MCP to provide secure IT tools for AI network troubleshooting (remote ssh, ping, nslookup, etc)
Configuration
{
  "mcpServers": {
    "andrewhopper-itmcp": {
      "command": "python",
      "args": [
        "-m",
        "itmcp.server"
      ],
      "env": {
        "USE_DOCKER": "true",
        "ALLOWED_HOSTS": "localhost,127.0.0.1,yahoo.com,firewall.local",
        "SSH_KEYS_PATH": "/app/secrets/keys",
        "DOCKER_CONTAINER": "itmcp_container",
        "ALLOWED_DIRECTORIES": "/tmp,/var/log",
        "SSH_CREDENTIALS_PATH": "/app/secrets/ssh_credentials.json",
        "ALLOWED_REMOTE_COMMANDS": "ls,cat,grep"
      }
    }
  }
}

ITMCP provides a secure MCP server that lets AI assistants run network diagnostic and administrative tools inside a Docker sandbox. It enforces strict security through host, directory, and command whitelists while exposing the tools you need to manage networks and systems via MCP.
You connect to the ITMCP server from your MCP client and invoke the available network tools through standardized MCP calls. Start a managed session, then request tools like ping, ssh, or dig to perform diagnostics or administrative tasks inside a sandboxed environment. Use the whitelists to ensure only approved targets, directories, and commands are accessible, and rely on audit logs and session controls to track activity.
Before installing ITMCP you need Python 3.10 or higher and Docker for containerized execution. You also need the MCP library version 1.0.0 or higher.
Step 1: Prepare your environment by ensuring Docker is running and Python is available.
Step 2: Install the ITMCP package in editable mode so you can run the MCP server directly from source.
Step 3: Build and run the Docker sandbox if you are using Docker isolation.
ITMCP uses a YAML-based configuration system and environment variables to control behavior. Two example MCP client configurations are provided to run the server from a local Python process. These configurations show how to enable Docker isolation and to specify security whitelists.
Security is enforced with three whitelists plus session management and audit logging. You configure which hosts, directories, and remote commands are allowed, and you can audit all actions to ensure traceability and tamper-evidence.
Environment variables commonly used include USE_DOCKER, DOCKER_CONTAINER, ALLOWED_HOSTS, ALLOWED_DIRECTORIES, and ALLOWED_REMOTE_COMMANDS. These control how ITMCP runs and what it can access.
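One way to check requests against the three whitelists described above, as an added example that is not ITMCP's own code. The function names are hypothetical and the values are copied from the configuration on this page; the checks shown are exact host matching, path normalisation before the directory test, and rejection of shell metacharacters before the command test.

```python
import posixpath
import shlex

# Constructed sample: the whitelist values from the configuration on this page.
ENV = {
    "ALLOWED_HOSTS": "localhost,127.0.0.1,yahoo.com,firewall.local",
    "ALLOWED_DIRECTORIES": "/tmp,/var/log",
    "ALLOWED_REMOTE_COMMANDS": "ls,cat,grep",
}
# Characters that let one "allowed" command carry a second one in a shell.
SHELL_META = set(";|&`$<>(){}\n\\")

def _csv(name, env=ENV):
    """Split a comma-separated whitelist variable, dropping empty entries."""
    return [v.strip() for v in env.get(name, "").split(",") if v.strip()]

def host_allowed(host, env=ENV):
    """Exact, case-insensitive match only: no suffix or substring matching."""
    h = host.strip().rstrip(".").lower()
    return h in {a.lower() for a in _csv("ALLOWED_HOSTS", env)}

def path_allowed(path, env=ENV):
    """Normalise first so /tmp/../etc/passwd is judged as /etc/passwd.
    This is a lexical check; it does not resolve symlinks."""
    if not path.startswith("/"):
        return False
    p = posixpath.normpath(path)
    for d in _csv("ALLOWED_DIRECTORIES", env):
        d = posixpath.normpath(d)
        # Compare on a directory boundary so /tmpfoo does not match /tmp.
        if p == d or p.startswith(d + "/"):
            return True
    return False

def command_allowed(cmdline, env=ENV):
    """Reject shell metacharacters outright, then check the first token."""
    if any(c in SHELL_META for c in cmdline):
        return False
    try:
        argv = shlex.split(cmdline)
    except ValueError:  # unbalanced quotes
        return False
    return bool(argv) and argv[0] in set(_csv("ALLOWED_REMOTE_COMMANDS", env))

def ssh_request_allowed(host, cmdline, env=ENV):
    """Hypothetical combined gate: both the target and the command must pass."""
    return host_allowed(host, env) and command_allowed(cmdline, env)
```

All three checks fail closed: an unset or empty whitelist variable allows nothing.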
Two sample configurations show how to connect ITMCP to your MCP client. The first runs ITMCP in a Docker-enabled local server, while the second expands the security scope with additional whitelists.
{
  "servers": [
    {
      "name": "itmcp",
      "command": ["python", "-m", "itmcp.server"],
      "environment": {
        "USE_DOCKER": "true",
        "DOCKER_CONTAINER": "itmcp_container",
        "ALLOWED_HOSTS": "localhost,127.0.0.1,yahoo.com,firewall.local"
      }
    }
  ]
}

If you encounter issues, check session management and audit logs for anomalies, verify that the Docker sandbox is active and isolated, and ensure your client-provided whitelists match your intended usage. Regularly update the ITMCP components and dependencies to benefit from security patches.
Connect to a target via SSH and run commands inside the sandbox
Send ICMP echo requests to verify connectivity to a host
Perform DNS lookups for a hostname or IP address
Test TCP connectivity to a host and port via Telnet-like interface
Perform DNS lookups using the dig command
Capture network packets for a short, controlled duration
List running processes inside the sandbox
Display contents of a file securely
Show a snapshot of system processes
Search for patterns in files within allowed directories
Display the beginning of a file
Display the end of a file