Eliminating internet background noise at the kernel level.

SysWarden is an enterprise-grade firewall orchestrator. It dynamically integrates Data-Shield IPv4 Blocklists, GeoIP, Spamhaus ASN blocking, and Fail2ban to natively drop 98.2% of malicious traffic before it reaches your apps.

About the Project

SysWarden is an enterprise-grade, open-source firewall orchestrator designed to eliminate 98.2% of noisy, disruptive, and malicious internet traffic. Built around the Data-Shield IPv4 Blocklists community, it dynamically integrates GeoIP filtering, Spamhaus ASN blocking, and Fail2ban intrusion prevention.

Engineered for modern infrastructure, SysWarden provides hermetic Docker protection, automated AbuseIPDB reporting, and deploys a stealth WireGuard management VPN—all operating natively within the Linux kernel to guarantee maximum security with near-zero RAM consumption.

What Does SysWarden Protect?

SysWarden acts as an advanced, preemptive orchestration layer for your infrastructure. By leveraging community-driven threat intelligence and dropping malicious traffic natively at the firewall level (Kernel-Space) before it ever reaches your applications, it provides a highly optimized, impenetrable shield for your exposed assets.

It is highly recommended for securing:

Public VPS & Bare Metal Servers

Defend your SSH ports, control panels, and core services against relentless brute-force campaigns and mass-scanning. SysWarden can even deploy a stealth WireGuard VPN to make your management interfaces completely invisible to the public internet.

Websites & CMS (WordPress, Nginx, Apache)

Instantly filter out bad bots, vulnerability scanners, and automated exploit attempts. By blocking threats at the network edge, your web servers preserve massive amounts of CPU and RAM for legitimate visitors.

Public APIs & SaaS Platforms

Protect your endpoints from aggressive data scrapers, automated abuse, and Layer 7 DDoS probes, ensuring your resources remain dedicated to real users and your SLAs stay intact.

Databases (MySQL, MongoDB, PostgreSQL)

Shield your data stores from credential stuffing, unauthorized access, and ransomware gangs using a formidable combination of massive static IP sets and dynamic Fail2ban intrusion prevention.

Dockerized & Critical Infrastructure

Automatically injects hermetic firewall rules directly into the DOCKER-USER chain, guaranteeing that your exposed containers are shielded from global threats without breaking internal routing.

By permanently silencing the internet's malicious "background noise", SysWarden ensures your infrastructure remains blazing fast, deeply secure, and focused entirely on serving real humans—while automatically reporting attackers back to the global community via AbuseIPDB.

Key Features

  • Strict SSH Cloaking (Zero Trust): Absolute policy enforcing SSH access exclusively via WireGuard (wg0) and loopback.
  • Enterprise Nginx Dashboard: Telemetry interface served via a hardened Nginx reverse proxy. Strictly enforces HTTPS with Zero Trust IP restrictions and advanced HTTP security headers.
  • Universal OS Support & Auto-Detection: Seamlessly adapts to Debian, Ubuntu, CentOS, Fedora, AlmaLinux, Rocky Linux, and Alpine (OpenRC).
  • Intelligent Backend Routing: Configures Nftables flat syntax, Firewalld rich rules, or IPSet depending on the host OS.

Objectives

  • Noise Reduction & Log Clarity: Drastically reduce log fatigue and SIEM costs by dropping scanners at the network edge.
  • Resource Optimization: Conserve CPU and RAM by dropping illegitimate packets natively in kernel space.
  • Proactive Community Security: Shift from reactive to proactive. Block IPs that attacked other servers minutes ago.

Architecture Workflow

Tech Stack

SysWarden (DevSecOps Technology Stack)
├── Core Orchestration & Security
│   ├── Bash Scripting             # OS Hardening & Zero Trust Logic
│   ├── Linux OS & Kernel          # Broad Support (Debian, RHEL, Alpine)
│   └── awk & jq                   # Semantic Validation & JSON
│
├── Firewall & Networking Engine
│   ├── Nftables                   # Modern Packet Filtering (Atomic)
│   ├── IPSet + Iptables           # High-Performance Hashing (Fallback)
│   ├── Firewalld                  # Dynamic Zone Management (RHEL)
│   ├── Docker Integration         # Native DOCKER-USER Chain Isolation
│   └── WireGuard VPN              # Stealth Management Interface
│
├── Active Defense & Daemons
│   ├── Fail2ban                   # Dynamic IPS (Zero Trust Jails)
│   ├── Rsyslog                    # Kernel/Auth Log Isolation
│   ├── Nginx & OpenSSL            # Hardened TLS Dashboard
│   ├── Python 3 (Daemon)          # Asynchronous AbuseIPDB Reporting
│   ├── Systemd / OpenRC           # OS-Specific Privilege Management
│   └── Logrotate                  # Space Optimization
│
└── Threat Intelligence & Integrations
    ├── Data-Shield IPv4 Blocklist # Primary Intel Source
    ├── Spamhaus / RADB            # Dynamic ASN Validation
    ├── IPDeny                     # Geo-Blocking Data Sets
    ├── AbuseIPDB API              # Community Attack Reporting
    └── Wazuh XDR Agent            # SIEM & File Integrity Detection

Traffic Flow

/ (Inbound Network Traffic Flow)
├── Layer 1: Kernel-Space Shield (Preemptive Static Defense)
│   ├── Orchestrator : Nftables / Firewalld / IPSet 
│   ├── Threat Intel : 100k+ Malicious IPs, Global GeoIP & ASN
│   ├── Validation   : Strict Semantic CIDR checking
│   ├── Edge Routing : Handled natively (incl. Docker)
│   └── Action       : DROP packets silently
│
└── Layer 2: User-Space Applications (Permitted Traffic)
    ├── Exposed Services & Proxies
    │   ├── Custom Ports (SSH, Web, Database, APIs)
    │   ├── WireGuard    (Stealth Interface & VPN)
    │   └── Log Routing  : Rsyslog isolated streams
    │
    └── Layer 3: Active Response (Dynamic & Behavioral)
        ├── Fail2ban Engine (Zero Trust)
        │   ├── Monitor : Isolated Rsyslog files
        │   └── Action  : Inject dynamic bans into backend
        │
        ├── SysWarden Python Daemon
        │   ├── Monitor : Real-time Firewall drops & F2B
        │   └── Action  : Report telemetry to AbuseIPDB API
        │
        └── Wazuh XDR Agent (Optional)
            ├── Monitor : FIM & Critical System Events
            └── Action  : Stream telemetry to Wazuh SIEM

1. Nftables + Fail2ban Synergy

SysWarden leverages modern Nftables Flat Syntax to inject massive sets (100k+ IPs). This static shield drops threats at Kernel level, reducing Fail2ban's CPU load to near-zero as it only processes logs for traffic that bypassed the blocklist.
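The two kernel-side steps this page names, the strict semantic CIDR check and the flat-syntax set that carries a blocklist into nftables, as an added POSIX shell example (not SysWarden's code). The table and set names, the `priority 0` input chain and the sample entries are constructed assumptions; the output can be syntax-checked offline with `nft -c -f FILE`.

```shell
#!/bin/sh
# Added example, not SysWarden's own code: strict semantic IPv4 CIDR validation,
# then emission of an nftables flat-syntax interval set ready for `nft -f`.
# split_ipv4 A.B.C.D: set o1..o4; fail unless input is digits/dots with three dots.
split_ipv4() {
    case "$1" in *[!0-9.]*|*.*.*.*.*) return 1 ;; *.*.*.*) ;; *) return 1 ;; esac
    o1=${1%%.*}; rest=${1#*.}; o2=${rest%%.*}; rest=${rest#*.}
    o3=${rest%%.*}; o4=${rest#*.}
}
# is_valid_cidr ENTRY: a.b.c.d or a.b.c.d/N with 0<=N<=32, octets 0-255, no
# empty octets, no leading zeros ("08" is rejected rather than read as octal).
is_valid_cidr() {
    case "$1" in */*) ip=${1%/*}; prefix=${1#*/} ;; *) ip=$1; prefix=32 ;; esac
    case "$prefix" in ''|*[!0-9]*|0?*) return 1 ;; esac
    [ "$prefix" -le 32 ] || return 1
    split_ipv4 "$ip" || return 1
    for octet in "$o1" "$o2" "$o3" "$o4"; do
        case "$octet" in ''|0?*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}
# normalize_cidr ENTRY: clear host bits and add an explicit prefix
# (192.0.2.77/24 -> 192.0.2.0/24, 10.9.8.7 -> 10.9.8.7/32). Input must be valid.
normalize_cidr() {
    case "$1" in */*) ip=${1%/*}; prefix=${1#*/} ;; *) ip=$1; prefix=32 ;; esac
    split_ipv4 "$ip" || return 1
    addr=$(( (o1 << 24) | (o2 << 16) | (o3 << 8) | o4 ))
    mask=$(( prefix == 0 ? 0 : (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF ))
    net=$(( addr & mask ))
    printf '%d.%d.%d.%d/%d\n' $(( net >> 24 )) $(( (net >> 16) & 255 )) \
        $(( (net >> 8) & 255 )) $(( net & 255 )) "$prefix"
}
# build_nft_set: read one entry per line on stdin, report malformed lines on
# stderr, de-duplicate, and print a ruleset holding the set plus a drop rule.
build_nft_set() {
    elements=$(
        while IFS= read -r line; do
            line=$(printf '%s' "${line%%#*}" | tr -d '[:space:]')   # drop comments and blanks
            [ -n "$line" ] || continue
            if is_valid_cidr "$line"; then normalize_cidr "$line"
            else printf 'rejected: %s\n' "$line" >&2; fi
        done | sort -u | paste -s -d ',' - | sed 's/,/, /g'
    )
    printf 'table inet syswarden_demo {\n    set blocklist_v4 {\n        type ipv4_addr\n        flags interval\n'
    [ -z "$elements" ] || printf '        elements = { %s }\n' "$elements"
    printf '    }\n    chain input {\n        type filter hook input priority 0; policy accept;\n'
    printf '        ip saddr @blocklist_v4 drop\n    }\n}\n'
}
```

Feeding a downloaded list through `build_nft_set > blocklist.nft` and loading it with `nft -f` replaces the whole set atomically, which is what lets the static shield absorb the bulk of the traffic before Fail2ban ever sees a log line.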

2. Firewalld Orchestration (RHEL)

Programmatically defines permanent `ipset` types within Firewalld's native XML framework. Deploys high-priority Rich Rules committed directly to `/etc/firewalld/` for absolute persistence.

3. AbuseIPDB Reporting

An asynchronous Python daemon actively parses firewall drops and Fail2ban jails, securely reporting confirmed attackers back to the global AbuseIPDB platform to protect the community.

4. Wazuh XDR Integration

Fully automated deployment pipeline for the Wazuh Agent. Automatically injects Manager IP into `ossec.conf` and creates auto-whitelisting rules to ensure SIEM continuity.

Installation & Usage

1. System Preparation

# Ubuntu / Debian
apt update && apt install wget -y

# RHEL / AlmaLinux / Fedora
dnf update && dnf install wget -y

# Alpine Linux
apk update && apk add wget bash

2. Download & Execution

cd /usr/local/bin/
wget https://github.com/duggytuxy/syswarden/releases/download/v1.72/install-syswarden.sh
chmod +x install-syswarden.sh
./install-syswarden.sh

# Note: Use install-syswarden-alpine.sh for Alpine

Unattended Installation (CI/CD)

Create syswarden-auto.conf (all supported keys are listed below) and pass it to the installer as its first argument:

./install-syswarden.sh syswarden-auto.conf

SYSWARDEN_ENTERPRISE_MODE="n"
SYSWARDEN_SSH_PORT=""
SYSWARDEN_ENABLE_WG="n"
SYSWARDEN_WG_PORT="51820"
SYSWARDEN_WG_SUBNET="10.66.66.0/24"
SYSWARDEN_USE_DOCKER="n"
SYSWARDEN_HARDENING="n"
SYSWARDEN_LIST_CHOICE="1"
SYSWARDEN_CUSTOM_URL=""
SYSWARDEN_ENABLE_GEO="n"
SYSWARDEN_GEO_CODES="ru cn kp ir"
SYSWARDEN_ENABLE_ASN="y"
SYSWARDEN_ASN_LIST="AS60068 AS30823 AS210644 AS200593..."
SYSWARDEN_USE_SPAMHAUS="y"
SYSWARDEN_ENABLE_ABUSE="n"
SYSWARDEN_ABUSE_API_KEY=""
SYSWARDEN_REPORT_F2B="y"
SYSWARDEN_REPORT_FW="y"
SYSWARDEN_ENABLE_WAZUH="n"
SYSWARDEN_WAZUH_IP=""
SYSWARDEN_WAZUH_NAME=""
SYSWARDEN_WAZUH_GROUP="default"
SYSWARDEN_WAZUH_COMM_PORT="1514"
SYSWARDEN_WAZUH_ENROLL_PORT="1515"

CLI Orchestration Commands (install-syswarden.sh)

  • update: Force an immediate refresh of the blocklists and load them natively into the kernel.
  • alerts: Launch the live attack dashboard in the terminal.
  • whitelist <IP>: Add a trusted IP that bypasses all blocklists.
  • blocklist <IP>: Permanently ban a specific IP address.
  • protect-docker: Inject hermetic rules into the DOCKER-USER chain.
  • fail2ban-jails: Dynamically discover active services and reload the Fail2ban jails without disruption.
  • wireguard-client: Generate a new WireGuard client profile and QR code.

Day-2 Operations (syswarden-manager.sh)

A surgical administration tool to manage IPs in real-time across your persistent files, the Kernel Firewall, and Fail2ban jails without triggering heavy recompilations.

  • check <IP>: Diagnostic across the persistent files, the in-kernel (RAM) state, and the Fail2ban jails.
  • unblock <IP>: Surgically purge the IP from every blocklist registry.
  • block <IP>: Hot-add an IP to the active kernel drop set.
  • whitelist <IP>: Inject a top-priority ACCEPT rule.
  • allow-ssh <IP>: Allow direct SSH access for the IP (bypasses WireGuard).
  • revoke-ssh <IP>: Revoke direct SSH access, enforcing the VPN path.
  • list: Display a clean overview of the IP registries.
  • reload: Safely trigger a full background sync.

Continuous Compliance & Security Audit (syswarden-audit.sh)

A standalone Purple Team compliance script designed to verify that all DevSecOps security locks remain active and untampered post-installation.

  • OS Hardening & Log Routing: Validates crontab lockdowns and immutable flags on user profiles, and ensures the isolated Netfilter/Auth logs have strict 0600 permissions.
  • Kernel Shield & Threat Intel: Verifies firewall prioritization and uses context-aware configuration parsing to validate the GeoIP, ASN, and Spamhaus defenses.
  • Zero Trust Remote Access: Independently validates the strict global SSH drop (Priority Guillotine), WireGuard gateway readiness, and the Day-2 SSH bypasses.
  • Deterministic Scoring Engine: Parses a flattened kernel-state buffer to eliminate multi-line tearing, ensuring 100% deterministic, flake-free execution.

./syswarden-audit.sh

Release Notes v1.73

Alpine Zero-Trust Architecture & Advanced Audit Engine

Overview

SysWarden v1.73 delivers a critical Zero-Trust security patch for Alpine Linux environments and introduces a massive overhaul to the DevSecOps Purple Team Audit engine (syswarden-audit.sh). This release guarantees absolute idempotency, prevents false-positive pipeline crashes, and securely locks down the Alpine native firewall state.

Core Engine Fixes

Alpine Native Firewall

The Catch-All Guillotine: Resolved a critical architectural gap where the native OS bypass chain (syswarden-os-bypass.nft) lacked a strict hook anchor and a default policy drop directive. The Alpine firewall now correctly enforces an absolute DROP policy at Priority 0. Any traffic surviving Fail2ban and SysWarden blocklists is now silently destroyed.

Kernel Survival Integration: Implemented essential state-tracking rules (Loopback, ICMP, Conntrack Established/Related) at the top of the native chain to prevent host lockout while enforcing the new strict drop policy.

WireGuard Forwarding Integrity: Enforced a strict DROP policy on the native forward chain, explicitly allowing only wg0 traffic to prevent unauthorized public routing.

Purple Team Audit Overhaul

Pipeline Stabilization & Compatibility

SIGPIPE & POSIX Compliance: Completely neutralized pipeline crashes in strict set -euo pipefail environments. Replaced vulnerable conditional pipelines with robust { grep || true; } syntax. This prevents catastrophic syntax errors ([[: 0\n0) when evaluating empty kernel query results.

Cron Symlink Resolution: Refactored the Cron orchestration audit to properly resolve symbolic links via realpath. This prevents false-positive duplication alerts on Alpine Linux (where /etc/crontabs/root acts as a symlink to /var/spool/cron/crontabs/root).

Context-Aware Catch-All Detection: The audit script now intelligently differentiates between Debian's explicit input_backend chain and Alpine's native OS policy drop architecture when evaluating the Zero-Trust network edge.

Advanced Threat & State Detection

Ghost Rules Audit (Phase 8): Introduced a completely new audit phase. The script now queries kernel memory directly to mathematically count occurrences of critical rules (e.g., Dashboard Port 9999, VPN Port 51820). This provides absolute mathematical proof of idempotency by detecting uncontrolled rule stacking (Ghost Rules) across Nftables and Iptables.
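The ghost-rule count and the pipefail-safe `{ grep || true; }` idiom from the two release-note items above, as an added example that is not the project's syswarden-audit.sh. The ruleset dump, the rule list and the exit codes are constructed assumptions; in real use the dump would come from `nft list ruleset`.

```shell
#!/bin/sh
# Added example, not SysWarden's audit script: count occurrences of critical
# rules in a ruleset dump without tripping `set -euo pipefail` on zero matches.
set -eu
if ( set -o pipefail ) 2>/dev/null; then set -o pipefail; fi   # where the shell supports it

# Constructed dump standing in for `nft list ruleset`: the dashboard rule is
# stacked twice (a ghost rule), the VPN rule appears once, SSH not at all.
RULESET='table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        iif "lo" accept
        ct state established,related accept
        tcp dport 9999 accept
        udp dport 51820 accept
        tcp dport 9999 accept
    }
}'

# count_rule PATTERN [DUMP]: print how many lines contain PATTERN literally.
# `grep -c` prints 0 but exits 1 when nothing matches, which aborts a pipefail
# script; the `{ ...; } || true` group keeps the count and discards the status.
count_rule() {
    { printf '%s\n' "${2:-$RULESET}" | grep -c -F -- "$1"; } || true
}

# audit_rule NAME PATTERN [DUMP]: 0 if exactly one rule matches, 1 if the rule
# is missing, 2 if it is stacked (a non-idempotent reload left ghost copies).
audit_rule() {
    n=$(count_rule "$2" "${3:-$RULESET}")
    if [ "$n" -eq 1 ]; then printf 'OK    %s: 1 rule\n' "$1"; return 0
    elif [ "$n" -eq 0 ]; then printf 'FAIL  %s: missing\n' "$1"; return 1
    else printf 'FAIL  %s: stacked %s times (ghost rules)\n' "$1" "$n"; return 2
    fi
}

# run_audit [DUMP]: check each critical rule (a constructed list); exit non-zero
# if any rule is missing or stacked. Real use: run_audit "$(nft list ruleset)"
run_audit() {
    dump=${1:-$RULESET}; rc=0
    for spec in 'Dashboard 9999|tcp dport 9999 accept' \
                'WireGuard 51820|udp dport 51820 accept' \
                'Conntrack|ct state established,related accept'; do
        audit_rule "${spec%%|*}" "${spec#*|}" "$dump" || rc=1
    done
    return "$rc"
}
```

Against the constructed dump, `run_audit` reports the dashboard rule as stacked twice and exits non-zero; against a dump where every critical rule appears exactly once it exits 0, which is the idempotency proof the audit phase is after.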

Telemetry Deep-Scan: Replaced instant telemetry daemon checks with a 60-second active observation loop. This forces the audit to overlap with an actual background cron cycle, definitively proving process idempotency and ensuring zero CPU leakage.

Global Audit Pacing: Implemented a global 2-second execution pacing mechanism (sleep 2) across all standard audit phases. This creates a methodical, readable output flow for administrators and prevents monitoring-induced CPU spikes.

Upgrade Instructions

To apply the Alpine Zero-Trust patch and deploy the new audit engine, execute the standard update routine:

# For standard environments (Ubuntu/Debian/RHEL)
./install-syswarden.sh update

# For Alpine Linux environments
./install-syswarden-alpine.sh update