https://github.com/defensia/agent
Lightweight security agent for Linux servers — SSH brute force, WAF, bot detection, Docker/Kubernetes native. Deploy via curl, Docker, Helm.
https://github.com/defensia/agent
bot-detection brute-force container-security daemonset docker firewall go helm helm-chart intrusion-detection kubernetes linux linux-security owasp security server-security ssh waf
Last synced: 13 days ago
JSON representation
Lightweight security agent for Linux servers — SSH brute force, WAF, bot detection, Docker/Kubernetes native. Deploy via curl, Docker, Helm.
- Host: GitHub
- URL: https://github.com/defensia/agent
- Owner: defensia
- License: mit
- Created: 2026-03-10T15:21:16.000Z (about 2 months ago)
- Default Branch: main
- Last Pushed: 2026-04-04T09:49:31.000Z (23 days ago)
- Last Synced: 2026-04-04T11:40:02.975Z (23 days ago)
- Topics: bot-detection, brute-force, container-security, daemonset, docker, firewall, go, helm, helm-chart, intrusion-detection, kubernetes, linux, linux-security, owasp, security, server-security, ssh, waf
- Language: Go
- Homepage: https://defensia.cloud
- Size: 9.05 MB
- Stars: 1
- Watchers: 0
- Forks: 0
- Open Issues: 6
-
Metadata Files:
- Readme: README.md
- Changelog: CHANGELOG.md
- License: LICENSE
- Security: SECURITY.md
Awesome Lists containing this project
- awesome-k8s-security - Defensia - WAF, intrusion detection, and automated blocking for Kubernetes nodes and Linux servers
README
Server security that installs in 30 seconds
Lightweight Go agent that detects attacks in real time and blocks them automatically.
SSH brute force, WAF, bot management, Docker and Kubernetes — zero configuration.
Website ·
Docs ·
Install Guide ·
Pricing ·
Issues
---
## The problem
The average Linux VPS receives its first automated attack **within 4 minutes** of going online. SSH brute force, web exploits, bot scraping, port scans.
Most developers find out when it's already too late — or never.
**fail2ban** blocks after the fact, with no visibility. **CrowdSec** requires complex setup. Enterprise tools cost $20-200+/host.
Defensia fills the gap: **one command to install, real-time dashboard, automatic blocking, €9/server**.
## Quick start
```bash
# Linux (one-liner)
curl -fsSL https://defensia.cloud/install.sh | sudo bash -s -- --token
# Docker
docker run -d --name defensia-agent --restart unless-stopped \
--network host --pid host \
-v /var/log:/var/log:ro \
-v /var/run/docker.sock:/var/run/docker.sock:ro \
-e DEFENSIA_TOKEN= \
ghcr.io/defensia/agent:latest
# Kubernetes (Helm)
helm install defensia-agent \
oci://ghcr.io/defensia/charts/defensia-agent \
--set config.organizationApiKey= \
--namespace defensia-system --create-namespace
```
> **[Get your token at defensia.cloud](https://defensia.cloud)** — free tier includes 1 server with full protection.
---
## Why Defensia
| | fail2ban | CrowdSec | BitNinja | **Defensia** |
|---|:---:|:---:|:---:|:---:|
| Real-time dashboard | — | Paid ($2K+/yr) | Yes | **Yes** |
| One-command install | — | — | cPanel only | **Yes** |
| SSH detection | Yes | Yes | Yes | **Yes (15 patterns)** |
| Web Application Firewall | — | Partial | Yes | **Yes (15 OWASP types)** |
| Bot management | — | — | Yes | **Yes (70+ fingerprints)** |
| Docker container awareness | — | — | — | **Yes** |
| Kubernetes / Helm | — | Yes | — | **Yes (DaemonSet)** |
| Monitor mode (detect only) | — | — | — | **Yes** |
| Works on any Linux | Yes | Yes | cPanel/Plesk | **Yes** |
| Price | Free | Free / $2K+ | €14-52/srv | **€9/srv** |
---
## What it detects
### SSH & brute force
15 detection patterns: failed passwords, invalid users, PAM failures, pre-auth scanning, protocol mismatches, kex negotiation drops. Patterns are synced from the dashboard — enable/disable per server without restarting the agent.
### Web Application Firewall
| Attack type | Score | Mode |
|---|:---:|---|
| RCE / Web shell / Shellshock | +50 | Score-based |
| Scanner UA (sqlmap, nikto, nmap, nuclei...) | +50 | Score-based |
| SQL injection / SSRF / Web exploit | +40 | Score-based |
| Honeypot trap (50+ decoy endpoints) | +40 | Score-based |
| Path traversal / Header injection | +30 | Score-based |
| WordPress brute force | +30 | Threshold (10 req / 2 min) |
| XSS / `.env` probe / XMLRPC | +25 | Score-based |
| Config probing / Scanner pattern | +20 | Score-based |
| 404 flood | +15 | Threshold (30 req / 5 min) |
Each detection adds points to a per-IP score. Scores decay at -5 pts/min. Action levels: **observe** (30) → **throttle** (60) → **block 1h** (80) → **blacklist 24h** (100+). All weights configurable per server.
