The average Linux VPS receives its first attack within minutes of going online. Defensia detects and blocks them automatically — SSH brute force, web exploits, scanners, and more.
Install in 30 seconds →
sshd: Failed password for root from 185.220.101.7 port 43992
sshd: Invalid user admin from 45.83.64.11 port 55120
nginx: 103.145.13.90 "GET /wp-login.php HTTP/1.1" 404
nginx: 91.108.4.30 "POST /../../../etc/passwd HTTP/1.1" 400
sshd: Failed password for ubuntu from 45.83.64.11 port 22180
… thousands more today
Linux powers 96% of the world's web servers. That makes it the #1 target for automated attacks. Botnets scan the entire IPv4 range in under 45 minutes, probing for open SSH ports, exposed databases, and unpatched web applications.
Most attacks are automated — bots don't care about your site size or traffic. They probe every server looking for easy wins: default credentials, unpatched software, and exposed admin panels. Without automated protection, you're relying on luck.
Attack vectors evolve every year. These are the most common threats Defensia detects right now.
The #1 attack vector. Bots try thousands of username/password combinations per hour. Default credentials like root:admin are tested within minutes of a server going online.
How Defensia blocks SSH attacks →
SQL injection, XSS, path traversal, remote code execution, and server-side request forgery. Automated scanners probe every web server for these vulnerabilities 24/7.
See WAF detection details →
Attackers install cryptocurrency miners that consume 100% CPU. Web shells in upload directories give persistent backdoor access. PHP malware hides in WordPress plugins and themes.
Hidden processes, modified system binaries, and ld.so.preload hooks. Rootkits persist across reboots and are invisible to standard monitoring tools.
MySQL, PostgreSQL, MongoDB, and Redis exposed to the internet with default credentials. Attackers dump data or use them as pivot points into your network.
Database protection details →
Known vulnerabilities in OpenSSH, nginx, Apache, PHP, and system libraries. Attackers scan for specific CVEs and exploit them within hours of public disclosure.
Most compromised servers show no obvious symptoms. Here's what to look for:
Defensia's Security Score (0-100, A-F grade) continuously checks these indicators. The malware scanner detects cryptominers, reverse shells, and web shells in upload directories. See all detection capabilities →
Defensia monitors multiple attack surfaces simultaneously, with no configuration.
15 detection patterns covering failed passwords, invalid users, pre-auth scanning, PAM failures, and kex negotiation drops.
Deep dive into SSH protection →
SQL injection, XSS, path traversal, RCE, web shells, shellshock, SSRF, and 8 more OWASP attack types from nginx/Apache logs.
See all WAF detection rules →
Detects automated scanners (Shodan, Masscan, nmap) probing your services. Blacklists them before they find an open port.
70+ bot fingerprints. Per-policy: allow legitimate bots (Googlebot), log gray-area crawlers, block malicious scanners.
Decoy endpoints that only attackers visit. Any request to /backup.zip, /.git, or /phpmyadmin triggers an immediate high-score ban.
Dedicated detection for wp-login.php brute force, xmlrpc.php abuse, and plugin vulnerability probing.
File-level malware scanning with 64K+ hash signatures. Detects PHP backdoors, obfuscated shells, cryptominers, and suspicious executables in upload directories.
11 detection patterns for Postfix SASL, Dovecot IMAP, and Roundcube login brute force. Auto-detected from mail.log.
Email server protection details →
A lightweight Go agent runs on your server, reads logs in real time, and applies firewall rules automatically.
# Architecture
auth.log + nginx/access.log + docker logs
│ Auto-detected. No config files.
▼
Watcher goroutines
│ Detect patterns in real time
▼
Scoring engine → each attack adds points to IP score
│ Score ≥ 80 → block 1h · Score ≥ 100 → blacklist 24h
▼
ipset add defensia-bans <IP> → firewall blocks instantly
│ 65,000+ concurrent bans with ipset
▼
POST /api/agent/bans → dashboard + all your other servers
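The scoring pipeline in the diagram above, sketched in Python as an added example; it is not Defensia's agent code (the agent is written in Go). The log patterns and per-event point values are assumptions, while the 80 and 100 thresholds, the ban durations and the `defensia-bans` set name come from the diagram.

```python
import ipaddress
import re
from collections import Counter

# Patterns and point values are assumptions, not Defensia's rules. The sshd
# patterns are end-anchored so the IP is the one sshd appended to the line.
RULES = [
    (re.compile(r"^sshd: Failed password for .* from (\S+) port \d+$"), 30),
    (re.compile(r"^sshd: Invalid user .* from (\S+) port \d+$"), 40),
    (re.compile(r'^nginx: (\S+) "[A-Z]+ \S*\.\./\S* HTTP'), 80),
]

# Four of the page's sample log lines, plus one constructed line (the last).
SAMPLE = [
    "sshd: Failed password for root from 185.220.101.7 port 43992",
    "sshd: Invalid user admin from 45.83.64.11 port 55120",
    'nginx: 91.108.4.30 "POST /../../../etc/passwd HTTP/1.1" 400',
    "sshd: Failed password for ubuntu from 45.83.64.11 port 22180",
    "sshd: Failed password for ubuntu from 45.83.64.11 port 22184",
]


def score(lines):
    """Sum rule points per source IP; a capture that is not an IP scores nothing."""
    scores = Counter()
    for line in lines:
        for pattern, points in RULES:
            m = pattern.match(line.strip())
            if m:
                try:
                    scores[str(ipaddress.ip_address(m.group(1)))] += points
                except ValueError:
                    pass  # captured text is not an address: ignore the line
                break
    return scores


def decide(ip, points):
    """Apply the diagram's thresholds; None means the IP is not banned yet."""
    if points >= 100:
        return f"ipset add defensia-bans {ip} timeout 86400"  # blacklist 24h
    if points >= 80:
        return f"ipset add defensia-bans {ip} timeout 3600"  # block 1h
    return None


if __name__ == "__main__":
    for ip, points in score(SAMPLE).most_common():
        print(f"{ip:<15} {points:>3}  {decide(ip, points) or 'no ban yet'}")
```

The `timeout` option is accepted only if the ipset set was created with timeout support.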
Most hardening guides list 20+ manual steps. Defensia handles the critical ones out of the box.
| Security check | Manual | Defensia |
|---|---|---|
| Block SSH brute force attacks | fail2ban + config | ✓ |
| Detect web application exploits (WAF) | ModSecurity + rules | ✓ |
| Scan for malware & web shells | ClamAV + cron | ✓ |
| Monitor for CVE vulnerabilities | Manual apt audit | ✓ |
| Block by country (geoblocking) | iptables + GeoIP DB | ✓ |
| Real-time attack dashboard | Not available | ✓ |
| Multi-server ban propagation | Not available | ✓ |
| Detect exposed database ports | nmap + manual check | ✓ |
| Security posture score (0-100) | Lynis + manual review | ✓ |
| Rootkit detection | rkhunter + chkrootkit | ✓ |
| Slack / email / Discord alerts | Custom scripts | ✓ |
| Monitor Docker containers | docker logs + scripts | ✓ |
Free tier covers the essentials. Pro adds deeper security intelligence.
15 detection patterns. Blocks within seconds of attack start.
OWASP attack detection from nginx/Apache logs. Zero config.
Live event feed, charts, ban timeline, all servers in one view.
64K+ hash signatures. Web shells, cryptominers, rootkit checks.
Detects vulnerable packages and matches against CISA KEV catalog.
Block entire countries at the firewall level. Per-server policy.
0-100 score (A-F grade). SSH, firewall, file permissions, credentials.
70+ bot fingerprints. Allow, log, or block per policy.
Slack, email, Discord, and webhook notifications on attacks.
Requires: iptables + systemd + root access. Recommended: ipset.
It depends on your needs. For automated, zero-config protection that covers SSH, WAF, malware scanning, and CVE detection with a real-time dashboard, Defensia is purpose-built for that. For manual, granular control, tools like fail2ban (SSH only) or CrowdSec (requires YAML config) are alternatives. Defensia combines what would normally require 4-5 separate tools into one agent.
Install a tool that monitors authentication logs (auth.log, secure) and automatically bans IPs after repeated failures. Defensia detects 15 SSH attack patterns including failed passwords, invalid users, pre-auth drops, and PAM failures. It blocks attackers within seconds using ipset, supporting 65,000+ concurrent bans. No configuration files needed.
Yes. Every Linux server exposed to the internet receives automated attacks within minutes. A firewall alone (iptables/nftables) blocks ports, but doesn't detect application-level attacks like SQL injection or credential stuffing. Defensia adds intelligent detection on top of firewall rules — it reads your logs, scores each IP, and blocks attackers dynamically.
You can manually grep through auth.log and access.log, but that doesn't scale. Defensia provides a real-time web dashboard showing every attack, ban, and security event across all your servers. Live charts, event feed, ban timeline, and geographic distribution — all without touching a terminal.
Defensia includes a malware scanner with 64,000+ hash signatures and 684 dynamic detection patterns. It checks for PHP web shells in upload directories, cryptominers, reverse shells, suspicious executables in /tmp, modified system binaries, and rootkit indicators like ld.so.preload hooks. Scans run on schedule and results appear in the dashboard.
Ubuntu 20+, Debian 11+, CentOS 7+, RHEL 8+, Rocky Linux, AlmaLinux, Fedora 36+, and Amazon Linux 2023. The agent requires systemd, iptables, and root access. It also runs as a Docker container or Kubernetes DaemonSet via Helm.
The agent that runs on your server is MIT licensed and available on GitHub. It's written in Go and uses under 30MB of memory. The dashboard is a commercial SaaS with a free tier for one server.
Defensia is free for 1 server (includes SSH protection, dashboard, and basic features). Pro costs €9/server/month (or €7 billed annually) and includes WAF, malware scanning, CVE intelligence, geoblocking, bot management, and alerts. No cPanel or control panel license required.
15 detection patterns, ipset blocking.
OWASP attack detection from server logs.
Full comparison: fail2ban vs Defensia.
Docker, Swarm, and Kubernetes native.
Protect MySQL, PostgreSQL, MongoDB, Redis.
Postfix & Dovecot brute force protection.
One command. Under 30 seconds. Free for one server.
No credit card required.