An ultra-lightweight Host-Based Security Orchestrator for Linux.

SysWarden (ver: v2.10) acts as a powerful alternative to eBPF/XDP, dropping 97% of threats directly at Layer 2/3. By fusing OSINT blocklists, GeoIP, ASN tracking, and a dynamic L7 WAF, it enforces strict Zero-Trust with near-zero CPU overhead.

Enterprise-Grade Features

SysWarden does not simply append rules to standard chains; it fundamentally alters the Linux networking stack to neutralize threats before they consume system resources.

Layer 2 Acceleration

Malicious packets are dropped at the NIC ingress hook (eBPF/XDP alternative), entirely bypassing kernel routing for zero CPU overhead during DDoS attacks.

Zero-Trust Cloaking

Hide your SSH port and administrative panels behind an invisible WireGuard VPN, dropping any unwhitelisted traffic silently (Catch-All).

Global Threat Intel

Block hostile countries (GeoIP), Cybercrime Hosters, and rogue Autonomous System Numbers (ASN) automatically at the hardware edge.

Dynamic L7 WAF

Behavioral defense protecting 51+ services (Docker, Nginx, Databases) against SQLi, LFI, and brute-force via heavily optimized Fail2ban jails.

ISO 27001 / NIS2

Smart SIEM forwarding: routes only high-value L7 behavioral bans to your SOC/SIEM (Wazuh), filtering out L3 noise to prevent index saturation.

The Fortress Dashboard (Web & CLI)

Monitor live threat telemetry, blocked OSINT IPs, and memory allocations without heavy databases. Or manage your infrastructure directly from the shell.

Accessible via https://<YOUR_SERVER_IP>:9999

Supported Environments

SysWarden is built to run flawlessly across modern Linux infrastructures:

Universal (systemd)

Debian 13+, Ubuntu 24.04+, AlmaLinux, Rocky Linux, CentOS Stream, Fedora.

Management & Auditing Tools

SysWarden comes with dedicated built-in utilities to maintain and verify your infrastructure's security lifecycle.

syswarden-manager.sh

The core administration utility. Use it to manually trigger threat-intel updates, manage your IP whitelists/blocklists, and check the firewall's operational status.

./syswarden-manager.sh

syswarden-audit.sh

A comprehensive DevSecOps auditing tool designed to evaluate your server's security posture, analyze logs, and verify SysWarden's architectural integrity.

./syswarden-audit.sh

Installation

1. Clone & Build

git clone https://github.com/duggytuxy/syswarden.git
cd syswarden || exit
chmod +x build.sh
./build.sh

2. Execute Installer

# Debian, Ubuntu, RHEL, AlmaLinux & Rocky Linux
cd dist/ || exit
./install-syswarden.sh

Quick Uninstall

# "Scorched Earth" rollback (Requires no reboot)
./install-syswarden.sh uninstall

Automated Deployments (CI/CD)

For large-scale infrastructures and Infrastructure as Code (IaC) environments, SysWarden supports true zero-touch, unattended installations via the syswarden-auto.conf file.

  • Pre-define your custom SSH ports, WireGuard subnets, API keys, and target blocklists without requiring any interactive prompts.
  • Seamlessly integrate SysWarden into your CI/CD pipelines, Ansible playbooks, Terraform modules, or cloud-init bootstrap scripts.
  • Simply edit the config template and execute the installer:

Execute with Config

cp syswarden-auto.conf dist/
cd dist/ || exit
./install-syswarden.sh syswarden-auto.conf
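
Because syswarden-auto.conf carries API keys, a pipeline can gate the unattended install on the file's ownership and mode. The pre-flight wrapper below is an added example, not part of SysWarden; the function names conf_is_safe and deploy_unattended and the owner-only policy are assumptions, and it relies on GNU stat.

```shell
#!/usr/bin/env bash
# Added example, not part of SysWarden. Function names and the owner-only
# policy are assumptions; the file name and installer call are from the page.
# Requires GNU stat (standard on the supported Linux distributions).

# Return 0 when the config is safe to pass to the installer.
# Exit codes: 1 = missing/symlink/not regular, 2 = bad owner, 3 = loose mode.
conf_is_safe() {
    local conf="$1" owner mode
    if [ -L "$conf" ] || [ ! -f "$conf" ]; then
        echo "refusing: $conf is missing, a symlink, or not a regular file" >&2
        return 1
    fi
    owner=$(stat -c '%u' "$conf") || return 1
    mode=$(stat -c '%a' "$conf") || return 1
    # Only root or the invoking user may own a file that holds API keys.
    if [ "$owner" != "0" ] && [ "$owner" != "$(id -u)" ]; then
        echo "refusing: $conf is owned by uid $owner" >&2
        return 2
    fi
    # Any group/other permission bit exposes the keys to other accounts.
    if [ $(( 0$mode & 077 )) -ne 0 ]; then
        echo "refusing: $conf has mode $mode, expected 600 or stricter" >&2
        return 3
    fi
    return 0
}

# Run the page's unattended-install steps only after the check passes.
deploy_unattended() {
    local conf="${1:-syswarden-auto.conf}"
    conf_is_safe "$conf" || return 1
    # Stage the copy owner-only instead of a plain cp.
    install -m 600 "$conf" dist/syswarden-auto.conf || return 1
    ( cd dist/ && ./install-syswarden.sh syswarden-auto.conf )
}

# Usage from the repository root: deploy_unattended syswarden-auto.conf
```

A non-zero return from conf_is_safe should fail the pipeline stage before the installer is reached.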

Documentation

To learn everything about the SysWarden ecosystem, explore detailed configurations, and read advanced usage guides, please visit our dedicated documentation page.


Target and Support

> €3,500/year to fuel continuous DevSecOps

Developing SysWarden and curating the zero-false-positive Data-Shield IPv4 Blocklists requires dedicated server infrastructure and non-stop threat monitoring.

Reaching this annual goal guarantees my 100% independence, funding a continuous development cycle without corporate constraints. Your support directly pays for the servers and keeps these enterprise-grade cybersecurity tools free, updated, and accessible to everyone.

Let's build a safer internet together!

Support on Ko-fi

Release Notes v0.34.7

Reversion Notice & Stability Update

UI Reversion

CLI Dashboard Rollback

Reverted the show_alerts_dashboard live module to its previous stable architecture.

The experimental dynamic whitelist parsing and on-the-fly CIDR evaluation logic introduced unexpected UI freezes and scope-resolution failures across different terminal environments.

Engine Stability

Core Stability Restored

The threat intelligence tailing engine has been restored to its proven, linear log-multiplexing state.

This ensures zero data loss and flawless execution under strict set -e/set -u environments, and returns the system to maximum reliability for real-time monitoring.

Deployment Instructions

Apply this rollback patch immediately using the standard orchestrator command to restore dashboard stability:

Update SysWarden

# Upgrade existing installation with root privileges
sudo ./install-syswarden.sh upgrade