Convergence Radar

← Feed

C

PortWatch β€” Instant Alert When Your Self-Hosted DB Goes Public

53/100

A one-line-install agent that continuously diffs your server's internet-reachable ports against a baseline and alerts the second a database or admin port gets exposed β€” like the Debian 12.15 MariaDB regression that silently opened :::3306.

Interesting but not urgent. Β· created 2026-07-13 12:42 UTC

saasapiagentfast cashindustrialrevisit later

Scorecard

newness 6/10
convergence 5/10
demand evidence 4/10
existing spend 4/10
solo feasibility 9/10
speed to mvp 9/10
speed to revenue 7/10
distribution 6/10
competitive gap 5/10
expansion 5/10
founder fit 6/10

Penalty flags
no urgent pain tiny claims (βˆ’7 from raw 60)

Opportunity brief

What changed
FACT (HN item 48881512): a Debian 12.15 update reportedly migrated MariaDB to systemd socket activation, causing it to listen on all interfaces (:::3306) instead of the admin's configured 127.0.0.1 bind-address, silently exposing the DB. HYPOTHESIS: this pattern (a distro/package update overriding a hardening setting on reboot) recurs across packages and distros.
Why now
A widely-read HN thread just made 'did my last apt upgrade quietly expose my database?' a fresh, felt fear for the self-hosting crowd. The concurrent GhostLock disclosure (broadly-present Linux vuln) amplifies general security anxiety in the same audience this week. Timing gives a warm launch window measured in days, but the fear may fade (see kill args).
Converging signals
FACT: two signals β€” (1) the MariaDB silent-exposure PAIN thread, (2) GhostLock, a disclosed long-lived Linux vuln. INFERENCE: they converge on one buyer state β€” a solo operator on a VPS suddenly unsure what is reachable from the internet and lacking any change-detection alarm.
Customer pain
FACT (single PAIN thread, high similarity 0.75): an admin discovered post-upgrade that MariaDB was no longer on localhost. INFERENCE: the acute pain is not the scan (nmap/ss exist) but the ABSENCE of a continuous alarm that fires when a risky default silently changes. This is one strong anecdote, not a validated volume of paying demand β€” I am not inflating it.
Who pays
Solo devs, indie SaaS operators, small agencies running their own VPS without a security team. Discretionary buyers, pay by card, no procurement cycle. This is a quick-win/discretionary shape, NOT a forced-buyer mandate β€” scored on that rubric.
Solved today
Cloud security groups / provider firewalls (AWS SG, Hetzner/DO firewall), ufw/iptables, manual `ss -tlnp`/nmap checks, Shodan monitoring, and generic uptime/security monitors (UptimeRobot, Netdata, CrowdSec, Wazuh). Most self-hosters rely on 'I set the firewall once.'
Why current solutions are bad
A host firewall or cloud SG that is misconfigured, absent, or bypassed by a service binding to 0.0.0.0 gives no alert when state changes; many cheap VPS have no cloud SG at all. Manual checks are point-in-time. Heavyweight tools (Wazuh/CrowdSec) are overkill and hard to install for the '$12/mo, one-line install' buyer.
Proposed product
External scanner + optional lightweight agent. External scanner probes the server's public IP on a port list, establishes an expected baseline, and diffs on a schedule; the agent (one-line install) reports actual listening sockets so you catch a service bound to 0.0.0.0 even if a firewall currently masks it. Instant email/Slack/Discord/webhook alert when a DB/admin port (3306, 5432, 6379, 27017, 9200, 3389, etc.) becomes externally reachable or a new unexpected port opens. Weekly 'your exposure surface' digest.
MVP version
External-only scanner first (no agent): user adds an IP/host, product fingerprints open ports, user confirms baseline, cron re-scans every 5–15 min and alerts on new exposure of a risky port. Serverless scan worker + tiny Postgres/SQLite baseline + email/Slack out. Buildable in ~1–2 weeks solo on cheap infra.
30-day build
Ship external scanner MVP with first-server-free tier and $12/mo/server paid. Launch straight into the HN thread's audience: Show HN, r/selfhosted, r/homelab, r/devops, lobste.rs, plus a blog post 'Would you have known your DB was exposed? (the Debian 12.15 MariaDB bug)'. Instrument signups and free→paid.
60-day build
Add the one-line agent for internal listening-socket detection (catches 0.0.0.0 binds behind a firewall) and drift alerts (a hardened bind reverted after upgrade). Add Discord/webhook/PagerDuty outs and per-service baselines. Begin content SEO on 'monitor exposed database port' / 'alert when port opens'.
90-day revenue plan
Target a few hundred paid servers. At $12/mo/server, 200 paid servers β‰ˆ $2.4k MRR; agencies with 10+ servers are the margin drivers. Add a team/agency tier ($/server bulk) and a 'compliance snapshot' PDF export as an upsell. Revenue realistically starts within 30–60 days given card-paying discretionary buyers.
Distribution path
Launch on the exact communities feeling the pain (HN, r/selfhosted, r/homelab, r/devops, lobste.rs), SEO content on exposure/port-drift, and a free public 'scan my IP' tool as a lead magnet that converts to continuous monitoring. Demonstrated-value selling, which fits the founder.
Pricing hypothesis
$12/mo per server, first server free. Agency/bulk tier for 10+ servers. Free one-off public scan as top-of-funnel. Low ACV but high volume and fat software margin.
Technical difficulty
Low. Port scanning, fingerprinting, baseline diff, and alert fan-out are well-trodden. Main care items: scan politely (rate/consent, avoid being flagged as abuse), handle dynamic IPs, agent packaging/signing, avoid false positives on CDN/proxy IPs.
Legal / regulatory risk
Moderate-but-manageable: only scan IPs/hosts the user proves they control (verification token or agent handshake) to avoid unauthorized-scanning/CFAA-style exposure and cloud-provider abuse complaints. No licensure needed. pii_risk low β€” no claimant PII, just infra metadata.
Platform dependency
Low. Not submitting to any platform that can deplatform it. Some dependency on cloud egress for scanning and on email/Slack deliverability. Agent distribution via own install script, not an app store.
Founder fit
Good but not the founder's highest-fit shape. Strong on systems thinking, automation, fast AI-assisted prototyping, and demonstrated-value selling β€” all match. But it is NOT a public-money/forced-filer/government-portal play (his proven, maximal-fit edge). It's a discretionary micro-SaaS: solid, sellable, not the primary thesis.
Breakout potential
Moderate. Could expand from 'DB exposure' to a full lightweight 'config/exposure drift monitor for self-hosters' (open ports, expired TLS, default creds, world-readable admin panels, package-update regressions). Ceiling capped by low ACV and a crowded monitoring space; not a network-effect breakout.
Final recommendation
BUILD-SMALL / VALIDATE FAST. It's a cheap, days-to-weeks external-scanner MVP with a warm, reachable audience this week β€” worth a time-boxed launch to test willingness-to-pay. But treat it as a discretionary side-bet, not the founder's primary vein: no mandate, low ACV, thin moat, and a real churn risk once the scare fades. Do NOT over-invest the agent build until the free-scanner MVP proves paid conversion.
Next action
Ship a free public 'scan my server for exposed DB/admin ports' web tool in ~3–5 days, post it into the live HN MariaDB thread and r/selfhosted with the Debian 12.15 hook, and measure how many users verify ownership and opt into continuous $12/mo monitoring before building the agent.

