Syswarden
An advanced, ultra-lightweight firewall orchestrator for Linux. SysWarden integrates Data-Shield IPv4 blocklists, Geo-Blocking, Spamhaus ASN, Fail2ban, and a WireGuard VPN to proactively block 98.2% of malicious traffic. Secure your servers and Docker containers with a near-zero memory footprint.
SysWarden
SysWarden is an enterprise-grade, open-source firewall orchestrator designed to eliminate 98.2% of noisy, disruptive, and malicious internet traffic. Built around the Data-Shield IPv4 Blocklists community, it dynamically integrates GeoIP filtering, Spamhaus ASN blocking, and Fail2ban intrusion prevention.

> Engineered for modern infrastructure, SysWarden provides hermetic Docker protection, automated AbuseIPDB reporting, and deploys a stealth WireGuard management VPN—all operating natively within the Linux kernel to guarantee maximum security with near-zero RAM consumption.
What Does SysWarden Protect?
SysWarden acts as an advanced, preemptive orchestration layer for your infrastructure. By leveraging community-driven threat intelligence and dropping malicious traffic natively at the firewall level (Kernel-Space) before it ever reaches your applications, it provides a highly optimized, impenetrable shield for your exposed assets.
It is highly recommended for securing:
- Public VPS & Bare Metal Servers: Defend your SSH ports, control panels, and core services against relentless brute-force campaigns and mass-scanning. SysWarden can even deploy a stealth WireGuard VPN to make your management interfaces completely invisible to the public internet.
- Websites & CMS (WordPress, Nginx, Apache): Instantly filter out bad bots, vulnerability scanners, and automated exploit attempts. By blocking threats at the network edge, your web servers preserve massive amounts of CPU and RAM for legitimate visitors.
- Public APIs & SaaS Platforms: Protect your endpoints from aggressive data scrapers, automated abuse, and Layer 7 DDoS probes, ensuring your resources remain dedicated to real users and your SLAs stay intact.
- Dockerized & Critical Infrastructure: Automatically injects hermetic firewall rules directly into the DOCKER-USER chain, guaranteeing that your exposed containers are shielded from global threats without breaking internal routing.
- Databases (MySQL, MongoDB, PostgreSQL): Shield your data stores from credential stuffing, unauthorized access, and ransomware gangs using a formidable combination of massive static IP sets and dynamic Fail2ban intrusion prevention.
By permanently silencing the internet's malicious "background noise", SysWarden ensures your infrastructure remains blazing fast, deeply secure, and focused entirely on serving real humans—while automatically reporting attackers back to the global community via AbuseIPDB.
Architecture
SysWarden (DevSecOps Technology Stack)
├── Core Orchestration & Security
│ ├── Bash Scripting # OS Hardening, Automation & Zero Trust Logic
│ ├── Linux OS & Kernel # Broad Support (Debian/Ubuntu, RHEL/Alma, Alpine)
│ └── awk & jq # Strict Semantic Validation & Atomic JSON Serialization
│
├── Firewall & Networking Engine
│ ├── Nftables # Modern Packet Filtering (Atomic Transactions)
│ ├── IPSet + Iptables # High-Performance Hashing (Legacy Fallback)
│ ├── Firewalld # Dynamic Zone Management (RHEL Ecosystem)
│ ├── Docker Integration # Native DOCKER-USER Chain Isolation
│ └── WireGuard VPN # Stealth Management Interface & Dynamic Clients
│
├── Active Defense & Daemons
│ ├── Fail2ban # Dynamic IPS (Zero Trust Jails & Strict Anchoring)
│ ├── Rsyslog # Kernel/Auth Log Isolation (Anti-Injection Shield)
│ ├── Nginx & OpenSSL # Hardened TLS Dashboard (Zero Trust & CSP)
│ ├── Python 3 (Daemon) # Asynchronous AbuseIPDB API Reporting
│ ├── Systemd / OpenRC # OS-Specific Service & Privilege Management
│ └── Logrotate # Log Maintenance & Space Optimization
│
└── Threat Intelligence & Integrations
├── Data-Shield IPv4 Blocklist # Primary Threat Intelligence Source
├── Spamhaus / RADB # Dynamic ASN Routing Data Validation
├── IPDeny # Country-Level Geo-Blocking Data Sets
├── AbuseIPDB API # Community Attack Reporting (Outbound)
└── Wazuh XDR Agent # SIEM, File Integrity & Vulnerability Detection
Key Features
- Strict SSH Cloaking (Zero Trust): Enforces a strict allow-list policy for SSH. Access is exclusively restricted to the WireGuard VPN (wg0) and Loopback (lo) interfaces. An immediate, top-priority kernel DROP rule explicitly prevents any public access, ensuring that even locally whitelisted IPs cannot bypass the VPN requirement for SSH.
- Firewall State Machine: CLI commands (whitelist, blocklist) operate on a strict "Single Source of Truth" model. They securely write to local persistence files, universally purge memory conflicts, and trigger the orchestrator to completely rebuild the firewall safely, preserving the strict rule hierarchy across all OS backends.
- Universal OS Support: Auto-detects and seamlessly adapts to Debian, Ubuntu, CentOS Stream, Fedora, AlmaLinux, Rocky Linux, and Alpine Linux (OpenRC).
- Intelligent Backend Detection & Routing: Automatically selects and configures the optimal firewall technology present on your system (Nftables Flat Syntax, Firewalld Rich Rules, or IPSet/Iptables).
- Multi-Layer Threat Filtering: Instantly drops over 100,000 known malicious IPs, restricts traffic from high-risk countries via GeoIP, and blocks rogue ASNs via Spamhaus/RADB.
- Hermetic Docker Isolation: Automatically secures exposed containers by injecting specialized rules into the DOCKER-USER chain without breaking internal bridge networking.
- Stealth Management VPN: Deploys a native WireGuard interface to hide your management ports from the public internet, including a built-in CLI orchestrator to instantly generate client profiles and QR codes.
Objectives
- Noise Reduction & Log Clarity: Drastically reduce log fatigue and SIEM ingestion costs (/var/log/auth.log, journalctl) by instantly dropping automated scanners, brute-forcers, and botnets at the network edge.
- Resource & Compute Optimization: Conserve critical CPU cycles, RAM, and bandwidth by dropping illegitimate packets natively in Kernel-Space rather than allowing user-space applications to process them.
- Proactive Community Security: Shift your infrastructure from a vulnerable "Reactive" stance to a fortified "Proactive" stance, preemptively blocking IPs that have attacked other community servers minutes ago.
Technical Deep Dive: Architectural Layering
A common concern among infrastructure engineers is that deploying massive static blocklists might conflict or create race conditions with dynamic Intrusion Prevention Systems (IPS) like Fail2ban. SysWarden elegantly resolves this through strict, sequential network layering.
Traffic Workflow
/ (Inbound Network Traffic Flow)
├── Layer 1: Kernel-Space Shield (Preemptive Static Defense)
│ ├── Orchestrator : Nftables (Atomic) / Firewalld / IPSet (Auto-detected)
│ ├── Threat Intel : 100k+ Malicious IPs, Global GeoIP & ASN Routing Data
│ ├── Validation : Strict Semantic CIDR checking (Prevents Firewall Crashes)
│ ├── Edge Routing : Handled natively, including DOCKER-USER chain isolation
│ └── Action : DROP packets silently before they ever reach User-Space
│
└── Layer 2: User-Space Applications (Permitted Traffic)
├── Exposed Services & Proxies
│ ├── Custom Ports (SSH, Web, Database, APIs)
│ ├── WireGuard (Stealth Management Interface & VPN)
│ └── Log Routing : Rsyslog isolated streams (kern-firewall.log & auth-syswarden.log)
│
└── Layer 3: Active Response (Dynamic & Behavioral Defense)
├── Fail2ban Engine (Zero Trust)
│ ├── Monitor : Isolated Rsyslog files (Log Injection Immunity & Strict Anchoring)
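The following is an added example, not SysWarden's own code, that puts the Layer 1 design above and the rule hierarchy from Key Features into one runnable script: it validates whitelist and blocklist persistence files the way the "Strict Semantic CIDR checking" step does (rejecting malformed entries so a bad feed line cannot make the ruleset load fail), then renders a single nftables file whose rules are ordered SSH cloaking first, operator whitelist second, threat-intel blocklist third, with the blocklist also applied on the forward path for published container ports. The table and set names, the file paths, the -10 hook priority and the forward-chain treatment of Docker traffic are assumptions; they are not taken from the project.

```shell
#!/bin/sh
# Added example (not SysWarden's code): validate IPv4 list files and render one
# atomic nftables ruleset implementing the layering described on this page.
# Table/set names, paths, and the -10 hook priority are assumptions.

# Read a list from stdin and print only well-formed IPv4 addresses or CIDRs,
# deduplicated, in original order. Comments, blank lines, octets > 255,
# leading zeros and prefixes > 32 are dropped, so one bad entry in a
# downloaded feed can never make `nft -f` reject the whole ruleset.
validate_ipv4_cidr() {
    awk '
    {
        sub(/#.*/, "")                 # strip trailing comment
        gsub(/^[ \t]+|[ \t]+$/, "")    # trim surrounding whitespace
        if ($0 == "") next
        n = split($0, parts, "/")
        if (n > 2) next
        if (n == 2 && (parts[2] !~ /^(0|[1-9][0-9]*)$/ || parts[2] + 0 > 32)) next
        if (split(parts[1], o, ".") != 4) next
        ok = 1
        for (i = 1; i <= 4; i++)
            if (o[i] !~ /^(0|[1-9][0-9]*)$/ || o[i] + 0 > 255) { ok = 0; break }
        if (ok && !seen[$0]++) print
    }'
}

# Print an nftables set definition; $1 = set name, $2 = newline-separated
# elements. An empty list gets no elements line, since nft rejects "{ }".
emit_set() {
    printf '    set %s {\n        type ipv4_addr\n        flags interval\n        auto-merge\n' "$1"
    if [ -n "$2" ]; then
        printf '        elements = {\n'
        printf '%s\n' "$2" | awk 'NR > 1 { printf ",\n" } { printf "            %s", $0 } END { if (NR) printf "\n" }'
        printf '        }\n'
    fi
    printf '    }\n'
}

# Render the full ruleset for `nft -f`; $1 = raw whitelist, $2 = raw blocklist.
# Declaring and then deleting the table inside the same file makes the reload
# one transaction: the kernel swaps the old rules for the new ones atomically,
# and a validation failure anywhere leaves the running ruleset untouched.
render_ruleset() {
    wl_entries=$(validate_ipv4_cidr < "$1")
    bl_entries=$(validate_ipv4_cidr < "$2")
    cat <<'EOF'
table inet syswarden
delete table inet syswarden
table inet syswarden {
EOF
    emit_set whitelist "$wl_entries"
    emit_set blocklist "$bl_entries"
    cat <<'EOF'

    chain input {
        type filter hook input priority -10; policy accept;

        # 1. SSH cloaking comes first: sshd is reachable only via wg0 and lo,
        #    so a whitelisted public IP still cannot reach port 22.
        tcp dport 22 iifname != { "wg0", "lo" } counter drop

        # 2. Operator whitelist wins over threat intel for everything else.
        ip saddr @whitelist accept

        # 3. Layer 1 shield: static threat intel dropped before user space.
        ip saddr @blocklist counter drop
    }

    chain forward {
        type filter hook forward priority -10; policy accept;

        # Published container ports arrive on the forward path, so the same
        # blocklist is applied there (nftables counterpart of DOCKER-USER).
        ip saddr @blocklist counter drop
    }
}
EOF
}

# Usage (as root; paths are assumptions):
#   render_ruleset /etc/syswarden/whitelist.txt /etc/syswarden/blocklist.txt > /tmp/syswarden.nft
#   nft -c -f /tmp/syswarden.nft && nft -f /tmp/syswarden.nft
```

The `nft -c -f` dry run before the real load is the check worth keeping: it parses the generated file without touching the kernel, so a syntax problem is caught with the old ruleset still in place. Because rules inside a base chain are evaluated top to bottom and `drop` is terminal, the position of the SSH rule above the whitelist `accept` is what enforces the "whitelisted IPs cannot bypass the VPN" guarantee; swapping those two lines would silently reopen port 22 to whitelisted sources.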