{"id":44228402,"url":"https://github.com/duggytuxy/syswarden","last_synced_at":"2026-06-06T09:01:46.284Z","repository":{"id":337453069,"uuid":"1153695079","full_name":"duggytuxy/syswarden","owner":"duggytuxy","description":"🐧 SysWarden is an Enterprise-grade Default-Deny Host Intrusion Prevention System (HIPS) designed for critical Linux infrastructure.","archived":false,"fork":false,"pushed_at":"2026-05-30T23:27:04.000Z","size":2365,"stargazers_count":248,"open_issues_count":0,"forks_count":23,"subscribers_count":1,"default_branch":"main","last_synced_at":"2026-05-31T01:18:30.637Z","etag":null,"topics":["abuseipdb-integration","blocklists","cybersecurity-tools","docker-security","fail2ban","firewall","firewall-configuration","firewall-rules","firewalld","ipset-lists","iptables","ipv4-address","linux","malicious-ips","nftables","security-tools","syswarden","ufw","wazuh","wireguard"],"latest_commit_sha":null,"homepage":"https://syswarden.io","language":"Shell","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"gpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/duggytuxy.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":"CONTRIBUTING.md","funding":".github/FUNDING.yml","license":"LICENSE","code_of_conduct":"CODE_OF_CONDUCT.md","threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":"SECURITY.md","support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null},"funding":{"github":null,"patreon":null,"open_collective":null,"ko_fi":"laurentmduggytuxy","tidelift":null,"community_bridge":null,"liberapay":null,"issuehunt":null,"lfx_crowdfunding":null,"polar":null,"buy_me_a_coffee":null,"thanks_dev":null}},"created_at":"2026-02-09T15:37:52.000Z","updated_at":"2026-05-30T23:27:07.000Z","depende
ncies_parsed_at":"2026-04-02T11:02:39.896Z","dependency_job_id":null,"html_url":"https://github.com/duggytuxy/syswarden","commit_stats":null,"previous_names":["duggytuxy/syswarden"],"tags_count":46,"template":false,"template_full_name":null,"purl":"pkg:github/duggytuxy/syswarden","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/duggytuxy%2Fsyswarden","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/duggytuxy%2Fsyswarden/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/duggytuxy%2Fsyswarden/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/duggytuxy%2Fsyswarden/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/duggytuxy","download_url":"https://codeload.github.com/duggytuxy/syswarden/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/duggytuxy%2Fsyswarden/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":33975476,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-05-26T15:22:16.424Z","status":"online","status_checked_at":"2026-06-06T02:00:07.033Z","response_time":107,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["abuseipdb-integration","blocklists","cybersecurity-tools","docker-security","fail2ban","firewall","firewall-configuration","firewall-rules","firewalld","ipset-lists","iptables","ipv4-ad
dress","linux","malicious-ips","nftables","security-tools","syswarden","ufw","wazuh","wireguard"],"created_at":"2026-02-10T06:02:31.391Z","updated_at":"2026-06-06T09:01:46.279Z","avatar_url":"https://github.com/duggytuxy.png","language":"Shell","funding_links":["https://ko-fi.com/laurentmduggytuxy"],"categories":["linux"],"sub_categories":[],"readme":"\u003cp align=\"center\"\u003e\n  \u003ca href=\"https://github.com/duggytuxy/syswarden/actions/workflows/package.yml\"\u003e\n    \u003cimg src=\"https://github.com/duggytuxy/syswarden/actions/workflows/package.yml/badge.svg\" alt=\"SysWarden Builder and Packager\"\u003e\n  \u003c/a\u003e\n  \u003ca href=\"https://github.com/duggytuxy/syswarden/blob/main/LICENSE\"\u003e\n    \u003cimg src=\"https://img.shields.io/github/license/duggytuxy/syswarden?logo=license\" alt=\"GitHub License\"\u003e\n  \u003c/a\u003e\n  \u003cimg src=\"https://img.shields.io/badge/Platform-Linux_Universal-0052cc?logo=linux\" alt=\"Linux Universal\"\u003e\n  \u003cimg