Kill arguments (adversarial)

  • The stated KILL TEST is live: many target users assume their cloud security group / provider firewall already blocks this and won't add another agent or pay β€” and the acute fear may churn once the news cycle passes (no_urgent_pain risk after week 1).
  • Demand evidence is ONE HN thread (single anecdote), not a validated body of paying demand; the pain of 'no continuous alarm' is real but may be a nice-to-have for a $0-budget self-hoster who'll just re-run `ss` after upgrades.
  • Trivially adjacent to incumbents with distribution: UptimeRobot, Netdata, CrowdSec, Shodan Monitor, or a Cloudflare/host-provider feature could add 'alert on newly exposed port' as a checkbox; low technical moat.
  • Low ACV ($12/mo, first free) against real per-server scan/egress cost and support load means you need high volume to matter β€” margin is fat but absolute revenue per customer is thin.

Competitors

β€’ Shodan Monitor (link) β€” Monitors internet-exposed services for owned IP ranges and alerts on new open ports; more infosec-oriented and less turnkey for a $12/mo solo dev.
β€’ CrowdSec (link) β€” Open-source agent-based security engine for self-hosters; heavier and focused on intrusion, not simple exposure-drift alerting.
β€’ UptimeRobot / Netdata (link) β€” Popular self-hoster monitors that own distribution and could bolt on 'alert when a risky port opens' as a feature.

Source citations (facts)

β€’ [PAIN] Latest Debian 12 update opens MariaDB server to the internet β€” An admin reports that after upgrading to Debian 12.15 and rebooting, MariaDB stopped listening on 127.0.0.1:3306 and 'init' was listening on :::3306, silently exposing the DB β€” the core pain and 'why now'.
β€’ GhostLock, a stack-UAF present in all Linux distributions for 15 years β€” A broadly-present Linux vulnerability disclosure that amplifies security anxiety in the same self-hosting audience, supporting the 'why now' timing (secondary/atmospheric signal, not direct demand for this product).

Actions