What Does SysWarden Protect
SysWarden acts as an advanced, preemptive shield for your infrastructure. By dropping known malicious traffic at the firewall (kernel) level before it even reaches your applications, it provides a crucial extra layer of security for any exposed asset.
Public VPS & Dedicated Servers
Protect your SSH ports, control panels, and core system services from relentless brute-force attacks and automated mass-scanning.
Websites & CMS
Block bad bots, vulnerability scanners, and exploit attempts targeting your web servers (Nginx/Apache) before they consume your CPU and RAM.
Public APIs & SaaS Platforms
Keep your application resources dedicated to legitimate users. Prevent endpoint abuse, scrapers, and Layer 7 DDoS probes.
Critical Infrastructure
Add a robust perimeter defense for your business-critical applications and internal tools exposed to the internet.
Databases
Shield your exposed data stores (MySQL, MongoDB, PostgreSQL) from credential stuffing, unauthorized access attempts, and ransomware gangs.
"By eliminating the 'background noise' of the internet, SysWarden ensures your servers remain fast, clean, and focused on serving real humans."
Key Features
- Universal OS Support: Auto-detects and adapts to Debian, Ubuntu, RHEL, AlmaLinux, and Rocky Linux.
- Intelligent Backend Detection: Automatically selects Firewalld, Nftables, or IPSet/Iptables.
- Smart Mirror Selection: TCP/HTTP latency checks pick the fastest reachable mirror, working around firewall restrictions on the download path.
- Kernel-Safe Optimization: High-performance memory hashing on Debian/Ubuntu, and conservative settings on RHEL to prevent crashes.
- Persistence Guaranteed: Rules are written to disk and are restored automatically after a reboot.
- Auto-Update: Installs a cron job to refresh the blocklist hourly.
Objectives
- Noise Reduction: Drastically reduce the size of system logs by blocking scanners at the door.
- Resource Saving: Save CPU cycles and bandwidth by dropping packets at the kernel level.
- Proactive Security: Move from a "Reactive" stance (wait for 5 failed logins -> Ban) to a "Proactive" stance (Ban the IP because it attacked a server elsewhere 10 minutes ago).
Architecture & Workflow
SysWarden (Technology Stack)
├── 🐚 Core Orchestration
│   ├── 📜 Bash Scripting # Automation, Installation & Logic
│   └── 🐧 Linux Kernel # OS Support (Debian/Ubuntu & RHEL/Alma)
│
├── 🧱 Firewall Backend (Auto-Detection)
│   ├── 🛡️ Nftables # Modern Packet Filtering (Debian 10+)
│   ├── 🔥 Firewalld # Dynamic Zone Management (RHEL 8/9)
│   └── ⚡ IPSet + Iptables # High-Performance Hashing (Legacy)
│
├── 👮 Active Defense & Logs
│   ├── 🐍 Python 3 # Log Parsing & API Connector
│   ├── 🚫 Fail2ban # Intrusion Prevention System (Jails)
│   ├── 📝 Systemd / Journalctl # Service Management & Logging
│   └── ♻️ Logrotate # Log Maintenance & Compression
│
└── ☁️ External Integrations
    ├── 📦 Data-Shield Repo # Threat Intelligence Source (Git)
    ├── 📡 AbuseIPDB API # Community Reporting (Outbound)
    └── 🦁 Wazuh XDR Agent # SIEM & Vulnerability Detection
Network Traffic Flow
├── 🛡️ Layer 1: Firewall Shield (Static Defense)
│   ├── 🧱 Engine: Nftables / Firewalld / Ipset (Auto-detected)
│   ├── 📄 Blocklist: ~95k - 100k IPs (Data-Shield Source)
│   └── 🚫 Action: DROP packet before reaching services
│
└── 🖥️ Layer 2: User Space (Allowed Traffic)
    ├── 📁 Services & Logs
    │   ├── 🔓 SSH / Web / Database (Custom Ports Allowed)
    │   ├── 📝 System Logs: /var/log/syslog & journalctl
    │   └── ♻️ Maintenance: Logrotate (Daily cleanup, 7-day retention)
    │
    └── 📁 Layer 3: Active Response (Dynamic Defense)
        ├── 👮 Fail2ban Service
        │   ├── 🔍 Watch: Brute-force patterns (SSH, Nginx, etc.)
        │   └── ⚡ Action: Ban Dynamic IP locally
        │
        ├── 🐍 SysWarden Reporter
        │   ├── 🔍 Watch: Firewall Drops & Fail2ban Bans
        │   └── 📡 Action: Report to AbuseIPDB API
        │
        └── 🦁 Wazuh Agent
            ├── 🔍 Watch: File Integrity & System Events
            └── 📨 Action: Forward alerts to Wazuh SIEM
Technical Deep Dive: Integration Logic
Many admins worry that installing a massive blocklist might conflict with Fail2ban. SysWarden solves this via layering.
1. Nftables + Fail2ban (Debian/Ubuntu)
Data-Shield (Layer 1): Creates a high-performance Nftables set acting as a static shield.
Fail2ban (Layer 2): Continues to monitor logs for new attackers.
Result: Fail2ban uses less CPU because Data-Shield filters 99% of background noise before log parsing.
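To make the Layer 1 shield concrete, here is an added example (not SysWarden's own installer code) that turns a Data-Shield style blocklist file into an nftables ruleset: one interval set, one prerouting chain that drops matches and logs them with the "SysWarden-BLOCK" prefix. The table, set and chain names, the blocklist file format and the priority value are assumptions.

```shell
# Added example, not SysWarden's own code. Renders an nftables ruleset from a
# blocklist file (one IPv4 address or CIDR per line, '#' comments allowed).
# Table/set/chain names are assumptions; override via the environment.
SW_TABLE=${SW_TABLE:-syswarden}
SW_SET=${SW_SET:-blocklist_v4}
SW_CHAIN=${SW_CHAIN:-shield}

# Print the valid IPv4 addresses/CIDRs from file $1, dropping comments,
# whitespace, malformed lines and duplicates, so a bad line in the upstream
# list cannot make the whole nft transaction fail.
sw_clean_blocklist() {
    sed -e 's/#.*//' -e 's/[[:space:]]//g' "$1" \
        | grep -E '^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$' \
        | sort -u
}

# Emit a ruleset for `nft -f -`. "add table" followed by "delete table" in
# the same transaction makes the hourly refresh atomic and idempotent: the
# old list is swapped for the new one in one step, and re-running never
# appends a duplicate drop rule.
sw_render_ruleset() {
    elems=$(sw_clean_blocklist "$1" | paste -sd, -)
    elems_line=""
    [ -n "$elems" ] && elems_line="        elements = { $elems }"
    cat <<EOF
add table inet $SW_TABLE
delete table inet $SW_TABLE
table inet $SW_TABLE {
    set $SW_SET {
        type ipv4_addr
        flags interval
        auto-merge
$elems_line
    }
    chain $SW_CHAIN {
        type filter hook prerouting priority -300; policy accept;
        ip saddr @$SW_SET log prefix "SysWarden-BLOCK: " drop
    }
}
EOF
}

# Apply on a live host (needs root and nftables); priority -300 is the raw
# hook, so dropped probes never create a conntrack entry.
sw_apply_nft() { sw_render_ruleset "$1" | nft -f -; }
```

For persistence, save the rendered output to a file included from /etc/nftables.conf so nftables.service reloads it at boot, and run sw_apply_nft from the hourly cron job after each blocklist refresh.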
2. Firewalld + Fail2ban (RHEL/Alma)
Native Sets: Creates a permanent ipset within Firewalld.
Rich Rules: Drops traffic before it reaches zones.
Persistence: Configuration is written to `/etc/firewalld/`, ensuring protection survives reloads and reboots.
3. AbuseIPDB Reporting
During installation, you can opt in to report triggered alerts to AbuseIPDB. Provide your API key and malicious IPs are reported automatically, contributing to the community database.
4. Wazuh Agent Integration
Includes an interactive module to deploy the Wazuh XDR Agent. It automatically detects your OS, installs the repositories, injects the Manager IP into ossec.conf, and creates auto-whitelisting rules.
Installation & Usage (Run as root)
For Ubuntu/Debian
apt update && apt upgrade -y
apt install wget -y
For Rocky/AlmaLinux/RHEL
dnf update -y
dnf install wget -y
Install Script
cd /usr/local/bin/
wget https://github.com/duggytuxy/syswarden/releases/download/v2.10/install-syswarden.sh
chmod +x install-syswarden.sh
./install-syswarden.sh
Check Kernel Logs
journalctl -k -f | grep "SysWarden-BLOCK"
Uninstallation
./install-syswarden.sh uninstall
Support & Sustainability
Developing and maintaining a high-fidelity, real-time blocklist requires significant infrastructure resources and dedicated time. If you find this project useful, consider supporting its ongoing development.
☕ Support on Ko-Fi