src=\"https://img.shields.io/badge/Open%20Source-100%25-brightgreen?logo=opensourceinitiative\" alt=\"Open Source\"\u003e\n  \u003cimg src=\"https://img.shields.io/badge/Compliance-EU_CRA_Ready-003399?logo=shield\u0026logoColor=white\" alt=\"EU CRA Ready\"\u003e\n  \u003cimg src=\"https://img.shields.io/badge/Compliance-ISO27001_Ready-003399?logo=shield\u0026logoColor=white\" alt=\"ISO27001 Ready\"\u003e\n  \u003cimg src=\"https://img.shields.io/badge/Compliance-NIS2_Ready-3DD407?logo=shield\u0026logoColor=white\" alt=\"NIS2 Ready\"\u003e\n\n  \u003cbr\u003e\n\n  \u003ca href=\"https://github.com/duggytuxy/syswarden/actions/workflows/compliance.yml\"\u003e\n    \u003cimg src=\"https://github.com/duggytuxy/syswarden/actions/workflows/compliance.yml/badge.svg\" alt=\"Plumber Compliance\"\u003e\n  \u003c/a\u003e\n  \u003ca href=\"https://github.com/duggytuxy/syswarden/actions/workflows/scorecard.yml\"\u003e\n    \u003cimg 
src=\"https://github.com/duggytuxy/syswarden/actions/workflows/scorecard.yml/badge.svg\" alt=\"OSSF Scorecard Supply Chain Security\"\u003e\n  \u003c/a\u003e\n  \u003ca href=\"https://github.com/duggytuxy/syswarden/actions/workflows/security-audit.yml\"\u003e\n    \u003cimg src=\"https://github.com/duggytuxy/syswarden/actions/workflows/security-audit.yml/badge.svg\" alt=\"SysWarden Security Audit\"\u003e\n  \u003c/a\u003e\n  \u003ca href=\"https://github.com/duggytuxy/syswarden/actions/workflows/dependabot/dependabot-updates\"\u003e\n    \u003cimg src=\"https://github.com/duggytuxy/syswarden/actions/workflows/dependabot/dependabot-updates/badge.svg\" alt=\"Dependabot Updates\"\u003e\n  \u003c/a\u003e\n  \u003cimg src=\"https://img.shields.io/badge/Security-Hardened-darkred?logo=security\" alt=\"Hardened\"\u003e\n  \u003cimg src=\"https://img.shields.io/badge/Status-Production_Ready-blue?logo=status\" alt=\"Production Ready\"\u003e\n\u003c/p\u003e\n\n# SysWarden\n\n**SysWarden** is an Enterprise-grade Hardened Host Intrusion Detection \u0026 Prevention System (HIDS - HIPS) designed for critical Linux infrastructure. It automates part of CIS Level 2 hardening, integrates global Threat Intelligence, and orchestrates dynamic network defense with near-zero performance overhead.\n\nIt acts as a ruthless first line of defense. By fusing dynamic firewall orchestration (`nftables`/`iptables`), global Threat Intelligence ([Data-Shield IPv4](https://github.com/duggytuxy/Data-Shield_IPv4_Blocklist), GeoIP, ASN), a reactive HIPS (optimized Fail2ban), and SIEM alert routing, SysWarden filters out Internet \"background noise\" and neutralizes threats at the network (L2/L3/L4) and application (L7) levels. 
It perfectly complements modern EDR/XDR architectures by drastically reducing their analysis surface and the server's CPU load.\n\n\u003e [!IMPORTANT]\n\u003e Designed for critical infrastructures, SysWarden automates server hardening to accelerate your **ISO 27001, NIS2, and CIS Benchmark** compliance.\n\n## Enterprise-Grade Features\n\n**Core Network Defense (Hardware \u0026 Layer 2/3)**\n* Injects Threat Intelligence directly into the `netdev` table under `nftables` (or `raw PREROUTING` under `iptables`). Malicious packets are destroyed right at the Network Interface Card (NIC), entirely bypassing kernel routing and the `conntrack` module to guarantee zero CPU impact during volumetric DDoS attacks.\n* Automatically blocks hostile countries (GeoIP), known cybercrime hosters, and rogue Autonomous System Numbers (ASN), instantly eliminating 97% of unwanted traffic.\n\n**Stateful \u0026 Protocol Optimization (Layer 3/4)**\n* Implements UFW-grade stateful enforcement by silently destroying late `FIN-ACK`/`RST` packets on expired `conntrack` sessions, and strictly blocking `NEW` connections lacking the `SYN` flag. This absolutely eradicates log pollution and false-positive portscan detections on active service ports, crucial for highly federated and mobile-heavy environments.\n* Modern web protocols are natively supported. 
