CentOS 7 reached end of life on June 30, 2024 — no more security patches, ever. Rocky Linux and AlmaLinux are the migration targets. Defensia protects all three, automatically handling the differences between EL7, EL8, and EL9.
CentOS 7 reached end of life on June 30, 2024. That means zero security patches, zero bug fixes, and zero CVE responses from upstream. Yet millions of CentOS 7 servers remain online — running production workloads, exposed to the internet, accumulating unpatched vulnerabilities every day.
June 30, 2024 — CentOS 7 end of life. No more security patches from Red Hat.
CentOS Stream is not a replacement — it is a rolling release, midstream between Fedora and RHEL. Not suitable for production.
Every unpatched CVE on CentOS 7 is now permanent. OpenSSH, glibc, kernel — all frozen in time.
If you cannot migrate yet, you still need active security monitoring. That is what Defensia does.
When CentOS shifted to CentOS Stream, two community projects emerged to fill the gap. Both are enterprise-grade, both are free, and both are fully supported by Defensia.
Rocky Linux: Founded by Gregory Kurtzer, the original CentOS co-founder. Binary compatible with RHEL. Current versions: 9.7 and 10. Backed by CIQ and a large community. The spiritual successor to CentOS.
AlmaLinux: Maintained by the AlmaLinux OS Foundation (501(c)(6) nonprofit), funded by $1M/year from CloudLinux. ABI-compatible with RHEL (not byte-for-byte). Current versions: 9.7 and 10.0. Includes the ELevate tool for in-place migration from CentOS 7.
Both distributions receive timely security patches from upstream RHEL. Both use dnf for package management, firewalld with nftables, SELinux enforcing by default, and journald for system logs. Defensia works identically on both.
The jump from EL7 to EL8/EL9 changed how servers log, manage packages, and handle firewalls. Defensia auto-detects all of this at install time.
| Component | EL7 (CentOS 7) | EL8/EL9 (Rocky/Alma) | Defensia |
|---|---|---|---|
| SSH log location | /var/log/secure | journald (no file) | Auto-detects both |
| Package manager | yum | dnf | Reads rpm database |
| Firewall | iptables (direct) | firewalld + nftables | Uses ipset (works with both) |
| SELinux | Enforcing | Enforcing | Compatible (different layer) |
| Init system | systemd | systemd | systemd service unit |
| Default Python | Python 2.7 | Python 3.9+ | No Python needed (Go binary) |
On EL8/EL9, /var/log/secure does not exist by default — SSH logs go to journald. Defensia's agent uses journalctl -f as a fallback when the log file is missing, so it works on both old and new systems without any configuration.
Every RHEL hardening guide lists the same steps. Here is what each covers and what Defensia automates with a single install command.
| Security step | Manual (EL guide) | Defensia |
|---|---|---|
| Configure firewalld rules | firewall-cmd + zones | Adds intelligent blocking on top |
| Block SSH brute force | yum/dnf install fail2ban + config | ✓ |
| Auto security updates | yum-cron or dnf-automatic | CVE scanning + alerts |
| Detect web exploits (WAF) | ModSecurity + OWASP CRS | ✓ |
| Scan for malware | yum install clamav + cron | ✓ |
| File integrity monitoring | aide --init + cron | ✓ |
| Rootkit detection | rkhunter --check | ✓ |
| Audit system activity | auditd rules + aureport | ✓ |
| CIS benchmark scanning | oscap + scap-security-guide | Security posture score (0-100) |
| Real-time attack dashboard | Not available | ✓ |
| Multi-server management | Not available | ✓ |
| Geoblocking by country | iptables + GeoIP database | ✓ |
| Slack / email / Discord alerts | Custom scripts | ✓ |
Manual hardening is essential but incomplete. firewalld blocks ports — it does not detect a bot trying 10,000 passwords on port 22. fail2ban handles SSH — it does not detect SQL injection in your nginx logs. rkhunter scans once — it does not watch for new web shells uploaded in real time. Defensia covers all of these from a single agent.
SELinux is enabled and enforcing by default on CentOS, Rocky Linux, and AlmaLinux. It provides Mandatory Access Control (MAC) — confining processes to only the resources they need. Defensia operates at a completely different layer.
SELinux: Mandatory Access Control. Confines processes: Apache can only access its document root, SSH can only read its authorized_keys. Prevents privilege escalation after a breach. Does not detect or block incoming attacks.
Defensia: Network IDS + WAF. Monitors SSH logs and web server access logs. Detects brute force, SQL injection, XSS, path traversal. Blocks attacker IPs via ipset before they can exploit anything SELinux would need to contain.
Keep SELinux enforcing. Install Defensia on top. SELinux contains damage after a breach; Defensia prevents the breach from happening. Different layers, maximum protection together.
Same command. Works on EL7, EL8, and EL9. Auto-detects everything.
# What happens on EL systems:
1. Downloads the Go binary (~15MB) for your architecture (amd64 or arm64)
2. Installs to /usr/local/bin/defensia-agent
3. Creates a systemd service unit
4. Auto-detects /var/log/secure (EL7) or journald (EL8/EL9)
5. Auto-detects nginx/Apache/httpd access logs if present
6. Starts protecting immediately — no config files to edit
The agent is a single Go binary with zero dependencies. It does not require Python, Ruby, or any runtime. Works alongside SELinux enforcing mode, firewalld, and any existing security tooling. The install script detects your EL version and ensures compatibility with iptables, ipset, and systemd.
The agent reads EL-specific log paths and system data to detect attacks across every surface.
CentOS 7 logs SSH events to /var/log/secure. Rocky/AlmaLinux 8/9 use journald by default. Defensia auto-detects which method your system uses and monitors 15 SSH attack patterns, including failed passwords, invalid users, pre-auth disconnects, PAM failures, and kex negotiation drops.
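The log-source selection and failed-password matching described above, as an added shell example that is not Defensia's agent code. The function names and the sample log lines are constructed for illustration, and the journald unit name sshd is assumed to be the EL default.

```shell
#!/bin/sh
# Added example, not Defensia code. Function names are hypothetical.

# Print "file" when the auth log is a readable regular file, else "journald".
ssh_log_source() {
    log="${1:-/var/log/secure}"
    if [ -f "$log" ] && [ -r "$log" ]; then echo file; else echo journald; fi
}

# Emit sshd lines from the selected source. This is a batch read; a live
# monitor would follow the source with `tail -F` or `journalctl -f`.
read_ssh_log() {
    log="${1:-/var/log/secure}"
    if [ "$(ssh_log_source "$log")" = file ]; then
        cat "$log"
    else
        journalctl -u sshd --no-pager -o short
    fi
}

# Read sshd lines on stdin; print "COUNT IP" for addresses with >= $1 failures.
# The address is taken from the fixed tail "from IP port N ssh2" because the
# user name is client-supplied and may itself contain " from <other-ip> ".
failed_by_ip() {
    threshold="${1:-5}"
    awk -v min="$threshold" '
        /sshd\[[0-9]+\]: Failed password for / &&
        $(NF - 4) == "from" && $(NF - 2) == "port" { hits[$(NF - 3)]++ }
        END { for (ip in hits) if (hits[ip] >= min) print hits[ip], ip }
    ' | sort -rn
}

# Constructed sample: three failures from one address, one line whose user
# name tries to implicate 198.51.100.9, and one successful login.
sample_lines() {
    cat <<'EOF'
Jan 10 03:14:01 el9 sshd[1201]: Failed password for root from 203.0.113.5 port 40001 ssh2
Jan 10 03:14:03 el9 sshd[1201]: Failed password for root from 203.0.113.5 port 40001 ssh2
Jan 10 03:14:05 el9 sshd[1203]: Failed password for invalid user admin from 203.0.113.5 port 40002 ssh2
Jan 10 03:14:06 el9 sshd[1204]: Failed password for invalid user x from 198.51.100.9 port 1 from 192.0.2.77 port 40003 ssh2
Jan 10 03:14:07 el9 sshd[1205]: Accepted publickey for deploy from 192.0.2.10 port 40004 ssh2
EOF
}
```

On a host, `read_ssh_log | failed_by_ip 5` lists the addresses with five or more failed passwords from whichever source is present.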
Reads nginx, Apache, and httpd access logs to detect SQL injection, XSS, path traversal, RCE, SSRF, and 10+ more OWASP attack types. Auto-detects standard EL log paths including /var/log/httpd/ and /var/log/nginx/.
Scans the filesystem with 64,000+ hash signatures and 684 dynamic patterns. Detects PHP backdoors in upload directories, obfuscated shells, cryptominers, and suspicious executables in /tmp and /dev/shm.
Matches installed rpm packages against the NVD database with EPSS probability scores and CISA KEV urgency flags. Critical for CentOS 7 where packages will never be patched upstream.
70+ bot fingerprints identified from User-Agent strings and request patterns. Legitimate bots (Googlebot, Bingbot) are allowed; vulnerability scanners and credential stuffing bots are blocked.
If Docker is installed on your EL server, Defensia detects the Docker version, running containers, and web containers. Reads container logs for attack detection across all services.
Free tier covers the essentials. Pro adds deeper security intelligence.
15 patterns. Auto-reads /var/log/secure or journald.
OWASP attack detection from nginx/Apache/httpd logs.
Live event feed, charts, ban timeline, all servers in one view.
64K+ hash signatures. Web shells, cryptominers, rootkit checks.
Scans rpm packages against NVD + CISA KEV + EPSS scores.
Block entire countries at the firewall level. Per-server policy.
0-100 score (A-F grade). SSH, firewall, file perms, credentials.
70+ bot fingerprints. Allow, log, or block per policy.
Slack, email, Discord, and webhook notifications on attacks.
Yes. Defensia fully supports CentOS 7 even after its end of life. The agent reads /var/log/secure for SSH attack detection, uses iptables for blocking, and scans installed rpm packages for CVEs. While CentOS 7 will never receive upstream patches, Defensia provides active protection by detecting and blocking attacks in real time.
Yes. Rocky Linux 8 and 9 are fully supported. The agent auto-detects journald for SSH log monitoring (since /var/log/secure does not exist by default on EL8/EL9), uses ipset with iptables for blocking, and reads httpd/nginx access logs for WAF detection.
Yes. AlmaLinux 8 and 9 are fully supported. The agent works identically on Rocky Linux and AlmaLinux — both are EL-based distributions with the same log paths, package manager, and firewall configuration.
On EL8 and EL9 systems (Rocky Linux, AlmaLinux, CentOS Stream), /var/log/secure does not exist by default. SSH authentication events go to journald instead. Defensia detects this automatically and falls back to reading SSH logs from journalctl -f. No configuration needed.
Yes, keep firewalld running. firewalld handles static zone-based rules — which ports to open, which services to allow. Defensia adds dynamic, intelligent blocking on top: it detects attack patterns and blocks offending IPs via ipset. They work at different layers and complement each other. Defensia never modifies your firewalld rules.
Yes. The free plan includes 1 server with SSH protection, the full real-time dashboard, and bot detection. The agent is MIT licensed and open source on GitHub. Pro costs EUR 9/server/month (EUR 7 billed annually) and adds WAF, malware scanning, CVE scanning, geoblocking, alerts, and team management.
CentOS 7 end-of-life date confirmed by the CentOS Project at centos.org — official EOL: June 30, 2024.
Rocky Linux information from rockylinux.org. Founded by Gregory Kurtzer, CentOS co-founder.
AlmaLinux information from almalinux.org. 501(c)(6) nonprofit, $1M/year funding from CloudLinux.
EL7/EL8/EL9 differences based on Red Hat Enterprise Linux documentation (access.redhat.com).
Attack frequency and detection data based on Defensia telemetry across production EL servers monitored from January to April 2026.
One command. Works on CentOS 7, Rocky Linux 9, and AlmaLinux 9.
No credit card required. Free for 1 server.