Stop brute-force IPs and suspicious web payloads on a small Linux server in minutes, without deploying a full SIEM or heavyweight EDR stack.
Mini-HIDS is a lightweight Linux host intrusion detection tool built with the Python standard library. It focuses on three things that are easy to operationalize on small servers:
It also exposes both a JSON CLI and a minimal MCP server, so AI agents can inspect status, read alerts, query the blacklist, and trigger ban or unban actions through a standard tool interface.
## Why This Exists
Most open-source security tools are optimized for human operators first. Mini-HIDS is intentionally small enough to understand quickly, script easily, and embed into agent workflows without a large control plane.
This repository is a good fit if you want:
This repository is not a good fit if you need:
## Architecture
- mini_hids.py: long-running daemon that tails logs, tracks attack windows, bans IPs, and rescans web roots
- hids_cli.py: JSON-only control-plane CLI for operators and agents
- hids_common.py: shared config loading, SQLite helpers, IP validation, and firewall backends
- mcp_server.py: stdio MCP adapter that exposes Mini-HIDS actions as agent-callable tools
- config.json: runtime configuration loaded by both the daemon and the CLI
- llms.txt: LLM-oriented project map for AI search and coding assistants

## Quick Start
```bash
git clone https://github.com/netkr/mini-hids.git
cd mini-hids
```
Adjust config.json, then start the daemon:
```bash
sudo python3 mini_hids.py
```
Use the JSON CLI:
```bash
python3 hids_cli.py --action status
python3 hids_cli.py --action get_alerts --lines 20
python3 hids_cli.py --action get_blacklist
python3 hids_cli.py --action ban --ip 192.168.1.100 --reason "manual ban"
python3 hids_cli.py --action unban --ip 192.168.1.100
```
## Use With AI Agents
Mini-HIDS now ships with a local MCP server. That means tools like Cursor, Claude Desktop, and other MCP-compatible clients can call the project directly instead of shelling out ad hoc.
Run the MCP server:
```bash
python3 mcp_server.py
```
Example client config:
```json
{
"mcpServers": {
"mini-hids": {
"command": "python3",
"args": ["/absolute/path/to/mini-hids/mcp_server.py"]
}
}
}
```
A ready-to-copy sample is also included at examples/claude_desktop_mcp.json.
Available MCP tools:
- mini_hids_status
- mini_hids_get_alerts
- mini_hids_get_blacklist
- mini_hids_ban_ip
- mini_hids_unban_ip

This is the practical replacement for a fake "one-click deploy" button. Mini-HIDS needs local log access and firewall privileges, so local or server-side MCP integration is the correct deployment model.
## CLI Output
All CLI commands return JSON. Example:
```json
{
"success": true,
"data": {
"is_running": true,
"pid": 12345,
"firewall_backend": "iptables"
}
}
```
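Because every CLI action returns this envelope, an agent or script that drives Mini-HIDS should validate its own input and check `success` before trusting `data`. The wrapper below is an added example, not code from Mini-HIDS: it assumes the `--action`, `--ip`, `--reason` and `--lines` flags and the `{"success": ..., "data": ...}` envelope shown in this README, while the `error` key on failures, the `HIDS_CLI` path and the helper names are this example's own assumptions.

```python
"""Agent-side wrapper for the Mini-HIDS JSON CLI (added example, not project code)."""
import ipaddress
import json
import subprocess
import sys

HIDS_CLI = "hids_cli.py"  # assumed location: current working directory


class HidsError(RuntimeError):
    """Raised when the CLI returns no JSON, a malformed envelope, or success == false."""


def build_argv(action, ip=None, reason=None, lines=None):
    """Build the argv list for hids_cli.py without a shell.

    Agent-supplied IPs are parsed with ipaddress first, so a hostname, a CIDR
    range or arbitrary text never reaches a privileged ban/unban action.
    """
    argv = [sys.executable, HIDS_CLI, "--action", action]
    if ip is not None:
        argv += ["--ip", str(ipaddress.ip_address(ip))]  # ValueError on anything but one IP
    if reason is not None:
        argv += ["--reason", reason]
    if lines is not None:
        argv += ["--lines", str(int(lines))]
    return argv


def parse_envelope(raw):
    """Decode the JSON envelope and return its 'data' member, raising on failure."""
    try:
        envelope = json.loads(raw)
    except json.JSONDecodeError as exc:
        raise HidsError(f"CLI did not return JSON: {exc}") from exc
    if not isinstance(envelope, dict) or "success" not in envelope:
        raise HidsError("CLI response has no 'success' field")
    if envelope["success"] is not True:
        # Assumed: a failing call carries a human-readable 'error' string.
        raise HidsError(envelope.get("error", "unknown CLI error"))
    return envelope.get("data")


def run_action(action, runner=None, **kwargs):
    """Run one CLI action and return its data; `runner` can be swapped for tests."""
    argv = build_argv(action, **kwargs)
    if runner is None:
        def runner(a):
            return subprocess.run(a, capture_output=True, text=True, check=False).stdout
    return parse_envelope(runner(argv))


if __name__ == "__main__":
    print(run_action("status"))
```

The wrapper never uses `shell=True`, and it rejects the input before the subprocess is spawned; a `ValueError` from `ipaddress` is the signal that an agent passed something that is not a single address.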
## Requirements
- iptables
- nft
- fail2ban-client

## Configuration
Edit config.json instead of modifying the Python files.
```json
{
"LOG_PATHS": {
"auth": ["/var/log/auth.log", "/var/log/secure"],
"web": ["/var/log/nginx/access.log", "/var/log/apache2/access.log"],
"mysql": ["/var/log/mysql/mysql.log", "/var/log/mysql/error.log"]
},
"BAN_TIME": 3600,
"TRUSTED_IPS": ["127.0.0.1", "192.168.1.1"],
"WEB_ROOT": ["/var/www/html", "/var/www"],
"BLACKLIST_DB": "blacklist.db",
"ALERT_LOG": "hids_alert.log",
"PID_FILE": "mini_hids.pid",
"MAX_FAILURES": 5,
"WINDOW_SECONDS": 300,
"CHECK_INTERVAL": 1,
"WEBSHELL_SCAN_INTERVAL": 3600
}
```
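MAX_FAILURES, WINDOW_SECONDS, BAN_TIME and TRUSTED_IPS together define the brute-force policy: failures are counted per source IP inside a sliding window, a ban is issued when the count reaches the threshold, and the ban is lifted once its time has elapsed. The following is an added illustration of that logic, not Mini-HIDS's own code: the sshd "Failed password" line format, the BanEngine class and its recorded firewall actions are this example's assumptions, and SAMPLE_LOG is constructed.

```python
"""Sliding-window brute-force detection with timed bans (added example, not project code)."""
import calendar
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime

# Assumed syslog format of sshd failures in /var/log/auth.log.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>[0-9a-fA-F.:]+) port \d+"
)


def parse_failure(line, year=2024):
    """Return (epoch_seconds, ip) for an sshd failed-password line, else None."""
    m = FAILED_RE.match(line)
    if not m:
        return None
    # syslog stamps carry no year; caller supplies it. Interpreted as UTC for determinism.
    dt = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
    try:
        ip = str(ipaddress.ip_address(m.group("ip")))  # normalize, drop garbage
    except ValueError:
        return None
    return calendar.timegm(dt.timetuple()), ip


class BanEngine:
    """Counts failures per IP inside a sliding window and issues timed bans."""

    def __init__(self, max_failures=5, window_seconds=300, ban_time=3600,
                 trusted_ips=("127.0.0.1",)):
        self.max_failures = max_failures
        self.window = window_seconds
        self.ban_time = ban_time
        self.trusted = {str(ipaddress.ip_address(ip)) for ip in trusted_ips}
        self.failures = defaultdict(deque)  # ip -> timestamps still inside the window
        self.banned = {}                    # ip -> expiry epoch
        self.firewall = []                  # stand-in for a backend: ("ban"|"unban", ip)

    def record_failure(self, ip, ts):
        """Register one failure; True if it pushed the IP over MAX_FAILURES."""
        if ip in self.trusted or ip in self.banned:
            return False
        window = self.failures[ip]
        window.append(ts)
        while window and ts - window[0] > self.window:
            window.popleft()  # forget failures older than WINDOW_SECONDS
        if len(window) >= self.max_failures:
            self.ban(ip, ts)
            return True
        return False

    def ban(self, ip, now):
        self.banned[ip] = now + self.ban_time
        self.failures.pop(ip, None)
        self.firewall.append(("ban", ip))

    def expire_bans(self, now):
        """What the CHECK_INTERVAL loop does: lift bans whose BAN_TIME has elapsed."""
        lifted = [ip for ip, expiry in self.banned.items() if expiry <= now]
        for ip in lifted:
            del self.banned[ip]
            self.firewall.append(("unban", ip))
        return lifted

    def feed(self, lines):
        """Process log lines in order; return the IPs banned along the way."""
        newly_banned = []
        for line in lines:
            parsed = parse_failure(line)
            if parsed is None:
                continue  # not a failure line (e.g. a successful login)
            ts, ip = parsed
            if self.record_failure(ip, ts):
                newly_banned.append(ip)
        return newly_banned


# Constructed sample: a fast brute-forcer, failures from a trusted IP, and a slow
# attacker whose attempts never accumulate to five inside one 300 s window.
SAMPLE_LOG = """\
Jan 10 12:00:01 host sshd[1001]: Failed password for root from 203.0.113.10 port 51234 ssh2
Jan 10 12:00:05 host sshd[1002]: Failed password for invalid user admin from 203.0.113.10 port 51235 ssh2
Jan 10 12:00:09 host sshd[1003]: Failed password for root from 203.0.113.10 port 51236 ssh2
Jan 10 12:00:14 host sshd[1004]: Failed password for root from 203.0.113.10 port 51237 ssh2
Jan 10 12:00:20 host sshd[1005]: Accepted publickey for deploy from 192.168.1.1 port 40000 ssh2
Jan 10 12:00:21 host sshd[1006]: Failed password for root from 203.0.113.10 port 51238 ssh2
Jan 10 12:01:00 host sshd[1007]: Failed password for root from 192.168.1.1 port 40001 ssh2
Jan 10 12:01:01 host sshd[1008]: Failed password for root from 192.168.1.1 port 40002 ssh2
Jan 10 12:01:02 host sshd[1009]: Failed password for root from 192.168.1.1 port 40003 ssh2
Jan 10 12:01:03 host sshd[1010]: Failed password for root from 192.168.1.1 port 40004 ssh2
Jan 10 12:01:04 host sshd[1011]: Failed password for root from 192.168.1.1 port 40005 ssh2
Jan 10 12:02:00 host sshd[1012]: Failed password for root from 198.51.100.7 port 60000 ssh2
Jan 10 12:04:00 host sshd[1013]: Failed password for root from 198.51.100.7 port 60001 ssh2
Jan 10 12:06:00 host sshd[1014]: Failed password for root from 198.51.100.7 port 60002 ssh2
Jan 10 12:08:00 host sshd[1015]: Failed password for root from 198.51.100.7 port 60003 ssh2
Jan 10 12:10:00 host sshd[1016]: Failed password for root from 198.51.100.7 port 60004 ssh2
"""


def run_sample():
    """Replay SAMPLE_LOG with the thresholds from the config above."""
    engine = BanEngine(max_failures=5, window_seconds=300, ban_time=3600,
                       trusted_ips=["127.0.0.1", "192.168.1.1"])
    return engine, engine.feed(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    engine, newly = run_sample()
    print("banned:", newly, "actions:", engine.firewall)
```

Only 203.0.113.10 is banned: the trusted address is skipped before its failures are even counted, and the slow attacker at two-minute intervals never has more than three attempts inside any 300 s window. That second case is the trade-off WINDOW_SECONDS sets; widening it catches slower scans at the cost of keeping more state per source.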
Notes:
- BLACKLIST_DB, ALERT_LOG, and PID_FILE can be absolute paths. If they are relative, they are created in the project directory.
- CHECK_INTERVAL controls how often the daemon checks for expired bans.
- WEBSHELL_SCAN_INTERVAL controls how often the daemon rescans web roots.
- TRUSTED_IPS are never banned by the daemon or the CLI.

## Security Notes
- TRUSTED_IPS carefully to avoid locking yourself out.

## Limitations
- nftables support uses a dedicated mini_hids table and timeout-enabled sets, so existing firewall policies should still be reviewed before production use.

## v1.2 Release Notes