
Introduction
Exposing a Linux server to the internet is like broadcasting your IP address on a hacker forum—automated scans, SSH brute-force attacks, and opportunistic botnets begin hammering your services within seconds of going live. SysWarden is an open-source, ultra-lightweight firewall orchestrator that integrates Data-Shield IPv4 blocklists (~98,000 malicious IPs), Geo-Blocking, Spamhaus ASN Drop lists, dynamic Fail2ban jails (up to 51 activated based on detected listening services), and WireGuard VPN into a single Bash script, capable of blocking 98–99% of malicious traffic in under ten minutes.
Learning Objectives
- Implement Defense-in-Depth: Learn to deploy SysWarden to create a multi-layered perimeter shield using nftables/firewalld, IP blocklists, and Fail2ban.
- Master Automated Firewall Orchestration: Understand how to use SysWarden’s interactive and automated modes (Ansible, Terraform, cloud-init) to harden VPS, Docker hosts, and bastion servers.
- Apply Zero-Trust Access Controls: Configure WireGuard to isolate administrative access and integrate ASN/GeoIP filtering to block traffic from high-risk regions and autonomous systems.
You Should Know
1. Deploying SysWarden: Automated Firewall Orchestration in Under 10 Minutes
SysWarden automatically detects your Linux distribution’s firewall backend—using nftables with atomic transactions on Debian/Ubuntu, firewalld with rich rules and IPSets on RHEL/AlmaLinux, and injecting rules directly into the `DOCKER-USER` chain for containerized environments.
Step-by-Step Installation Guide
Prerequisites: A Linux server (Debian/Ubuntu or RHEL/AlmaLinux) with root access.
Step 1: Install Git and Clone the Repository
```bash
# Debian/Ubuntu
sudo apt update && sudo apt install git -y
# RHEL/AlmaLinux
sudo yum install git -y
git clone https://github.com/duggytuxy/syswarden.git
cd syswarden
```
Step 2: Run the Interactive Installer
```bash
sudo bash syswarden.sh
```
The script will automatically:
- Detect your firewall backend (nftables/firewalld)
- Download and inject the Data-Shield IPv4 blocklist (~98,000 IPs) into the kernel
- Scan listening ports and activate only relevant Fail2ban jails (e.g., SSH, HTTP, FTP)
- Configure GeoIP blocking and Spamhaus ASN-DROP lists (optional)
- Set up a WireGuard VPN interface for isolated admin access
Step 3: Verify Deployment
```bash
# Check nftables ruleset (Debian/Ubuntu)
sudo nft list ruleset
# Check firewalld rich rules (RHEL/AlmaLinux)
sudo firewall-cmd --list-rich-rules
# Verify Fail2ban jails
sudo fail2ban-client status
# Run the SysWarden audit (8-phase verification)
sudo syswarden-audit
```
Step 4: Enable Automated Mode for DevOps
Create `/etc/syswarden/syswarden-auto.conf` for Ansible, Terraform, or cloud-init deployments:
```bash
# Example auto-configuration
BLOCKLISTS_ENABLED=1
GEOIP_BLOCK_COUNTRIES="CN,RU,KP,IR"
ASN_BLOCK_ENABLED=1
WIREGUARD_ENABLED=1
FAIL2BAN_DYNAMIC=1
```
Then run:
```bash
sudo bash syswarden.sh --auto
```
Windows Admin Note: While SysWarden is Linux-native, Windows administrators can manage SysWarden-protected servers remotely using PowerShell with OpenSSH or WSL2:
```powershell
# From Windows Terminal with WSL2 Ubuntu
wsl ssh user@your-server sudo syswarden-status
```
2. Dynamic Fail2ban Integration: Activating Only Relevant Jails
SysWarden scans your listening services and dynamically enables only the Fail2ban jails that match running daemons—from SSH and Nginx to Vaultwarden and Dovecot—preventing unnecessary resource consumption and log noise.
How Dynamic Jail Activation Works
SysWarden runs `ss -tuln` to detect listening ports, maps each port to a service (e.g., port 22 → sshd), and checks for existing Fail2ban jail configurations. It then creates symbolic links in `/etc/fail2ban/jail.d/` only for detected services.
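The port-to-jail selection described above, as an added example that is not SysWarden's own code: it runs over a constructed `ss -tuln` sample, and the port table and the jail.d drop-in format are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not SysWarden's own code): the port-to-jail selection
# described above, run over a constructed `ss -tuln` sample. The port table
# below is an assumption for illustration; SysWarden's real mapping is not
# shown on this page.
set -eu

# Map one listening port to the Fail2ban jail that guards that service.
# Prints nothing for ports with no matching jail (e.g. WireGuard's 51820).
jail_for_port() {
    case "$1" in
        22)      echo sshd ;;
        21)      echo vsftpd ;;
        80|443)  echo nginx-http-auth ;;
        143|993) echo dovecot ;;
        *)       return 0 ;;
    esac
}

# Read `ss -tuln` output on stdin and print the unique jails to enable.
# Column 5 is "Local Address:Port"; the port is everything after the last
# colon, which also works for IPv6 listeners such as [::]:443.
select_jails() {
    awk 'NR > 1 && ($2 == "LISTEN" || $2 == "UNCONN") { print $5 }' \
      | sed -E 's/.*:([0-9]+)$/\1/' \
      | sort -un \
      | while read -r port; do jail_for_port "$port"; done \
      | sort -u
}

# Write a jail.d drop-in that turns one jail on. SysWarden uses symlinks for
# this step; a drop-in file is the equivalent shown here (assumption).
write_jail_dropin() {
    printf '[%s]\nenabled = true\n' "$2" > "$1/$2.local"
}

# Constructed sample of `ss -tuln` output so the example runs offline.
SAMPLE_SS='Netid State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
udp   UNCONN 0      0          0.0.0.0:51820      0.0.0.0:*
tcp   LISTEN 0      128        0.0.0.0:22         0.0.0.0:*
tcp   LISTEN 0      511        0.0.0.0:80         0.0.0.0:*
tcp   LISTEN 0      511           [::]:443           [::]:*
tcp   LISTEN 0      100        0.0.0.0:143        0.0.0.0:*'

# Usage on a live host: ss -tuln | select_jails
```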
Manual Fail2ban Configuration Example (SSH Jail)
Create `/etc/fail2ban/jail.local`:
```ini
[sshd]
enabled  = true
port     = ssh
filter   = sshd
logpath  = %(sshd_log)s
maxretry = 3
bantime  = 1h
findtime = 10m
# For the nftables backend
action   = nftables[type=allports]
```
Testing Fail2ban Filters
```bash
# Test the sshd filter regex against the auth log
sudo fail2ban-regex /var/log/auth.log /etc/fail2ban/filter.d/sshd.conf
# Ban an IP manually for testing
sudo fail2ban-client set sshd banip 192.168.1.100
# Unban it again
sudo fail2ban-client set sshd unbanip 192.168.1.100
```
Advanced Recidive Jail for Persistent Offenders
Add to `jail.local`:
```ini
[recidive]
enabled   = true
logpath   = /var/log/fail2ban.log
banaction = %(banaction_allports)s
bantime   = 4w
findtime  = 1d
maxretry  = 5
```
This bans, for four weeks, any IP that the other jails have banned repeatedly (five times within 24 hours).
3. WireGuard Bastion: Hiding Administrative Access with Zero-Trust VPN
SysWarden optionally configures WireGuard to create a secure tunnel for administrative access, ensuring that SSH, databases, and internal dashboards are never exposed to the public internet.
Step-by-Step WireGuard Hardening Guide
Step 1: Install WireGuard
```bash
# Debian/Ubuntu
sudo apt install wireguard wireguard-tools -y
# RHEL/AlmaLinux (with EPEL)
sudo dnf install epel-release -y
sudo dnf install wireguard-tools -y
```
Step 2: Generate Server Keys
```bash
cd /etc/wireguard
umask 077
wg genkey | tee server_private.key | wg pubkey > server_public.key
```
Step 3: Create WireGuard Configuration (`/etc/wireguard/wg0.conf`)
```ini
[Interface]
Address = 10.0.0.1/24
ListenPort = 51820
PrivateKey = <SERVER_PRIVATE_KEY>
# Open the WireGuard port and allow forwarding from the tunnel (assumes the inet filter table exists)
PostUp = nft add rule inet filter input udp dport 51820 accept
PostUp = nft add rule inet filter forward iifname wg0 accept
# nft can only delete a rule by handle, so look the handle up before deleting
PostDown = nft -a list chain inet filter input | awk '/udp dport 51820 accept/ {print $NF}' | xargs -rn1 nft delete rule inet filter input handle
PostDown = nft -a list chain inet filter forward | awk '/iifname "wg0" accept/ {print $NF}' | xargs -rn1 nft delete rule inet filter forward handle

[Peer]
PublicKey = <CLIENT_PUBLIC_KEY>
AllowedIPs = 10.0.0.2/32
```
Step 4: Start WireGuard and Enable on Boot
```bash
sudo systemctl start wg-quick@wg0
sudo systemctl enable wg-quick@wg0
```
Step 5: Configure UFW/nftables to Restrict SSH to WireGuard Only
```bash
# nftables: allow SSH only from the WireGuard interface, then drop all other port 22 traffic
sudo nft add rule inet filter input iifname wg0 tcp dport 22 accept
sudo nft add rule inet filter input tcp dport 22 drop
# UFW: allow SSH only from the WireGuard subnet
sudo ufw allow from 10.0.0.0/24 to any port 22
```
Client Configuration (Linux/macOS/Windows)
```ini
[Interface]
Address = 10.0.0.2/24
PrivateKey = <CLIENT_PRIVATE_KEY>
DNS = 1.1.1.1

[Peer]
PublicKey = <SERVER_PUBLIC_KEY>
Endpoint = <SERVER_PUBLIC_IP>:51820
AllowedIPs = 10.0.0.0/24, <YOUR_INTERNAL_NETWORKS>
PersistentKeepalive = 25
```
4. Data-Shield IPv4 Blocklist: Leveraging Community Threat Intelligence
Data-Shield is a curated registry of IPv4 addresses identified as malicious, updated continuously, and maintained by SysWarden’s author Laurent M. With 557 GitHub stars, it provides vital threat intelligence to bolster firewalls and WAF instances.
Manual Integration Without SysWarden
```bash
# Download the blocklist
wget https://raw.githubusercontent.com/duggytuxy/Data-Shield_IPv4_Blocklist/main/datashield_ipv4.txt
# Import into nftables as a set (assumes the inet filter table exists)
sudo nft add set inet filter blacklist '{ type ipv4_addr; flags interval; }'
# Add each address to the set, one nft call per line
while read -r ip; do sudo nft add element inet filter blacklist "{ $ip }"; done < datashield_ipv4.txt
# Add the drop rule
sudo nft add rule inet filter input ip saddr @blacklist drop
```
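As an added example that is not part of the original page or the Data-Shield project, the same import can be done as one atomic `nft -f` batch instead of one `nft add element` call per address, with comment lines and malformed entries filtered out first. It assumes the `inet filter` table from the manual steps above; the sample list is constructed.

```shell
#!/bin/sh
# Added example (not from the page or the Data-Shield project): build one
# atomic `nft -f` batch from a blocklist file instead of ~98,000 separate
# `nft add element` calls. Assumes the table `inet filter` already exists.
set -eu

# Keep only plausible IPv4 addresses or CIDR prefixes from stdin: strip
# comments and whitespace, reject out-of-range octets or prefix lengths,
# and drop duplicates, so one stray line cannot make the whole batch fail.
clean_blocklist() {
    sed -e 's/#.*//' -e 's/[[:space:]]//g' \
      | grep -E '^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$' \
      | awk -F'[./]' '$1<256 && $2<256 && $3<256 && $4<256 && (NF==4 || $5<=32)' \
      | sort -u
}

# Emit the batch: declare the set if missing, flush it, then load all
# elements. `nft -f` applies the file as one transaction, so the set is
# never half-loaded. The drop rule from the manual steps is added once,
# separately, and is not repeated here.
nft_batch() {
    elems="$(clean_blocklist | paste -s -d ',' -)"
    cat <<'EOF'
table inet filter {
  set blacklist {
    type ipv4_addr
    flags interval
    auto-merge
  }
}
flush set inet filter blacklist
EOF
    if [ -n "$elems" ]; then
        printf 'add element inet filter blacklist { %s }\n' "$elems"
    fi
}

# Constructed sample list (not the real feed): duplicates, a comment,
# an invalid octet and a junk line are all handled.
SAMPLE_LIST='# constructed sample
203.0.113.7
198.51.100.0/24
203.0.113.7
999.1.1.1
not-an-ip
192.0.2.5   # trailing comment'

# Usage on a real download:
#   nft_batch < datashield_ipv4.txt > blacklist.nft && sudo nft -f blacklist.nft
```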
OPNsense/Fortinet Integration
For OPNsense firewalls, add the raw URL as an external alias. For Fortinet devices, use the external blocklist feature under Security Profiles.
5. Advanced Use Cases: VPS, Bastion, and Docker Host Hardening
SysWarden provides deployment profiles optimized for different scenarios.
Profile 1: Public-Facing VPS
- Enable Data-Shield blocklists, GeoIP blocking (e.g., block CN, RU, KP), and Spamhaus ASN-DROP.
- Activate Fail2ban for SSH, HTTP, and any detected web apps.
- Disable password authentication and direct root login in `/etc/ssh/sshd_config`:
```
PasswordAuthentication no
PermitRootLogin no
```
Profile 2: Secure Bastion Host
- Install SysWarden with WireGuard enabled and administrative SSH accessible only via the WireGuard tunnel.
- Configure `sshd` to listen only on the WireGuard interface:
```
ListenAddress 10.0.0.1
```
- Use `iptables` or `nftables` to drop all non-WireGuard traffic to port 22.
Profile 3: Docker Host Exposed to Internet
SysWarden automatically detects Docker and injects rules into the `DOCKER-USER` chain, protecting containers without interfering with Docker’s internal networking.
```bash
# Verify Docker-specific rules
sudo nft list chain inet filter DOCKER-USER
```
6. Troubleshooting and Post-Installation Audit
SysWarden includes an 8-phase audit to verify correct deployment.
Audit Commands
```bash
# Run the full audit
sudo syswarden-audit
# Check individual components
sudo nft list ruleset | grep -E "drop|reject"
sudo fail2ban-client status
sudo wg show
sudo systemctl status nftables firewalld fail2ban wg-quick@wg0
```
Common Issues and Fixes
| Issue | Solution |
|-|-|
| Blocklists not loading | Check internet connectivity and GitHub raw URL access |
| Fail2ban jails not activating | Verify service is running and log files exist |
| WireGuard handshake failing | Ensure UDP port 51820 is open in cloud firewall |
| Docker containers unreachable | Check `DOCKER-USER` chain order (SysWarden rules must come before Docker’s) |
What Undercode Say
- Defense-in-Depth Is Non-Negotiable: SysWarden demonstrates that effective perimeter security requires orchestration—not just a single tool. Combining kernel-level filtering, threat intelligence feeds, reactive banning, and VPN isolation creates a resilient shield against automated threats.
- Open Source Community Innovation Matters: With a solo developer maintaining both SysWarden and the Data-Shield blocklist (557 stars), this project proves that focused, community-funded open-source security tools can rival commercial offerings in both effectiveness and efficiency.
- Automation Bridges the Skills Gap: SysWarden’s ability to deploy enterprise-grade hardening in under 10 minutes—with Ansible/Terraform support—lowers the barrier for DevOps teams and solo sysadmins alike.
Prediction
As cloud adoption accelerates and edge devices proliferate, perimeter-based security tools like SysWarden will become critical for reducing attack surfaces. The trend toward lightweight, orchestrated firewall solutions that integrate real-time threat intelligence (IP blocklists, ASN data) will likely converge with AI-driven anomaly detection, creating self-healing network perimeters. SysWarden’s GPL-3.0 licensing and community funding model may inspire similar projects, challenging commercial SIEM and IDS vendors to justify their complexity and cost for basic network noise filtration.
Reported By: Stephanerobert1 Linux – Hackers Feeds


