SysWarden is an Enterprise-grade Hardened Host Intrusion Detection & Prevention System (HIDS - HIPS) engineered in 100% Native Golang. Designed for critical Linux infrastructures, it enforces automated CIS Level 2 hardening, integrates global Threat Intelligence, and orchestrates dynamic network defense with absolute zero-trust execution.
It acts as a ruthless first line of defense. By fusing dynamic firewall orchestration (nftables/iptables/pf), global Threat Intelligence (Data-Shield IPv4/IPv6, GeoIP, ASN), a high-speed memory-safe WAF daemon (syswarden-core), and SIEM alert routing natively via Go, SysWarden neutralizes threats at the network (L2/L3/L4) and application (L7) levels without exposing your kernel to shell injection risks.
Important
Zero CWE Mitigation: Re-architected entirely in Go, SysWarden v2 strongly mitigates risks of OS Command Injection (CWE-78), Memory Corruption (CWE-119), and Resource Exhaustion (CWE-400), seamlessly accelerating your ISO 27001, NIS2, and CIS Benchmark compliance.
1. A "Next-Gen HIPS" (Host Intrusion Prevention System) At its core, SysWarden is a formidable HIPS. Unlike a traditional IDS (Intrusion Detection System) that merely alerts, SysWarden actively prevents attacks across multiple concrete OSI layers:
- Layer 2 (Data Link): ARP Request Rate-Limiting to instantly kill ARP Flooding/Spoofing attacks without breaking VRRP HA setups.
- Layer 3 & 4 (Network & Transport): Stateful IP, CIDR, ASN, and GeoIP filtering via the
inetfamily with explicit TCP Flag anomaly detection (e.g. killing invalid SYN/FIN/RST combinations). Includes a Zero-Trust Strict ALLOW Mode natively dropping any IP worldwide that isn't explicitly whitelisted via GeoIP or ASN. - Layer 7 (Application): Advanced WAAP (Web Application Firewall) inspecting payloads via Zero-Overhead Substring Matching for zero-day exploits (SQLi, XSS, LFI, RCE) and HTTP 401/403/404 Brute-Force tracking via the native Go
WAAPEngine.
2. A CWPP (Cloud Workload Protection Platform)
By natively integrating Docker protection (Layer 3 via the docker_protect chain and Layer 7 via the Aho-Corasick WAF), SysWarden secures modern workloads. Whether the server hosts a Traefik cluster, databases, or containerized APIs, SysWarden wraps the containers in a shield without ever breaking their internal routing. This perfectly mirrors the behavior of enterprise agents like CrowdStrike or Palo Alto Prisma Cloud on Linux servers.
3. An Embedded WAAP (Web Application and API Protection)
The legacy term "WAF" is increasingly replaced by "WAAP" as attacks aggressively target APIs. By specifically targeting Docker API abuse, authentication endpoints (Nextcloud, Proxmox, Gitlab), and application payloads (SQLi, RCE, LFI) via its syswarden-core Go engine, SysWarden acts as an embedded WAAP. It guarantees "Zero-Trust" even if the traffic is encrypted, by reading the access logs decrypted by your reverse proxy.
4. A Mini-SOAR (Security Orchestration, Automation, and Response) SysWarden doesn't just block. It manages its own Threat Intelligence (ingesting Data-Shield, ASN, GeoIP feeds), synchronizes bans across different enterprise servers via its HA (High Availability) clustering module, and natively forwards telemetry. It autonomously orchestrates the entire incident response lifecycle.
100% Go Native Orchestration (Zero-Shell Execution)
- Absolute Security: Deprecated all legacy Bash scripts. Firewall generation, Systemd provisioning,
and Telemetry operations are executed entirely in Go memory, utilizing native
os/execwrappers to eliminatebash -cvulnerabilities. - Strict CIDR Validation: Threat feeds are parsed mathematically using
net.ParseCIDR(), instantly destroying malformed payloads or metadata injections (CWE-20 mitigation). - Asynchronous Telemetry Worker: Replaced brittle system crons with native Go
sync.WaitGroupgoroutines. Telemetry and HA syncing run flawlessly in the background with strict memory leak prevention.