### Bot management
70+ bot fingerprints (search engines, AI crawlers, SEO tools, scanners). Per-org policies: **allow** / **log** / **block**. Blocked bots are rejected at nginx/Apache level — connection closed before your app is reached.
### Malware scanner
- **Signature scanning** — 24 built-in patterns for webshells, backdoors, crypto miners, phishing kits
- **Hash matching** — 64,000+ known malware hashes from MalwareBazaar and Linux Malware Detect
- **YARA engine** — 229 web-relevant rules (uses yara CLI if installed, optional)
- **Framework detection** — auto-detects Laravel, WordPress, Django, Symfony, CakePHP, CodeIgniter, Node/Express, Rails, Joomla, Drupal
- **Framework security checks** — .env exposure, DEBUG mode, APP_KEY, loose permissions, Telescope, wp-config
- **Heuristic analysis** — Shannon entropy detection, timestamp anomalies in upload directories
- **System integrity** — `dpkg -V` / `rpm -Va` for modified binaries, rootkit indicators (ld.so.preload, hidden processes, /tmp executables)
- **Credential scan** — exposed .env files, SSH key permissions, .git in web root, cloud provider credentials
- **WP database scan** — injected scripts in posts/options, rogue admin users
- **Process detection** — running crypto miners, reverse shells, suspicious scripts from /tmp
- **Security posture score** — 0-100 (A-F grade) with breakdown by category
- **Quarantine** — move malicious files to `/var/lib/defensia/quarantine/` with restore capability
- **Scheduled scans** — configurable frequency, time, and intensity from the dashboard
- **Realtime watcher** — polls upload directories every 30s for new PHP files
- **False positive prevention** — WP core checksums, context-based severity, user allowlist with cross-network herd immunity
### ModSecurity inline WAF
- **Auto-detects** Apache + mod_security2 at startup (standard on cPanel/WHM)
- **14 static rules** — SQL injection, XSS, RCE, SSRF, path traversal, Shellshock, Log4Shell, Spring4Shell, scanner blocking
- **Blocks on first request** — ModSecurity intercepts before traffic reaches your application
- **IP ban rules** — banned IPs synced from dashboard to ModSecurity for HTTP-level blocking
- **Zero config** — automatically writes rules, configures Include, graceful reload (no downtime)
- **No impact** on servers without ModSecurity — falls back to iptables-only blocking
### And more
- **Mail & FTP protection** — Postfix, Dovecot, Pure-FTPD, MySQL brute force detection
- **Docker-aware** — auto-detects web containers, reads logs via bind mounts and volumes
- **GeoIP blocking** — block entire countries from the dashboard
- **Network ban propagation** — ban on one server applies to all your servers
- **Security scanner** — 30+ hardening checks with auto-remediation
- **Vulnerability scanning** — CVE matching via NVD + Exploit-DB, EPSS scoring
- **Monitor mode** — detect threats without blocking (new servers default to this)
- **System metrics** — CPU, memory, disk reported to dashboard
- **cPanel/WHM addon** — native sidebar integration with cPHulk and domlog auto-detection
---
## How it works
```
auth.log / web access logs / Docker logs / K8s ingress logs
│
▼
Log auto-detection
│ nginx -T / apachectl -S / docker inspect / K8s API
│ Resolves bind mounts, volumes, symlinks
▼
Watcher goroutines
│ Detect brute force, SQLi, XSS, SSRF, path traversal, web shells...
▼
Bot Scoring Engine (per-IP, decaying)
│
├─ < 30 pts → observe (log only)
├─ ≥ 30 pts → throttle
├─ ≥ 80 pts → block 1h
└─ ≥ 100 pts → blacklist 24h
│
▼
ipset add defensia-bans
│ Falls back to iptables -I INPUT -s -j DROP
│ ipset: 65K+ IPs · iptables fallback: 500 (FIFO rotation)
│
├──► POST /api/v1/agent/bans → dashboard
└──► WebSocket propagates ban to all your servers
```
The agent **never bans** reserved IPs, your server's own IPs, or the Defensia API endpoint — even if the backend sends a bad rule.
