Documentation

Monarx Sentinel

Comprehensive guide to the autonomous server defense agent. Installation, commands, and security features.

Overview

Monarx Sentinel is a lightweight, real-time network monitoring and threat detection system designed for Linux servers. It reads the kernel's socket tables directly (/proc/net/tcp and /proc/net/tcp6) or equivalent system APIs to track every active connection, identify malicious patterns, and provide instant visibility into your infrastructure's network activity.

Core Capabilities

Real-Time Network Monitoring

Monitors all active TCP connections (IPv4/IPv6) at a 1-second polling interval and tracks states such as ESTABLISHED, LISTEN, TIME_WAIT, and SYN_RECV. Because the socket table is polled rather than hooked, a connection that opens and closes within a single interval can be missed.

Process Intelligence

Associates every network connection with its system process (PID) and executable name (e.g., nginx, sshd, node). Mapping a socket to a process owned by another user requires reading that process's /proc/<pid>/fd, so run the agent as root for full coverage.
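How the PID association can be done on Linux, as an added example (this is not Monarx Sentinel's own code): every socket a process holds appears under /proc/<pid>/fd as a symlink whose target is socket:[<inode>], and the same inode is printed in the inode column of /proc/net/tcp. The function below walks that tree and inverts the relation; build_fake_proc constructs a miniature procfs tree so the demo runs offline and without root. Function names, the sample PIDs and the inode numbers are assumptions made for the demo.

```python
import os
import re
import tempfile
from pathlib import Path

# Added example, not Monarx Sentinel's own code. On Linux each socket a process
# holds shows up as /proc/<pid>/fd/<n> -> "socket:[<inode>]", and that inode is
# what /proc/net/tcp prints for the connection. Walk every fd link once and
# invert the relation to get connection -> (pid, executable name).
SOCKET_RE = re.compile(r"^socket:\[(\d+)\]$")


def map_socket_inodes(proc_root="/proc"):
    """Return {inode: (pid, comm)} for every socket fd visible under proc_root.

    Reading another user's /proc/<pid>/fd needs root (or ptrace access), so an
    unprivileged run silently skips those processes instead of crashing.
    """
    mapping = {}
    for pid_dir in Path(proc_root).iterdir():
        if not pid_dir.name.isdigit():          # skip "self", "net", "sys", ...
            continue
        try:
            entries = list((pid_dir / "fd").iterdir())
        except (PermissionError, FileNotFoundError):
            continue                            # no permission, or process already exited
        try:
            comm = (pid_dir / "comm").read_text().strip()
        except OSError:
            comm = "?"
        for fd in entries:
            try:
                target = os.readlink(fd)        # readlink does not follow the link
            except OSError:
                continue                        # fd closed between listing and readlink
            m = SOCKET_RE.match(target)
            if m:
                mapping[int(m.group(1))] = (int(pid_dir.name), comm)
    return mapping


def build_fake_proc(base):
    """Construct a miniature procfs tree for an offline demo (constructed data)."""
    base = Path(base)
    for pid, comm, inodes in [(1200, "nginx", [48211, 48212]), (877, "sshd", [31977])]:
        fd_dir = base / str(pid) / "fd"
        fd_dir.mkdir(parents=True)
        (base / str(pid) / "comm").write_text(comm + "\n")
        for n, inode in enumerate(inodes):
            os.symlink(f"socket:[{inode}]", fd_dir / str(n + 3))
        os.symlink("/dev/null", fd_dir / "0")   # a non-socket fd that must be ignored
    (base / "self").mkdir()                     # non-numeric entry that must be skipped
    return base


def demo():
    """Run the mapper over the constructed tree and return it sorted by inode."""
    with tempfile.TemporaryDirectory() as tmp:
        mapping = map_socket_inodes(build_fake_proc(tmp))
        return {inode: mapping[inode] for inode in sorted(mapping)}


if __name__ == "__main__":
    for inode, (pid, comm) in demo().items():
        print(f"inode {inode} -> pid {pid} ({comm})")
```

On a real host call map_socket_inodes() once per poll and look each /proc/net/tcp inode up in the result; an inode that is missing from the map usually means the owning process belongs to another user and the agent is not running as root.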

Geographic Intelligence

Automatic GeoIP lookup determines city, country, and ISP for all remote IP addresses. Includes reverse DNS resolution; note that PTR records are set by whoever controls the remote address space, so treat them as untrusted labels rather than as identity.

Threat Detection Engine

Detects SYN floods, port scanning attempts, and connection exhaustion attacks in real time based on configurable thresholds.

Installation

bash

# Clone the repository
git clone https://github.com/dinexh/Monarx-Sentinel.git
cd Monarx-Sentinel

# Install the package and its dependencies (editable install).
# The install itself does not need root; running the monitor does, for some features.
pip install -e .

# Run the monitor
monarx-sentinel --monitor

Command Line Interface

Monarx Sentinel is controlled entirely via the CLI. Below are the primary commands available.

--monitor / -m

Quick system snapshot. Shows connection stats, top processes, and threat summary.

--watch / -w

Launches the interactive live dashboard. Auto-refreshes every 3 seconds.

--scan

Runs a security analysis. Use --deep for comprehensive port and config checks.

--alerts / -a

Lists recent security alerts (SYN floods, port scans) with timestamps.

--status / -s

One-line output for health checks. Returns SECURE or ALERT status.

Security & Threat Detection

The engine automatically detects the following attack vectors, using these default thresholds (all configurable):

  • SYN Flood: 50+ half-open connections (SYN_RECV) from a single IP.
  • Port Scanning: Probing 5+ different ports within a 10-second window.
  • High Connection Count: 30+ established connections from a single IP (potential botnet node or connection-exhaustion attempt). A NAT gateway, reverse proxy or load balancer in front of the server will also trip this rule, so raise the threshold for known sources.
  • Suspicious Ports: outbound connections to known backdoor ports (4444, 5555, etc.).
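The socket table the monitor polls (see Real-Time Network Monitoring above) and the four rules above, as an added example that is not the project's code: parse_proc_net_tcp decodes /proc/net/tcp rows (rows from /proc/net/tcp6 decode the same way, four little-endian words per address), and ThreatEngine applies the documented defaults. The port-scan rule keeps a sliding window across polls because a single 1-second snapshot carries no timing information. Class and function names, the sample addresses and the three-poll sequence are constructed for the demo; the backdoor port list holds only the two ports the page names.

```python
import socket
import sys
from collections import defaultdict

# Added example, not Monarx Sentinel's own code: a /proc/net/tcp parser plus the
# four documented rules with their default thresholds (all of them parameters).
TCP_STATES = {"01": "ESTABLISHED", "02": "SYN_SENT", "03": "SYN_RECV", "04": "FIN_WAIT1",
              "05": "FIN_WAIT2", "06": "TIME_WAIT", "07": "CLOSE", "08": "CLOSE_WAIT",
              "09": "LAST_ACK", "0A": "LISTEN", "0B": "CLOSING", "0C": "NEW_SYN_RECV"}
# The kernel prints each 32-bit address word in host byte order; the port is in network order.
LITTLE_ENDIAN = sys.byteorder == "little"


def decode_addr(field):
    """'0100007F:0050' -> ('127.0.0.1', 80); a 16-byte address is an IPv6 row from tcp6."""
    host, port = field.split(":")
    raw = bytes.fromhex(host)
    words = [raw[i:i + 4][::-1] if LITTLE_ENDIAN else raw[i:i + 4] for i in range(0, len(raw), 4)]
    family = socket.AF_INET if len(raw) == 4 else socket.AF_INET6
    return socket.inet_ntop(family, b"".join(words)), int(port, 16)


def parse_proc_net_tcp(text):
    """Return one dict per socket row: local/remote (ip, port), state name, uid, inode."""
    rows = []
    for line in text.splitlines()[1:]:          # line 0 is the column header
        f = line.split()
        if len(f) < 10:
            continue
        rows.append({"local": decode_addr(f[1]), "remote": decode_addr(f[2]),
                     "state": TCP_STATES.get(f[3], f[3]), "uid": int(f[7]), "inode": int(f[9])})
    return rows


class ThreatEngine:
    """SYN-flood, connection-count and backdoor-port rules run per snapshot; the
    port-scan rule keeps a sliding window of (time, local port) per remote IP."""

    def __init__(self, syn_flood=50, scan_ports=5, scan_window=10.0, conn_limit=30,
                 backdoor_ports=(4444, 5555)):
        self.syn_flood, self.scan_ports, self.scan_window = syn_flood, scan_ports, scan_window
        self.conn_limit, self.backdoor_ports = conn_limit, set(backdoor_ports)
        self.seen = defaultdict(list)           # remote ip -> [(timestamp, local port), ...]

    def analyse(self, rows, now):
        alerts, syn, est = [], defaultdict(int), defaultdict(int)
        for r in rows:
            rip, rport = r["remote"]
            if r["state"] == "LISTEN":
                continue                        # no peer yet, nothing to attribute
            if r["state"] == "SYN_RECV":
                syn[rip] += 1
            elif r["state"] == "ESTABLISHED":
                est[rip] += 1
            if r["state"] in ("SYN_SENT", "ESTABLISHED") and rport in self.backdoor_ports:
                alerts.append(("SUSPICIOUS_PORT", rip, rport))   # outbound: remote port matches
            self.seen[rip].append((now, r["local"][1]))
        for ip, n in syn.items():
            if n >= self.syn_flood:
                alerts.append(("SYN_FLOOD", ip, n))
        for ip, n in est.items():
            if n >= self.conn_limit:
                alerts.append(("HIGH_CONN_COUNT", ip, n))
        for ip, hist in self.seen.items():
            hist[:] = [(t, p) for t, p in hist if now - t <= self.scan_window]   # expire old probes
            ports = {p for _, p in hist}
            if len(ports) >= self.scan_ports:
                alerts.append(("PORT_SCAN", ip, len(ports)))
        return alerts


# --- constructed sample data, not captured from a real host ---------------------
def encode_addr(ip, port):
    raw = socket.inet_pton(socket.AF_INET, ip)
    return f"{(raw[::-1] if LITTLE_ENDIAN else raw).hex().upper()}:{port:04X}"


def make_row(sl, local, remote, code, inode):
    return (f"{sl:4d}: {encode_addr(*local)} {encode_addr(*remote)} {code} 00000000:00000000 "
            f"00:00000000 00000000     0        0 {inode} 1 0000000000000000 100 0 0 10 0")


def snapshot(t, probes):
    """Fake /proc/net/tcp text: one listener, a SYN flood from 203.0.113.9, a chatty
    peer 198.51.100.7, one outbound connection to port 4444, plus scan probes (local
    ports touched by 203.0.113.77 in this poll, already in TIME_WAIT)."""
    socks = [(("0.0.0.0", 80), ("0.0.0.0", 0), "0A")]
    socks += [(("10.0.0.5", 80), ("203.0.113.9", 40000 + i), "03") for i in range(52)]
    socks += [(("10.0.0.5", 443), ("198.51.100.7", 50000 + i), "01") for i in range(35)]
    socks += [(("10.0.0.5", 51234), ("192.0.2.44", 4444), "01")]
    socks += [(("10.0.0.5", p), ("203.0.113.77", 61000 + p), "06") for p in probes]
    header = "  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode"
    return "\n".join([header] + [make_row(i, l, r, c, 90000 + i) for i, (l, r, c) in enumerate(socks)])


def demo():
    """Feed three polls (t = 0, 4, 8 s) to one engine; the scan rule fires only on the third."""
    engine = ThreatEngine()
    return [sorted(engine.analyse(parse_proc_net_tcp(snapshot(t, probes)), t))
            for t, probes in [(0, [22, 80]), (4, [443, 8080]), (8, [3306])]]


if __name__ == "__main__":
    for poll in demo():
        print(poll)
```

The scanner touches two ports per poll, so after the second poll it has hit only four distinct ports and stays under the threshold; the fifth port at t = 8 s still falls inside the 10-second window of the first probes and raises PORT_SCAN. On a live host replace snapshot() with open("/proc/net/tcp").read() and call analyse() once per polling interval.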