Insider Threat Detection & Honeyports (Zero-Trust)
- Shadow Mode: Prevents legitimate administrative lockouts. When malicious Web Application attacks (e.g. PrivEsc, RCE attempts) originate from whitelisted administrative IPs, SysWarden silently tags the event as a
SHADOW-ALERT. Legitimate admins are not banned, preventing disruption of service, while the SOC receives immediate notifications. - Native L3 Honeyports: Trap internal network scanners using
SYSWARDEN_HONEYPORTS. Expose decoy ports (e.g.6379,3306) seamlessly integrated into the kernel firewall. Whitelisted IPs attempting access trigger shadow alerts, while external malicious IPs are instantly banned. - Adaptive Hybrid Telemetry Engine: Natively bridges L7 WAF Logs using high-speed
rsyslogUDS sockets (Ubuntu/Debian) or seamlessly falls back to a nativesystemd-journald+ Direct File Tailing hybrid engine (Fedora/RHEL) ensuring zero blind spots across disparate enterprise OS architectures. - Layer 3/4 Catch-All Auditing: Enforces total visibility by securely logging any packet hitting the hardware drop threshold before execution, populating the real-time observability console (
syswarden alerts) with granular "Catch-All" traffic analytics.
Core Network Defense (Hardware & Layer 2/3)
- OSI Layer 2 (ARP): An isolated
arptable limits ARP requests to strictly mitigate network saturation floods natively. - OSI Layer 3 (IP/Routing): Native Go
net/httpclients securely download and sync hostile countries (GeoIP), cybercrime hosters, and rogue ASNs.
Stateful & Protocol Optimization (Layer 3/4)
- Implements UFW-grade stateful enforcement by silently destroying late
FIN-ACK/RSTpackets on expiredconntracksessions, and strictly blockingNEWconnections lacking theSYNflag. - Modern web protocols natively supported. As a Zero-Trust Overlay, SysWarden guarantees HTTP/3 QUIC survival without stateful interference on UDP traffic.
Application Security & Active Response (Layer 7)
- Protects 56+ vital services (Docker, Nginx, Databases) using the ultra-fast
syswarden-coreWAF daemon. - Multi-Tenant Docker WAF Bridge: Transparently streams access logs from Traefik and isolated ModSecurity containers directly into the native Go engine using an asynchronous
rsyslog(imfile/omuxsock) bridge. - Native WAAP (L7) Engine: Replaces Fail2ban entirely. Asynchronously parses raw access logs (Traefik, Nginx, Apache) in real-time. Detects advanced signatures (SQLi, XSS, LFI, RCE, Scanners) via Zero-Overhead Substring Matching for immediate blocking, and enforces native Nftables bans on abusive HTTP 401/403/404 attempts using memory-safe sliding-window tracking.
- Native SIEM integration (
syswarden-cliinjects directly torsyslogover TLS/UDP). - Sends critical bans securely to Discord/Teams webhooks natively, protected by
context.WithTimeoutagainst SSRF and deadlocks.
Observability & Lifecycle Management
- Monitor active threats via the Go-compiled SysWarden TUI (
syswarden-tui), a localized, high-speed interface requiring zero open web ports. - Manage your infrastructure via the unified
syswarden-cliorchestrator (e.g.,syswarden install,syswarden update,syswarden uninstall).
Note
For CISOs and CIOs (Strategic Impact): By offloading volumetric mitigation to the network edge and forwarding only high-fidelity behavioral data natively through Go, SysWarden drastically reduces SIEM ingestion costs and guarantees unbreachable operational continuity.
SysWarden dynamically adapts to the native firewall orchestration engines of modern enterprise Linux distributions. The architecture relies on deep systemd integration:
| Operating System | Native Firewall Engine(s) Supported | Status |
|---|---|---|
| Debian 13 / 12 | nftables, iptables |
Enterprise Ready |
| Ubuntu 24.04+ | ufw, nftables, iptables |
Enterprise Ready |
| RHEL 9+ | firewalld, nftables, iptables |
Enterprise Ready |
| Rocky Linux / AlmaLinux 9+ | firewalld, nftables, iptables |
Enterprise Ready |
| Oracle Linux 10+ | firewalld, nftables, iptables |
Enterprise Ready |
| Fedora 40+ | firewalld, nftables, iptables |
Production Ready |
| Alpine Linux 3.21+ | nftables |
Enterprise Ready |
| FreeBSD 14+ | pf (Packet Filter) |
Enterprise Ready |
SysWarden is exclusively distributed via standard package managers (.deb / .rpm).
