netops-mcp
Click on "Install Server".
Wait a few minutes for the server to deploy. Once ready, it will show a "Started" state.
In the chat, type
@followed by the MCP server name and your instructions, e.g., "@netops-mcpping google.com"
That's it! The server will respond to your query, and you can continue using it as needed.
Here is a step-by-step guide with screenshots.
NetOps MCP
A Model Context Protocol server that exposes
26 network and system diagnostic tools — ping, traceroute, mtr, nmap,
DNS queries, HTTP requests, and system monitoring — to MCP clients such as
Claude Desktop, Claude Code, and Cursor. Each tool is a thin, input-validated
wrapper around a standard OS utility. Two transports are supported: stdio
(the client launches the server as a subprocess) and HTTP (a long-running
server with auth, rate limiting, and metrics).
Features
Connectivity —
ping,traceroute,mtr,telnet,netcatDNS —
nslookup,dig,hostHTTP / API —
curl,httpie,api_testDiscovery & scanning —
nmap_scan,service_discovery,port_scan,service_enumerationNetwork state —
ss,netstat,arp,arpingSystem monitoring — status, CPU, memory, disk, process list, tool availability
Related MCP server: Keel
Requirements
Python >= 3.10 and uv (recommended)
Linux or macOS — the network tools are OS-specific; Windows is not supported
System tools on
PATH(availability is checked at startup):curl,ping,traceroute,mtr,telnet,nc,nmap,ss,netstat,arp,arping,nslookup,dig,host.httpieis optional.
Installation
git clone https://github.com/alpadalar/netops-mcp.git
cd netops-mcp
# Using uv (recommended)
uv venv
source .venv/bin/activate
uv pip install -e .# pip
python -m venv .venv && source .venv/bin/activate
pip install -e .
# Docker (HTTP mode) — see Authentication before first run
docker compose up -dQuick Start
stdio (no auth)
uv run netops-mcp # or: python -m netops_mcp.serverPoint an MCP client at this command (see below).
HTTP
HTTP mode requires an API key by default and refuses to start without one — see Authentication. Once a key is configured:
# Pass the config that holds your API key — without it the server loads
# built-in defaults (require_auth: true, no keys) and fails fast.
python -m netops_mcp.server_http --config config/config.json --host 0.0.0.0 --port 8815
# or: NETOPS_MCP_CONFIG=config/config.json python -m netops_mcp.server_http
# or: ./start_http_server.sh (defaults to config/config.json)
curl http://localhost:8815/health # health check (no key required)Authentication
Breaking change (0.1.0): HTTP mode now requires an API key by default (
security.require_authdefaults totrue). stdio mode is unaffected (local transport, no auth).
On a fresh checkout the HTTP server fails fast before binding the port when no key is configured, printing copy-paste setup instructions plus a freshly generated example key (never activated automatically).
1. Generate a key. The plain key is printed once (never stored);
--config writes only its sha256: digest and enables require_auth:
python scripts/generate_api_key.py # print a plain key
python scripts/generate_api_key.py -n 2 --config config/config.json # write digestsFlags: -n/--count, -l/--length (default 32), --hash, --json,
--config PATH. To hash an existing key:
python -c "import hashlib;print('sha256:'+hashlib.sha256(b'YOUR-KEY').hexdigest())".
2. Configure. Only sha256:<64-hex> digests are accepted — plain keys are
rejected at config load time:
{ "security": { "require_auth": true, "api_keys": ["sha256:<hex-digest-of-your-key>"] } }3. Authenticate. Clients send the plain key (the server stores and compares only the digest, in constant time). Any of three headers works:
curl -H "Authorization: Bearer YOUR-KEY" http://localhost:8815/netops-mcp
curl -H "X-API-Key: YOUR-KEY" http://localhost:8815/netops-mcp
curl -H "API-Key: YOUR-KEY" http://localhost:8815/netops-mcpA keyless request returns 401; an invalid key returns 403. /health is
always public; /metrics requires the key while auth is enabled (it is only
public when require_auth: false).
