oneKn8/nutcracker

GitHub: oneKn8/nutcracker

Stars: 0 | Forks: 0

# Nutcracker

A personal, self-hosted host-defense agent for Linux. It gives you x-ray vision into everything leaving your machine, judges each destination against threat intelligence, and blocks what is hostile — driven through natural-language tools.

Most people cannot see what their own computer is sending out, or tell a real site from a scam before handing over a card number. Nutcracker is built to answer three questions in plain language: **What is leaving my machine? Am I being spied on? If something attacks, can it be stopped?**

It is open source on purpose. Commercial privacy tools are black boxes you pay and trust. Nutcracker is meant to be read, audited, and run entirely on your own hardware — nothing leaves your machine except the lookups you can see in the code.

## Two pillars

- **WATCH** — see every outbound connection (which process, where to, how much), judge it (threat-intel match, malware/phishing checks, newly-registered-domain and beacon detection), auto-block high-confidence threats, and alert on the rest. *(v1, in progress.)*
- **VANISH** — reduce how trackable you are: encrypted DNS, tracker blocking, anti-fingerprinting guidance, masked email/phone. *(planned.)*

## How it works

Nutcracker rides on top of [OpenSnitch](https://github.com/evilsocket/opensnitch), the Linux application firewall. The pipeline:

```
OpenSnitch (sensor + enforcer)
  -> read the connection log
  -> enrich (threat intel, ASN/geo, domain age, URL reputation)
  -> classify (known-bad | suspicious | benign)
  -> enforce (auto-block known-bad, alert on suspicious)
  -> persist (local history + block ledger)
  -> answer questions through MCP tools
```

### Posture (the decision policy)

- **known-bad** (auto-block): threat-intel blocklist hit, Safe Browsing malware/phishing, or malware hostlist hit.
- **suspicious** (alert, you decide): first-seen destination, new country for a process, unusual port, beacon-like periodicity, newly-registered domain, or a hosting/ad-tech ASN from a non-browser process.
- **benign**: everything else, plus destinations you have explicitly allowed.

## Design notes

- **You own your data.** State lives locally (default `~/.nutcracker/`). There is no Nutcracker cloud.
- **No secrets in the loop.** It does not need passwords or government IDs. Password/breach checks (when added) use k-anonymity so secrets never leave the machine.
- **Honest about limits.** Encrypted (TLS) traffic reveals destinations and volume, not contents. It raises an attacker's cost and catches the realistic majority of trackers, malware, and scams — it is not a guarantee against a targeted adversary.

## Requirements

- Linux with [OpenSnitch](https://github.com/evilsocket/opensnitch) installed and running, its connection log set to file mode. On very recent kernels where the eBPF process-monitor module fails to load, set `ProcMonitorMethod: proc`.
- Node.js >= 22.
- A narrow `sudoers` entry for the bundled helper (writes rule files, terminates processes) — least privilege, no blanket root.

## Develop

```sh
npm install
npm test           # unit tests (vitest)
npm run typecheck
npm run build
```

## License

[Apache-2.0](./LICENSE) (c) 2026 Shifat Islam Santo. See [NOTICE](./NOTICE).
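The decision policy from "Posture (the decision policy)", written out as an added JavaScript example; this is not Nutcracker's own code. The `classify` and `isBeaconLike` names, the field names on `conn` and `state`, the port and browser lists, and the 30-day domain-age threshold are assumptions made for the example.

```javascript
// Added example, not Nutcracker's own code: a toy implementation of the posture
// policy above. Field names on `conn`/`state` and the thresholds are assumptions.
const BROWSERS = new Set(['firefox', 'chromium', 'google-chrome', 'brave']);
const COMMON_PORTS = new Set([53, 80, 443, 853]);
const NEW_DOMAIN_DAYS = 30; // assumed cut-off for "newly-registered domain"

// Beacon check: connection times (seconds) spaced at a near-constant interval.
function isBeaconLike(ts, minSamples = 4, jitter = 0.1) {
  if (ts.length < minSamples) return false;
  const gaps = ts.slice(1).map((t, i) => t - ts[i]);
  const mean = gaps.reduce((a, b) => a + b, 0) / gaps.length;
  return mean > 0 && gaps.every((g) => Math.abs(g - mean) / mean <= jitter);
}

// state: { allowed: Set<host>, seen: Set<host>, countries: Map<process, Set<cc>> }
function classify(conn, state) {
  if (state.allowed.has(conn.host)) {
    return { verdict: 'benign', action: 'allow', reasons: ['explicitly allowed'] };
  }
  const bad = []; // known-bad: any hit on the curated sources -> auto-block
  if (conn.intel.blocklistHit) bad.push('threat-intel blocklist hit');
  if (conn.intel.safeBrowsing) bad.push(`Safe Browsing: ${conn.intel.safeBrowsing}`);
  if (conn.intel.malwareHostlist) bad.push('malware hostlist hit');
  if (bad.length) return { verdict: 'known-bad', action: 'block', reasons: bad };

  const sus = []; // suspicious: heuristics that alert but leave the decision to you
  if (!state.seen.has(conn.host)) sus.push('first-seen destination');
  const known = state.countries.get(conn.process);
  if (known && !known.has(conn.country)) sus.push(`new country ${conn.country} for ${conn.process}`);
  if (!COMMON_PORTS.has(conn.port)) sus.push(`unusual port ${conn.port}`);
  if (isBeaconLike(conn.timestamps)) sus.push('beacon-like periodicity');
  if (conn.domainAgeDays < NEW_DOMAIN_DAYS) sus.push('newly-registered domain');
  if (conn.asnType === 'hosting' && !BROWSERS.has(conn.process)) {
    sus.push(`hosting ASN from non-browser process ${conn.process}`);
  }
  if (sus.length) return { verdict: 'suspicious', action: 'alert', reasons: sus };
  return { verdict: 'benign', action: 'allow', reasons: [] };
}

// Constructed sample state and connection, for demonstration only.
const STATE = {
  allowed: new Set(['updates.example.org']),
  seen: new Set(['updates.example.org', 'cdn.example.net']),
  countries: new Map([['curl', new Set(['US'])]]),
};
const SAMPLE = {
  host: 'a1b2c3.example.com', process: 'curl', port: 8443, country: 'RU',
  asnType: 'hosting', domainAgeDays: 3, timestamps: [0, 60, 121, 180, 241], intel: {},
};
console.log(classify(SAMPLE, STATE)); // -> verdict 'suspicious' with six reasons
```

Only the curated-source hits block automatically; every heuristic in the suspicious branch produces an alert with its reasons attached so the user can see why and decide.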