AWS Security Groups filter network traffic. They cannot detect SSH brute force patterns, SQL injection in web requests, malware on disk, or CVEs in installed packages. You need host-level security too.
Install on Amazon Linux in 30 seconds →

```text
sshd[4821]: Failed password for root from 185.220.101.7 port 43992 ssh2
sshd[4823]: Invalid user admin from 45.83.64.11 port 55120 ssh2
GET /wp-login.php?action=register HTTP/1.1" 200   - WordPress login/registration probe
POST /cgi-bin/%%32%65%%32%65/%%32%65%%32%65/bin/sh HTTP/1.1"   - double-URL-encoded ../ traversal aimed at RCE (the Apache 2.4.49/2.4.50 pattern, CVE-2021-42013)
sshd[4830]: Disconnected from authenticating user ec2-user 92.118.39.18 port 22180 [preauth]
```

... Security Groups allow port 22 and 443. Everything above passes through.
Amazon Linux 2023 is based on Fedora with hardened defaults for EC2. AWS has made deliberate choices about what to include and what to leave out. Some of those gaps leave your instance exposed to attacks that Security Groups cannot prevent. Understanding these defaults is essential before you deploy to production.
Amazon Linux 2023 does not ship rsyslog: sshd's authentication events exist only in systemd-journald, and /var/log/secure is never written. Tools built around that file need extra work before they do anything. fail2ban is the usual example: its stock sshd jail tails /var/log/secure, so on AL2023 you either install and configure rsyslog to recreate the file or switch the jail to fail2ban's systemd backend, and in both cases you still write and tune the jails yourself, which defeats the purpose of choosing a "ready to use" AMI. Beyond that gap, the default image has no web application firewall, no malware scanner and no intrusion detection system. AWS expects you to handle host-level security yourself.
SELinux is enabled but runs in permissive mode by default: policy violations are written to the audit log (where ausearch and audit2allow can read them) but nothing is denied. Confirm the state with getenforce before relying on it. Switching to enforcing mode requires careful policy tuning for your specific workload, and the denials collected while permissive are exactly the input that tuning needs. Meanwhile no host firewall service runs by default (firewalld is not part of the default image), so nothing on the instance rate-limits or drops traffic: AWS delegates that entirely to VPC Security Groups and NACLs, which operate at the network layer and never see the content of a request.
Amazon Linux 2023 has genuine security advantages over other distributions. These are not marketing claims — they are real hardening features that reduce your attack surface. Defensia adds the missing layers on top of these solid foundations.
The Amazon Linux 2023 AMI is published with IMDSv2 required by default (the HttpTokens=required instance metadata option), so the metadata service refuses plain GETs and only answers requests that carry a session token obtained with a PUT. That blocks the classic SSRF route to IAM credentials, in which an application fetches an attacker-supplied URL and returns the response: a GET-only SSRF cannot issue the PUT or set the token header, and IMDS additionally rejects token requests that arrive with an X-Forwarded-For header. This has led to major breaches on instances where IMDSv1 is still allowed. Note that it is an instance setting rather than a feature of the OS: an instance launched from a custom AMI, or one whose metadata options were later relaxed, can still allow IMDSv1, so confirm that HttpTokens is "required" in the instance's MetadataOptions and set it with ModifyInstanceMetadataOptions on anything that is not.
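To make the difference concrete, here is an added Go example written for this page (it is not AWS or Defensia code). It emulates the metadata endpoint with net/http/httptest in both modes and exercises it two ways: a GET-only fetch of the kind an SSRF bug typically grants an attacker, and the proper token flow the SDKs use. The role name `constructed-role`, the token value and the credential document are made up; the real service lives at 169.254.169.254 and additionally limits the token response's IP hop count, which this mock does not model.

```go
package main

import (
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"strconv"
	"time"
)

const (
	tokenHeader = "X-aws-ec2-metadata-token"
	ttlHeader   = "X-aws-ec2-metadata-token-ttl-seconds"
	credsPath   = "/latest/meta-data/iam/security-credentials/constructed-role" // hypothetical role name
)

// newMockIMDS stands in for 169.254.169.254. With requireToken set it behaves like an
// instance whose metadata options are HttpTokens=required (the AL2023 AMI default):
// metadata GETs are answered only when they carry a session token that was first
// obtained with a PUT to /latest/api/token. The credentials it serves are constructed.
func newMockIMDS(requireToken bool) *httptest.Server {
	const token = "AQAAA-constructed-session-token"
	mux := http.NewServeMux()
	mux.HandleFunc("/latest/api/token", func(w http.ResponseWriter, r *http.Request) {
		ttl, err := strconv.Atoi(r.Header.Get(ttlHeader))
		// Real IMDS also refuses token requests that carry X-Forwarded-For, which is what
		// stops a proxy running on the instance from relaying the PUT for an attacker.
		if r.Method != http.MethodPut || err != nil || ttl < 1 || ttl > 21600 || r.Header.Get("X-Forwarded-For") != "" {
			http.Error(w, "bad token request", http.StatusBadRequest)
			return
		}
		fmt.Fprint(w, token)
	})
	mux.HandleFunc("/latest/meta-data/", func(w http.ResponseWriter, r *http.Request) {
		if requireToken && r.Header.Get(tokenHeader) != token {
			w.WriteHeader(http.StatusUnauthorized)
			return
		}
		fmt.Fprint(w, `{"AccessKeyId":"ASIACONSTRUCTED","SecretAccessKey":"constructed","Token":"constructed"}`)
	})
	return httptest.NewServer(mux)
}

// ssrfFetch models the primitive a typical SSRF bug hands an attacker: a GET to a URL
// they chose, with no control over the method and no way to add request headers.
func ssrfFetch(rawURL string) (int, string, error) {
	resp, err := http.Get(rawURL)
	if err != nil {
		return 0, "", err
	}
	defer resp.Body.Close()
	body, _ := io.ReadAll(resp.Body)
	return resp.StatusCode, string(body), nil
}

// imdsv2Fetch is the legitimate two-step flow: PUT for a token, then GET with the token header.
func imdsv2Fetch(base, path string) (int, string, error) {
	client := &http.Client{Timeout: 2 * time.Second}
	req, err := http.NewRequest(http.MethodPut, base+"/latest/api/token", nil)
	if err != nil {
		return 0, "", err
	}
	req.Header.Set(ttlHeader, "21600")
	resp, err := client.Do(req)
	if err != nil {
		return 0, "", err
	}
	tok, _ := io.ReadAll(resp.Body)
	resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return resp.StatusCode, "", fmt.Errorf("token request refused: %d", resp.StatusCode)
	}
	req, err = http.NewRequest(http.MethodGet, base+path, nil)
	if err != nil {
		return 0, "", err
	}
	req.Header.Set(tokenHeader, string(tok))
	resp, err = client.Do(req)
	if err != nil {
		return 0, "", err
	}
	defer resp.Body.Close()
	body, _ := io.ReadAll(resp.Body)
	return resp.StatusCode, string(body), nil
}

func main() {
	v2 := newMockIMDS(true)
	defer v2.Close()
	code, _, _ := ssrfFetch(v2.URL + credsPath)
	fmt.Println("SSRF-style GET, IMDSv2 required:", code)
	code, body, _ := imdsv2Fetch(v2.URL, credsPath)
	fmt.Println("token flow, IMDSv2 required:", code, body)
	v1 := newMockIMDS(false)
	defer v1.Close()
	code, body, _ = ssrfFetch(v1.URL + credsPath)
	fmt.Println("SSRF-style GET, IMDSv1 allowed:", code, body)
}
```

The three lines it prints are the whole argument: with tokens required the SSRF-style GET gets 401 and only the PUT-then-GET flow gets 200, while with IMDSv1 allowed the same GET walks away with the credential document.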
AL2023 supports kernel live patching, so a kernel CVE with a published live patch can be closed without rebooting the instance. This removes the window in which a known kernel bug stays exploitable while you wait for a maintenance window. Two caveats: live patching is opt-in (it is enabled through the kpatch-dnf plugin, not on by default), and live patches are published only for critical and important CVEs, and only for a limited period after each kernel release. A new kernel version still needs a reboot, so keep scheduling them.
The kernel enforces module signature verification and runs with kernel lockdown, so a rootkit that needs to load its own module, or to patch the running kernel through /dev/mem, is stopped even with root. That closes off a common persistence mechanism on compromised servers. You can read the active lockdown mode from /sys/kernel/security/lockdown (the bracketed value is the one in force). The limit is that this covers only kernel-level persistence: user-space rootkits (LD_PRELOAD, replaced binaries, cron or systemd units) and attacks that never touch the kernel are unaffected, which is why on-disk and log-based detection still matters.
Every AL2023 release is a versioned repository snapshot, and an instance launched from an AL2023 AMI stays locked to the release that AMI was built from, so dnf update produces the same result on every host regardless of when you run it: no surprise package changes, no broken dependencies, and you control exactly which version set your fleet runs. The flip side is that a locked instance also does not see fixes published in later releases, so a plain dnf update can report nothing to do while security updates are pending. Run dnf check-release-update to learn whether a newer release exists, move to it with dnf upgrade --releasever=<version>, or set /etc/dnf/vars/releasever to latest if you would rather track the newest release automatically.
AWS Systems Manager agent comes pre-installed, enabling remote management, patching, and command execution without SSH. Defensia complements this by adding attack detection that SSM does not provide.
CIS benchmark profiles are available for compliance scanning via OpenSCAP. These measure configuration against security baselines. Defensia adds the runtime layer — detecting and blocking active attacks that pass compliance checks.
These kernel and infrastructure hardening features are excellent for reducing the attack surface. But they do not detect or block application-level attacks — SSH brute force, SQL injection, web shell uploads, or cryptominer infections. That is where Defensia fits in.
No dnf install prerequisites. No repository configuration. No rsyslog to install. Just one command:
```text
# What happens on Amazon Linux 2023:
1. Downloads the Go binary (~15MB) for your architecture (amd64 or arm64 Graviton)
2. Installs to /usr/local/bin/defensia-agent
3. Creates a systemd service unit
4. Auto-detects journald for SSH logs (no /var/log/secure needed)
5. Auto-detects nginx/Apache access logs if present
6. Starts protecting immediately (no config files to edit)
```
The agent is a single Go binary with no runtime dependencies: it does not require Python, Ruby, Java, or any interpreter, and it runs on both x86_64 instances and ARM64 Graviton processors. The install script detects Amazon Linux 2023 automatically, reads SSH events directly from journald instead of looking for /var/log/secure, and uses iptables and ipset for blocking. It works on standalone EC2 instances and on instances managed by SSM.
AWS offers several security services. They are powerful but expensive, complex to configure, and operate at different layers than host-level protection. Here is how they compare to Defensia for protecting an EC2 instance running Amazon Linux 2023.
| AWS Service | What it does | Limitation | Defensia |
|---|---|---|---|
| Security Groups | Network-level port filtering | Cannot inspect traffic content | Host-level log analysis + blocking |
| GuardDuty | Threat intelligence over VPC flow logs, CloudTrail and DNS logs | Billed on log and event volume analyzed; alerts only, blocking must be wired up via EventBridge | Real-time detection + auto-blocking |
| Inspector | CVE scanning for installed packages | Per-instance-month pricing, no WAF | CVE + WAF + malware + SSH |
| AWS WAF | HTTP filtering on CloudFront, ALB and API Gateway | Monthly fee per web ACL and per rule, plus per-request fees; nothing for a bare instance | Server-level from logs, flat rate |
| Shield Standard | Basic DDoS protection | L3/L4 only, no app-layer | App-layer attack detection |
| SSM Patch Manager | Automated OS patching | No attack detection | Detection + blocking + patching alerts |

AWS security services are designed for large organizations with dedicated security teams, and their pricing is usage-based: GuardDuty is billed on the volume of logs and events it analyzes, Inspector per scanned instance-month, and AWS WAF per web ACL and per rule each month plus a fee per million requests, on top of the CloudFront distribution or ALB it has to sit behind. Defensia costs a flat rate with no per-request or per-GB charges, and it runs directly on the instance, so no CloudFront or ALB is required for WAF protection.
The agent reads journald and web server logs to detect attacks across every surface of your EC2 instance.
Amazon Linux 2023 has no /var/log/secure — SSH logs go to systemd-journald only. Defensia reads directly from journald via journalctl, detecting 15 SSH attack patterns: failed passwords, invalid users (ec2-user, root, admin), pre-auth disconnects, PAM failures, and kex negotiation drops.
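The detection this paragraph describes can be reproduced in a few dozen lines. The Go program below is an added example written for this page, not Defensia's agent code. It reads sshd entries in the JSON shape that journalctl -u sshd -o json emits (falling back to constructed sample lines embedded in the file when journalctl is not available), attributes each failure to the client address using a handful of the patterns named above, applies a threshold over a sliding time window, and prints the ipset/iptables commands that would ban the offenders. The set name sshban, the threshold of 3 failures in 10 minutes and the 1 hour ban are illustrative choices, not the agent's defaults.

```go
package main

import (
	"encoding/json"
	"fmt"
	"os/exec"
	"regexp"
	"sort"
	"strings"
	"time"
)

// journalEntry is the subset of `journalctl -u sshd -o json` output this example needs.
type journalEntry struct {
	Message   string `json:"MESSAGE"`
	Timestamp string `json:"__REALTIME_TIMESTAMP"` // microseconds since the epoch, as a string
}

// Event is one failed or aborted authentication, attributed to the client address.
type Event struct {
	IP   string
	When time.Time
}

// sshFailures are sshd MESSAGE shapes that count as a failure; each captures the client in "ip".
var sshFailures = []*regexp.Regexp{
	regexp.MustCompile(`Failed password for (?:invalid user )?\S+ from (?P<ip>[0-9a-fA-F.:]+) port \d+`),
	regexp.MustCompile(`Invalid user \S* from (?P<ip>[0-9a-fA-F.:]+) port \d+`),
	regexp.MustCompile(`Disconnected from authenticating user \S+ (?P<ip>[0-9a-fA-F.:]+) port \d+ \[preauth\]`),
	regexp.MustCompile(`pam_unix\(sshd:auth\): authentication failure;.*rhost=(?P<ip>[0-9a-fA-F.:]+)`),
	regexp.MustCompile(`Unable to negotiate with (?P<ip>[0-9a-fA-F.:]+) port \d+: no matching`),
}

// sampleJournal is constructed input in journalctl -o json shape; it is not real AWS or Defensia data.
var sampleJournal = []string{
	`{"__REALTIME_TIMESTAMP":"1700000000000000","MESSAGE":"Failed password for root from 185.220.101.7 port 43992 ssh2"}`,
	`{"__REALTIME_TIMESTAMP":"1700000001000000","MESSAGE":"Failed password for root from 185.220.101.7 port 43993 ssh2"}`,
	`{"__REALTIME_TIMESTAMP":"1700000002000000","MESSAGE":"Failed password for invalid user admin from 185.220.101.7 port 43994 ssh2"}`,
	`{"__REALTIME_TIMESTAMP":"1700000003000000","MESSAGE":"Invalid user admin from 45.83.64.11 port 55120"}`,
	`{"__REALTIME_TIMESTAMP":"1700000004000000","MESSAGE":"Disconnected from authenticating user ec2-user 92.118.39.18 port 22180 [preauth]"}`,
	`{"__REALTIME_TIMESTAMP":"1700000005000000","MESSAGE":"Accepted publickey for ec2-user from 10.0.0.5 port 51234 ssh2: ED25519 SHA256:constructed"}`,
	`{"__REALTIME_TIMESTAMP":"1700000006000000","MESSAGE":"Unable to negotiate with 185.220.101.7 port 43995: no matching key exchange method found. Their offer: diffie-hellman-group1-sha1 [preauth]"}`,
	`{"__REALTIME_TIMESTAMP":"1700000700000000","MESSAGE":"Failed password for root from 45.83.64.11 port 55121 ssh2"}`,
}

// parseEntry returns the failure event encoded in one JSON journal line, if there is one.
func parseEntry(line string) (Event, bool) {
	var e journalEntry
	if err := json.Unmarshal([]byte(line), &e); err != nil {
		return Event{}, false
	}
	for _, re := range sshFailures {
		m := re.FindStringSubmatch(e.Message)
		if m == nil {
			continue
		}
		var usec int64
		fmt.Sscan(e.Timestamp, &usec)
		return Event{IP: m[re.SubexpIndex("ip")], When: time.UnixMicro(usec)}, true
	}
	return Event{}, false
}

// analyze returns, sorted, every client with at least threshold failures inside some window.
func analyze(lines []string, threshold int, window time.Duration) []string {
	byIP := map[string][]time.Time{}
	for _, line := range lines {
		if ev, ok := parseEntry(line); ok {
			byIP[ev.IP] = append(byIP[ev.IP], ev.When)
		}
	}
	var out []string
	for ip, times := range byIP {
		sort.Slice(times, func(i, j int) bool { return times[i].Before(times[j]) })
		start := 0 // left edge of the sliding window over this client's sorted timestamps
		for end := range times {
			for times[end].Sub(times[start]) > window {
				start++
			}
			if end-start+1 >= threshold {
				out = append(out, ip)
				break
			}
		}
	}
	sort.Strings(out)
	return out
}

// banCommands renders the ipset/iptables invocations that would block the offenders. The set
// carries a timeout so bans expire on their own; the DROP rule is inserted only if absent (-C then -I).
func banCommands(ips []string) []string {
	cmds := []string{
		"ipset create sshban hash:ip timeout 3600 -exist",
		"iptables -C INPUT -m set --match-set sshban src -j DROP 2>/dev/null || iptables -I INPUT -m set --match-set sshban src -j DROP",
	}
	for _, ip := range ips {
		cmds = append(cmds, "ipset add sshban "+ip+" timeout 3600 -exist")
	}
	return cmds
}

func main() {
	lines := sampleJournal
	// On an AL2023 host the same shape comes straight from journald (run as root or in the systemd-journal group).
	if out, err := exec.Command("journalctl", "-u", "sshd", "-o", "json", "--since", "-10min", "--no-pager").Output(); err == nil && len(out) > 0 {
		lines = strings.Split(strings.TrimSpace(string(out)), "\n")
	}
	for _, cmd := range banCommands(analyze(lines, 3, 10*time.Minute)) {
		fmt.Println(cmd) // printed, not executed; pipe through sh to apply
	}
}
```

It prints rather than executes the commands. Before piping the output into sh on a real host, exempt your own bastion or office ranges, otherwise a mistyped key passphrase locks you out of your own instance.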
Deep dive into SSH protection →

Reads nginx and Apache access logs to detect SQL injection, XSS, path traversal, RCE, SSRF, and 10+ more OWASP attack types. Works with any web server running on the EC2 instance; no ALB or CloudFront required.
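An added Go example of the log-side WAF idea, written for this page and not the project's own signature engine: it parses nginx/Apache combined-format lines, normalises the request URI by percent-decoding it repeatedly so that double-encoded payloads like the %%32%65 traversal from the opening log excerpt are inspected in their final form, and runs a few illustrative signatures for traversal, SQL injection, RCE, XSS and SSRF. The sample log lines are constructed, and the rule set is deliberately tiny.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
	"strings"
)

// combinedLog matches the nginx/Apache "combined" access log format.
var combinedLog = regexp.MustCompile(`^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"`)

// rules are small illustrative signatures for a few OWASP classes; a real engine carries far more.
var rules = []struct {
	Name string
	Re   *regexp.Regexp
}{
	{"path-traversal", regexp.MustCompile(`(?:^|[\\/])\.\.(?:[\\/]|$)`)},
	{"sqli", regexp.MustCompile(`(?i)(?:\bunion\b.{0,40}\bselect\b|'\s*or\s+\S+\s*=\s*\S+|\bsleep\s*\(|;\s*drop\s+table\b)`)},
	{"rce", regexp.MustCompile(`(?i)(?:/bin/(?:ba)?sh\b|\$\{IFS\}|\$\([^)]*\)|\bwget\s|\bcurl\s)`)},
	{"xss", regexp.MustCompile(`(?i)(?:<script\b|javascript:|on(?:error|load)\s*=)`)},
	{"ssrf", regexp.MustCompile(`(?i)(?:169\.254\.169\.254|metadata\.google\.internal|file://)`)},
}

// sampleAccessLog is constructed nginx "combined" output, not a real capture.
var sampleAccessLog = []string{
	`45.83.64.11 - - [01/Jan/2025:09:12:01 +0000] "POST /cgi-bin/%%32%65%%32%65/%%32%65%%32%65/bin/sh HTTP/1.1" 400 157 "-" "Mozilla/5.0"`,
	`185.220.101.7 - - [01/Jan/2025:09:12:05 +0000] "GET /products?id=1%27%20UNION%20SELECT%20username,password%20FROM%20users-- HTTP/1.1" 200 5123 "-" "sqlmap/1.8"`,
	`203.0.113.9 - - [01/Jan/2025:09:12:09 +0000] "GET /search?q=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 812 "-" "Mozilla/5.0"`,
	`198.51.100.4 - - [01/Jan/2025:09:12:12 +0000] "GET /fetch?url=http://169.254.169.254/latest/meta-data/iam/ HTTP/1.1" 200 44 "-" "python-requests/2.31"`,
	`10.0.0.5 - - [01/Jan/2025:09:12:15 +0000] "GET /wp-login.php?action=register HTTP/1.1" 200 2048 "-" "Mozilla/5.0"`,
}

func isHex(c byte) bool { return (c >= '0' && c <= '9') || (c >= 'a' && c <= 'f') || (c >= 'A' && c <= 'F') }

func unhex(c byte) byte {
	switch {
	case c >= 'a':
		return c - 'a' + 10
	case c >= 'A':
		return c - 'A' + 10
	}
	return c - '0'
}

// unescapeOnce decodes every valid %XX sequence and turns "+" into a space but, unlike
// net/url, leaves malformed escapes such as a bare "%%" in place instead of rejecting the
// whole string. That tolerance is what makes double encoding visible to the next round.
func unescapeOnce(s string) string {
	var b strings.Builder
	for i := 0; i < len(s); i++ {
		switch {
		case s[i] == '%' && i+2 < len(s) && isHex(s[i+1]) && isHex(s[i+2]):
			b.WriteByte(unhex(s[i+1])<<4 | unhex(s[i+2]))
			i += 2
		case s[i] == '+':
			b.WriteByte(' ')
		default:
			b.WriteByte(s[i])
		}
	}
	return b.String()
}

// normalize decodes until the string stops changing (capped at 3 rounds): %%32%65 -> %2e -> "."
func normalize(uri string) string {
	for i := 0; i < 3; i++ {
		next := unescapeOnce(uri)
		if next == uri {
			return uri
		}
		uri = next
	}
	return uri
}

// Finding is one access-log line whose decoded request URI tripped at least one rule.
type Finding struct {
	IP, URI string
	Rules   []string
}

// inspect parses one combined-format line and returns the rules its request URI trips.
func inspect(line string) (Finding, bool) {
	m := combinedLog.FindStringSubmatch(line)
	if m == nil {
		return Finding{}, false
	}
	uri := normalize(m[combinedLog.SubexpIndex("uri")])
	var hits []string
	for _, r := range rules {
		if r.Re.MatchString(uri) {
			hits = append(hits, r.Name)
		}
	}
	if len(hits) == 0 {
		return Finding{}, false
	}
	sort.Strings(hits)
	return Finding{IP: m[combinedLog.SubexpIndex("ip")], URI: uri, Rules: hits}, true
}

func inspectAll(lines []string) []Finding {
	var out []Finding
	for _, l := range lines {
		if f, ok := inspect(l); ok {
			out = append(out, f)
		}
	}
	return out
}

func main() {
	for _, f := range inspectAll(sampleAccessLog) {
		fmt.Printf("%-15s %-20s %s\n", f.IP, strings.Join(f.Rules, ","), f.URI)
	}
}
```

The decode-until-stable step is the part worth copying: a signature that only looks at the raw URI never sees the "../" in the traversal request, which is precisely why the double-encoded variant existed. The benign wp-login line produces no finding, as a reminder that a probe of an existing page is not the same thing as an injection.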
See WAF detection details →

Scans the filesystem with 64,000+ hash signatures and 684 dynamic patterns. Detects PHP backdoors in upload directories, obfuscated shells, cryptominers, and suspicious executables in /tmp and /dev/shm. Automatic quarantine to /var/lib/defensia/quarantine/.
Matches installed dnf/rpm packages against the NVD database with EPSS probability scores and CISA KEV urgency flags. Alerts you when a package on your Amazon Linux instance has a known exploited vulnerability.
70+ bot fingerprints identified from User-Agent strings and request patterns. Legitimate crawlers (Googlebot, Bingbot) are allowed; vulnerability scanners and credential stuffing bots are blocked automatically. Because a User-Agent string is trivially spoofed, treat a crawler UA as a hint rather than proof: the search engines publish their crawler IP ranges and support reverse-DNS verification, and a "Googlebot" arriving from a hosting provider's address space deserves the scanner treatment.
0-100 score (A-F grade) covering SSH configuration, firewall state, file permissions, exposed credentials, and rootkit indicators. Gives you a single number to track your EC2 instance security over time.
Defensia supports both current and legacy Amazon Linux releases on EC2.
Requires: iptables + systemd + root access. Recommended: ipset. Amazon Linux 2023 uses nftables as its packet-filter backend; the agent drives it through the iptables-nft compatibility layer automatically. Check that the tools are present before you start (command -v iptables ipset) and install the iptables-nft and ipset packages from the AL2023 repositories if they are not; also make sure no other firewall manager on the host will flush the INPUT chain underneath the agent on restart.
Looking for other distributions? Defensia also supports Ubuntu, Debian, CentOS, RHEL, Rocky Linux, AlmaLinux, and Fedora.
Free tier covers the essentials. Pro adds deeper security intelligence.
15 patterns. Auto-reads journald on Amazon Linux 2023.
OWASP attack detection from nginx/Apache logs. No ALB needed.
Live event feed, charts, ban timeline, all EC2 instances in one view.
64K+ hash signatures. Web shells, cryptominers, rootkit checks.
Scans dnf/rpm packages against NVD + CISA KEV + EPSS scores.
Block entire countries at the firewall level. Per-instance policy.
0-100 score (A-F grade). SSH, firewall, file perms, credentials.
70+ bot fingerprints. Allow, log, or block per policy.
Slack, email, Discord, and webhook notifications on attacks.
Yes. Defensia fully supports Amazon Linux 2023. The agent auto-detects that rsyslog is not installed and reads SSH authentication events directly from systemd-journald via journalctl -u sshd. No need to install rsyslog or create /var/log/secure. It also auto-detects nginx and Apache access logs for WAF protection.
Amazon Linux 2023 does not include rsyslog, so /var/log/secure does not exist. SSH logs go exclusively to systemd-journald. Defensia detects this automatically and reads SSH events via journalctl instead of tailing a log file. This works out of the box — no configuration needed, no rsyslog to install.
Yes, absolutely. Security Groups and Defensia operate at different layers. Security Groups filter network traffic at the VPC level — block unused ports, restrict SSH to your office IP. Defensia detects attacks within allowed traffic — brute force on port 22, SQL injection on port 443, malware on disk. Use both together for defense in depth.
GuardDuty analyzes VPC flow logs, CloudTrail and DNS logs (and, with optional features, EKS, runtime and EBS malware sources) against threat intelligence. It detects suspicious API calls and connections to known-bad IPs, but it does not block anything on its own; an automated response has to be built on top of it with EventBridge and Lambda or SSM. It is billed on the volume of logs and events analyzed, per GB and per million events, with tiered rates. Defensia runs on the instance, detects attacks in real time from SSH and web logs, and blocks attackers automatically via iptables. It costs a flat EUR 9/server/month with no per-GB charges.
Yes. Amazon Linux 2 still runs rsyslog and writes SSH logs to /var/log/secure (like CentOS/RHEL), and Defensia auto-detects that path. Note that Amazon Linux 2 reached the end of standard support on June 30, 2025, and AWS recommends migrating to Amazon Linux 2023. Defensia supports both during the transition.
Yes. The free plan includes 1 server with SSH protection, the full real-time dashboard, and bot detection. The agent is MIT licensed and open source on GitHub. Pro costs EUR 9/server/month (EUR 7 billed annually) and adds WAF, malware scanning, CVE intelligence, geoblocking, and alerts. Amazon Linux itself is free on EC2 — no per-hour OS licensing.
Amazon Linux 2023 default configuration and security features based on official AWS documentation: docs.aws.amazon.com/linux/al2023/ug/ (April 2026).
IMDSv2 enforcement, kernel hardening, and SELinux defaults verified against the AL2023 AMI release notes and AWS Security Blog.
AWS service pricing based on published AWS pricing pages for GuardDuty, Inspector, and WAF as of April 2026.
CVE and vulnerability data sourced from the National Vulnerability Database (NVD), CISA Known Exploited Vulnerabilities catalog, and EPSS scoring.
One command. Under 30 seconds. Works on Amazon Linux 2023 and Amazon Linux 2.
No credit card required. Free for 1 server.