Opt out (only on trusted, isolated networks):
{ "security": { "require_auth": false } }Host/port/path resolve as CLI flags > config server section > built-in
defaults (0.0.0.0 / 8815 / /netops-mcp). --config falls back to
$NETOPS_MCP_CONFIG when omitted.
Configuration
Configuration is loaded from a JSON file (config/config.json by default, or
$NETOPS_MCP_CONFIG) and validated by Pydantic models. Copy the fully
documented config/config.example.json to get
started. Only five environment variables are read; everything else lives in the
JSON file.
Env var | Effect |
| Forwarded by |
| Path to the JSON config file (used when |
| Line-buffered stdout for container logs |
Most-used config keys (the full model-derived table is regenerable with
python scripts/gen_config_table.py):
Key | Default | Effect |
|
| Require an API key for HTTP mode; fails fast at startup without one |
|
| Accepted keys as |
|
| Enable privileged nmap scans ( |
|
| Sliding-window rate limit per client (requests / seconds) |
|
| Enable CORS (wildcard origin + credentials is rejected at load) |
|
| Upper bound for scan timeouts (seconds) |
|
| HTTP bind address, port, and MCP endpoint path |
MCP Client Configuration
stdio (Claude Desktop / Cursor)
Add to claude_desktop_config.json (Claude Desktop) or .cursor/mcp.json
(Cursor):
{
"mcpServers": {
"netops-mcp": {
"command": "uv",
"args": ["run", "netops-mcp"],
"cwd": "/absolute/path/to/netops-mcp"
}
}
}Claude Code adds the same server with one command:
claude mcp add netops-mcp -- uv run netops-mcpHTTP + API key
Point a client at a running HTTP server, sending the plain key as a header
(.mcp.json / .cursor/mcp.json):
{
"mcpServers": {
"netops-mcp": {
"type": "http",
"url": "http://localhost:8815/netops-mcp",
"headers": { "X-API-Key": "YOUR-KEY" }
}
}
}Claude Code can add the same in one command:
claude mcp add --transport http netops-mcp http://localhost:8815/netops-mcp --header "X-API-Key: YOUR-KEY".
Security
Inputs are validated to prevent command injection, and HTTP/scan targets are
resolved then classified so requests to loopback, link-local, and cloud
metadata addresses are blocked by default (private/LAN ranges are allowed).
Privileged nmap scans are gated behind config. In production, run HTTP mode
behind a reverse proxy (nginx, Caddy) for TLS — never expose the plain HTTP port
to the internet. The Docker image runs as a non-root user with only NET_ADMIN
NET_RAWcapabilities and 2 CPU / 1 GB limits (docker-compose.yml).
Responsible use. The scanning tools (
nmap_scan,port_scan,service_enumeration) and other active probes may be illegal without authorization. Only scan hosts and networks you own or have explicit permission to test. You are solely responsible for your use of these tools.
See SECURITY.md for the full threat model and the vulnerability disclosure process.
Contributing
Contributions are welcome — see CONTRIBUTING.md for dev setup, the test mocking strategy, and PR guidelines. By participating you agree to the Code of Conduct.
License
MIT — see LICENSE.
Hosted deployment
A hosted deployment is available on Fronteir AI.
This server cannot be installed
Maintenance
Resources
Unclaimed servers have limited discoverability.
Looking for Admin?
If you are the server author, to access and configure the admin panel.
Latest Blog Posts
- Your AI Chatbot Just Exposed Your CEO's Salary to an InternBy Om-Shree-0709 on .Agent IdentityMCP SecurityOAuth Delegation
- Why MCP Servers Need Execution Sandboxing (And Why Your Current Stack Isn't Enough)By Om-Shree-0709 on .Agentic AiPrompt InjectionWebAssembly
MCP directory API
We provide all the information about MCP servers via our MCP API.
curl -X GET 'https://glama.ai/api/mcp/v1/servers/alpadalar/netops-mcp'
If you have feedback or need assistance with the MCP directory API, please join our Discord server