---
## Install
### Linux (recommended)
```bash
curl -fsSL https://defensia.cloud/install.sh | sudo bash -s -- --token
```
**Supported:** Ubuntu 20+, Debian 11+, CentOS 7+, RHEL 8+, Rocky, Alma, Amazon Linux 2023, Fedora
**Requires:** `iptables`, `systemd`, root access · **Recommended:** `ipset` (increases ban capacity to 65K+)
### Docker
```bash
docker run -d --name defensia-agent --restart unless-stopped \
--network host --pid host \
-v /var/log:/var/log:ro \
-v /var/run/docker.sock:/var/run/docker.sock:ro \
-v defensia-config:/etc/defensia \
-e DEFENSIA_TOKEN= \
ghcr.io/defensia/agent:latest
```
**Image:** `ghcr.io/defensia/agent` — multi-arch (amd64 + arm64), ~40MB
Docker Compose
```yaml
services:
defensia-agent:
image: ghcr.io/defensia/agent:latest
container_name: defensia-agent
restart: unless-stopped
privileged: true
network_mode: host
pid: host
environment:
- DEFENSIA_TOKEN=${DEFENSIA_TOKEN}
volumes:
- /var/log:/var/log:ro
- /var/run/docker.sock:/var/run/docker.sock:ro
- defensia-config:/etc/defensia
volumes:
defensia-config:
```
```bash
DEFENSIA_TOKEN= docker compose up -d defensia-agent
```
Docker Swarm (global service)
```bash
# Store token as a Docker secret
echo "" | docker secret create defensia_token -
# Deploy 1 agent per node
docker stack deploy -c docker-compose.swarm.yml defensia
```
See [docker-compose.swarm.yml](docker-compose.swarm.yml) for the full stack definition.
### Kubernetes (Helm)
```bash
helm install defensia-agent \
oci://ghcr.io/defensia/charts/defensia-agent \
--set config.organizationApiKey= \
--set config.serverUrl=https://defensia.cloud \
--namespace defensia-system --create-namespace
```
Deploys a **DaemonSet** — one agent per node (including control-plane). RBAC, tolerations, and resource limits pre-configured.
Custom values.yaml
```yaml
config:
organizationApiKey: "your-org-api-key"
serverUrl: "https://defensia.cloud"
clusterName: "production" # auto-detected if omitted
resources:
limits:
cpu: 100m
memory: 128Mi
requests:
cpu: 50m
memory: 64Mi
tolerations:
- operator: Exists # run on all nodes
```
```bash
helm install defensia-agent \
oci://ghcr.io/defensia/charts/defensia-agent \
-f values.yaml -n defensia-system --create-namespace
```
**Chart:** [Artifact Hub](https://artifacthub.io/packages/helm/defensia/defensia-agent) · Images signed with [Cosign](https://github.com/sigstore/cosign) · Helm chart with GPG provenance
### Uninstall
```bash
curl -fsSL https://defensia.cloud/install.sh | sudo bash -s -- --uninstall
```
---
## Configuration
Per-server WAF configuration
Each attack type can be independently configured from the dashboard (Server → Web Protection). Changes sync within 60 seconds.
- **Enable/disable types** — disable rules irrelevant to your stack (e.g. `wp_bruteforce` on a non-WordPress server)
- **Detect-only mode** — record events without banning
- **Custom thresholds** — override defaults for `wp_bruteforce`, `xmlrpc_abuse`, `scanner_detected`, `404_flood`
- **Custom score weights** — adjust points per detection type
`null` WAF config → all 15 types active with default thresholds (fully backward compatible).
Docker labels
Configure monitoring per container via Docker labels — no agent restart needed:
```yaml
services:
nginx:
image: nginx
labels:
defensia.monitor: "true"
defensia.log-path: "/var/log/nginx/access.log"
defensia.domain: "example.com,api.example.com"
volumes:
- /var/log/nginx:/var/log/nginx
```
| Label | Values | Effect |
|---|---|---|
| `defensia.monitor` | `true` / `false` | Force-include or exclude a container |
| `defensia.log-path` | Host path(s), comma-separated | Explicit log path (skips auto-detection) |
| `defensia.domain` | Domain(s), comma-separated | Associate domain names with logs |
| `defensia.waf` | `true` / `false` | Informational (WAF is controlled from the panel) |