SysWarden automatically binds and provisions `UDP/443` whenever `TCP/443` is permitted, preventing aggressive QUIC handshake drops at the Zero-Trust Catch-All layer and ensuring seamless HTTP/3 operation behind the firewall.\n\n**Application Security \u0026 Active Response (Layer 7)**\n* Protects 56+ vital services (Docker, Nginx, Databases, CMS) using deeply restructured and hardened Fail2ban \"jails\", ensuring a near-zero memory footprint and deadly accuracy (payload escaping, bypass prevention).\n* Seamlessly integrates [OWASP ModSecurity (v3.0.15)](https://github.com/owasp-modsecurity/ModSecurity) via the `syswarden-waf.sh` component, providing deep HTTP traffic inspection.\n* Natively interfaces with the AbuseIPDB network to proactively report attackers and share telemetry.\n\n**Hardened \u0026 Compliance Architecture**\n* Optional surgical hardening of the kernel (eBPF, ASLR, source routing), memory (core dump limits), SSH, and filesystems. It strictly conforms to CIS Level 2 requirements without breaking modern containerized production stacks.\n* Hides your SSH port and administrative interfaces behind a stealthy WireGuard VPN tunnel, deployed seamlessly.\n* Integrates with `rsyslog` to natively forward only high-value behavioral bans (Layer 7) to your SOC/SIEM (e.g., Wazuh). Intentionally filters out Layer 3 noise to prevent index saturation and control ingestion costs.\n* Securely replicates Threat Intelligence states, whitelists, and configurations to passive nodes via an SSH-encrypted cron job.\n\n**Observability \u0026 Lifecycle Management**\n* Monitor active threats, blocked IPs, and system health via a secure Dashboard TUI and a dedicated CLI interface.\n* The uninstallation routine performs a deep cleanup. 
It safely reverts all CIS Level 2 configurations (sysctl, modprobe, cron permissions), eradicates custom `netdev` and `raw` tables, and instantly restores the OS to its pristine original state without requiring a reboot.\n\n\u003e [!NOTE]\n\u003e **For CISOs and CIOs (Strategic Impact):** This architecture translates zero-trust policies into strict technical controls. By offloading volumetric mitigation to the network edge (L2/L3/L4) and forwarding only high-fidelity Layer 7 behavioral data, SysWarden drastically reduces SIEM ingestion costs, prevents kernel resource exhaustion, and guarantees operational continuity under hostile conditions.\n\n## Hardware-Aware Hardened Architecture\n\n\u003e [!IMPORTANT]\n\u003e SysWarden doesn't just stack firewall rules; it orchestrates the Linux network stack to neutralize threats before they consume your resources:\n\n1. OSINT blocklists, hostile ASNs, and GeoIP filtering are applied at the lowest hardware level (NIC Ingress hook). Packets are destroyed before entering kernel routing or state tracking (`conntrack`), preventing memory exhaustion and guaranteeing zero CPU impact during volumetric attacks.\n2. Prevents log flooding and false-positive portscan detections in highly federated networks (CGNAT). Silently destroys late `FIN-ACK`/`RST` packets on expired `conntrack` sessions, and strictly drops invalid TCP connection noise (e.g., `NEW` packets lacking the `SYN` flag).\n3. Legitimate established connections, dynamic container traffic (e.g., `DOCKER-USER` chain), and Web Protocol Datagrams (HTTP/3 QUIC mapped to UDP/443) are prioritized. This stateful bypass guarantees zero latency for your production application traffic.\n4. The active defense layer analyzes application logs (via `systemd` journald) in real time. Any behavioral anomaly (brute-force, SQLi, LFI) triggers a surgical \"AllPorts\" ban that dynamically synchronizes the IP with the hardware drop tables.\n5. The attack surface is hermetically sealed. 
