TheProtector: Bash Based

Linux Bash Script for the Paranoid Admin on a Budget - real-time monitoring and active threat response

Linux security tool for the paranoid on a budget - not perfect but better than most

TheProtector is comprehensive security monitoring for Linux systems. Built for DEfense Only

TheProtector monitors your Linux system in real-time and actively responds to threats:

Real-time Monitoring:

• Process execution and behavior analysis
• Network connections and traffic patterns
• File system changes and integrity checking
• User activity and privilege escalation attempts
• System resource usage and anomalies
• Kernel-level activity via eBPF (when available)

Active Threat Response:

• Automatically blocks malicious IP addresses
• Terminates suspicious processes immediately
• Quarantines detected malware with forensic preservation
• Restores modified critical system files from backups
• Kills reverse shell connections and C2 communications

Advanced Detection:

• YARA rule scanning for malware signatures
• Behavioral baseline learning and anomaly detection
• Anti-evasion techniques to defeat rootkits and process hiding
• Honeypot services to detect reconnaissance attempts
• Threat intelligence integration with automatic updates

Management Interface:

• Web dashboard for real-time monitoring
• JSON output for SIEM integration
• Comprehensive logging with integrity verification
• Alert categorization by severity level
• Historical analysis and reporting

• bash (4.0 or higher)
• curl or wget
• awk, grep, sed
• netstat or ss
• iptables
• cron (for scheduled scans)

• yara - Malware signature scanning
• jq - JSON processing and pretty output
• inotify-tools - Real-time file monitoring
• netcat - Network honeypot services
• bcc-tools - eBPF kernel monitoring (requires root)

Ubuntu/Debian:

CentOS/RHEL/Fedora:

Arch Linux:

• Linux (any distribution)
• Root access (required for kernel monitoring and active response)
• Minimum 512MB RAM
• 100MB disk space for logs and quarantine
• Network access for threat intelligence updates

TheProtector works immediately without configuration. To customize:

Key Settings:

• MONITOR_NETWORK - Enable network connection monitoring
• ENABLE_HONEYPOTS - Deploy honeypot services for attack detection
• ENABLE_YARA - Scan files with YARA malware rules
• THREAT_INTEL_UPDATE - Automatically update threat intelligence feeds
• API_PORT - Web dashboard port (default 8080)
• LOG_RETENTION_DAYS - How long to keep logs (default 30)

• Script: ./theprotector.sh
• Configuration: /etc/theprotector/theprotector.conf
• Logs: /var/log/theprotector/
• Alerts: /var/log/theprotector/alerts/
• Quarantine: /var/log/theprotector/quarantine/
• Baselines: /var/log/theprotector/baselines/

Malware and Rootkits:

• Cryptocurrency miners
• Webshells and backdoors
• Kernel rootkits
• Process injection attacks
• Fileless malware
• Memory-resident threats

Network Attacks:

• Port scanning and reconnaissance
• Brute force login attempts
• Command and control communications
• Data exfiltration attempts
• Lateral movement
• Reverse shell connections

System Compromise:

• Unauthorized privilege escalation
• New user account creation
• Critical file modifications
• Suspicious process execution
• Persistence mechanism installation
• Configuration tampering

TheProtector is designed for continuous operation:

• Memory usage: Approximately 50MB RAM
• CPU impact: Less than 2% on modern systems
• Disk usage: Grows with log retention settings
• Network impact: Minimal, only threat intelligence updates

TheProtector provides a solid security foundation but has limitations:

• Not a complete SIEM - Lacks enterprise reporting and compliance features
• Bash-based - Some prefer compiled languages for security tools
• Linux only - Does not monitor Windows or macOS systems
• Root required - Needs elevated privileges for kernel monitoring
• Community supported - No vendor support or SLA

For most use cases, these limitations are not problems. For enterprise compliance requirements, additional tools may be needed.

Permission denied errors:

Missing dependencies:

High resource usage:

Web dashboard not accessible:

This is a community project. Contributions are welcome:

• Bug reports: Open an issue with system details and error messages
• Feature requests: Describe your use case and requirements
• Code contributions: Submit pull requests with clear descriptions
• Documentation: Help improve installation guides and examples
• Testing: Try on different distributions and report compatibility

• Issues: Use GitHub issue tracker
• Questions: Check existing issues and documentation first
• Community: GitHub discussions for general questions

This is free software provided as-is. No warranties or guarantees, but genuine effort to help the Linux security community.

GNU General Public License v3.0

You are free to use, modify, and distribute this software. Any modifications must also be released under GPL v3.

I built TheProtector over the past year in my free time because:

1. Security should be accessible - Not just for Fortune 500 companies
2. Tools should work - Detection without response is useless
3. Simplicity wins - Complex tools break in production
4. Open source is better - Transparent security you can trust and modify
5. Budget constraints drive innovation - Good security doesn't require unlimited budgets

Merry Christmas, Linux community.

This is my gift to you - a year of evenings and weekends building something that actually works. If you don't like it, cool. Make it better.

I maintain this in my spare time and give it away free because security tools shouldn't cost more than a car payment.

Not perfect, but better than what you're paying for.

Built by thelotus over a year of free time. Maintained by thelotus. Given away free because expensive security theater is stupid.