with your Gmail app password (not regular password) to get theProtector to use msmtp's mail command:

  # Install
  sudo apt-get install msmtp msmtp-mta
  
  # Configure ~/.msmtprc (for root since script runs as root)
  sudo tee /root/.msmtprc << 'EOF'
  defaults
  auth           on
  tls            on
  tls_trust_file /etc/ssl/certs/ca-certificates.crt
  account        gmail
  host           smtp.gmail.com
  port           587
  from           your-email@gmail.com
  user           your-email@gmail.com
  password       your-app-password
  account default : gmail
  EOF
  
  sudo chmod 600 /root/.msmtprc
Uninstall TheProtector:

  # Remove cron job
  crontab -l | grep -v ghost_sentinel | crontab -
  
  # Remove systemd timer (if installed)
  sudo systemctl disable ghost-sentinel.timer 2>/dev/null
  
  # Remove logs and data
  sudo rm -rf /var/log/ghost-sentinel
Auto-update concerns: The script does NOT auto-update. self_update() only runs when you explicitly execute ./the_protector.sh update

Performance note: On resource-constrained VPS instances, set ENABLE_EBPF=false and MAX_FIND_DEPTH=1

I'm deploying a patched version this week. The creator spent a year on this and it shows - the eBPF/YARA integration is impressive. They should set up GitHub Sponsors or a donation link. It's better than many commercial solutions I've seen.

thwarted · 1d ago
> However, process names from ps output are already sanitized by the kernel (limited to 15 chars, no shell metacharacters executed).

I'm not sure what this is referring to. You can easily create a binary named ' (single quote, a shell meta character) and it will show up in ps (and /proc/pid/cmdline and /proc/pid/status) as a single quote. If you name a binary with a control character, it will show up in ps as ? (a shell metacharacter), and in /proc/$pid/cmdline and /proc/$pid/status as the control character itself (I named a binary as the single ASCII character 7, bell, and catting /proc/$pid/{cmdline,status} plays the as interpreted by the terminal program).

Recent versions of ls display these directory entries quoted for select-and-paste ease as:

   $ ls -l ? # used ? here to match both files that are a single character
   -rwxr-xr-x 2 thwarted thwarted 1769980 Jul 23 19:53 ''$'\a'
   -rwxr-xr-x 2 thwarted thwarted 1769980 Jul 23 19:53 "'"
This was with kernel 5.14 and procps-ng-3.3.17.

Formatted by ls, the ^G file can be given to xargs, and the terminal plays a bell, but the single quote filename can not:

   $ ls -1 /tmp/? | xargs -t -n 1 basename
   basename '/tmp/'$'\a'
   xargs: unmatched single quote; by default quotes are special to xargs unless you use the -0 option
Being able to null-byte delimit the input to xargs may make a difference here.

Anyway, you can't trust the content of what ps shows as the commandline pointing to an actual existing binary. The command line isn't always absolute. The best way to find the binary is probably by examining where the symlink /proc/$pid/exe points to, and getting the basename off of that, but that is not guaranteed to be shell-safe either, so YMMV.

lotussmellsbad · 1d ago
This is why I released it - I am one person and know I need this community to make it something more
bravesoul2 · 1d ago
Thanks from the community for your insights
bugsMarathon88 · 1d ago
This cannot conscientiously be called a security tool, as it lacks:

- author attribution (in fact, a mockery is made of it)

- qualified independent security review and endorsement

- designs justifying irrational decisions such as unilateral superuser execution

- any sort of testing, validation or significant documentation of code functionality

- steps to undo whatever this does (since anything is possible, as all liability is explicitely disavowed)

This is not meant to discourage development, but such software should have a clear an EXPERIMENTAL disclaimer and not purport to secure anything; primum non nocere.

lotussmellsbad · 1d ago
I do not disagree and wanted to keep it true to the linux community and thought - "these guys can make it better and improve at the cost of time versus $$" add to it and improve it
FergusArgyll · 1d ago
I would probably delete the self_update function[0] if I were to use this, otherwise this is cool!

https://github.com/IHATEGIVINGAUSERNAME/theProtector/blob/ma...

nullc · 1d ago
Wouldn't be a faithful replacement for enterprise tools if it didn't introduce a new "trust us" backdoor into your systems. :P
lotussmellsbad · 1d ago
ha and good catch
CodePoint · 15h ago
"I spent the past year building this in my spare time because I got tired of enterprise security tools that cost $50K/year and don't understand Linux." You should have written it as a learning opportunity. To think you can replace such tools seems rather arrogant -- Experienced professionals with decades of experience worked on them. You're just 1 person, and it seems like you may be new.

"TheProtector is a comprehensive security monitoring tool that actually runs on the systems we use (Linux) instead of being a Windows-first afterthought. Built it entirely on a $500 laptop because I believe good security shouldn't require unlimited budgets." After reviewing the code it doesn't seem very comprehensive. As some others have pointed out it appears to be mostly AI-generated. Again, as a learning opportunity this isn't a bad exercise, but I also probably wouldn't brag about it being comparable to tools that were made by teams of people who are likely far more knowledgeable when it comes to designing such tools.