Any incoming traffic not explicitly authorized by the administrator or the automatic service discovery engine is silently dropped, enforcing a strict Hardened doctrine.\n\n## Supported Operating Systems \u0026 Firewall Backends\n\nSysWarden dynamically adapts to the native firewall orchestration engines of modern enterprise Linux distributions. The architecture relies on deep `systemd` integration and natively binds to the following ecosystems:\n\n| Operating System | Native Firewall Engine(s) Supported | Status |\n| :--- | :--- | :--- |\n| **Debian 13 (Trixie)** | `nftables`, `iptables` | Enterprise Ready |\n| **Debian 12 (Bookworm)** | `nftables`, `iptables` | Enterprise Ready |\n| **Ubuntu 24.04+** | `ufw`, `nftables`, `iptables` | Enterprise Ready |\n| **RHEL 9+** | `firewalld`, `nftables`, `iptables` | Enterprise Ready |\n| **Rocky Linux 9+** | `firewalld`, `nftables`, `iptables` | Enterprise Ready |\n| **AlmaLinux 9+** | `firewalld`, `nftables`, `iptables` | Enterprise Ready |\n| **Oracle Linux 10+** | `firewalld`, `nftables`, `iptables` | Enterprise Ready |\n| **CentOS Stream 9+** | `firewalld`, `nftables`, `iptables` | Enterprise Ready |\n| **Fedora 40+** | `firewalld`, `nftables`, `iptables` | Production Ready |\n\n## The \"Fortress\" Dashboard (TUI \u0026 CLI)\n\n\u003e [!NOTE]\n\u003e SysWarden provides unified terminal-based observability and alerting, ensuring total situational awareness without the bloat of a complex database (like ELK or InfluxDB) or exposing vulnerable web ports.\n\n**Interactive TUI Dashboard**\n* Track L7 behavioral bans in real time directly from your console.\n* Visualize top OSINT offenders, blocked ASNs, and GeoIP interception stats, leveraging a secure, localized `data.json` engine.\n* Monitor the near-zero memory footprint of the underlying firewall engine.\n* *(Fully integrated within the terminal to maintain a strict zero-trust attack surface without exposing port 9999).*\n\n**Orchestration, Alerting \u0026 Interactive 
CLI**\n* Securely dispatch Layer 7 IP ban events directly to **Discord** or **Microsoft Teams**. Engineered with strict transport security (HTTPS/TLS 1.2+ enforced) and payload sanitization to prevent SSRF or command injection attacks.\n* Manage your infrastructure directly from the shell via `syswarden-manager` (instant visibility into blocks, whitelists, and rule idempotency).\n* The deployment process provides precise, color-coded visual feedback on OS hardening, SIEM integration, Webhook provisioning, and the successful application of Hardened policies.\n\n## Strategic Roadmap\n\n\u003e [!NOTE]\n\u003e The development lifecycle of SysWarden follows a strict DevSecOps pipeline aimed at reinforcing the observability and interoperability of the Hardened architecture.\n\n| Version | Milestone Target | Status |\n| :---: | :--- | :---: |\n| **v0.50.** | L7 - IPv4 Blocked to New Blocklist L2/L3 | ✅ |\n| **v0.60.** | ... | ❓ |\n| **v0.70.** | ... | ❓ |\n| **v0.80.** | ... | ❓ |\n| **v0.90.** | ... | ❓ |\n| **v1.00.** | ... | 🙈 |\n\n## Installation Guide\n\nSysWarden is distributed as a pre-compiled, self-contained shell script. All complex modules are bundled into a single deployment artifact.\n\nTwo installation methods are supported: a standard interactive mode, and an \"Enterprise Hardened\" mode for environments requiring strict supply chain validation.\n\n### 1. Quick Installation (Standard)\n\n\u003e [!IMPORTANT]\n\u003e Supported OS: *Debian 12+, Ubuntu 24.04+, RHEL 9+, Oracle Linux 10+, Fedora 43+, CentOS Stream, AlmaLinux 10+ \u0026 Rocky Linux 9+*.\n\n```bash\n# Clone the repository and enter the directory (as root)\ncd /usr/local/bin\ngit clone https://github.com/duggytuxy/syswarden.git\ncd syswarden || exit\n\n# Make the builder executable and compile the artifact\nchmod +x build.sh\n./build.sh\n\n# Navigate to the distribution folder and execute the installation\ncd dist/ || exit\n./install-syswarden.sh\n```\n\n### 2. 
