Single‑binary edge guardian · security + site health · Linux · nftables

Calm until something happens.

Edge Guardian reads your logs to do two things: ban the bad traffic — scanners, brute‑force, exploits — at the firewall, and watch each site's health (5xx, latency, traffic), alerting the moment something degrades. A dashboard ships free. One static binary. One line to install.

$ curl -fsSL https://raw.githubusercontent.com/sondt/edge-guardian/main/install.sh | sudo bash
Star on GitHub ★
single static binary △ no database, no agent △ nftables native △ dry‑run safe start △ Apache‑2.0
The problem

Every public server is under constant fire.

The moment a box has an IP, bots start probing it — looking for forgotten admin panels, leaked secrets, and weak SSH passwords. The tools that fight back all make you choose between too fiddly and too heavy.

/wp‑login.php   → drop
/.env           → drop
/.git/config    → drop
?id=1' OR 1=1   → drop
UA: sqlmap/1.7  → drop
sshd: 5× fail   → drop
:23 honeypot    → drop

fail2ban

Lightweight and proven — but only sees one host, leans hard on regex rules, and gets awkward the moment you have more than one box. No dashboard.

CrowdSec

Powerful, with community blocklists — but you're learning an agent, a local API, a bouncer, and collections. And the pretty console? That's the paid part.

Why Edge Guardian

Two jobs, from one log tail.

The same stream that catches attackers also tells you when a site is in trouble. Block the bad traffic, and know the moment something breaks — without a second tool, a database, or an agent.

01

Block the bad traffic.

Scanners, brute‑force, exploit probes and floods — matched against a sliding window and dropped at the kernel via nftables. Repeat offenders escalate.

  • HTTP scanners, SSH brute‑force, exploit signatures, bad bots, rate‑abuse, port scans & honeypots
  • nftables bans with auto‑expiry; escalating punishment for repeat offenders
  • Import FireHOL & Spamhaus blocklists; CIDR allowlist so you never self‑lock
  • Dry‑run mode — detect & alert without blocking, so you trust it before you arm it

02

See when a site breaks.

The same access log feeds a health view: per‑site error rate, latency and traffic. It alerts when a site is degraded or down — and again when it recovers.

  • 5xx ratio, p95 latency & request rate per site, on a /sites page
  • Degraded / down / recovered alerts with sustained + cooldown — no spam
  • A free embedded dashboard: the Sentinel line, ban ledger, live feed
  • Answers “is anything wrong?” — never “who's viewing what” (not analytics)
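
What the health branch's alerting can look like, as an added Go example that is not Edge Guardian's own code: a per‑site state machine for degraded / down / recovered, where "sustained" is read as the bad 5xx ratio holding for a number of consecutive evaluations and "cooldown" as a minimum gap between degraded/down alerts for one site. The ratio thresholds, the sustain count and the cooldown are assumptions.

```go
package main

import "time"

// SiteHealth is the per-site alert state machine of the health branch: degraded,
// down and recovered, with "sustained" (a bad 5xx ratio must hold for Sustain
// consecutive evaluations) and "cooldown" (no repeat degraded/down alert inside
// Cooldown). All thresholds here are illustrative assumptions.
type SiteHealth struct {
	Sustain   int
	Cooldown  time.Duration
	DownRatio float64 // 5xx ratio at or above which a site is "down"
	DegrRatio float64 // 5xx ratio at or above which it is "degraded"
	badRuns   map[string]int       // consecutive bad evaluations per site
	state     map[string]string    // last announced state: "" (ok), "degraded", "down"
	lastAlert map[string]time.Time // last degraded/down alert per site
}

func NewSiteHealth(sustain int, cooldown time.Duration, down, degr float64) *SiteHealth {
	return &SiteHealth{Sustain: sustain, Cooldown: cooldown, DownRatio: down, DegrRatio: degr,
		badRuns: map[string]int{}, state: map[string]string{}, lastAlert: map[string]time.Time{}}
}

// Evaluate takes one interval's 5xx ratio for a site and returns the alert to
// send ("degraded", "down", "recovered") or "" to stay quiet.
func (h *SiteHealth) Evaluate(site string, ratio5xx float64, now time.Time) string {
	want := "" // "" = healthy
	if ratio5xx >= h.DownRatio {
		want = "down"
	} else if ratio5xx >= h.DegrRatio {
		want = "degraded"
	}
	if want == "" {
		h.badRuns[site] = 0
	} else if h.badRuns[site]++; h.badRuns[site] < h.Sustain {
		return "" // sustained: not bad for long enough yet
	}
	if want == h.state[site] {
		return "" // nothing changed since the last announcement
	}
	if want != "" && now.Sub(h.lastAlert[site]) < h.Cooldown {
		return "" // cooldown: hold the announcement rather than spam
	}
	h.state[site] = want
	if want == "" {
		return "recovered"
	}
	h.lastAlert[site] = now
	return want
}
```

A recovery is announced as soon as one evaluation is healthy again; the cooldown only gates degraded/down alerts.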
Detection · enforcement · health · alerting

Enough to actually run a server on.

DETECT · HTTP

Scanner paths

Regex on request URIs — the .php/.env/wp‑login probes a clean stack never serves. Ban on the first hit.

DETECT · SSH

Brute‑force

Counts failed logins from auth.log / journald. Injection‑hardened so a crafted username can't frame an innocent IP.
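
What "injection‑hardened" means for an sshd parser, as an added Go example that is not Edge Guardian's code: a naive regex that reads the first "from" after the username beside an anchored one that reads the tail sshd itself writes. The log line and both regexes are constructed for illustration.

```go
package main

import (
	"fmt"
	"net"
	"regexp"
)

// Two ways to read the offending IP from an sshd "Failed password" line. The
// username in that line comes from the client, so a parser that takes the first
// " from <ip>" after it can be fed a fake address and ban an innocent host.
// Anchoring on the fixed tail sshd itself writes (" from <ip> port <n> ssh2" at
// end of line) reads the real source. Constructed regexes, not Edge Guardian's.
var (
	naive    = regexp.MustCompile(`Failed password for .*? from (\S+)`)
	hardened = regexp.MustCompile(`sshd\[\d+\]: Failed password for .* from (\S+) port \d+ ssh2$`)
)

// NaiveOffenderIP shows the pitfall: it trusts the first "from" it sees.
func NaiveOffenderIP(line string) string {
	if m := naive.FindStringSubmatch(line); m != nil {
		return m[1]
	}
	return ""
}

// OffenderIP is the injection-hardened version: anchored to the end of the
// line and validated as an IP before it may count toward a ban.
func OffenderIP(line string) string {
	m := hardened.FindStringSubmatch(line)
	if m == nil || net.ParseIP(m[1]) == nil {
		return ""
	}
	return m[1]
}

// Constructed sample: the "username" carries a fake from-clause naming 10.0.0.9;
// the real client is 203.0.113.5.
const sample = "Jan 10 12:00:00 host sshd[1234]: Failed password for invalid user " +
	"admin from 10.0.0.9 port 22 ssh2 from 203.0.113.5 port 4242 ssh2"

func main() {
	fmt.Println("naive:   ", NaiveOffenderIP(sample)) // 10.0.0.9 (the wrong host)
	fmt.Println("hardened:", OffenderIP(sample))      // 203.0.113.5
}
```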

DETECT · EXPLOIT

Attack signatures

SQLi, path traversal, RCE probes & Log4Shell in the URI. Off by default, anchored to keep false positives near zero.

DETECT · BOTS

Bad‑bot UA

Bans known scanner user‑agents — sqlmap, nikto, nuclei, masscan, wpscan — that have no honest reason to call you.

DETECT · FLOOD

Rate abuse

Counts every request per IP and bans a DoS‑lite flood. High‑threshold and allowlist‑aware so real clients pass.

DETECT · NETWORK

Port scan

Counts distinct destination ports per IP via nftables logging. Hammering one port isn't a scan; sweeping many is.

DETECT · TRAP

Honeypot ports

Touch a decoy port, get banned instantly. The highest‑quality signal there is — no legitimate reason to knock.

HEALTH

Site health (new)

Per‑site 5xx ratio, p95 latency & request rate — sites discovered from nginx -T. Alerts on degraded / down / recovered, with a /sites view.

ENFORCE

nftables bans (escalating)

Dropped at the kernel via a timeout set. Repeat offenders are punished harder: a day, a week, a month, forever.

INTEL

Public blocklists

Import FireHOL & Spamhaus DROP into an nftables interval set — block known‑bad ranges before they ever reach you.

ALERT

Telegram & Email

Real‑time on every ban and every health alert, to all channels at once. Email via Resend. Country & ASN when GeoIP is on.

GEO

Offline GeoIP

Country, region & ISP from local MMDB files — works with the free sapics databases, no MaxMind account.

SAFE

Allowlist & dry‑run

CIDR allowlist for your office, VPN & monitoring. Dry‑run to observe for days before you flip the switch.

HEALTH · ERRORS

Error log (new)

Every 4xx/5xx request in one place — host, path, status, IP, user‑agent and GeoIP origin — filterable and paginated on a /errors page.

OPS

Auto‑update (new)

An optional systemd timer keeps the binary current from GitHub releases — binary‑only, with a safe restart. Off by default.

How it works

One tail. Two branches.

Every line fans out twice: the security branch matches bad traffic and bans it; the health branch counts per‑site status, latency and rate, and alerts on trouble. Adding a detector is a parser and a threshold — never a rewrite.

01

Tail

nginx, sshd & kernel logs — one read, fans out to both branches.

02

Detect

Parse the source IP, match against a sliding window + threshold.

03

Allowlist?

Your CIDRs are never touched. The last line of defense against self‑lockout.

04

Ban

Add to the nftables set with a timeout. Dropped on every port, instantly.

05

Notify

Bans and health alerts — Telegram, email, the dashboard feed & Sentinel line.
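
Steps 02 to 04 in working form, as an added Go example that is not Edge Guardian's own code: a per‑IP sliding window with a threshold, a CIDR allowlist that is never banned, and escalating timeouts (a day, a week, a month, then forever). It assumes an nftables set `banned` in table `inet edge_guardian` created with `flags timeout`; the `nft` command is built and returned, not executed, so a caller can log it in dry‑run or run it when armed.

```go
package main

import (
	"net"
	"time"
)

// Guardian is the detect -> allowlist -> ban path of the steps above: a per-IP
// sliding window, a CIDR allowlist that is never banned, and escalating nftables
// timeouts. Set name, ladder and thresholds are assumptions; nft is not executed.
type Guardian struct {
	Window    time.Duration
	Threshold int
	Allow     []*net.IPNet           // CIDRs never banned: office, VPN, monitoring
	hits      map[string][]time.Time // recent event times per IP
	offenses  map[string]int         // prior bans per IP, drives escalation
}

func NewGuardian(window time.Duration, threshold int, allow []*net.IPNet) *Guardian {
	return &Guardian{Window: window, Threshold: threshold, Allow: allow,
		hits: map[string][]time.Time{}, offenses: map[string]int{}}
}

// Hit records one bad event for ip at time now and returns the nft command that
// bans it once Threshold events fall inside Window, or "" when no action is due.
func (g *Guardian) Hit(ip net.IP, now time.Time) string {
	for _, n := range g.Allow {
		if n.Contains(ip) {
			return "" // allowlisted: the last line of defense against self-lockout
		}
	}
	key := ip.String()
	kept := g.hits[key][:0] // slide the window: drop events older than Window
	for _, t := range g.hits[key] {
		if now.Sub(t) < g.Window {
			kept = append(kept, t)
		}
	}
	g.hits[key] = append(kept, now)
	if len(g.hits[key]) < g.Threshold {
		return ""
	}
	g.hits[key] = nil // start a fresh window after the ban
	timeout := ""     // ladder: a day, a week, a month; from the 4th offense on, forever
	if step := g.offenses[key]; step < 3 {
		timeout = " timeout " + []string{"1d", "7d", "30d"}[step]
	}
	g.offenses[key]++
	return "nft add element inet edge_guardian banned { " + key + timeout + " }"
}
```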

The wedge

See who's hitting you — and what's breaking.

A calm instrument that stays quiet until it matters. When the Sentinel line spikes red, or a site turns degraded, it means something. This ships in the free binary — no Grafana, no paywall.

Install

Up and watching in a minute.

Starts in dry‑run, so it observes without blocking until you're ready. Then flip one line.

One line

Detects your arch, installs the binary + systemd unit, and initializes nftables.

# Linux, needs nftables + root
curl -fsSL https://raw.githubusercontent.com/sondt/edge-guardian/main/install.sh \
  | sudo bash

.deb / .rpm

Native packages for amd64 & arm64. Config is a conffile — safe across upgrades.

# Debian / Ubuntu
sudo apt install ./edge-guardian_0.4.4_linux_amd64.deb
# RHEL / Rocky / Fedora
sudo dnf install ./edge-guardian_0.4.4_linux_amd64.rpm

Docker

Protects the host firewall via the host network namespace.

docker run -d --name edge-guardian \
  --network host --cap-add NET_ADMIN \
  -v /etc/edge-guardian:/etc/edge-guardian \
  ghcr.io/sondt/edge-guardian

At a glance

How it stacks up.

                                    Edge Guardian | fail2ban  | CrowdSec
Single static binary                Yes           |           |
One‑line install                    Yes           | pkg       | script + repo
Dashboard in the free tier          Yes           |           | paid / DIY Grafana
HTTP + SSH + port‑scan + honeypot   Yes           | via rules | scenarios
Exploit + bad‑bot + rate‑abuse      Yes           | DIY rules | scenarios
Per‑site health monitoring          Yes           |           |
nftables‑native enforcement         Yes           | backend   | bouncer
Public blocklist import             Yes           |           | community
No external service to run          Yes           | Yes       | local API

Questions

Straight answers.

What is Edge Guardian?

Edge Guardian is a free, open-source, single-binary edge guardian for Linux. From one log tail it does two things: security — detect scanners, brute-force and exploits, then ban the source IPs at the nftables firewall — and edge health — watch each site's 5xx ratio, latency and request rate, and alert when a site is degraded or down. It alerts via Telegram or email and ships with a built-in local dashboard.

How is Edge Guardian different from fail2ban and CrowdSec?

fail2ban is regex-heavy, only sees one host, and has no dashboard. CrowdSec is powerful but requires an agent, a local API, a bouncer, and collections — and its dashboard is a paid feature. Edge Guardian is a single static binary with a one-line install, a dashboard included free, and it also monitors site health — not just security.

What does Edge Guardian detect?

HTTP scanner paths, SSH brute-force, exploit signatures (SQLi, path traversal, RCE probes, Log4Shell), bad bots by User-Agent (sqlmap, nikto, nuclei, masscan), rate-abuse / DoS-lite floods, port scans (distinct destination ports per IP), and honeypot-port hits. It can also import public blocklists such as FireHOL and Spamhaus.

Does it monitor site health, not just attacks?

Yes. The same access log feeds a health branch that aggregates per-site status mix, 5xx error ratio, request rate and p95 latency, and alerts (with sustained + cooldown to avoid noise) when a site is degraded or down — and again when it recovers. It deliberately does not do web analytics: it answers “is anything wrong?”, not “who is viewing what?”.

Is Edge Guardian free?

Yes. Edge Guardian is free and open source under the Apache-2.0 license — including the dashboard and the health monitoring.

What does Edge Guardian need to run?

A Linux server with nftables (Debian 11+, Ubuntu 20.04+, RHEL 9+ or equivalent) and root or CAP_NET_ADMIN. No database, no agent, and no external service are required.

How do I install Edge Guardian?

Run the one-line installer (curl -fsSL .../install.sh | sudo bash), install the .deb or .rpm package, or run the Docker image. Edge Guardian starts in dry-run mode so it observes and alerts before it blocks.

Drop it on a box.
Forget about scanners.

Free, open source, and built to stay out of your way until something actually happens.

$ curl -fsSL https://raw.githubusercontent.com/sondt/edge-guardian/main/install.sh | sudo bash
View source ↗