An ultra-lightweight Enterprise Default-Deny HIPS for Linux.

SysWarden (ver: v2.10) acts as a ruthless first line of defense. By fusing dynamic firewall orchestration (nftables/iptables), global Threat Intelligence, a reactive HIPS (optimized Fail2ban), and SIEM alert routing, SysWarden filters out Internet "background noise" and neutralizes threats at the network (L2/L3/L4) and application (L7) levels.

Enterprise-Grade Features

SysWarden does not simply append rules to standard chains; it fundamentally alters the Linux networking stack to neutralize threats before they consume system resources.

Layer 2 Acceleration

Malicious packets are dropped at the NIC ingress hook (eBPF/XDP alternative), entirely bypassing kernel routing for zero CPU overhead during DDoS attacks.

Default-Deny Cloaking

Hide your SSH port and administrative panels behind an invisible WireGuard VPN, dropping any unwhitelisted traffic silently (Catch-All).

Global Threat Intel

Block hostile countries (GeoIP), Cybercrime Hosters, and rogue Autonomous System Numbers (ASN) automatically at the hardware edge.

Dynamic L7 WAF

Behavioral defense protecting 55+ services (Docker, Nginx, Databases) against SQLi, LFI, and brute-force via heavily optimized Fail2ban jails, and seamless integration of standalone ModSecurity for deep HTTP traffic inspection.

ISO 27001 / NIS2

Smart SIEM forwarding: routes only high-value L7 behavioral bans to your SOC/SIEM (Wazuh), filtering out L3 noise to prevent index saturation.

The Fortress Dashboard (TUI & CLI)

SysWarden provides unified terminal-based observability, ensuring total situational awareness without the bloat of a complex database or exposing vulnerable web ports.

Everything runs inside the terminal, keeping the attack surface strictly minimal: no web interface and no exposed management ports.

Supported Environments

SysWarden is built to run flawlessly across modern Linux infrastructures:

Universal (systemd)

Debian 12+, Ubuntu 24.04+, RHEL 9+, Rocky Linux 9+, AlmaLinux 10+, Oracle Linux 10+, CentOS Stream 9+, Fedora 43+.

Deprecation Notice: Alpine Linux Support

Alpine Linux support is officially deprecated. SysWarden is evolving into a pure Enterprise HIPS standard. While Alpine remains a gold standard for ephemeral containers, the bare-metal servers and critical virtual machines that SysWarden is designed to protect rely predominantly on the systemd ecosystem (RHEL, Debian, Ubuntu). Unifying the architecture around systemd allows for much deeper security integrations and ensures reliability that meets production requirements.

Management & Auditing Tools

SysWarden comes with dedicated built-in utilities to maintain and verify your infrastructure's security lifecycle.

syswarden-manager.sh

The core administration utility. Use it to manually trigger threat-intel updates, manage your IP whitelists/blocklists, and check the firewall's operational status.

./syswarden-manager.sh

syswarden-audit.sh

A comprehensive DevSecOps auditing tool designed to evaluate your server's security posture, analyze logs, and verify SysWarden's architectural integrity.

./syswarden-audit.sh

Installation

1. Clone & Build

git clone https://github.com/duggytuxy/syswarden.git
cd syswarden || exit
chmod +x build.sh
./build.sh

2. Execute Installer

# Debian, Ubuntu, RHEL, AlmaLinux & Rocky Linux
cd dist/ || exit
./install-syswarden.sh

Package Install (.deb/.rpm)

# Verify Integrity (Download pkg + .txt first)
sha256sum -c SHA256SUMS.txt --ignore-missing

# Debian/Ubuntu
apt-get install -y ./syswarden_<version>_all.deb
syswarden /opt/syswarden/syswarden-auto.conf

# RHEL/AlmaLinux/Rocky
dnf install -y ./syswarden-<version>-1.noarch.rpm
syswarden /opt/syswarden/syswarden-auto.conf

Enterprise Install (SLSA L3)

# Verify supply chain integrity before execution
wget https://github.com/duggytuxy/syswarden/releases/latest/download/syswarden-release.tar.gz
gh attestation verify syswarden-release.tar.gz --owner duggytuxy
tar -xzf syswarden-release.tar.gz
chmod +x install-syswarden.sh
./install-syswarden.sh

Quick Uninstall

# "Scorched Earth" rollback (Requires no reboot)
./install-syswarden.sh uninstall
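The verification steps above are listed as separate commands, so a failed checksum does not by itself stop the next line from running. The wrapper below is an added example (not part of the SysWarden project) that makes the check fail-closed: it unpacks the release archive only after its SHA-256 matches the SHA256SUMS.txt entry, and never runs the installer itself. The function names, the assumption that SHA256SUMS.txt is in sha256sum's own format and that install-syswarden.sh sits at the top level of the archive are mine.

```shell
#!/bin/sh
# Added example, not SysWarden's own code: fail-closed wrapper around the
# README's "verify, then install" steps. Assumed: SHA256SUMS.txt uses the
# sha256sum format ("<hex>  <file>"), the archive contains
# install-syswarden.sh at its top level, and both function names are mine.
set -u

# verify_release ARCHIVE SUMS_FILE
# Returns 0 only if ARCHIVE's SHA-256 equals the entry for its basename in
# SUMS_FILE. Works with relative paths and fails explicitly when the
# archive is not listed at all, instead of silently verifying nothing.
verify_release() {
    archive=$1; sums=$2
    [ -f "$archive" ] && [ -f "$sums" ] || return 2
    # sha256sum may write "<hex> *<file>" in binary mode; strip the '*'.
    expected=$(awk -v f="$(basename "$archive")" \
        '{ n=$2; sub(/^\*/, "", n); if (n==f) print $1 }' "$sums")
    actual=$(sha256sum "$archive" | awk '{ print $1 }')
    [ -n "$expected" ] && [ "$expected" = "$actual" ]
}

# stage_release ARCHIVE SUMS_FILE DEST
# Verifies, then unpacks into DEST and marks the installer executable.
# It does not run the installer; an operator does that after review.
# The README's SLSA step (gh attestation verify ... --owner duggytuxy)
# needs network access and the gh CLI, so it is not invoked here.
stage_release() {
    archive=$1; sums=$2; dest=$3
    verify_release "$archive" "$sums" || {
        echo "refusing to unpack: checksum verification failed" >&2
        return 1
    }
    mkdir -p "$dest" && tar -xzf "$archive" -C "$dest" || return 1
    [ -f "$dest/install-syswarden.sh" ] || return 1
    chmod +x "$dest/install-syswarden.sh"
    echo "staged: cd '$dest' && ./install-syswarden.sh"
}
```

Because DEST is only created after verification succeeds, a tampered archive leaves no partially unpacked files behind.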

Automated Deployments (CI/CD)

For large-scale infrastructures and Infrastructure as Code (IaC) environments, SysWarden supports true zero-touch, unattended installations via the syswarden-auto.conf file.

  • Pre-define your custom SSH ports, WireGuard subnets, API keys, and target blocklists without requiring any interactive prompts.
  • Seamlessly integrate SysWarden into your CI/CD pipelines, Ansible playbooks, Terraform modules, or cloud-init bootstrap scripts.
  • Simply edit the config template and execute the installer:
Execute with Config

cp syswarden-auto.conf dist/
cd dist/ || exit
./install-syswarden.sh syswarden-auto.conf

Documentation

To learn everything about the SysWarden ecosystem, explore detailed configurations, and read advanced usage guides, please visit our dedicated documentation page.


Target and Support

> €5,000/year to fund continuous DevSecOps

Developing SysWarden and curating the zero-false-positive Data-Shield IPv4 Blocklists requires dedicated server infrastructure and non-stop threat monitoring.

Reaching this annual goal guarantees my 100% independence, funding a continuous development cycle without corporate constraints. Your support directly pays for the servers and keeps these enterprise-grade cybersecurity tools free, updated, and accessible to everyone.

Let's build a safer internet together!

Support on Ko-fi