About the Project
SysWarden is an enterprise-grade, open-source firewall orchestrator designed to eliminate 98.2% of noisy, disruptive, and malicious internet traffic. Built around the Data-Shield IPv4 Blocklists community, it dynamically integrates GeoIP filtering, Spamhaus ASN blocking, and Fail2ban intrusion prevention.
What Does SysWarden Protect?
SysWarden acts as an advanced, preemptive orchestration layer for your infrastructure. By leveraging community-driven threat intelligence and dropping malicious traffic natively at the firewall level (Kernel-Space) before it ever reaches your applications, it provides a highly optimized, impenetrable shield for your exposed assets.
It is highly recommended for securing:
Public VPS & Bare Metal Servers
Defend your SSH ports, control panels, and core services against relentless brute-force campaigns and mass-scanning. SysWarden can even deploy a stealth WireGuard VPN to make your management interfaces completely invisible to the public internet.
Websites & CMS (WordPress, Nginx, Apache)
Instantly filter out bad bots, vulnerability scanners, and automated exploit attempts. By blocking threats at the network edge, your web servers preserve massive amounts of CPU and RAM for legitimate visitors.
Public APIs & SaaS Platforms
Protect your endpoints from aggressive data scrapers, automated abuse, and Layer 7 DDoS probes, ensuring your resources remain dedicated to real users and your SLAs stay intact.
Databases (MySQL, MongoDB, PostgreSQL)
Shield your data stores from credential stuffing, unauthorized access, and ransomware gangs using a formidable combination of massive static IP sets and dynamic Fail2ban intrusion prevention.
Dockerized & Critical Infrastructure
Automatically injects hermetic firewall rules directly into the DOCKER-USER chain, guaranteeing that your exposed containers are shielded from global threats without breaking internal routing.
By permanently silencing the internet's malicious "background noise", SysWarden ensures your infrastructure remains blazing fast, deeply secure, and focused entirely on serving real humans—while automatically reporting attackers back to the global community via AbuseIPDB.
Key Features
- Strict SSH Cloaking (Zero Trust): Absolute policy enforcing SSH access exclusively via WireGuard (wg0) and Loopback.
- Enterprise Nginx Dashboard: Telemetry interface served via a hardened Nginx reverse proxy. Strictly enforces HTTPS with Zero Trust IP restrictions and advanced HTTP security headers.
- Universal OS Support & Auto-Detection: Seamlessly adapts to Debian, Ubuntu, CentOS, Fedora, AlmaLinux, Rocky Linux, and Alpine (OpenRC).
- Intelligent Backend Routing: Configures Nftables Flat Syntax, Firewalld Rich Rules, or IPSet depending on the host OS.
Objectives
- Noise Reduction & Log Clarity: Drastically reduce log fatigue and SIEM costs by dropping scanners at the network edge.
- Resource Optimization: Conserve CPU and RAM by dropping illegitimate packets natively in Kernel-Space.
- Proactive Community Security: Shift from Reactive to Proactive. Block IPs that attacked other servers minutes ago.
Architecture Workflow
SysWarden (DevSecOps Technology Stack)
├── Core Orchestration & Security
│   ├── Bash Scripting              # OS Hardening & Zero Trust Logic
│   ├── Linux OS & Kernel           # Broad Support (Debian, RHEL, Alpine)
│   └── awk & jq                    # Semantic Validation & JSON
│
├── Firewall & Networking Engine
│   ├── Nftables                    # Modern Packet Filtering (Atomic)
│   ├── IPSet + Iptables            # High-Performance Hashing (Fallback)
│   ├── Firewalld                   # Dynamic Zone Management (RHEL)
│   ├── Docker Integration          # Native DOCKER-USER Chain Isolation
│   └── WireGuard VPN               # Stealth Management Interface
│
├── Active Defense & Daemons
│   ├── Fail2ban                    # Dynamic IPS (Zero Trust Jails)
│   ├── Rsyslog                     # Kernel/Auth Log Isolation
│   ├── Nginx & OpenSSL             # Hardened TLS Dashboard
│   ├── Python 3 (Daemon)           # Asynchronous AbuseIPDB Reporting
│   ├── Systemd / OpenRC            # OS-Specific Privilege Management
│   └── Logrotate                   # Space Optimization
│
└── Threat Intelligence & Integrations
    ├── Data-Shield IPv4 Blocklist  # Primary Intel Source
    ├── Spamhaus / RADB             # Dynamic ASN Validation
    ├── IPDeny                      # Geo-Blocking Data Sets
    ├── AbuseIPDB API               # Community Attack Reporting
    └── Wazuh XDR Agent             # SIEM & File Integrity Detection

/ (Inbound Network Traffic Flow)
├── Layer 1: Kernel-Space Shield (Preemptive Static Defense)
│   ├── Orchestrator : Nftables / Firewalld / IPSet
│   ├── Threat Intel : 100k+ Malicious IPs, Global GeoIP & ASN
│   ├── Validation   : Strict Semantic CIDR checking
│   ├── Edge Routing : Handled natively (incl. Docker)
│   └── Action       : DROP packets silently
│
└── Layer 2: User-Space Applications (Permitted Traffic)
    ├── Exposed Services & Proxies
    │   ├── Custom Ports (SSH, Web, Database, APIs)
    │   ├── WireGuard (Stealth Interface & VPN)
    │   └── Log Routing : Rsyslog isolated streams
    │
    └── Layer 3: Active Response (Dynamic & Behavioral)
        ├── Fail2ban Engine (Zero Trust)
        │   ├── Monitor : Isolated Rsyslog files
        │   └── Action  : Inject dynamic bans into backend
        │
        ├── SysWarden Python Daemon
        │   ├── Monitor : Real-time Firewall drops & F2B
        │   └── Action  : Report telemetry to AbuseIPDB API
        │
        └── Wazuh XDR Agent (Optional)
            ├── Monitor : FIM & Critical System Events
            └── Action  : Stream telemetry to Wazuh SIEM
1. Nftables + Fail2ban Synergy
SysWarden leverages modern Nftables Flat Syntax to inject massive sets (100k+ IPs). This static shield drops threats at Kernel level, reducing Fail2ban's CPU load to near-zero as it only processes logs for traffic that bypassed the blocklist.
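The two steps this layer relies on, strict CIDR validation of the raw list and an atomic load of the resulting set, as an added shell example that is not SysWarden's own code; the table and set names `syswarden_example`/`blocklist` are assumed, and the drop rule that references the set is installed once at setup rather than repeated on every refresh:

```shell
#!/usr/bin/env bash
# Added example (not SysWarden's own code): semantically validate a raw IPv4
# blocklist and emit an nftables flat-syntax script that swaps the set atomically.
# Table/set names "syswarden_example"/"blocklist" are assumed, not the project's.
set -euo pipefail

# Keep only entries that are valid IPv4 CIDRs: four octets in 0-255 and an
# optional /0-32 prefix. Comments, blank lines, Windows CRs and junk are dropped,
# so one bad line can never make "nft -f" reject the whole 100k-element load.
valid_cidrs() {
  tr -d '\r' | awk '
    /^[[:space:]]*(#|$)/ { next }
    {
      n = split($1, p, "/")
      if (n > 2 || p[1] !~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) next
      split(p[1], o, ".")
      for (i = 1; i <= 4; i++) if (o[i] + 0 > 255) next
      if (n == 2 && (p[2] !~ /^[0-9]+$/ || p[2] + 0 > 32)) next
      print $1
    }'
}

# Emit one nft script: declaring the table/set is idempotent, then "flush set"
# and "add element" run inside the same nft -f transaction, so the kernel never
# sees a half-loaded set. The "ip saddr @blocklist drop" rule lives in a chain
# created once at setup and is deliberately not re-added here.
build_nft_set_file() {
  local table="$1" set="$2"
  printf 'table inet %s {\n\tset %s {\n\t\ttype ipv4_addr\n\t\tflags interval\n\t\tauto-merge\n\t}\n}\n' "$table" "$set"
  printf 'flush set inet %s %s\n' "$table" "$set"
  valid_cidrs | awk -v t="$table" -v s="$set" '
    { e[n++] = $0 }
    END {
      if (n == 0) exit                      # "{ }" would be a syntax error
      printf "add element inet %s %s { ", t, s
      for (i = 0; i < n; i++) printf "%s%s", (i ? ", " : ""), e[i]
      print " }"
    }'
}

# Dry-run the script (nft -c) before committing it; both steps need root.
apply_blocklist() {   # usage: apply_blocklist /path/to/raw-list.txt
  local file; file=$(mktemp)
  build_nft_set_file syswarden_example blocklist < "$1" > "$file"
  nft -c -f "$file" && nft -f "$file"
  rm -f "$file"
}
```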
2. Firewalld Orchestration (RHEL)
Programmatically defines permanent `ipset` types within Firewalld's native XML framework. Deploys high-priority Rich Rules committed directly to `/etc/firewalld/` for absolute persistence.
3. AbuseIPDB Reporting
An asynchronous Python daemon actively parses firewall drops and Fail2ban jails, securely reporting confirmed attackers back to the global AbuseIPDB platform to protect the community.
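The daemon's pipeline, aggregating firewall drops by source and handing repeat offenders to the AbuseIPDB report endpoint, as an added shell example that is not SysWarden's own code (the project's daemon is Python); the `[SYSWARDEN-DROP]` log prefix and the reporting threshold are assumptions, and the log lines are constructed:

```shell
#!/usr/bin/env bash
# Added example (not SysWarden's own code): aggregate netfilter drop log lines by
# source and hand confirmed repeat offenders to the AbuseIPDB report endpoint.
# The "[SYSWARDEN-DROP]" log prefix is an assumed label, not the project's own.
set -euo pipefail

# Read drop lines on stdin; print "count ip ports" for every SRC= seen at least
# $1 times (default 3), most active source first. Ports appear in first-seen order.
drop_sources() {
  awk -v min="${1:-3}" '
    /\[SYSWARDEN-DROP\]/ {
      src = ""; dpt = ""
      for (i = 1; i <= NF; i++) {
        if ($i ~ /^SRC=/) src = substr($i, 5)
        if ($i ~ /^DPT=/) dpt = substr($i, 5)
      }
      if (src == "") next
      hits[src]++
      if (dpt != "" && !seen[src, dpt]++) ports[src] = ports[src] (ports[src] ? "," : "") dpt
    }
    END { for (s in hits) if (hits[s] >= min) printf "%d %s %s\n", hits[s], s, ports[s] }' |
  sort -rn
}

# One report per source: POST /api/v2/report with category 14 (Port Scan).
# DRY_RUN=1 (the default here) prints the request instead of sending it so the
# pipeline can be checked offline; AbuseIPDB accepts one report per IP per 15 min.
# Only the attacker address and the probed ports leave the host.
report_source() {
  local ip="$1" count="$2" ports="$3"
  local comment="firewall dropped $count packets, destination ports $ports"
  if [ "${DRY_RUN:-1}" = 1 ]; then
    printf 'REPORT ip=%s categories=14 comment=%s\n' "$ip" "$comment"
    return 0
  fi
  curl -sS -X POST https://api.abuseipdb.com/api/v2/report \
    -H "Key: ${ABUSEIPDB_API_KEY:?set ABUSEIPDB_API_KEY}" -H 'Accept: application/json' \
    --data-urlencode "ip=$ip" --data-urlencode "categories=14" \
    --data-urlencode "comment=$comment" > /dev/null
}

# Glue: every source above the threshold gets exactly one report.
report_drops() {
  drop_sources "${1:-3}" | while read -r count ip ports; do
    report_source "$ip" "$count" "$ports"
  done
}
```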
4. Wazuh XDR Integration
Fully automated deployment pipeline for the Wazuh Agent. Automatically injects the Manager IP into `ossec.conf` and creates auto-whitelisting rules to ensure SIEM continuity.
Installation & Usage
# Ubuntu / Debian
apt update && apt install wget -y
# RHEL / AlmaLinux / Fedora
dnf update && dnf install wget -y
# Alpine Linux
apk update && apk add wget bash
cd /usr/local/bin/
wget https://github.com/duggytuxy/syswarden/releases/download/v1.72/install-syswarden.sh
chmod +x install-syswarden.sh
./install-syswarden.sh
# Note: Use install-syswarden-alpine.sh for Alpine
For an unattended install, create syswarden-auto.conf (keys listed below) and pass it as the first argument: ./install-syswarden.sh syswarden-auto.conf
SYSWARDEN_ENTERPRISE_MODE="n"
SYSWARDEN_SSH_PORT=""
SYSWARDEN_WHITELIST_IPS=""
SYSWARDEN_ENABLE_WG="n"
SYSWARDEN_WG_PORT="51820"
SYSWARDEN_WG_SUBNET="10.66.66.0/24"
SYSWARDEN_USE_DOCKER="n"
SYSWARDEN_HARDENING="n"
SYSWARDEN_LIST_CHOICE="1"
SYSWARDEN_CUSTOM_URL=""
SYSWARDEN_ENABLE_GEO="n"
SYSWARDEN_GEO_CODES="ru cn kp ir"
SYSWARDEN_ENABLE_ASN="y"
SYSWARDEN_ASN_LIST="AS60068 AS30823 AS210644 AS200593..."
SYSWARDEN_USE_SPAMHAUS="y"
SYSWARDEN_ENABLE_ABUSE="n"
SYSWARDEN_ABUSE_API_KEY=""
SYSWARDEN_REPORT_F2B="y"
SYSWARDEN_REPORT_FW="y"
SYSWARDEN_ENABLE_WAZUH="n"
SYSWARDEN_WAZUH_IP=""
SYSWARDEN_WAZUH_NAME=""
SYSWARDEN_WAZUH_GROUP="default"
SYSWARDEN_WAZUH_COMM_PORT="1514"
SYSWARDEN_WAZUH_ENROLL_PORT="1515"
CLI Orchestration Commands (install-syswarden.sh)
- `update`: Force immediate refresh of blocklists natively to the kernel.
- `alerts`: Launch Live Attack Dashboard in the terminal.
- `whitelist <IP>`: Add a trusted IP to bypass all overarching blocklists.
- `blocklist <IP>`: Permanently ban a specific IP address.
- `protect-docker`: Inject hermetic rules into DOCKER-USER chain.
- `fail2ban-jails`: Dynamically discover active services and reload Fail2ban jails without disruption.
- `wireguard-client`: Generate a new WG client profile and QR code.
Day-2 Operations (syswarden-manager.sh)
A surgical administration tool to manage IPs in real-time across your persistent files, the Kernel Firewall, and Fail2ban jails without triggering heavy recompilations.
- `check <IP>`: XDR diagnostic across Files, RAM, and jails.
- `unblock <IP>`: Surgically purges IP from blocklist globally.
- `block <IP>`: Hot-adds an IP to the active kernel drop set.
- `whitelist <IP>`: Injects a top-priority ACCEPT rule.
- `allow-ssh <IP>`: Allows direct SSH access (bypasses WG).
- `revoke-ssh <IP>`: Revokes direct SSH access, enforcing VPN.
- `list`: Displays a clean overview of IP registries.
- `reload`: Safely triggers full background sync.
Continuous Compliance & Security Audit (syswarden-audit.sh)
A standalone Purple Team compliance script designed to verify that all DevSecOps security locks remain active and untampered post-installation.
- OS Hardening & Log Routing: Validates crontab lockdowns and immutable flags on user profiles, and ensures the isolated Netfilter/Auth logs have strict 0600 permissions.
- Kernel Shield & Threat Intel: Verifies firewall prioritization and uses context-aware configuration parsing to accurately validate the GeoIP, ASN, and Spamhaus defenses.
- Zero Trust Remote Access: Independently validates the strict Global SSH Drop (Priority Guillotine), WireGuard gateway readiness, and the Day-2 SSH bypasses.
- Deterministic Scoring Engine: Parses a flattened snapshot of the kernel state to eliminate multi-line tearing, ensuring 100% deterministic, flake-free execution.
./syswarden-audit.sh
Release Notes v1.86
Self-Healing Daemons & Nginx Hardening
Overview
SysWarden v1.86 introduces critical self-healing capabilities for core daemons and hardens Nginx configurations against fatal syntax errors. This release ensures zero-downtime reloads and refactors the main update execution flow to guarantee administrator access and flawless daemon recovery, with specialized optimizations for install-syswarden-slackware.sh.
Core Daemon Enhancements
[FIX] Nginx Fatal Syntax Prevention
Implemented a strict sanitization routine to actively strip hidden carriage returns (`\r`) from the `whitelist.txt` file. This prevents Nginx from crashing due to malformed `allow` directives when configuration files are edited on Windows.
[FIX] Zero-Downtime Nginx Reloads
Refactored the Nginx service restart logic across all OS platforms to prioritize `nginx -t` validation followed by a graceful `nginx -s reload`, preventing "Address already in use" (Port 9999) bind failures during continuous updates.
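Both fixes together, CR stripping before the allow-list is rendered and validate-then-reload instead of restart, as an added shell example that is not SysWarden's own code; it assumes the main Nginx configuration already includes the target snippet file, and the whitelist contents in the comments are constructed:

```shell
#!/usr/bin/env bash
# Added example (not SysWarden's own code): render Nginx "allow" directives from a
# whitelist.txt that may carry Windows line endings, then reload without downtime.
# Assumes nginx.conf already includes the target snippet file (e.g. via "include").
set -euo pipefail

# Render the allow-list. CRs are stripped first: "allow 1.2.3.4\r;" is exactly the
# malformed directive that makes nginx -t fail. Blank lines, comments and anything
# that is not an IP/CIDR shape are skipped (and reported on stderr), and the block
# closes with "deny all;" so the dashboard stays Zero Trust.
render_nginx_allow() {
  tr -d '\r' | awk '
    /^[[:space:]]*(#|$)/ { next }
    $1 !~ /^[0-9.]+(\/[0-9]+)?$/ { print "skipping: " $1 > "/dev/stderr"; next }
    { printf "allow %s;\n", $1 }
    END { print "deny all;" }'
}

# Swap the rendered snippet in, validate the whole config with nginx -t, and only
# then send SIGHUP via "nginx -s reload": the master keeps its listener bound, so
# there is no "Address already in use" window as with stop/start. On failure the
# previous snippet is restored and the running configuration is untouched.
deploy_nginx_allow() {   # usage: deploy_nginx_allow whitelist.txt /etc/nginx/snippets/allow.conf
  local whitelist="$1" target="$2" tmp
  tmp=$(mktemp)
  render_nginx_allow < "$whitelist" > "$tmp"
  [ -f "$target" ] && cp -p "$target" "$target.bak"
  mv "$tmp" "$target"
  if nginx -t; then
    nginx -s reload
  else
    echo "nginx -t failed, restoring previous allow-list" >&2
    [ -f "$target.bak" ] && mv "$target.bak" "$target"
    return 1
  fi
}
```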
[FIX] Fail2ban Self-Healing Infrastructure
Engineered an auto-recovery mechanism within the `configure_fail2ban` routine. The script now detects and automatically regenerates missing native filters (e.g., `nginx-http-auth`, `apache-auth`, `sendmail-auth`) that might have been lost or purged, ensuring the daemon starts flawlessly without throwing missing-file fatal errors.
Execution Flow
Execution Flow Updates
[UPDATE] Update Execution Flow
Heavily revised the `# === MAIN EXECUTION ===` logic for the `update` argument. Re-integrated the SSH, WireGuard, and Admin Whitelisting functions into the update flow to prevent administrator lock-outs. Explicitly added the `configure_fail2ban` trigger to ensure the new self-healing mechanisms and custom jails are applied during standard system updates.
Upgrade Instructions
To apply the v1.86 updates across all deployment pipelines, execute the standard update routine:
# For standard environments (Ubuntu/Debian/RHEL/AlmaLinux)
./install-syswarden.sh update
# For Alpine Linux environments
./install-syswarden-alpine.sh update
# For Slackware environments (Beta)
./install-syswarden-slackware.sh update