{"id":46211118,"url":"https://github.com/defensia/agent","last_synced_at":"2026-04-13T13:03:11.113Z","repository":{"id":343805982,"uuid":"1177991212","full_name":"defensia/agent","owner":"defensia","description":"Lightweight security agent for Linux servers — SSH brute force, WAF, bot detection, Docker/Kubernetes native. Deploy via curl, Docker, Helm.","archived":false,"fork":false,"pushed_at":"2026-04-04T09:49:31.000Z","size":9493,"stargazers_count":1,"open_issues_count":6,"forks_count":0,"subscribers_count":0,"default_branch":"main","last_synced_at":"2026-04-04T11:40:02.975Z","etag":null,"topics":["bot-detection","brute-force","container-security","daemonset","docker","firewall","go","helm","helm-chart","intrusion-detection","kubernetes","linux","linux-security","owasp","security","server-security","ssh","waf"],"latest_commit_sha":null,"homepage":"https://defensia.cloud","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/defensia.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":"SECURITY.md","support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2026-03-10T15:21:16.000Z","updated_at":"2026-04-04T09:49:17.000Z","dependencies_parsed_at":null,"dependency_job_id":null,"html_url":"https://github.com/defensia/agent","commit_stats":null,"previous_names":["defensia/agent"],"tags_count":137,"template":false,"template_full_name":null,"purl":"pkg:github/defensia/agent","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/defensia%2Fagent","tags_url":"https
://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/defensia%2Fagent/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/defensia%2Fagent/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/defensia%2Fagent/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/defensia","download_url":"https://codeload.github.com/defensia/agent/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/defensia%2Fagent/sbom","scorecard":{"id":1245486,"data":{"date":"2026-04-02T21:21:21Z","repo":{"name":"github.com/defensia/agent","commit":"34c8a24e955e124898c64e3f3bc9a68ec2c7001f"},"scorecard":{"version":"v5.0.0","commit":"ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4"},"score":6.2,"checks":[{"name":"Binary-Artifacts","score":9,"reason":"binaries present in source code","details":["Warn: binary detected: defensia-agent-linux-arm64:1"],"documentation":{"short":"Determines if the project has generated executable (binary) artifacts in the source repository.","url":"https://github.com/ossf/scorecard/blob/ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4/docs/checks.md#binary-artifacts"}},{"name":"Branch-Protection","score":-1,"reason":"internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration","details":null,"documentation":{"short":"Determines if the default and release branches are protected with GitHub's branch protection settings.","url":"https://github.com/ossf/scorecard/blob/ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4/docs/checks.md#branch-protection"}},{"name":"CI-Tests","score":-1,"reason":"no pull request found","details":null,"documentation":{"short":"Determines if the project runs tests before pull requests are merged.","url":"https://github.com/ossf/scorecard/blob/ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4/docs/checks.md#ci-tests"}},{"name":"CII-Best-Practices","score":0,"reason":"no effort to earn an 
OpenSSF best practices badge detected","details":null,"documentation":{"short":"Determines if the project has an OpenSSF (formerly CII) Best Practices Badge.","url":"https://github.com/ossf/scorecard/blob/ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4/docs/checks.md#cii-best-practices"}},{"name":"Code-Review","score":0,"reason":"Found 0/30 approved changesets -- score normalized to 0","details":null,"documentation":{"short":"Determines if the project requires human code review before pull requests (aka merge requests) are merged.","url":"https://github.com/ossf/scorecard/blob/ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4/docs/checks.md#code-review"}},{"name":"Contributors","score":3,"reason":"project has 1 contributing companies or organizations -- score normalized to 3","details":["Info: defensia contributor org/company found, "],"documentation":{"short":"Determines if the project has a set of contributors from multiple organizations (e.g., companies).","url":"https://github.com/ossf/scorecard/blob/ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4/docs/checks.md#contributors"}},{"name":"Dangerous-Workflow","score":10,"reason":"no dangerous workflow patterns detected","details":null,"documentation":{"short":"Determines if the project's GitHub Action workflows avoid dangerous patterns.","url":"https://github.com/ossf/scorecard/blob/ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4/docs/checks.md#dangerous-workflow"}},{"name":"Dependency-Update-Tool","score":10,"reason":"update tool detected","details":["Info: detected update tool: Dependabot: .github/dependabot.yml:1"],"documentation":{"short":"Determines if the project uses a dependency update tool.","url":"https://github.com/ossf/scorecard/blob/ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4/docs/checks.md#dependency-update-tool"}},{"name":"Fuzzing","score":0,"reason":"project is not fuzzed","details":["Warn: no fuzzer integrations found"],"documentation":{"short":"Determines if the project uses 
fuzzing.","url":"https://github.com/ossf/scorecard/blob/ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4/docs/checks.md#fuzzing"}},{"name":"License","score":10,"reason":"license file detected","details":["Info: project has a license file: LICENSE:0","Info: FSF or OSI recognized license: MIT License: LICENSE:0"],"documentation":{"short":"Determines if the project has defined a license.","url":"https://github.com/ossf/scorecard/blob/ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4/docs/checks.md#license"}},{"name":"Maintained","score":0,"reason":"project was created in last 90 days. please review its contents carefully","details":["Warn: Repository was created in last 90 days."],"documentation":{"short":"Determines if the project is \"actively maintained\".","url":"https://github.com/ossf/scorecard/blob/ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4/docs/checks.md#maintained"}},{"name":"Packaging","score":10,"reason":"packaging workflow detected","details":["Info: Project packages its releases by way of GitHub Actions.: .github/workflows/release.yml:153"],"documentation":{"short":"Determines if the project is published as a package that others can easily download, install, easily update, and uninstall.","url":"https://github.com/ossf/scorecard/blob/ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4/docs/checks.md#packaging"}},{"name":"Pinned-Dependencies","score":0,"reason":"dependency not pinned by hash detected -- score normalized to 0","details":["Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/release.yml:21: update your workflow using https://app.stepsecurity.io/secureworkflow/defensia/agent/release.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/release.yml:24: update your workflow using https://app.stepsecurity.io/secureworkflow/defensia/agent/release.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/release.yml:73: update your workflow using 
https://app.stepsecurity.io/secureworkflow/defensia/agent/release.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/release.yml:98: update your workflow using https://app.stepsecurity.io/secureworkflow/defensia/agent/release.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/release.yml:107: update your workflow using https://app.stepsecurity.io/secureworkflow/defensia/agent/release.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/release.yml:164: update your workflow using https://app.stepsecurity.io/secureworkflow/defensia/agent/release.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/release.yml:171: update your workflow using https://app.stepsecurity.io/secureworkflow/defensia/agent/release.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/release.yml:174: update your workflow using https://app.stepsecurity.io/secureworkflow/defensia/agent/release.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/release.yml:177: update your workflow using https://app.stepsecurity.io/secureworkflow/defensia/agent/release.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/release.yml:184: update your workflow using https://app.stepsecurity.io/secureworkflow/defensia/agent/release.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/release.yml:192: update your workflow using https://app.stepsecurity.io/secureworkflow/defensia/agent/release.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/release.yml:213: update your workflow using https://app.stepsecurity.io/secureworkflow/defensia/agent/release.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/release.yml:220: update your 
workflow using https://app.stepsecurity.io/secureworkflow/defensia/agent/release.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/release.yml:241: update your workflow using https://app.stepsecurity.io/secureworkflow/defensia/agent/release.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/release.yml:255: update your workflow using https://app.stepsecurity.io/secureworkflow/defensia/agent/release.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/scorecard.yml:20: update your workflow using https://app.stepsecurity.io/secureworkflow/defensia/agent/scorecard.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/scorecard.yml:25: update your workflow using https://app.stepsecurity.io/secureworkflow/defensia/agent/scorecard.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/scorecard.yml:32: update your workflow using https://app.stepsecurity.io/secureworkflow/defensia/agent/scorecard.yml/main?enable=pin","Warn: containerImage not pinned by hash: Dockerfile:1","Warn: containerImage not pinned by hash: Dockerfile:20: pin your Docker image by updating alpine:3.20 to alpine:3.20@sha256:a4f4213abb84c497377b8544c81b3564f313746700372ec4fe84653e4fb03805","Info:   0 out of   8 GitHub-owned GitHubAction dependencies pinned","Info:   0 out of  10 third-party GitHubAction dependencies pinned","Info:   0 out of   2 containerImage dependencies pinned"],"documentation":{"short":"Determines if the project has declared and pinned the dependencies of its build process.","url":"https://github.com/ossf/scorecard/blob/ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4/docs/checks.md#pinned-dependencies"}},{"name":"SAST","score":0,"reason":"no SAST tool detected","details":["Warn: no pull requests merged into dev branch"],"documentation":{"short":"Determines if the project uses static code 
analysis.","url":"https://github.com/ossf/scorecard/blob/ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4/docs/checks.md#sast"}},{"name":"Security-Policy","score":10,"reason":"security policy file detected","details":["Info: security policy file detected: SECURITY.md:1","Info: Found linked content: SECURITY.md:1","Info: Found disclosure, vulnerability, and/or timelines in security policy: SECURITY.md:1","Info: Found text in security policy: SECURITY.md:1"],"documentation":{"short":"Determines if the project has published a security policy.","url":"https://github.com/ossf/scorecard/blob/ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4/docs/checks.md#security-policy"}},{"name":"Signed-Releases","score":8,"reason":"5 out of the last 5 releases have a total of 5 signed artifacts.","details":["Info: signed release artifact: checksums.txt.sig: https://api.github.com/repos/defensia/agent/releases/assets/387283699","Info: signed release artifact: checksums.txt.sig: https://api.github.com/repos/defensia/agent/releases/assets/387276721","Info: signed release artifact: checksums.txt.sig: https://api.github.com/repos/defensia/agent/releases/assets/387265474","Info: signed release artifact: checksums.txt.sig: https://api.github.com/repos/defensia/agent/releases/assets/387258070","Info: signed release artifact: checksums.txt.sig: https://api.github.com/repos/defensia/agent/releases/assets/387255266","Warn: release artifact v1.1.2 does not have provenance: https://api.github.com/repos/defensia/agent/releases/304855235","Warn: release artifact v1.1.1 does not have provenance: https://api.github.com/repos/defensia/agent/releases/304851124","Warn: release artifact v1.1.0 does not have provenance: https://api.github.com/repos/defensia/agent/releases/304844332","Warn: release artifact v1.0.8 does not have provenance: https://api.github.com/repos/defensia/agent/releases/304839700","Warn: release artifact v1.0.7 does not have provenance: 
https://api.github.com/repos/defensia/agent/releases/304837349"],"documentation":{"short":"Determines if the project cryptographically signs release artifacts.","url":"https://github.com/ossf/scorecard/blob/ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4/docs/checks.md#signed-releases"}},{"name":"Token-Permissions","score":10,"reason":"GitHub workflow tokens follow principle of least privilege","details":["Warn: jobLevel 'contents' permission set to 'write': .github/workflows/release.yml:15","Info: topLevel permissions set to 'read-all': .github/workflows/release.yml:8","Info: topLevel permissions set to 'read-all': .github/workflows/scorecard.yml:9"],"documentation":{"short":"Determines if the project's workflows follow the principle of least privilege.","url":"https://github.com/ossf/scorecard/blob/ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4/docs/checks.md#token-permissions"}},{"name":"Vulnerabilities","score":10,"reason":"0 existing vulnerabilities detected","details":null,"documentation":{"short":"Determines if the project has open, known unfixed vulnerabilities.","url":"https://github.com/ossf/scorecard/blob/ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4/docs/checks.md#vulnerabilities"}}]},"last_synced_at":"2026-04-03T00:13:51.927Z","repository_id":343805982,"created_at":"2026-04-03T00:13:51.927Z","updated_at":"2026-04-03T00:13:51.927Z"},"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":31575757,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-04-08T14:31:17.711Z","status":"ssl_error","status_checked_at":"2026-04-08T14:31:17.202Z","response_time":54,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.5:443 state=error: unexpected eof while 
reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["bot-detection","brute-force","container-security","daemonset","docker","firewall","go","helm","helm-chart","intrusion-detection","kubernetes","linux","linux-security","owasp","security","server-security","ssh","waf"],"created_at":"2026-03-03T09:09:31.134Z","updated_at":"2026-04-13T13:03:11.103Z","avatar_url":"https://github.com/defensia.png","language":"Go","readme":"\u003cp align=\"center\"\u003e\n  \u003cimg src=\"https://defensia.cloud/img/logo.svg\" alt=\"Defensia\" width=\"200\"\u003e\n\u003c/p\u003e\n\n\u003ch3 align=\"center\"\u003eServer security that installs in 30 seconds\u003c/h3\u003e\n\n\u003cp align=\"center\"\u003e\n  Lightweight Go agent that detects attacks in real time and blocks them automatically.\u003cbr\u003e\n  SSH brute force, WAF, bot management, Docker and Kubernetes — zero configuration.\n\u003c/p\u003e\n\n\u003cp align=\"center\"\u003e\n  \u003ca href=\"https://github.com/defensia/agent/releases\"\u003e\u003cimg src=\"https://img.shields.io/github/v/release/defensia/agent?label=version\u0026color=brightgreen\" alt=\"Version\"\u003e\u003c/a\u003e\n  \u003ca href=\"https://opensource.org/licenses/MIT\"\u003e\u003cimg src=\"https://img.shields.io/badge/License-MIT-blue.svg\" alt=\"License: MIT\"\u003e\u003c/a\u003e\n  \u003ca href=\"https://go.dev\"\u003e\u003cimg src=\"https://img.shields.io/badge/Go-1.26+-00ADD8?logo=go\u0026logoColor=white\" alt=\"Go\"\u003e\u003c/a\u003e\n  \u003ca href=\"https://github.com/defensia/agent\"\u003e\u003cimg 
src=\"https://img.shields.io/badge/Platform-Linux-orange?logo=linux\u0026logoColor=white\" alt=\"Platform\"\u003e\u003c/a\u003e\n  \u003ca href=\"https://github.com/defensia/agent/pkgs/container/agent\"\u003e\u003cimg src=\"https://img.shields.io/badge/Docker-ghcr.io-2496ED?logo=docker\u0026logoColor=white\" alt=\"Docker\"\u003e\u003c/a\u003e\n  \u003ca href=\"https://artifacthub.io/packages/helm/defensia/defensia-agent\"\u003e\u003cimg src=\"https://img.shields.io/badge/Helm-Artifact_Hub-0F1689?logo=helm\u0026logoColor=white\" alt=\"Helm\"\u003e\u003c/a\u003e\n  \u003ca href=\"https://securityscorecards.dev/viewer/?uri=github.com/defensia/agent\"\u003e\u003cimg src=\"https://api.securityscorecards.dev/projects/github.com/defensia/agent/badge\" alt=\"OpenSSF Scorecard\"\u003e\u003c/a\u003e\n\u003c/p\u003e\n\n\u003cp align=\"center\"\u003e\n  \u003ca href=\"https://defensia.cloud\"\u003eWebsite\u003c/a\u003e ·\n  \u003ca href=\"https://defensia.cloud/docs\"\u003eDocs\u003c/a\u003e ·\n  \u003ca href=\"https://defensia.cloud/docs/installation\"\u003eInstall Guide\u003c/a\u003e ·\n  \u003ca href=\"https://defensia.cloud/pricing\"\u003ePricing\u003c/a\u003e ·\n  \u003ca href=\"https://github.com/defensia/agent/issues\"\u003eIssues\u003c/a\u003e\n\u003c/p\u003e\n\n---\n\n## The problem\n\nThe average Linux VPS receives its first automated attack **within 4 minutes** of going online. SSH brute force, web exploits, bot scraping, port scans.\n\nMost developers find out when it's already too late — or never.\n\n**fail2ban** blocks after the fact, with no visibility. **CrowdSec** requires complex setup. 
Enterprise tools cost $20-200+/host.\n\nDefensia fills the gap: **one command to install, real-time dashboard, automatic blocking, €9/server**.\n\n## Quick start\n\n```bash\n# Linux (one-liner)\ncurl -fsSL https://defensia.cloud/install.sh | sudo bash -s -- --token \u003cYOUR_TOKEN\u003e\n\n# Docker\ndocker run -d --name defensia-agent --restart unless-stopped \\\n  --network host --pid host \\\n  -v /var/log:/var/log:ro \\\n  -v /var/run/docker.sock:/var/run/docker.sock:ro \\\n  -e DEFENSIA_TOKEN=\u003cYOUR_TOKEN\u003e \\\n  ghcr.io/defensia/agent:latest\n\n# Kubernetes (Helm)\nhelm install defensia-agent \\\n  oci://ghcr.io/defensia/charts/defensia-agent \\\n  --set config.organizationApiKey=\u003cYOUR_API_KEY\u003e \\\n  --namespace defensia-system --create-namespace\n```\n\n\u003e **[Get your token at defensia.cloud](https://defensia.cloud)** — free tier includes 1 server with full protection.\n\n---\n\n## Why Defensia\n\n| | fail2ban | CrowdSec | BitNinja | **Defensia** |\n|---|:---:|:---:|:---:|:---:|\n| Real-time dashboard | — | Paid ($2K+/yr) | Yes | **Yes** |\n| One-command install | — | — | cPanel only | **Yes** |\n| SSH detection | Yes | Yes | Yes | **Yes (15 patterns)** |\n| Web Application Firewall | — | Partial | Yes | **Yes (15 OWASP types)** |\n| Bot management | — | — | Yes | **Yes (70+ fingerprints)** |\n| Docker container awareness | — | — | — | **Yes** |\n| Kubernetes / Helm | — | Yes | — | **Yes (DaemonSet)** |\n| Monitor mode (detect only) | — | — | — | **Yes** |\n| Works on any Linux | Yes | Yes | cPanel/Plesk | **Yes** |\n| Price | Free | Free / $2K+ | €14-52/srv | **€9/srv** |\n\n---\n\n## What it detects\n\n### SSH \u0026 brute force\n15 detection patterns: failed passwords, invalid users, PAM failures, pre-auth scanning, protocol mismatches, kex negotiation drops. 
Patterns are synced from the dashboard — enable/disable per server without restarting the agent.\n\n### Web Application Firewall\n\n| Attack type | Score | Mode |\n|---|:---:|---|\n| RCE / Web shell / Shellshock | +50 | Score-based |\n| Scanner UA (sqlmap, nikto, nmap, nuclei...) | +50 | Score-based |\n| SQL injection / SSRF / Web exploit | +40 | Score-based |\n| Honeypot trap (50+ decoy endpoints) | +40 | Score-based |\n| Path traversal / Header injection | +30 | Score-based |\n| WordPress brute force | +30 | Threshold (10 req / 2 min) |\n| XSS / `.env` probe / XMLRPC | +25 | Score-based |\n| Config probing / Scanner pattern | +20 | Score-based |\n| 404 flood | +15 | Threshold (30 req / 5 min) |\n\nEach detection adds points to a per-IP score. Scores decay at -5 pts/min. Action levels: **observe** (30) → **throttle** (60) → **block 1h** (80) → **blacklist 24h** (100+). All weights configurable per server.\n\n### Bot management\n70+ bot fingerprints (search engines, AI crawlers, SEO tools, scanners). Per-org policies: **allow** / **log** / **block**. 
Blocked bots are rejected at nginx/Apache level — connection closed before your app is reached.\n\n### Malware scanner\n- **Signature scanning** — 24 built-in patterns for webshells, backdoors, crypto miners, phishing kits\n- **Hash matching** — 64,000+ known malware hashes from MalwareBazaar and Linux Malware Detect\n- **YARA engine** — 229 web-relevant rules (uses yara CLI if installed, optional)\n- **Framework detection** — auto-detects Laravel, WordPress, Django, Symfony, CakePHP, CodeIgniter, Node/Express, Rails, Joomla, Drupal\n- **Framework security checks** — .env exposure, DEBUG mode, APP_KEY, loose permissions, Telescope, wp-config\n- **Heuristic analysis** — Shannon entropy detection, timestamp anomalies in upload directories\n- **System integrity** — `dpkg -V` / `rpm -Va` for modified binaries, rootkit indicators (ld.so.preload, hidden processes, /tmp executables)\n- **Credential scan** — exposed .env files, SSH key permissions, .git in web root, cloud provider credentials\n- **WP database scan** — injected scripts in posts/options, rogue admin users\n- **Process detection** — running crypto miners, reverse shells, suspicious scripts from /tmp\n- **Security posture score** — 0-100 (A-F grade) with breakdown by category\n- **Quarantine** — move malicious files to `/var/lib/defensia/quarantine/` with restore capability\n- **Scheduled scans** — configurable frequency, time, and intensity from the dashboard\n- **Realtime watcher** — polls upload directories every 30s for new PHP files\n- **False positive prevention** — WP core checksums, context-based severity, user allowlist with cross-network herd immunity\n\n### ModSecurity inline WAF\n- **Auto-detects** Apache + mod_security2 at startup (standard on cPanel/WHM)\n- **14 static rules** — SQL injection, XSS, RCE, SSRF, path traversal, Shellshock, Log4Shell, Spring4Shell, scanner blocking\n- **Blocks on first request** — ModSecurity intercepts before traffic reaches your application\n- **IP ban rules** — 
banned IPs synced from dashboard to ModSecurity for HTTP-level blocking\n- **Zero config** — automatically writes rules, configures Include, graceful reload (no downtime)\n- **No impact** on servers without ModSecurity — falls back to iptables-only blocking\n\n### And more\n- **Mail \u0026 FTP protection** — Postfix, Dovecot, Pure-FTPD, MySQL brute force detection\n- **Docker-aware** — auto-detects web containers, reads logs via bind mounts and volumes\n- **GeoIP blocking** — block entire countries from the dashboard\n- **Network ban propagation** — ban on one server applies to all your servers\n- **Security scanner** — 30+ hardening checks with auto-remediation\n- **Vulnerability scanning** — CVE matching via NVD + Exploit-DB, EPSS scoring\n- **Monitor mode** — detect threats without blocking (new servers default to this)\n- **System metrics** — CPU, memory, disk reported to dashboard\n- **cPanel/WHM addon** — native sidebar integration with cPHulk and domlog auto-detection\n\n---\n\n## How it works\n\n```\nauth.log / web access logs / Docker logs / K8s ingress logs\n    │\n    ▼\nLog auto-detection\n    │  nginx -T / apachectl -S / docker inspect / K8s API\n    │  Resolves bind mounts, volumes, symlinks\n    ▼\nWatcher goroutines\n    │  Detect brute force, SQLi, XSS, SSRF, path traversal, web shells...\n    ▼\nBot Scoring Engine (per-IP, decaying)\n    │\n    ├─ \u003c 30 pts  → observe (log only)\n    ├─ ≥ 30 pts  → throttle\n    ├─ ≥ 80 pts  → block 1h\n    └─ ≥ 100 pts → blacklist 24h\n            │\n            ▼\n    ipset add defensia-bans \u003cIP\u003e\n            │  Falls back to iptables -I INPUT -s \u003cIP\u003e -j DROP\n            │  ipset: 65K+ IPs  ·  iptables fallback: 500 (FIFO rotation)\n            │\n            ├──► POST /api/v1/agent/bans → dashboard\n            └──► WebSocket propagates ban to all your servers\n```\n\nThe agent **never bans** reserved IPs, your server's own IPs, or the Defensia API endpoint — even if the backend sends a 
bad rule.\n\n---\n\n## Install\n\n### Linux (recommended)\n\n```bash\ncurl -fsSL https://defensia.cloud/install.sh | sudo bash -s -- --token \u003cYOUR_TOKEN\u003e\n```\n\n**Supported:** Ubuntu 20+, Debian 11+, CentOS 7+, RHEL 8+, Rocky, Alma, Amazon Linux 2023, Fedora\n**Requires:** `iptables`, `systemd`, root access · **Recommended:** `ipset` (increases ban capacity to 65K+)\n\n### Docker\n\n```bash\ndocker run -d --name defensia-agent --restart unless-stopped \\\n  --network host --pid host \\\n  -v /var/log:/var/log:ro \\\n  -v /var/run/docker.sock:/var/run/docker.sock:ro \\\n  -v defensia-config:/etc/defensia \\\n  -e DEFENSIA_TOKEN=\u003cYOUR_TOKEN\u003e \\\n  ghcr.io/defensia/agent:latest\n```\n\n**Image:** `ghcr.io/defensia/agent` — multi-arch (amd64 + arm64), ~40MB\n\n\u003cdetails\u003e\n\u003csummary\u003eDocker Compose\u003c/summary\u003e\n\n```yaml\nservices:\n  defensia-agent:\n    image: ghcr.io/defensia/agent:latest\n    container_name: defensia-agent\n    restart: unless-stopped\n    privileged: true\n    network_mode: host\n    pid: host\n    environment:\n      - DEFENSIA_TOKEN=${DEFENSIA_TOKEN}\n    volumes:\n      - /var/log:/var/log:ro\n      - /var/run/docker.sock:/var/run/docker.sock:ro\n      - defensia-config:/etc/defensia\n\nvolumes:\n  defensia-config:\n```\n\n```bash\nDEFENSIA_TOKEN=\u003cYOUR_TOKEN\u003e docker compose up -d defensia-agent\n```\n\n\u003c/details\u003e\n\n\u003cdetails\u003e\n\u003csummary\u003eDocker Swarm (global service)\u003c/summary\u003e\n\n```bash\n# Store token as a Docker secret\necho \"\u003cYOUR_TOKEN\u003e\" | docker secret create defensia_token -\n\n# Deploy 1 agent per node\ndocker stack deploy -c docker-compose.swarm.yml defensia\n```\n\nSee [docker-compose.swarm.yml](docker-compose.swarm.yml) for the full stack definition.\n\n\u003c/details\u003e\n\n### Kubernetes (Helm)\n\n```bash\nhelm install defensia-agent \\\n  oci://ghcr.io/defensia/charts/defensia-agent \\\n  --set 
config.organizationApiKey=\u003cYOUR_API_KEY\u003e \\\n  --set config.serverUrl=https://defensia.cloud \\\n  --namespace defensia-system --create-namespace\n```\n\nDeploys a **DaemonSet** — one agent per node (including control-plane). RBAC, tolerations, and resource limits pre-configured.\n\n\u003cdetails\u003e\n\u003csummary\u003eCustom values.yaml\u003c/summary\u003e\n\n```yaml\nconfig:\n  organizationApiKey: \"your-org-api-key\"\n  serverUrl: \"https://defensia.cloud\"\n  clusterName: \"production\"    # auto-detected if omitted\n\nresources:\n  limits:\n    cpu: 100m\n    memory: 128Mi\n  requests:\n    cpu: 50m\n    memory: 64Mi\n\ntolerations:\n  - operator: Exists           # run on all nodes\n```\n\n```bash\nhelm install defensia-agent \\\n  oci://ghcr.io/defensia/charts/defensia-agent \\\n  -f values.yaml -n defensia-system --create-namespace\n```\n\n\u003c/details\u003e\n\n**Chart:** [Artifact Hub](https://artifacthub.io/packages/helm/defensia/defensia-agent) · Images signed with [Cosign](https://github.com/sigstore/cosign) · Helm chart with GPG provenance\n\n### Uninstall\n\n```bash\ncurl -fsSL https://defensia.cloud/install.sh | sudo bash -s -- --uninstall\n```\n\n---\n\n## Configuration\n\n\u003cdetails\u003e\n\u003csummary\u003e\u003cstrong\u003ePer-server WAF configuration\u003c/strong\u003e\u003c/summary\u003e\n\nEach attack type can be independently configured from the dashboard (Server → Web Protection). Changes sync within 60 seconds.\n\n- **Enable/disable types** — disable rules irrelevant to your stack (e.g. 
`wp_bruteforce` on a non-WordPress server)\n- **Detect-only mode** — record events without banning\n- **Custom thresholds** — override defaults for `wp_bruteforce`, `xmlrpc_abuse`, `scanner_detected`, `404_flood`\n- **Custom score weights** — adjust points per detection type\n\n`null` WAF config → all 15 types active with default thresholds (fully backward compatible).\n\n\u003c/details\u003e\n\n\u003cdetails\u003e\n\u003csummary\u003e\u003cstrong\u003eDocker labels\u003c/strong\u003e\u003c/summary\u003e\n\nConfigure monitoring per container via Docker labels — no agent restart needed:\n\n```yaml\nservices:\n  nginx:\n    image: nginx\n    labels:\n      defensia.monitor: \"true\"\n      defensia.log-path: \"/var/log/nginx/access.log\"\n      defensia.domain: \"example.com,api.example.com\"\n    volumes:\n      - /var/log/nginx:/var/log/nginx\n```\n\n| Label | Values | Effect |\n|---|---|---|\n| `defensia.monitor` | `true` / `false` | Force-include or exclude a container |\n| `defensia.log-path` | Host path(s), comma-separated | Explicit log path (skips auto-detection) |\n| `defensia.domain` | Domain(s), comma-separated | Associate domain names with logs |\n| `defensia.waf` | `true` / `false` | Informational (WAF is controlled from the panel) |\n\n**Priority**: `defensia.log-path` label \u003e `nginx -T` auto-detection \u003e bind-mount scan \u003e `docker logs`.\n\n\u003c/details\u003e\n\n\u003cdetails\u003e\n\u003csummary\u003e\u003cstrong\u003eManual log path override\u003c/strong\u003e\u003c/summary\u003e\n\nIf auto-detection doesn't find your logs, set `WEB_LOG_PATH`:\n\n```bash\nsudo systemctl edit defensia-agent\n```\n\n```ini\n[Service]\nEnvironment=\"WEB_LOG_PATH=/var/log/httpd/access_log,/var/log/nginx/custom.log\"\n```\n\n```bash\nsudo systemctl restart defensia-agent\n```\n\n\u003c/details\u003e\n\n\u003cdetails\u003e\n\u003csummary\u003e\u003cstrong\u003eEnvironment variables\u003c/strong\u003e\u003c/summary\u003e\n\nStored in 
`/etc/defensia/agent.conf`:\n\n| Variable | Description | Default |\n|---|---|---|\n| `DEFENSIA_TOKEN` | Agent auth token | *(from registration)* |\n| `DEFENSIA_SERVER` | Panel server URL | `https://defensia.cloud` |\n| `DEFENSIA_LOG_PATH` | Auth log file path | *(auto-detected)* |\n| `DEFENSIA_HEARTBEAT` | Heartbeat interval (seconds) | `30` |\n| `DEFENSIA_BAN_THRESHOLD` | Failed attempts before ban | `5` |\n| `DEFENSIA_WS_ENABLED` | Enable WebSocket | `true` |\n| `DEFENSIA_GEOIP_ENABLED` | Enable GeoIP lookups | `true` |\n| `WEB_LOG_PATH` | Override web log paths | *(auto-detected)* |\n\n\u003c/details\u003e\n\n---\n\n## Troubleshooting\n\n\u003cdetails\u003e\n\u003csummary\u003e\u003ccode\u003e\"Peer's Certificate issuer is not recognized\"\u003c/code\u003e during install\u003c/summary\u003e\n\nAffects CentOS 7, RHEL 7, and systems with outdated `ca-certificates`:\n\n```bash\ncurl -sk https://letsencrypt.org/certs/isrgrootx1.pem -o /tmp/isrg.pem\nexport CURL_CA_BUNDLE=/tmp/isrg.pem\ncurl -fsSL https://defensia.cloud/install.sh | sudo bash -s -- --token \u003cYOUR_TOKEN\u003e\n```\n\n\u003c/details\u003e\n\n\u003cdetails\u003e\n\u003csummary\u003eAgent shows \u003ccode\u003e203/EXEC\u003c/code\u003e — service fails to start\u003c/summary\u003e\n\nBinary missing or corrupted. Restore from backup:\n\n```bash\ncp /usr/local/bin/defensia-agent.bak /usr/local/bin/defensia-agent\nchmod 755 /usr/local/bin/defensia-agent\nsystemctl reset-failed defensia-agent \u0026\u0026 systemctl start defensia-agent\n```\n\nIf `start-limit-hit`:\n\n```bash\nsystemctl reset-failed defensia-agent\nsystemctl start defensia-agent\n```\n\n\u003c/details\u003e\n\n\u003cdetails\u003e\n\u003csummary\u003eWAF not detecting attacks\u003c/summary\u003e\n\nCheck which logs the agent is monitoring:\n\n```bash\njournalctl -u defensia-agent | grep webwatcher\n```\n\nIf no logs found: your web server logs must be accessible on the host. 
For Docker web servers, bind-mount the log directory:\n\n```yaml\nvolumes:\n  - /var/log/nginx:/var/log/nginx\n```\n\n\u003c/details\u003e\n\nMore troubleshooting at [defensia.cloud/docs/troubleshooting](https://defensia.cloud/docs/troubleshooting).\n\n---\n\n## Architecture\n\n```\n┌─────────────────────────────────────────────────────────┐\n│                    Defensia Cloud                        │\n│  ┌──────────┐  ┌──────────┐  ┌──────────┐  ┌────────┐  │\n│  │ Dashboard │  │ REST API │  │ WebSocket│  │ Threat │  │\n│  │  (Vue 3) │  │ (Laravel)│  │ (Reverb) │  │  Intel │  │\n│  └──────────┘  └──────────┘  └──────────┘  └────────┘  │\n└───────────────────────┬─────────────────────────────────┘\n                        │ HTTPS + WSS\n        ┌───────────────┼───────────────┐\n        ▼               ▼               ▼\n   ┌─────────┐    ┌─────────┐    ┌─────────────┐\n   │  Agent  │    │  Agent  │    │ Agent (K8s) │\n   │  (VPS)  │    │(Docker) │    │ (DaemonSet) │\n   └─────────┘    └─────────┘    └─────────────┘\n   SSH + WAF      SSH + WAF +     Ingress WAF +\n   + GeoIP        Docker detect   Pod events +\n   + Metrics      + Container     API audit\n                  inventory\n```\n\nThe agent is a single static Go binary (~12MB). No dependencies, no runtime, no garbage. 
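
The WAF scoring that the `SSH + WAF` agents in the diagram perform, and that the WAF configuration section above exposes as disabled detection types, detect-only mode, per-type thresholds and score weights, can be modelled in Go as follows. This is an added example, not the agent's engine: the event shape, the rule that either a per-type threshold or the cumulative score triggers a ban, the numbers in `DefaultConfig`, the ten-minute window and the sample IPs are all assumptions of the example.

```go
package main

import (
	"fmt"
	"time"
)

// Event is one WAF detection for a client IP (a constructed shape, not the agent's).
type Event struct {
	IP, Type string // Type: sqli, rce, path_traversal, scanner_detected, 404_flood, wp_bruteforce, ...
	At       time.Time
}

// Decision is the engine's verdict after scoring one event.
type Decision string

const (
	Recorded Decision = "recorded"  // below every limit
	Ban      Decision = "ban"       // a per-type threshold or the ban score was reached
	WouldBan Decision = "would-ban" // limit reached, but detect-only mode suppresses the ban
)

// Config holds the knobs listed in the WAF configuration section; that either a per-type
// threshold or the cumulative score can trigger a ban is this example's assumption.
type Config struct {
	Disabled   map[string]bool // detection types switched off on this server
	DetectOnly bool            // record events without banning
	Thresholds map[string]int  // hits of one type inside Window that ban on their own
	Weights    map[string]int  // points per event type added to the per-IP score
	BanScore   int             // cumulative score at which the IP is banned
	Window     time.Duration   // how long an event keeps counting
}

// DefaultConfig uses illustrative numbers, not the agent's shipped defaults.
func DefaultConfig() Config {
	return Config{
		Disabled:   map[string]bool{},
		Thresholds: map[string]int{"wp_bruteforce": 5, "xmlrpc_abuse": 5, "scanner_detected": 3, "404_flood": 20},
		Weights: map[string]int{"sqli": 40, "rce": 50, "path_traversal": 30, "scanner_detected": 20,
			"wp_bruteforce": 10, "xmlrpc_abuse": 10, "404_flood": 2},
		BanScore: 100, Window: 10 * time.Minute,
	}
}

// Engine keeps a sliding window of events per IP and the set of banned IPs.
type Engine struct {
	cfg    Config
	events map[string][]Event
	banned map[string]bool
}

func NewEngine(cfg Config) *Engine {
	return &Engine{cfg: cfg, events: map[string][]Event{}, banned: map[string]bool{}}
}

// Process records ev (unless its type is disabled) and returns the decision for ev.IP.
func (e *Engine) Process(ev Event) Decision {
	if e.cfg.Disabled[ev.Type] {
		return Recorded // switched-off types never count toward a ban
	}
	// Expire events outside the window; score and count same-type hits over what remains.
	kept, score, sameType := e.events[ev.IP][:0], e.cfg.Weights[ev.Type], 1
	for _, old := range e.events[ev.IP] {
		if ev.At.Sub(old.At) <= e.cfg.Window {
			kept = append(kept, old)
			score += e.cfg.Weights[old.Type]
			if old.Type == ev.Type {
				sameType++
			}
		}
	}
	e.events[ev.IP] = append(kept, ev)
	if thr, ok := e.cfg.Thresholds[ev.Type]; !(ok && sameType >= thr) && score < e.cfg.BanScore {
		return Recorded
	}
	if e.cfg.DetectOnly {
		return WouldBan // monitor mode: report what would have been banned
	}
	e.banned[ev.IP] = true
	return Ban
}

// IsBanned reports whether Process has banned ip.
func (e *Engine) IsBanned(ip string) bool { return e.banned[ip] }

// T0 anchors the constructed timeline. SampleEvents is a constructed stream: a chained injection
// attack, a scanner, a WordPress brute force on a non-WordPress host, and hits already past the window.
var T0 = time.Date(2026, 4, 1, 12, 0, 0, 0, time.UTC)

func SampleEvents() []Event {
	s, m, wp := time.Second, time.Minute, "wp_bruteforce"
	return []Event{
		{"203.0.113.7", "sqli", T0}, {"203.0.113.7", "rce", T0.Add(s)}, {"203.0.113.7", "path_traversal", T0.Add(2 * s)},
		{"198.51.100.9", "scanner_detected", T0}, {"198.51.100.9", "scanner_detected", T0.Add(5 * s)},
		{"198.51.100.9", "scanner_detected", T0.Add(9 * s)},
		{"192.0.2.5", wp, T0}, {"192.0.2.5", wp, T0.Add(s)}, {"192.0.2.5", wp, T0.Add(2 * s)},
		{"192.0.2.5", wp, T0.Add(3 * s)}, {"192.0.2.5", wp, T0.Add(4 * s)},
		{"203.0.113.200", "sqli", T0.Add(-30 * m)}, {"203.0.113.200", "sqli", T0.Add(-29 * m)},
		{"203.0.113.200", "path_traversal", T0},
	}
}

func main() {
	cfg := DefaultConfig()
	cfg.Disabled["wp_bruteforce"] = true // this host does not run WordPress
	eng := NewEngine(cfg)
	for _, ev := range SampleEvents() {
		fmt.Printf("%-14s %-16s -> %s\n", ev.IP, ev.Type, eng.Process(ev))
	}
}
```

Run as is, the first client is banned on its third hit because the cumulative score crosses `BanScore` even though no single type reached a threshold, while the scanner is banned by the `scanner_detected` threshold alone with a score far below it. The five `wp_bruteforce` hits stay at `recorded` only because that type is disabled for the host; with the unmodified `DefaultConfig` the fifth one trips the threshold, and with `DetectOnly` set the same stream reports `would-ban` without marking anything banned. The last client shows the window: two earlier `sqli` hits no longer count once they are older than `Window`.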
The agent runs as a `systemd` service, Docker container, or Kubernetes DaemonSet.\n\n**Resource usage:** \u003c1% CPU, \u003c30MB RAM on a typical server.\n\n---\n\n## Changelog\n\nSee [CHANGELOG.md](CHANGELOG.md) for the full version history.\n\nRecent highlights:\n\n| Version | Highlight |\n|---|---|\n| v0.9.80+ | Kubernetes DaemonSet support, Helm chart, ingress WAF |\n| v0.9.63 | Docker Swarm global service, Docker secrets |\n| v0.9.62 | Docker labels (`defensia.monitor`, `defensia.log-path`, `defensia.domain`) |\n| v0.9.50+ | Cumulative per-IP WAF scoring engine with configurable weights |\n| v0.9.44 | Dynamic detection rules from dashboard (SSH patterns per server) |\n| v0.9.42 | Monitor mode (detect without blocking) |\n| v0.9.40 | Bot management with allow/log/block policies |\n| v0.9.33 | ipset firewall backend (65K+ ban capacity) |\n| v0.9.27 | Security scanner (30+ hardening checks) |\n| v0.9.20 | Docker container detection and log discovery |\n| v0.9.0 | Initial WAF: 15 OWASP attack types |\n\n---\n\n## Contributing\n\nContributions are welcome. Please [open an issue](https://github.com/defensia/agent/issues) before submitting large changes.\n\n```bash\n# Build\ngo build -o defensia-agent ./cmd/defensia-agent\n\n# Run locally\n./defensia-agent start\n```\n\n---\n\n## Blog\n\n- [I analyzed 250,000 attacks on my Linux servers. 
Here's what I found.](https://dev.to/defensia/i-analyzed-250000-attacks-on-my-linux-servers-heres-what-i-found-20o8) — Real data from 14 production servers: SSH brute force, RCE, env probing, path traversal, and more.\n\n---\n\n## License\n\n[MIT](LICENSE) — use it however you want.\n\n---\n\n\u003cp align=\"center\"\u003e\n  \u003ca href=\"https://defensia.cloud\"\u003edefensia.cloud\u003c/a\u003e · Built for developers who run their own servers\n\u003c/p\u003e\n","funding_links":[],"categories":["Repositories / Tools"],"sub_categories":["Defending"],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdefensia%2Fagent","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fdefensia%2Fagent","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdefensia%2Fagent/lists"}