explaingit

pasanrs/sentry-hardening

Analysis updated 2026-05-18

0ShellAudience · ops devopsComplexity · 3/5LicenseSetup · easy

TLDR

A shell script suite that hardens Debian-based Linux systems against common attacks and runs a real-time watchdog that alerts on suspicious changes.

Mindmap

mindmap
  root((Sentry))
    Hardening
      Bluetooth Blacklist
      Discovery Protocols Off
      USB Auto-mount Off
      Firewall Rules
    Watchdog
      Process Monitoring
      Port Monitoring
      Binary Integrity
    Notifications
      Terminal Alerts
      Desktop Popups
      Log File
    Persistence
      Systemd Services
      Cron Re-check

Code map

Detail Auto

An interactive map of this repo's files and how they connect — its source is parsed live in your browser. Click Visualize to build it.

filefunction / class

What do people build with it?

USE CASE 1

Lock down a fresh Debian or Ubuntu install against Bluetooth, USB, and network discovery attack vectors in one command.

USE CASE 2

Run a background watchdog that alerts you the moment a hardened service is tampered with or a new port opens.

USE CASE 3

Re-apply hardening automatically after system updates using a single status-check command.

USE CASE 4

Get desktop or terminal alerts when a new unknown USB device is plugged into a protected machine.

What is it built with?

ShellsystemdUFWiptables

How does it compare?

pasanrs/sentry-hardening123satyajeet123/bitnet-serveralexbloch-ia/legal-data
Stars000
LanguageShellShellShell
Setup difficultyeasyeasymoderate
Complexity3/52/52/5
Audienceops devopsdevelopergeneral

Figures from each repo's GitHub metadata at analysis time.

How do you get it running?

Difficulty · easy Time to first run · 5min

Requires sudo and a Debian-based, systemd-managed Linux distribution.

MIT license: use, modify, and distribute freely, including commercially, as long as you keep the copyright notice.

In plain English

Sentry is a security hardening and real-time monitoring suite for Debian-based Linux systems, packaged as a shell script. It does two jobs: locking down your system's attack surface, and then continuously watching for changes or suspicious activity. The hardening phase disables services and protocols that attackers commonly probe. Bluetooth is fully blacklisted at the kernel level. Network discovery services such as mDNS, Avahi, Samba broadcasting, and printer discovery are shut down. USB auto-mount is disabled to protect against BadUSB attacks, which are malicious USB devices that pretend to be keyboards. WiFi is configured for MAC address randomization and power-save stealth mode. A firewall using UFW and iptables blocks discovery protocols, and kernel security parameters are applied including SYN cookies and source routing disabled. The watchdog runs as a persistent background service and alerts you if anything changes: processes running from temporary directories, hardened services trying to restart, new ports appearing on the network, blacklisted kernel modules being loaded, firewall rules being altered, critical system binaries being modified, new outbound network connections, or new USB devices being inserted. Alerts appear as colored terminal output, broadcast messages to all logged-in users, desktop popups if a graphical interface is available, and entries in a dedicated log file. Hardening rules are reapplied every 15 minutes via a cron job and restored on every boot via systemd services. Tested on Debian 12, Ubuntu 24.04 LTS, Kali Linux, Parrot Security, and Linux Mint 22. The tech stack is Shell scripting, systemd, UFW, and iptables. The license is MIT.

Copy-paste prompts

Prompt 1
Walk me through installing Sentry and running 'sudo ./sentry.sh install' to harden a fresh Debian 12 server.
Prompt 2
Explain what BadUSB protection means and how disabling USB auto-mount defends against it.
Prompt 3
Show me how Sentry's watchdog detects firewall tampering and automatically reapplies iptables rules.
Prompt 4
Help me write a systemd timer similar to Sentry's 15-minute cron re-check for re-applying security rules.

Frequently asked questions

What is sentry-hardening?

A shell script suite that hardens Debian-based Linux systems against common attacks and runs a real-time watchdog that alerts on suspicious changes.

What language is sentry-hardening written in?

Mainly Shell. The stack also includes Shell, systemd, UFW.

What license does sentry-hardening use?

MIT license: use, modify, and distribute freely, including commercially, as long as you keep the copyright notice.

How hard is sentry-hardening to set up?

Setup difficulty is rated easy, with roughly 5min to a first successful run.

Who is sentry-hardening for?

Mainly ops devops.

Open on GitHub → Explain another repo

This repo across BitVibe Labs

Verify against the repo before relying on details.