Defensia reads your nginx and Apache access logs in real time. When it detects SQL injection, path traversal, RCE, or other OWASP attacks, it blocks the IP automatically — before they try again.
Try WAF Free →Every detection uses a cumulative scoring engine — repeated attacks from the same IP escalate the response.
| Attack Type | Default Score | Detection Method |
|---|---|---|
| RCE / Web Shell / Shellshock | +50 | Score-based |
| Scanner User-Agent (sqlmap, nikto...) | +50 | Score-based |
| SQL Injection | +40 | Score-based |
| SSRF | +40 | Score-based |
| Web Exploit (Spring4Shell, Log4Shell...) | +40 | Score-based |
| Honeypot Trap | +40 | Score-based |
| Path Traversal | +30 | Score-based |
| Header Injection | +30 | Score-based |
| WordPress Brute Force | +30 | Threshold (10 req / 2 min) |
| XSS | +25 | Score-based |
| .env Probe | +25 | Score-based |
| XMLRPC Abuse | +25 | Threshold |
| Config Probing | +20 | Score-based |
| Scanner Pattern | +20 | Score-based |
| 404 Flood | +15 | Threshold (30 req / 5 min) |
Score ≥ 80 → IP blocked for 1 hour · Score ≥ 100 → blacklisted for 24 hours. All thresholds configurable per server.
No inline proxy. No traffic redirection. Defensia reads your existing web server logs directly.
Runs nginx -T and apachectl -S to find all vhosts and log paths. Also detects logs inside Docker containers via bind mounts.
Each suspicious request adds points to the attacker's IP score. Repeated attacks escalate the score toward a block threshold.
When a score threshold is crossed, the IP is added to an ipset rule. The block is instant and propagated to all your servers.
Every attack type can be tuned per server. No config files on the server.
Turn off wp_bruteforce on non-WordPress servers. No restarts needed.
Set SQL injection to 80 for instant-block on first detection. Or set 404_flood to 0 to ignore it.
Log attacks without blocking. Useful for auditing before enforcement.
Override the req/min thresholds for wp_bruteforce, 404_flood, and xmlrpc per server.
A WAF monitors HTTP traffic and blocks malicious requests like SQL injection, XSS, and path traversal. Unlike traditional firewalls that only filter by IP/port, a WAF understands application-level attacks. Defensia's WAF reads your nginx or Apache access logs and detects 15+ OWASP attack types automatically.
No. Defensia reads nginx and Apache access logs directly — it doesn't need ModSecurity, OWASP CRS rules, or any inline proxy. The Go agent parses log entries in real time and scores each IP based on attack patterns. Zero configuration files.
SQL injection, cross-site scripting (XSS), path traversal, remote code execution (RCE), server-side request forgery (SSRF), shellshock, web shell uploads, XML external entity (XXE), HTTP request smuggling, and more — 15+ OWASP attack types in total.
No. Defensia's WAF runs as a separate Go process that reads server logs asynchronously. It never sits in the request path — requests are served by nginx/Apache at full speed. The WAF analyzes log entries after the fact and blocks attacking IPs via iptables.
The WAF is included in Defensia Pro at €9/server/month (€7 billed annually). The free plan includes SSH protection and the real-time dashboard but not the WAF.
One command installs the agent. WAF is included in the Pro plan.
See Pricing Start Free