{"id":34718009,"url":"https://github.com/itcmsgr/nftban","last_synced_at":"2026-06-13T14:01:23.124Z","repository":{"id":316465424,"uuid":"1048658073","full_name":"itcmsgr/nftban","owner":"itcmsgr","description":"NFTBan is an open-source Linux Intrusion Prevention System (IPS) and firewall manager built on nftables, designed to integrate cleanly with modern Linux security stacks.","archived":false,"fork":false,"pushed_at":"2026-06-08T10:22:00.000Z","size":33681,"stargazers_count":5,"open_issues_count":7,"forks_count":0,"subscribers_count":0,"default_branch":"main","last_synced_at":"2026-06-08T10:23:54.596Z","etag":null,"topics":["ai-security","almalinux","centos","debian","fail2ban","firewall","firewall-management","intrusion-prevention","ips","linux","nftables","red-hat","rocky","rocky-linux","rockylinux","security","suricata","ubuntu","zabbix"],"latest_commit_sha":null,"homepage":"https://nftban.com","language":"Shell","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mpl-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/itcmsgr.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":".github/CODE_OF_CONDUCT.md","threat_model":null,"audit":null,"citation":null,"codeowners":".github/CODEOWNERS","security":"SECURITY.md","support":".github/SUPPORT.md","governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":"NOTICE.md","maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2025-09-01T20:06:56.000Z","updated_at":"2026-06-08T10:20:52.000Z","dependencies_parsed_at":"2026-04-02T11:04:42.743Z","dependency_job_id":null,"html_url":"https://github.com/itcmsgr/nftban","commit_stats":null,"previous_names":["itcmsgr/nftban"],"tags_count":426,"template":false,"template_full_name":null,"purl":"pkg:gi
thub/itcmsgr/nftban","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/itcmsgr%2Fnftban","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/itcmsgr%2Fnftban/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/itcmsgr%2Fnftban/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/itcmsgr%2Fnftban/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/itcmsgr","download_url":"https://codeload.github.com/itcmsgr/nftban/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/itcmsgr%2Fnftban/sbom","scorecard":{"id":1243554,"data":{"date":"2026-02-18T12:34:55Z","repo":{"name":"github.com/itcmsgr/nftban","commit":"657cb07ca98253fc673bbaa4977d5cddfd59c36c"},"scorecard":{"version":"v5.0.0","commit":"ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4"},"score":7.1,"checks":[{"name":"Binary-Artifacts","score":10,"reason":"no binaries found in the repo","details":null,"documentation":{"short":"Determines if the project has generated executable (binary) artifacts in the source repository.","url":"https://github.com/ossf/scorecard/blob/ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4/docs/checks.md#binary-artifacts"}},{"name":"Branch-Protection","score":3,"reason":"branch protection is not maximal on development and all release branches","details":["Info: 'allow deletion' disabled on branch 'main'","Info: 'force pushes' disabled on branch 'main'","Info: 'branch protection settings apply to administrators' is required to merge on branch 'main'","Warn: branch 'main' does not require approvers","Warn: codeowners review is not required on branch 'main'","Info: status check found to merge onto on branch 'main'","Warn: PRs are not required to make changes on branch 'main'; or we don't have data to detect it.If you think it might be the latter, make sure to run Scorecard with a PAT or use Repo Rules (that are always public) instead of 
Branch Protection settings"],"documentation":{"short":"Determines if the default and release branches are protected with GitHub's branch protection settings.","url":"https://github.com/ossf/scorecard/blob/ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4/docs/checks.md#branch-protection"}},{"name":"CI-Tests","score":10,"reason":"9 out of 9 merged PRs checked by a CI test -- score normalized to 10","details":null,"documentation":{"short":"Determines if the project runs tests before pull requests are merged.","url":"https://github.com/ossf/scorecard/blob/ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4/docs/checks.md#ci-tests"}},{"name":"CII-Best-Practices","score":5,"reason":"badge detected: Passing","details":null,"documentation":{"short":"Determines if the project has an OpenSSF (formerly CII) Best Practices Badge.","url":"https://github.com/ossf/scorecard/blob/ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4/docs/checks.md#cii-best-practices"}},{"name":"Code-Review","score":0,"reason":"Found 0/15 approved changesets -- score normalized to 0","details":null,"documentation":{"short":"Determines if the project requires human code review before pull requests (aka merge requests) are merged.","url":"https://github.com/ossf/scorecard/blob/ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4/docs/checks.md#code-review"}},{"name":"Contributors","score":3,"reason":"project has 1 contributing companies or organizations -- score normalized to 3","details":["Info: itcms contributor org/company found, "],"documentation":{"short":"Determines if the project has a set of contributors from multiple organizations (e.g., companies).","url":"https://github.com/ossf/scorecard/blob/ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4/docs/checks.md#contributors"}},{"name":"Dangerous-Workflow","score":10,"reason":"no dangerous workflow patterns detected","details":null,"documentation":{"short":"Determines if the project's GitHub Action workflows avoid dangerous 
patterns.","url":"https://github.com/ossf/scorecard/blob/ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4/docs/checks.md#dangerous-workflow"}},{"name":"Dependency-Update-Tool","score":10,"reason":"update tool detected","details":["Info: detected update tool: Dependabot: .github/dependabot.yml:1"],"documentation":{"short":"Determines if the project uses a dependency update tool.","url":"https://github.com/ossf/scorecard/blob/ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4/docs/checks.md#dependency-update-tool"}},{"name":"Fuzzing","score":10,"reason":"project is fuzzed","details":["Info: GoBuiltInFuzzer integration found: pkg/parser/fuzz_test.go:463","Info: GoBuiltInFuzzer integration found: pkg/parser/fuzz_test.go:463","Info: GoBuiltInFuzzer integration found: pkg/parser/fuzz_test.go:463","Info: GoBuiltInFuzzer integration found: pkg/parser/fuzz_test.go:463","Info: GoBuiltInFuzzer integration found: pkg/parser/fuzz_test.go:463","Info: GoBuiltInFuzzer integration found: pkg/parser/fuzz_test.go:463","Info: GoBuiltInFuzzer integration found: pkg/parser/fuzz_test.go:463","Info: GoBuiltInFuzzer integration found: pkg/parser/fuzz_test.go:463","Info: GoBuiltInFuzzer integration found: pkg/parser/fuzz_test.go:463","Info: GoBuiltInFuzzer integration found: pkg/parser/fuzz_test.go:463","Info: GoBuiltInFuzzer integration found: pkg/parser/fuzz_test.go:463","Info: GoBuiltInFuzzer integration found: pkg/parser/fuzz_test.go:463","Info: GoBuiltInFuzzer integration found: pkg/parser/fuzz_test.go:463","Info: GoBuiltInFuzzer integration found: pkg/parser/fuzz_test.go:463","Info: GoBuiltInFuzzer integration found: pkg/parser/fuzz_test.go:463"],"documentation":{"short":"Determines if the project uses fuzzing.","url":"https://github.com/ossf/scorecard/blob/ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4/docs/checks.md#fuzzing"}},{"name":"License","score":10,"reason":"license file detected","details":["Info: project has a license file: LICENSE:0","Info: FSF or OSI recognized license: Mozilla Public License 
2.0: LICENSE:0"],"documentation":{"short":"Determines if the project has defined a license.","url":"https://github.com/ossf/scorecard/blob/ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4/docs/checks.md#license"}},{"name":"Maintained","score":10,"reason":"30 commit(s) and 14 issue activity found in the last 90 days -- score normalized to 10","details":null,"documentation":{"short":"Determines if the project is \"actively maintained\".","url":"https://github.com/ossf/scorecard/blob/ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4/docs/checks.md#maintained"}},{"name":"Packaging","score":10,"reason":"packaging workflow detected","details":["Info: Project packages its releases by way of GitHub Actions.: .github/workflows/docker.yml:29"],"documentation":{"short":"Determines if the project is published as a package that others can easily download, install, easily update, and uninstall.","url":"https://github.com/ossf/scorecard/blob/ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4/docs/checks.md#packaging"}},{"name":"Pinned-Dependencies","score":8,"reason":"dependency not pinned by hash detected -- score normalized to 8","details":["Warn: pipCommand not pinned by hash: cli/lib/nftban/cli/cmd_suricata_setup.sh:127","Warn: pipCommand not pinned by hash: cli/lib/nftban/setup/install_suricata.sh:298","Warn: goCommand not pinned by hash: install/download-binaries.sh:192","Warn: pipCommand not pinned by hash: .github/workflows/ci.yml:276","Warn: npmCommand not pinned by hash: .github/workflows/project-health.yml:50","Info:  68 out of  68 GitHub-owned GitHubAction dependencies pinned","Info:  13 out of  13 third-party GitHubAction dependencies pinned","Info:   2 out of   2 containerImage dependencies pinned","Info:  13 out of  14 goCommand dependencies pinned","Info:   0 out of   3 pipCommand dependencies pinned","Info:   0 out of   1 npmCommand dependencies pinned"],"documentation":{"short":"Determines if the project has declared and pinned the dependencies of its build 
process.","url":"https://github.com/ossf/scorecard/blob/ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4/docs/checks.md#pinned-dependencies"}},{"name":"SAST","score":10,"reason":"SAST tool is run on all commits","details":["Info: SAST configuration detected: CodeQL","Info: all commits (23) are checked with a SAST tool"],"documentation":{"short":"Determines if the project uses static code analysis.","url":"https://github.com/ossf/scorecard/blob/ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4/docs/checks.md#sast"}},{"name":"Security-Policy","score":10,"reason":"security policy file detected","details":["Info: security policy file detected: SECURITY.md:1","Info: Found linked content: SECURITY.md:1","Info: Found disclosure, vulnerability, and/or timelines in security policy: SECURITY.md:1","Info: Found text in security policy: SECURITY.md:1"],"documentation":{"short":"Determines if the project has published a security policy.","url":"https://github.com/ossf/scorecard/blob/ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4/docs/checks.md#security-policy"}},{"name":"Signed-Releases","score":4,"reason":"2 out of the last 5 releases have a total of 2 signed artifacts.","details":["Warn: release artifact v1.15.1 not signed: https://api.github.com/repos/itcmsgr/nftban/releases/286573741","Warn: release artifact v1.15.0 not signed: https://api.github.com/repos/itcmsgr/nftban/releases/286426724","Warn: release artifact v1.14.1 not signed: https://api.github.com/repos/itcmsgr/nftban/releases/286371726","Info: provenance for release artifact: nftban-core-linux-amd64.intoto.jsonl: https://api.github.com/repos/itcmsgr/nftban/releases/assets/357794562","Info: provenance for release artifact: nftban-core-linux-amd64.intoto.jsonl: https://api.github.com/repos/itcmsgr/nftban/releases/assets/357534305","Warn: release artifact v1.15.1 does not have provenance: https://api.github.com/repos/itcmsgr/nftban/releases/286573741","Warn: release artifact v1.15.0 does not have provenance: 
https://api.github.com/repos/itcmsgr/nftban/releases/286426724","Warn: release artifact v1.14.1 does not have provenance: https://api.github.com/repos/itcmsgr/nftban/releases/286371726"],"documentation":{"short":"Determines if the project cryptographically signs release artifacts.","url":"https://github.com/ossf/scorecard/blob/ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4/docs/checks.md#signed-releases"}},{"name":"Token-Permissions","score":0,"reason":"detected GitHub workflow tokens with excessive permissions","details":["Warn: jobLevel 'contents' permission set to 'write': .github/workflows/build-packages.yml:475","Warn: jobLevel 'contents' permission set to 'write': .github/workflows/project-health.yml:23","Warn: jobLevel 'security-events' permission set to 'write': .github/workflows/project-health.yml:24","Warn: jobLevel 'contents' permission set to 'write': .github/workflows/release.yml:210","Info: jobLevel 'contents' permission set to 'read': .github/workflows/scorecard.yml:38","Info: jobLevel 'actions' permission set to 'read': .github/workflows/scorecard.yml:39","Info: jobLevel 'actions' permission set to 'read': .github/workflows/slsa-go-releaser.yml:83","Info: jobLevel 'actions' permission set to 'read': .github/workflows/slsa-go-releaser.yml:102","Info: topLevel permissions set to 'read-all': .github/workflows/build-packages.yml:24","Info: topLevel 'contents' permission set to 'read': .github/workflows/ci.yml:31","Warn: topLevel 'security-events' permission set to 'write': .github/workflows/codeql.yml:31","Info: topLevel 'contents' permission set to 'read': .github/workflows/codeql.yml:32","Info: topLevel 'actions' permission set to 'read': .github/workflows/codeql.yml:33","Info: topLevel 'contents' permission set to 'read': .github/workflows/dependency-review.yml:22","Info: topLevel 'contents' permission set to 'read': .github/workflows/docker.yml:21","Warn: topLevel 'packages' permission set to 'write': .github/workflows/docker.yml:22","Info: topLevel 
'contents' permission set to 'read': .github/workflows/docs.yml:33","Info: topLevel permissions set to 'read-all': .github/workflows/fuzz.yml:32","Warn: topLevel 'security-events' permission set to 'write': .github/workflows/gitleaks.yml:20","Info: topLevel 'contents' permission set to 'read': .github/workflows/gitleaks.yml:19","Info: topLevel 'contents' permission set to 'read': .github/workflows/project-health.yml:17","Info: topLevel 'contents' permission set to 'read': .github/workflows/release.yml:32","Info: topLevel permissions set to 'read-all': .github/workflows/scorecard.yml:25","Info: topLevel 'contents' permission set to 'read': .github/workflows/secure-go.yml:18","Warn: topLevel 'security-events' permission set to 'write': .github/workflows/secure-go.yml:19","Info: topLevel 'actions' permission set to 'read': .github/workflows/secure-go.yml:20","Warn: topLevel 'security-events' permission set to 'write': .github/workflows/semgrep.yml:31","Info: topLevel 'contents' permission set to 'read': .github/workflows/semgrep.yml:32","Info: topLevel permissions set to 'read-all': .github/workflows/shellcheck.yml:24","Info: topLevel 'contents' permission set to 'read': .github/workflows/slsa-go-releaser.yml:48","Info: topLevel 'actions' permission set to 'read': .github/workflows/slsa-go-releaser.yml:49"],"documentation":{"short":"Determines if the project's workflows follow the principle of least privilege.","url":"https://github.com/ossf/scorecard/blob/ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4/docs/checks.md#token-permissions"}},{"name":"Vulnerabilities","score":8,"reason":"2 existing vulnerabilities detected","details":["Warn: Project is vulnerable to: GO-2026-4440","Warn: Project is vulnerable to: GO-2026-4441"],"documentation":{"short":"Determines if the project has open, known unfixed 
vulnerabilities.","url":"https://github.com/ossf/scorecard/blob/ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4/docs/checks.md#vulnerabilities"}}]},"last_synced_at":"2026-02-18T12:40:35.020Z","repository_id":316465424,"created_at":"2026-02-18T12:40:35.020Z","updated_at":"2026-02-18T12:40:35.020Z"},"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":34286976,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-05-26T15:22:16.424Z","status":"online","status_checked_at":"2026-06-13T02:00:06.617Z","response_time":62,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["ai-security","almalinux","centos","debian","fail2ban","firewall","firewall-management","intrusion-prevention","ips","linux","nftables","red-hat","rocky","rocky-linux","rockylinux","security","suricata","ubuntu","zabbix"],"created_at":"2025-12-25T01:20:21.756Z","updated_at":"2026-06-13T14:01:23.100Z","avatar_url":"https://github.com/itcmsgr.png","language":"Shell","funding_links":[],"categories":[],"sub_categories":[],"readme":"# NFTBan\n\n**Linux Intrusion Prevention System \u0026 nftables Firewall Manager**\n\n[![Version](https://img.shields.io/github/v/tag/itcmsgr/nftban?label=version\u0026sort=semver\u0026color=blue)](https://github.com/itcmsgr/nftban/releases)\n[![License: MPL 
2.0](https://img.shields.io/badge/License-MPL%202.0-brightgreen.svg)](https://opensource.org/licenses/MPL-2.0)\n[![Go](https://img.shields.io/badge/Go-1.25-00ADD8.svg)](https://go.dev/)\n[![FHS Compliant](https://img.shields.io/badge/FHS-Compliant-success)]()\n\n### CI/CD Status\n\n[![Shell Quality](https://github.com/itcmsgr/nftban/actions/workflows/ci-bash.yml/badge.svg)](https://github.com/itcmsgr/nftban/actions/workflows/ci-bash.yml)\n[![Go Quality](https://github.com/itcmsgr/nftban/actions/workflows/ci-go.yml/badge.svg)](https://github.com/itcmsgr/nftban/actions/workflows/ci-go.yml)\n[![Architecture](https://github.com/itcmsgr/nftban/actions/workflows/ci-architecture.yml/badge.svg)](https://github.com/itcmsgr/nftban/actions/workflows/ci-architecture.yml)\n[![Build Packages](https://github.com/itcmsgr/nftban/actions/workflows/build-packages.yml/badge.svg)](https://github.com/itcmsgr/nftban/actions/workflows/build-packages.yml)\n[![Release](https://github.com/itcmsgr/nftban/actions/workflows/release.yml/badge.svg)](https://github.com/itcmsgr/nftban/actions/workflows/release.yml)\n\n### Security \u0026 Supply Chain\n\n[![SLSA 3](https://slsa.dev/images/gh-badge-level3.svg)](https://slsa.dev)\n[![OpenSSF Scorecard](https://img.shields.io/ossf-scorecard/github.com/itcmsgr/nftban?label=OpenSSF%20Scorecard)](https://securityscorecards.dev/viewer/?uri=github.com/itcmsgr/nftban)\n[![OpenSSF Best 
Practices](https://www.bestpractices.dev/projects/11959/badge)](https://www.bestpractices.dev/projects/11959)\n[![CodeQL](https://github.com/itcmsgr/nftban/actions/workflows/codeql.yml/badge.svg)](https://github.com/itcmsgr/nftban/actions/workflows/codeql.yml)\n[![OSV-Scanner](https://github.com/itcmsgr/nftban/actions/workflows/osv-scanner.yml/badge.svg)](https://github.com/itcmsgr/nftban/actions/workflows/osv-scanner.yml)\n[![gitleaks](https://github.com/itcmsgr/nftban/actions/workflows/gitleaks.yml/badge.svg)](https://github.com/itcmsgr/nftban/actions/workflows/gitleaks.yml)\n\n---\n\nNFTBan is an open-source Linux Intrusion Prevention System (IPS) and firewall\nmanager built on nftables, designed to integrate cleanly with modern Linux\nsecurity stacks.\n\nAll packet decisions (accept, drop, bypass) are enforced in the nftables kernel.\nThe Go daemon writes to kernel sets. The Go validator derives health from kernel\nstate. The CLI presents kernel-derived truth.\n\n### What NFTBan Provides\n\n- nftables-native enforcement with kernel-managed timeouts\n- Threat feed ingestion with CIDR aggregation\n- Country blocking via GeoIP (DB-IP Lite default)\n- Login brute-force detection across SSH, mail, FTP, panel services\n- Port scan detection (classic + Suricata modes)\n- L3/L4 rate limiting and connection limits\n- Set-driven SSH brute-force connection-rate-limit (`tcp dport @ssh_ports ct count`) — follows every detected sshd listener port across IPv4/IPv6\n- HTTP bot classification with 6 dedicated kernel sets\n- Optional Suricata DPI integration (EVE JSON)\n- 4-axis health model with kernel-derived truth validator\n- Atomic nftables schema rebuild (validate before load)\n- 5-phase installer with emergency SSH table\n\n---\n\n## Truth Authority\n\n| Priority | Component | Role |\n|---|---|---|\n| 1 | **Kernel** (`nft list ruleset`) | What is actually enforcing |\n| 2 | **Validator** (`nftban-validate`) | Derives health from kernel evidence |\n| 3 | **CLI** (`nftban`) 
| Presents validator output to operator |\n| 4 | **Config** (`/etc/nftban/`) | Operator intent (not runtime truth) |\n\nWhen sources disagree, kernel wins.\n\n---\n\n## Evidence Model\n\nNFTBan derives protection state from kernel-observable evidence:\n\n| Evidence | Meaning | Strength |\n|---|---|---|\n| Counter \u003e 0 | Packet processing observed | Strong |\n| Set membership \u003e 0 | State present in kernel | Strong |\n| Structure exists | Rules/chains present | Weak (presence only) |\n| Journal event | External event (daemon/logs) | Context-dependent |\n\nInterpretation rules:\n\n- Counter \u003e 0 = positive evidence of enforcement\n- Counter = 0 = neutral (not a failure)\n- Structure alone does not imply enforcement\n- Absence of evidence is not evidence of absence\n\n---\n\n## Protection Modules\n\n| Module | Layer | Evidence | Daemon |\n|---|---|---|---|\n| **DDoS Protection** | L3/L4 | 5 dedicated kernel counters | NO |\n| **BotGuard** | L7 HTTP | 6 dedicated kernel sets | YES |\n| **Portscan Detection** | L3/L4 | Structure only (no counter) | NO |\n| **Login Monitoring** | L2 Auth | Journal + shared sets | YES |\n| **Blacklist \u0026 Feeds** | L1 IP | Shared sets + counters | Partial |\n| **Suricata IDS** | L7 DPI | EVE JSON (external) | YES |\n| **DNS Tunnel** | Advisory | DNS analysis (non-blocking) | YES |\n\n---\n\n## Quick Install\n\n\u003e All tiers below are built, released, and install-tested in CI every release. 
Tiers reflect **recommendation/age**, not support level: **Tier 0** = primary/recommended · **Tier 1** = newer releases · **Tier 2** = older LTS still supported.\n\n### Tier 0 — Primary Platforms\n\n#### Ubuntu 24.04 LTS (Noble)\n```bash\nwget https://github.com/itcmsgr/nftban/releases/latest/download/nftban-ubuntu24.04-amd64.deb\nsudo apt install -y ./nftban-ubuntu24.04-amd64.deb\n```\n\n#### Ubuntu 26.04 LTS (Resolute Raccoon)\n```bash\nwget https://github.com/itcmsgr/nftban/releases/latest/download/nftban-ubuntu26.04-amd64.deb\nsudo apt install -y ./nftban-ubuntu26.04-amd64.deb\n```\n\n#### Debian 12 (Bookworm)\n```bash\nwget https://github.com/itcmsgr/nftban/releases/latest/download/nftban-debian12-amd64.deb\nsudo apt install -y ./nftban-debian12-amd64.deb\n```\n\n#### Rocky / AlmaLinux / RHEL 9\n```bash\nwget https://github.com/itcmsgr/nftban/releases/latest/download/nftban-el9-x86_64.rpm\nsudo dnf install -y ./nftban-el9-x86_64.rpm\n```\n\n### Tier 1 — Newer Platforms\n\n#### Debian 13 (Trixie)\n```bash\nwget https://github.com/itcmsgr/nftban/releases/latest/download/nftban-debian13-amd64.deb\nsudo apt install -y ./nftban-debian13-amd64.deb\n```\n\n#### Rocky / AlmaLinux / RHEL 10\n```bash\nwget https://github.com/itcmsgr/nftban/releases/latest/download/nftban-el10-x86_64.rpm\nsudo dnf install -y ./nftban-el10-x86_64.rpm\n```\n\n### Tier 2 — Legacy Platforms\n\n#### Ubuntu 22.04 LTS (Jammy)\n```bash\nwget https://github.com/itcmsgr/nftban/releases/latest/download/nftban-ubuntu22.04-amd64.deb\nsudo apt install -y ./nftban-ubuntu22.04-amd64.deb\n```\n\n---\n\n## Available Packages\n\n### RPM Packages (EL Family)\n\n| Tier | Distribution | Version | Package |\n|------|--------------|---------|---------|\n| 0 | Rocky / Alma / RHEL / CentOS Stream | 9 | [nftban-el9-x86_64.rpm](https://github.com/itcmsgr/nftban/releases/latest/download/nftban-el9-x86_64.rpm) |\n| 1 | Rocky / Alma / RHEL / CentOS Stream | 10 | 
[nftban-el10-x86_64.rpm](https://github.com/itcmsgr/nftban/releases/latest/download/nftban-el10-x86_64.rpm) |\n\n### DEB Packages (Ubuntu + Debian)\n\n| Tier | Distribution | Version | Package |\n|------|--------------|---------|---------|\n| 0 | Ubuntu | 24.04 (Noble) | [nftban-ubuntu24.04-amd64.deb](https://github.com/itcmsgr/nftban/releases/latest/download/nftban-ubuntu24.04-amd64.deb) |\n| 0 | Ubuntu | 26.04 (Resolute Raccoon) | [nftban-ubuntu26.04-amd64.deb](https://github.com/itcmsgr/nftban/releases/latest/download/nftban-ubuntu26.04-amd64.deb) |\n| 0 | Debian | 12 (Bookworm) | [nftban-debian12-amd64.deb](https://github.com/itcmsgr/nftban/releases/latest/download/nftban-debian12-amd64.deb) |\n| 1 | Debian | 13 (Trixie) | [nftban-debian13-amd64.deb](https://github.com/itcmsgr/nftban/releases/latest/download/nftban-debian13-amd64.deb) |\n| 2 | Ubuntu | 22.04 (Jammy) | [nftban-ubuntu22.04-amd64.deb](https://github.com/itcmsgr/nftban/releases/latest/download/nftban-ubuntu22.04-amd64.deb) |\n\n\u003e Packages are distro-specific and FHS compliant. Use the package matching your exact distribution version. See [Supported Platforms](https://github.com/itcmsgr/nftban/wiki/Supported-Platforms) for the full platform contract.\n\n---\n\n## Quick Start\n\n```bash\n# Check system health (kernel-derived truth)\nnftban health\n\n# Check validator output directly\nnftban-validate --json\n\n# Enable modules\nnftban ddos enable\nnftban portscan enable\nnftban botguard enable\nnftban login enable\nnftban geoban enable\n\n# Common operations\nnftban ban 1.2.3.4                       # permanent ban\nnftban ban 1.2.3.4 --timeout 3600        # 1-hour ban (positive integer seconds)\nnftban unban 1.2.3.4\nnftban status\n```\n\n`--timeout` requires a positive integer (seconds) — non-integer / negative /\nzero / fractional / signed / hex / leading-zero values are rejected at parse\ntime with a clear ERROR (since v1.141.0). 
Omit `--timeout` for a permanent ban.\n\n---\n\n## Health States\n\n| State | Meaning | Exit |\n|---|---|---|\n| **PROTECTED** | All axes pass, system capable of enforcement | 0 |\n| **IDLE** | All axes pass, no relevant traffic | 0 |\n| **DEGRADED** | One or more axes fail | 1 |\n| **DOWN** | Critical failure | 2 |\n\n```bash\nnftban health           # 4-axis truth table\nnftban-validate --json  # full validator output\n```\n\n---\n\n## Validator Scope\n\nThe validator is kernel-first and derives truth from observable evidence.\nKernel-resident evidence (counters, sets, chains) is authoritative for\nenforcement state. Some module-specific runtime evidence may come from\nbounded daemon or journal observations where defined by the module contract.\n\nCurrent scope boundaries:\n\n- Portscan: no dedicated kernel counter — enforcement cannot be proven\n- LoginMon: journal-based evidence — may enforce while validator reports IDLE\n- Blacklist: shared counters — per-source attribution not possible from kernel\n\nThe validator reports observable truth, not complete system behavior.\n\n---\n\n## Architecture\n\n```\nKernel (nftables)     ← packet decisions enforced here\n  ↑ reads\nGo validator          ← derives health state\n  ↑ reads\nCLI (nftban)          ← presents to operator\n  ↑ reads\nConfig (/etc/nftban/) ← operator intent\n```\n\n| Component | Type | Purpose |\n|---|---|---|\n| `nftban` | Shell CLI | Operator interface, schema generation |\n| `nftband` | Go daemon | Ban execution, loginmon, BotGuard scoring |\n| `nftban-validate` | Go binary | Read-only kernel truth validator (~1ms) |\n\n---\n\n## Core Invariants\n\nThe following rules define NFTBan behavior:\n\n1. Kernel is the only enforcement authority\n2. Validator derives truth from kernel state\n3. CLI presents validator output only\n4. Configuration expresses intent, not runtime state\n5. 
Shared evidence cannot be used for attribution\n\nThese invariants are enforced by validation logic and CI gates.\n\n---\n\n## Metrics and Observability\n\nThe daemon exposes runtime metrics on `http://127.0.0.1:9580/metrics`\n(localhost only, Prometheus text exposition format). This is the canonical\nruntime metrics surface. As of v1.89, the evidence layer reads all kernel\ndata from the validator — no duplicate nft queries.\n\nThe watchdog subsystem provides adaptive resource control. It monitors\nprocess, Go runtime, and kernel metrics, and adjusts operating mode\n(NORMAL → DEGRADED → SURVIVAL) based on memory and CPU pressure.\nServer profile detection (Small/Medium/Large) automatically tunes memory\nbudgets and CIDR limits based on available RAM.\n\n---\n\n## Go Module Notice\n\nNFTBan is a **system-level firewall product**, not a general-purpose Go library.\n\n### Supported Public Packages\n\n| Package | Purpose |\n|---|---|\n| [`pkg/ipc`](https://pkg.go.dev/github.com/itcmsgr/nftban/pkg/ipc) | IPC client for daemon communication |\n| [`pkg/version`](https://pkg.go.dev/github.com/itcmsgr/nftban/pkg/version) | Version information |\n\nAll packages under `internal/` are implementation details.\n\n---\n\n## Requirements\n\n- **Linux**: Rocky / Alma / RHEL 9–10, Ubuntu 22.04 / 24.04 / **26.04 LTS (Resolute Raccoon)**, Debian 12 / 13\n- **nftables**: 1.0+\n- **Bash**: 4.4+\n- **systemd**: 252+\n- **jq**: JSON processor\n- **Go 1.24+**: For building from source (optional)\n\nUbuntu 26.04 LTS is **Tier-0 (fully supported)** since v1.140.0 — see the\n[Quick Install — Tier 0](#tier-0--primary-platforms) section and the\n[DEB Packages](#deb-packages-ubuntu--debian) table for the install snippet\nand `.deb` URL.\n\n---\n\n## Security\n\nSLSA Level 3 provenance, 9 automated security tools (CodeQL, OSV-Scanner,\ngitleaks, Trivy, gosec, ShellCheck, Semgrep, Fuzz, Dependency Review),\nSBOM with every release, all GitHub Actions SHA-pinned.\n\nSee [SECURITY.md](SECURITY.md) 
for vulnerability reporting and full pipeline details.\n\n---\n\n## Documentation\n\n| Section | Link |\n|---|---|\n| **Wiki Home** | [Complete documentation](https://github.com/itcmsgr/nftban/wiki) |\n| **Architecture** | [System design + truth model](https://github.com/itcmsgr/nftban/wiki/Architecture-Overview) |\n| **Health Model** | [4-axis derivation](https://github.com/itcmsgr/nftban/wiki/Health-Model) |\n| **CLI Reference** | [All commands + trust levels](https://github.com/itcmsgr/nftban/wiki/CLI-Commands-Reference) |\n| **Glossary** | [Canonical terminology](https://github.com/itcmsgr/nftban/wiki/Glossary-and-Vocabulary) |\n| **Known Limitations** | [Validator scope per module](https://github.com/itcmsgr/nftban/wiki/Known-Limitations-and-Validation-Scope) |\n| **Installation** | [Install guide](https://github.com/itcmsgr/nftban/wiki/Installation-Guide) |\n\n---\n\n## License\n\nNFTBan Core is licensed under the **Mozilla Public License 2.0 (MPL-2.0)**.\n\nCopyright (c) 2024-2026 NFTBan Project / Antonios Voulvoulis\n\nMPL-2.0 is file-level copyleft: you may use, modify, and distribute freely.\nModified MPL files must remain open. Your own separate code is unaffected.\n\n| Layer | License |\n|---|---|\n| Core engine | MPL-2.0 |\n| Pro portal | Commercial |\n| Brand assets | All rights reserved |\n\nSee [LICENSE](LICENSE) for full text. \"NFTBan\" is a trademark — forks must use\na different name. 
See [TRADEMARK.md](TRADEMARK.md).\n\n---\n\n\u003cp align=\"center\"\u003e\n  \u003cb\u003eNFTBan — Linux IPS \u0026 nftables Firewall Manager\u003c/b\u003e\u003cbr\u003e\n  \u003ca href=\"https://nftban.com\"\u003enftban.com\u003c/a\u003e |\n  \u003ca href=\"https://github.com/itcmsgr/nftban/issues\"\u003eReport Issue\u003c/a\u003e |\n  \u003ca href=\"https://github.com/itcmsgr/nftban/discussions\"\u003eDiscussions\u003c/a\u003e\n\u003c/p\u003e\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fitcmsgr%2Fnftban","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fitcmsgr%2Fnftban","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fitcmsgr%2Fnftban/lists"}
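The README's Evidence Model, Health States and Validator Scope sections describe a decision rule rather than show one: kernel structure alone is weak evidence, a rule counter or set membership above zero is strong evidence, and a counter of zero is neutral. The following Go program is an added worked example of that rule and is not nftban's validator code. It parses a constructed `nft -j list ruleset` document (the JSON shape is that of nft's `-j` output, the table, set, rule comments and packet counts are made up) against a hypothetical per-module expectation and maps the outcome onto the four README states and their exit codes. The "structure only" portscan case lands on IDLE even though its rule is installed, which is exactly the limitation the Validator Scope section states.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Health mirrors the README's four states and their exit codes.
type Health int

const (
	Protected Health = iota // strong evidence observed: rule counter > 0 or set membership > 0
	Idle                    // everything expected is present, but no evidence of traffic yet
	Degraded                // an expected chain, set or rule is missing from the kernel
	Down                    // the table itself is missing: nothing can be enforcing
)

func (h Health) String() string { return [...]string{"PROTECTED", "IDLE", "DEGRADED", "DOWN"}[h] }
func (h Health) ExitCode() int  { return [...]int{0, 0, 1, 2}[h] }

// Expectation is a hypothetical per-module contract (not nftban's format): what the
// module claims to have installed. Set and RuleComment may be empty for modules
// that have no dedicated kernel set or counter (the README's "structure only" case).
type Expectation struct {
	Table, Chain, Set, RuleComment string
}

// nftObject is one element of the "nftables" array printed by `nft -j list ruleset`.
// Only the keys the evaluator needs are declared; everything else is ignored.
type nftObject struct {
	Table *struct{ Name string }        `json:"table"`
	Chain *struct{ Table, Name string } `json:"chain"`
	Set   *struct {
		Table, Name string
		Elem        []json.RawMessage `json:"elem"`
	} `json:"set"`
	Rule *struct {
		Table, Chain, Comment string
		Expr                  []map[string]json.RawMessage `json:"expr"`
	} `json:"rule"`
}

// Evaluate applies the README's interpretation rules: missing structure is a
// failure, present structure is only weak evidence, a zero counter is neutral.
func Evaluate(rulesetJSON []byte, e Expectation) (Health, error) {
	var rs struct {
		Objects []nftObject `json:"nftables"`
	}
	if err := json.Unmarshal(rulesetJSON, &rs); err != nil {
		return Down, fmt.Errorf("cannot parse ruleset: %w", err)
	}
	var haveTable, haveChain, haveSet, haveRule bool
	var packets uint64
	members := 0
	for _, o := range rs.Objects {
		switch {
		case o.Table != nil && o.Table.Name == e.Table:
			haveTable = true
		case o.Chain != nil && o.Chain.Table == e.Table && o.Chain.Name == e.Chain:
			haveChain = true
		case o.Set != nil && o.Set.Table == e.Table && e.Set != "" && o.Set.Name == e.Set:
			haveSet = true
			members = len(o.Set.Elem) // set membership > 0 is strong evidence per the README
		case o.Rule != nil && o.Rule.Table == e.Table && o.Rule.Chain == e.Chain &&
			e.RuleComment != "" && o.Rule.Comment == e.RuleComment:
			haveRule = true
			for _, ex := range o.Rule.Expr { // sum every counter expression on the rule
				if raw, ok := ex["counter"]; ok {
					var c struct {
						Packets uint64 `json:"packets"`
					}
					if json.Unmarshal(raw, &c) == nil {
						packets += c.Packets
					}
				}
			}
		}
	}
	switch {
	case !haveTable:
		return Down, nil
	case !haveChain || (e.Set != "" && !haveSet) || (e.RuleComment != "" && !haveRule):
		return Degraded, nil
	case packets > 0 || members > 0:
		return Protected, nil
	}
	return Idle, nil // structure present, counter zero: neutral, not a failure
}

// sampleRuleset is a constructed `nft -j list ruleset` document, not captured from a
// real host: one table, a timeout set holding one banned address, a counted
// blacklist drop rule and an uncounted portscan rule.
const sampleRuleset = `{"nftables":[
 {"metainfo":{"version":"1.0.9","json_schema_version":1}},
 {"table":{"family":"inet","name":"nftban","handle":1}},
 {"set":{"family":"inet","name":"blacklist_v4","table":"nftban","type":"ipv4_addr","handle":2,
  "flags":["timeout"],"elem":[{"elem":{"val":"192.0.2.10","expires":3100}}]}},
 {"chain":{"family":"inet","table":"nftban","name":"input","handle":3,"type":"filter","hook":"input","prio":0,"policy":"accept"}},
 {"rule":{"family":"inet","table":"nftban","chain":"input","handle":4,"comment":"nftban-blacklist",
  "expr":[{"match":{"op":"==","left":{"payload":{"protocol":"ip","field":"saddr"}},"right":"@blacklist_v4"}},
          {"counter":{"packets":17,"bytes":1020}},{"drop":null}]}},
 {"rule":{"family":"inet","table":"nftban","chain":"input","handle":5,"comment":"nftban-portscan",
  "expr":[{"match":{"op":"==","left":{"meta":{"key":"l4proto"}},"right":"tcp"}},{"drop":null}]}}
]}`

func main() {
	for _, e := range []Expectation{
		{Table: "nftban", Chain: "input", Set: "blacklist_v4", RuleComment: "nftban-blacklist"},
		{Table: "nftban", Chain: "input", RuleComment: "nftban-portscan"}, // structure only, no counter
		{Table: "nftban", Chain: "forward"},                                // chain never installed
		{Table: "nftban_missing", Chain: "input"},                          // table gone
	} {
		h, err := Evaluate([]byte(sampleRuleset), e)
		fmt.Printf("%-30s %-9s exit=%d err=%v\n", e.Table+"/"+e.Chain+"/"+e.RuleComment, h, h.ExitCode(), err)
	}
}
```

On a live host the input would come from `nft -j list ruleset` (root required); the evaluator deliberately never consults `/etc/nftban/` configuration, matching the README's rule that config is intent and the kernel is truth.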
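The README lists a set-driven SSH brute-force connection limit (`tcp dport @ssh_ports ct count`) that follows every detected sshd listener port across IPv4 and IPv6, and an atomic nftables schema rebuild that validates before it loads. The Go program below is an added example of how those two pieces fit together; it is not nftban's code and the rule is my reconstruction using the nftables dynamic-set connection-limit form, not the project's exact rule. It extracts sshd ports from constructed `ss -ltnp` output, renders a complete ruleset file whose `add table` / `delete table` / redefine sequence is applied by `nft -f` as one transaction (so the old table is replaced atomically and stale set elements cannot survive a port change), and runs `nft -c -f` as a check-only pass before anything is loaded. The table name `nftban_ssh`, the set names, the ceiling of 5 new connections per source and the `ss` sample are all assumptions; the check step needs the `nft` binary and, on a real host, CAP_NET_ADMIN.

```go
package main

import (
	"bufio"
	"fmt"
	"os"
	"os/exec"
	"sort"
	"strconv"
	"strings"
)

// sampleSS is constructed `ss -ltnp` output, not captured from a real host: sshd on
// 22 (IPv4 and IPv6) and on 2222, plus an unrelated nginx listener that must be ignored.
const sampleSS = `State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*         users:(("sshd",pid=812,fd=3))
LISTEN 0      128    [::]:22             [::]:*            users:(("sshd",pid=812,fd=4))
LISTEN 0      128    127.0.0.1:2222      0.0.0.0:*         users:(("sshd",pid=9001,fd=5))
LISTEN 0      4096   0.0.0.0:80          0.0.0.0:*         users:(("nginx",pid=700,fd=6))
`

// SSHDPorts returns the sorted, de-duplicated TCP ports on which a process named
// sshd listens, so one set element covers both the v4 and v6 socket on port 22.
func SSHDPorts(ssOutput string) []int {
	seen := map[int]bool{}
	sc := bufio.NewScanner(strings.NewReader(ssOutput))
	for sc.Scan() {
		f := strings.Fields(sc.Text())
		if len(f) < 6 || !strings.Contains(f[5], `"sshd"`) {
			continue
		}
		addr := f[3] // port follows the last ':' for both 0.0.0.0:22 and [::]:22
		if p, err := strconv.Atoi(addr[strings.LastIndex(addr, ":")+1:]); err == nil && p > 0 && p < 65536 {
			seen[p] = true
		}
	}
	ports := make([]int, 0, len(seen))
	for p := range seen {
		ports = append(ports, p)
	}
	sort.Ints(ports)
	return ports
}

// RenderRuleset produces a file for `nft -f`. `add table` makes the following
// `delete table` succeed on a first run; because nft applies the whole file as
// one batch, the kernel holds either the old table or the new one, never a mix.
func RenderRuleset(ports []int, maxNewConns int) string {
	strs := make([]string, len(ports))
	for i, p := range ports {
		strs[i] = strconv.Itoa(p)
	}
	return fmt.Sprintf(`add table inet nftban_ssh
delete table inet nftban_ssh
table inet nftban_ssh {
	set ssh_ports {
		type inet_service
		elements = { %s }
	}
	set ssh_connlimit_v4 {
		type ipv4_addr
		flags dynamic
		size 65535
	}
	set ssh_connlimit_v6 {
		type ipv6_addr
		flags dynamic
		size 65535
	}
	chain input {
		type filter hook input priority filter; policy accept;
		tcp dport @ssh_ports ct state new add @ssh_connlimit_v4 { ip saddr ct count over %d } counter drop
		tcp dport @ssh_ports ct state new add @ssh_connlimit_v6 { ip6 saddr ct count over %d } counter drop
	}
}
`, strings.Join(strs, ", "), maxNewConns, maxNewConns)
}

// Validate writes the ruleset to a temporary file and asks nft to parse and check
// it (-c: check only, nothing is loaded). Loading is the same command without -c,
// and should only ever run after Validate returned nil.
func Validate(ruleset string) error {
	f, err := os.CreateTemp("", "nftban-ssh-*.nft")
	if err != nil {
		return err
	}
	defer os.Remove(f.Name())
	if _, err := f.WriteString(ruleset); err != nil {
		return err
	}
	f.Close()
	out, err := exec.Command("nft", "-c", "-f", f.Name()).CombinedOutput()
	if err != nil {
		return fmt.Errorf("nft -c rejected ruleset: %v: %s", err, strings.TrimSpace(string(out)))
	}
	return nil
}

func main() {
	rs := RenderRuleset(SSHDPorts(sampleSS), 5)
	fmt.Print(rs)
	if err := Validate(rs); err != nil {
		fmt.Fprintln(os.Stderr, "validation failed, not loading:", err)
		os.Exit(1)
	}
	fmt.Println("ruleset validated; load with: nft -f <file>")
}
```

The detection step is what keeps the limit honest when an operator moves sshd to a non-standard port: the set is regenerated from observed listeners, not from a hard-coded 22, and the rewrite is rejected as a whole if `nft -c` finds a syntax or type error.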