The Go CLI and dependencies are automatically placed in /opt/syswarden/bin/, securely embedding the default configuration.
# 1. Fetch the latest release version automatically
VERSION=$(curl -s https://api.github.com/repos/duggytuxy/syswarden/releases/latest | grep '"tag_name":' | cut -d '"' -f 4)
V_NUM=${VERSION#v}
# 2. Download the appropriate package and its checksum
# For Debian/Ubuntu (amd64 & arm64)
wget https://github.com/duggytuxy/syswarden/releases/download/${VERSION}/syswarden_${V_NUM}_amd64.deb
wget https://github.com/duggytuxy/syswarden/releases/download/${VERSION}/syswarden_${V_NUM}_arm64.deb
# For RHEL/AlmaLinux/Rocky (x86_64 & aarch64)
wget https://github.com/duggytuxy/syswarden/releases/download/${VERSION}/syswarden-${V_NUM}-1.x86_64.rpm
wget https://github.com/duggytuxy/syswarden/releases/download/${VERSION}/syswarden-${V_NUM}-1.aarch64.rpm
# For Alpine Linux (x86_64 & aarch64)
wget https://github.com/duggytuxy/syswarden/releases/download/${VERSION}/syswarden_${V_NUM}_x86_64.apk
wget https://github.com/duggytuxy/syswarden/releases/download/${VERSION}/syswarden_${V_NUM}_aarch64.apk
# For FreeBSD 14+ (amd64)
wget https://github.com/duggytuxy/syswarden/releases/download/${VERSION}/syswarden-${V_NUM}.txz
# Also download the checksums
wget https://github.com/duggytuxy/syswarden/releases/download/${VERSION}/SHA256SUMS.txt
# 3. Verify Integrity
sha256sum -c SHA256SUMS.txt --ignore-missing
# 4. Install the package
# For Debian/Ubuntu
sudo apt-get install -y ./syswarden_${V_NUM}_*.deb
# For RHEL/AlmaLinux/Rocky
sudo dnf install -y ./syswarden-${V_NUM}-1.*.rpm
# For Alpine Linux
sudo apk add --allow-untrusted ./syswarden_${V_NUM}_*.apk
# For FreeBSD 14+
sudo pkg add ./syswarden-${V_NUM}.txz
# 4. Read the exhaustive SysAdmin manual to understand all Data-Shield lists and configuration parameters
sudo syswarden manual
# 5. Review and tailor the embedded configuration to your infrastructure
sudo syswarden config
# The interactive wizard (or syswarden-auto.conf) allows configuring advanced parameters, for example:
# - SYSWARDEN_ENABLE_L2="y" (Enable OSI Layer 2 ARP Spoofing Prevention)
# - SYSWARDEN_ARP_PROTECT="y" (Enable 10req/sec ARP Flood limits)
# - SYSWARDEN_LAN_MODE="y" (Enable Local LAN Mode to save RAM by skipping global OSINT downloads)
# - SYSWARDEN_BRUTEFORCE_LOGS="/var/log/traefik/access.log" (Enable L7 WAF log parsing)
# 5. Execute the Go Orchestrator to apply policies instantly
sudo syswarden installIf you modify the configuration later using syswarden config (e.g., to enable a SIEM, add a GeoIP block, or modify whitelists), apply the changes instantly without interrupting production traffic:
sudo syswarden reloadSysWarden provides comprehensive monitoring modes tailored for immediate action and long-term analysis. Both dashboards natively isolate and track ALLOWED (legitimate traffic) connections dynamically in bright green, making authorized services (e.g., successful SSH logins, Nginx/Apache 2xx requests) visually distinct from blocked threats.