**Priority**: `defensia.log-path` label > `nginx -T` auto-detection > bind-mount scan > `docker logs`.
Manual log path override
If auto-detection doesn't find your logs, set `WEB_LOG_PATH`:
```bash
sudo systemctl edit defensia-agent
```
```ini
[Service]
Environment="WEB_LOG_PATH=/var/log/httpd/access_log,/var/log/nginx/custom.log"
```
```bash
sudo systemctl restart defensia-agent
```
Environment variables
Stored in `/etc/defensia/agent.conf`:
| Variable | Description | Default |
|---|---|---|
| `DEFENSIA_TOKEN` | Agent auth token | *(from registration)* |
| `DEFENSIA_SERVER` | Panel server URL | `https://defensia.cloud` |
| `DEFENSIA_LOG_PATH` | Auth log file path | *(auto-detected)* |
| `DEFENSIA_HEARTBEAT` | Heartbeat interval (seconds) | `30` |
| `DEFENSIA_BAN_THRESHOLD` | Failed attempts before ban | `5` |
| `DEFENSIA_WS_ENABLED` | Enable WebSocket | `true` |
| `DEFENSIA_GEOIP_ENABLED` | Enable GeoIP lookups | `true` |
| `WEB_LOG_PATH` | Override web log paths | *(auto-detected)* |
---
## Troubleshooting
"Peer's Certificate issuer is not recognized" during install
Affects CentOS 7, RHEL 7, and systems with outdated `ca-certificates`:
```bash
curl -sk https://letsencrypt.org/certs/isrgrootx1.pem -o /tmp/isrg.pem
export CURL_CA_BUNDLE=/tmp/isrg.pem
curl -fsSL https://defensia.cloud/install.sh | sudo bash -s -- --token
```
Agent shows 203/EXEC — service fails to start
Binary missing or corrupted. Restore from backup:
```bash
cp /usr/local/bin/defensia-agent.bak /usr/local/bin/defensia-agent
chmod 755 /usr/local/bin/defensia-agent
systemctl reset-failed defensia-agent && systemctl start defensia-agent
```
If `start-limit-hit`:
```bash
systemctl reset-failed defensia-agent
systemctl start defensia-agent
```
WAF not detecting attacks
Check which logs the agent is monitoring:
```bash
journalctl -u defensia-agent | grep webwatcher
```
If no logs found: your web server logs must be accessible on the host. For Docker web servers, bind-mount the log directory:
```yaml
volumes:
- /var/log/nginx:/var/log/nginx
```
More troubleshooting at [defensia.cloud/docs/troubleshooting](https://defensia.cloud/docs/troubleshooting).
---
## Architecture
```
┌─────────────────────────────────────────────────────────┐
│ Defensia Cloud │
│ ┌──────────┐ ┌──────────┐ ┌──────────┐ ┌────────┐ │
│ │ Dashboard │ │ REST API │ │ WebSocket│ │ Threat │ │
│ │ (Vue 3) │ │ (Laravel)│ │ (Reverb) │ │ Intel │ │
│ └──────────┘ └──────────┘ └──────────┘ └────────┘ │
└───────────────────────┬─────────────────────────────────┘
│ HTTPS + WSS
┌───────────────┼───────────────┐
▼ ▼ ▼
┌─────────┐ ┌─────────┐ ┌─────────────┐
│ Agent │ │ Agent │ │ Agent (K8s) │
│ (VPS) │ │(Docker) │ │ (DaemonSet) │
└─────────┘ └─────────┘ └─────────────┘
SSH + WAF SSH + WAF + Ingress WAF +
+ GeoIP Docker detect Pod events +
+ Metrics + Container API audit
inventory
```
The agent is a single static Go binary (~12MB). No dependencies, no runtime, no garbage. Runs as `systemd` service, Docker container, or Kubernetes DaemonSet.
**Resource usage:** <1% CPU, <30MB RAM on a typical server.
---
## Changelog
See [CHANGELOG.md](CHANGELOG.md) for the full version history.
Recent highlights:
| Version | Highlight |
|---|---|
| v0.9.80+ | Kubernetes DaemonSet support, Helm chart, ingress WAF |
| v0.9.63 | Docker Swarm global service, Docker secrets |
| v0.9.62 | Docker labels (`defensia.monitor`, `defensia.log-path`, `defensia.domain`) |
| v0.9.50+ | Cumulative per-IP WAF scoring engine with configurable weights |
| v0.9.44 | Dynamic detection rules from dashboard (SSH patterns per server) |
| v0.9.42 | Monitor mode (detect without blocking) |
| v0.9.40 | Bot management with allow/log/block policies |
| v0.9.33 | ipset firewall backend (65K+ ban capacity) |
| v0.9.27 | Security scanner (30+ hardening checks) |
| v0.9.20 | Docker container detection and log discovery |
| v0.9.0 | Initial WAF: 15 OWASP attack types |
---
## Contributing
Contributions are welcome. Please [open an issue](https://github.com/defensia/agent/issues) before submitting large changes.
```bash
# Build
go build -o defensia-agent ./cmd/defensia-agent
# Run locally
./defensia-agent start
```
---
## Blog
- [I analyzed 250,000 attacks on my Linux servers. Here's what I found.](https://dev.to/defensia/i-analyzed-250000-attacks-on-my-linux-servers-heres-what-i-found-20o8) — Real data from 14 production servers: SSH brute force, RCE, env probing, path traversal, and more.
---
## License
[MIT](LICENSE) — use it however you want.
---
defensia.cloud · Built for developers who run their own servers