"Been running it on my own systems for months. Catches the stuff that matters and doesn't flood you with false positives. If you hate expensive security theater as much as I do, might be worth a look." I should also probably address the elephant in the room: Your github account is only 2 days old (as of this writing). Additionally the initial commit to the repository was made on July 23rd, 2025. Based on the commit history (and based on the files that were committed) it looks like this was created with AI in the span of a couple days.

I'm sure a 'security-minded' individual such as yourself sees the problem here: a monolithic script from some random person on the internet purporting to have developed something to help secure my system... I wouldn't touch it with a 10-foot pole.

Something about this post stinks to me. Smells like somone trying to phish for installs. Seems like something an intelligence agency would do: post something like this in several places hoping somone runs it.

_QrE · 1d ago
Neat, but isn't packing all this stuff into a bash script overkill? You can pretty easily install and configure some good tools (i.e. crowdsec, rkhunter, ssh tarpit or whatever) to cover each of the categories rather than have a bunch of half-measures.

Also, you're calling this TheProtector, but internally it seems to be called ghost sentinel?

> local update_url="https://raw[dot]githubusercontent[dot]com/your-repo/ghost-se..."

vanviegen · 1d ago
Congratulations on your release! That packs a lot of functionality in a surprisingly small and readable (and thus auditable) shell script. Great work!

One thing though: I can imagine you being rather anonymous (no real name, new HN account, new GitHub account) might make people a bit nervous around a security tool. You probably have good reasons for that, but if not.. you might want to reconsider and take credit?

subscribed · 1d ago
This is them taking the credit under the assumed pen name.
sevg · 1d ago
The tech paper is LLM trash. Doesn’t bode well for the code, not just because it’s a gigantic bash script..
webprofusion · 1d ago
Would love to see the prompts used. I can tell from the formatting etc this is AI built, nothing wrong with that.
lotussmellsbad · 1d ago
organically?? thanks though!!
rfkjrjr · 1d ago
"Built by thelotus over a year of free time. Maintained by thelotus. Given away free because expensive security theater is stupid." Who / what is the lotus?
lotussmellsbad · 1d ago
I hate the idea of hats - I like the idea of the Lotus growing in something dirty but uses the filth in ponds to make something beautiful

No comments yet

globalnode · 1d ago
This is great. I'm currently trying to use Linux more due to Recall but in terms of security I'm just not sure what I'm doing most of the time. I suppose I should go read a book about it. Any suggestions on that front? Anyway, a tool like this (if trustworthy) would go a long way to helping me in this area. Also I do like that its in bash and not compiled.
_def · 1d ago
Was this made with LLMs?
kirab · 1d ago
I believe so, a human programmer would feel ashamed for adding comments like these:

  # Stop honeypots
  stop_honeypots
  
  # Stop eBPF monitoring
  stop_ebpf_monitoring
  
  # Stop API server
  stop_api_server
Source: https://github.com/IHATEGIVINGAUSERNAME/theProtector/blob/b1...
lotussmellsbad · 1d ago
no - some of what you see is the place holders when framing it - I did read a stuff from - The Practice - Blue Team Field Manual - Linux Hardening - UNIX and Linux System Admin - now the the grammar is clean up is slop by Ollama Llama 3 - I framed into a gui
lotussmellsbad · 1d ago
Thanks for all the comments and feedback - the one I run is plugged - has a brain - and can hook - Ill update in a few days with some of the features - if curious and I run a handle name because it would not take much to be more
somehnguy · 1d ago
What's up with the "tech paper"? It's completely packed with nonsense claims
kfrzcode · 1d ago
It's LLM slop. I have done enough of these "projects" with every major model over the last six weeks to recognize it instantly. There are non-subtle patterns I would enumerate if I weren't quite this tired.
lotussmellsbad · 1d ago
Fair - the write up could def be cleaner and was corrected using Ollama I framed in. The bash is not slop and why I use a another name - I do not want to get wrapped up in formatting vs function - in the spirit of open source here - make it better and fully anticipating I would get comments - honestly - I do not have the skill set (or desire) to strip LLM of guard rails - it was fun and worked on it for sometime - I work database and front end and rebuild radios (part time) in the real world and needed something for a personal project/goal
xalg · 1d ago
I really like the simplicity. I have added it to a test server and will see how it goes. Congrats on releasing your project.
lotussmellsbad · 1d ago
same - not perfect and just a start and see how the community can add to it!
ropable · 1d ago
A self-contained Bash script and short enough to evaluate thoroughly in an hour or two. Bravo, OP.
indigodaddy · 1d ago
Really cool and interesting, good work.
lotussmellsbad · 1d ago
thanks - it is still a work in progress but please add to it but needed the community to evolve it
BLKNSLVR · 1d ago
I will check this out, I love the idea.
lotussmellsbad · 1d ago
thanks - enjoy and take it to the next level - share it