Quick Installation (Package .deb \u0026 .rpm)\n\n```bash\n# Download the appropriate package for your distribution and its associated checksum file from the release assets\n# Debian/Ubuntu package\nwget https://github.com/duggytuxy/syswarden/releases/download/\u003cversion\u003e/*.deb\n# or RHEL-family package\nwget https://github.com/duggytuxy/syswarden/releases/download/\u003cversion\u003e/*.rpm\n# and the SHA256SUMS checksum file\nwget https://github.com/duggytuxy/syswarden/releases/download/\u003cversion\u003e/*.txt\n\n# Verify Integrity\nsha256sum -c SHA256SUMS.txt --ignore-missing\n\n# For Debian/Ubuntu systems\napt-get install -y ./syswarden_\u003cversion\u003e_all.deb\n\n## Review or modify the auto-configuration file if needed before execution and install the solution\nnano /opt/syswarden/syswarden-auto.conf\nsyswarden /opt/syswarden/syswarden-auto.conf\n\n# For RHEL/AlmaLinux/Rocky systems\ndnf install -y ./syswarden-\u003cversion\u003e-1.noarch.rpm\n\n## Review or modify the auto-configuration file if needed before execution and install the solution\nnano /opt/syswarden/syswarden-auto.conf\nsyswarden /opt/syswarden/syswarden-auto.conf\n```\n\n### 3. Enterprise Installation (Hardened / SLSA Level 3)\n\nSysWarden releases are cryptographically signed using GitHub Artifact Attestations to guarantee supply chain integrity. For environments compliant with ISO 27001 or NIS2, it is imperative to verify the script's provenance before execution.\n\n```bash\n# 1. Download the release bundle\ncd /usr/local/bin\nwget https://github.com/duggytuxy/syswarden/releases/latest/download/syswarden-release.tar.gz\n\n# 2. Verify the cryptographic attestation using the official GitHub CLI\ngh attestation verify syswarden-release.tar.gz --owner duggytuxy\n\n# 3. If the verification is successful (exit code 0), extract and run\ntar -xzf syswarden-release.tar.gz\nchmod +x install-syswarden.sh\n./install-syswarden.sh\n```\n\n### 4. 
Automated / Headless Deployment (CI/CD)\n\nSysWarden can be deployed without any human interaction using a configuration file, ideal for Ansible, Terraform, or Cloud-init pipelines.\n\n```bash\n# Copy the configuration template to the distribution directory\ncp syswarden-auto.conf dist/\n\n# Navigate to the distribution directory\ncd dist/ || exit\n\n# Secure the configuration file permissions (modify if needed)\nchmod 600 syswarden-auto.conf\n\n# Execute the silent installation with root privileges\n./install-syswarden.sh syswarden-auto.conf\n```\n\n### 5. Quick uninstall (root)\n\nProperly uninstalls SysWarden while preserving your original, legitimate network settings.\n\n```bash\n./install-syswarden.sh uninstall\n```\n\n## Documentation\n\nTo learn everything about the SysWarden ecosystem, explore detailed configurations, and read advanced usage guides, visit our [official documentation page](https://github.com/duggytuxy/syswarden/wiki/Deployment-Tutorial).\n\n## Target and support\n\n\u003e Goal: €5,000/year to fund continuous DevSecOps improvements and infrastructure.\n\nDeveloping **SysWarden** and maintaining the zero-false-positive **Data-Shield IPv4 blocklists** requires dedicated server infrastructure and non-stop threat monitoring.\n\nReaching this annual goal guarantees my 100% independence, funding a continuous development cycle without corporate constraints. Your support directly pays for the servers and keeps these enterprise-grade cybersecurity tools free, updated, and accessible to everyone.\n\nLet's build a safer internet together!\n\n[![Support on Ko-Fi](https://ko-fi.com/img/githubbutton_sm.svg)](https://ko-fi.com/laurentmduggytuxy)\n\n## License\n\nSysWarden is free and open-source software distributed under the **GNU General Public License v3.0 (GPLv3)**.\n\nYou are free to use, modify, and distribute this software in compliance with the license terms. 
See the [LICENSE](/LICENSE) file for more details.\n\n*Developed and maintained by DuggyTuxy (Laurent M.).*\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fduggytuxy%2Fsyswarden","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fduggytuxy%2Fsyswarden","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fduggytuxy%2Fsyswarden/lists"}