A. Live Threat Streaming (Real-Time) To watch every single connection attempt (L2/L3/L4 structural drops, L7 WAF bans, and validated ALLOWED services) in real-time directly from the kernel and engine logs:
sudo syswarden alertsB. Telemetry Dashboard (TUI) To monitor global system health, metrics, top blocked ASNs, and observe real-time legitimate service activity, launch the integrated Terminal User Interface:
sudo syswarden tuiTo check for the latest Enterprise updates and perform an automated in-place upgrade (via GitHub Releases or APT):
sudo syswarden updateSafely reverse all OS hardening and kernel routing injected by SysWarden, reverting the machine to its native state in milliseconds:
sudo syswarden uninstallSysWarden v2 includes a comprehensive, native Golang CLI to orchestrate all firewalls and system checks directly without bash scripts.
DevSecOps Full Audit: Run a complete system compliance and integration check (Rsyslog bridges, Docker routing, WAF telemetry, Cron health):
sudo syswarden auditSysWarden provides an instantaneous, zero-delay CLI for incident response.
# Block or unblock an IP or CIDR Subnet instantly (e.g. 10.0.0.0/24)
sudo syswarden block <IP/CIDR>
sudo syswarden unblock <IP/CIDR>
# Whitelist an IP or CIDR globally (optional PORT)
sudo syswarden whitelist <IP/CIDR> [PORT]
sudo syswarden unwhitelist <IP/CIDR>
# Grant or revoke SSH-exclusive access
sudo syswarden allow-ssh <IP> [PORT]
sudo syswarden revoke-ssh <IP>
# Auto-detect and whitelist critical infrastructure (DNS, Gateway)
sudo syswarden whitelist-infraDiagnostics:
# Check if an IP is blocked, whitelisted, or active in memory
sudo syswarden check <IP>
# List all active custom rules
sudo syswarden listSysWarden natively supports High Availability (HA) clustering. When an attacker is blocked on one node (L3 or L7), the ban is instantly and securely replicated to all registered peers.
Starting with v3.51.0, the HA synchronization uses a "Zero-Touch" TLS P2P API, abandoning the legacy SSH-based sync. The syswarden-core daemon dynamically generates self-signed certificates and enforces strict Zero-Trust TCP IP validation.
Prerequisites:
- Both servers must have SysWarden installed and running.
- They must be able to communicate securely via a dedicated TCP port of your choice (default:
62026).
Tip
Zero-Touch Auto-Whitelist: The HA clustering engine natively and autonomously whitelists all configured SYSWARDEN_HA_PEER_IP nodes upon installation or reload. This eliminates the need for manual firewall interventions to allow the TLS P2P API traffic.
Configuration on each node:
- Edit your enterprise configuration via the secure CLI:
sudo syswarden config- Enable HA and add your peer IP(s) (comma-separated) and the custom TLS port:
SYSWARDEN_HA_ENABLE="true"
SYSWARDEN_HA_PEERS="172.x.x.x,10.x.x.x"
SYSWARDEN_HA_PORT="62026"- Reload the configuration instantly:
sudo syswarden reloadManual Synchronization:
While the syswarden-core daemon synchronizes in the background, you can also manually trigger a full blocklist push to all your peers at any time:
sudo syswarden ha-syncTo learn everything about the SysWarden ecosystem, explore detailed configurations, and read advanced usage guides, visit our official documentation page
Goal: 38.5% reached/year (Goal) to fund continuous DevSecOps improvements and infrastructure.
Developing SysWarden and maintaining the zero-false-positive Data-Shield IPv4 blocklists requires dedicated server infrastructure and non-stop threat monitoring.
Reaching this annual goal guarantees my 100% independence, funding a continuous development cycle without corporate constraints. Your support directly pays for the servers and keeps these enterprise-grade cybersecurity tools free, updated, and accessible to everyone.
Let's build a safer internet together!
SysWarden is free and open-source software distributed under the GNU General Public License v3.0 (GPLv3).
You are free to use, modify, and distribute this software in compliance with the license terms. LICENSE file for more details.
Developed and maintained by DuggyTuxy (Laurent M.).