Hetzner Firewall blocks ports. But it cannot detect SSH brute force patterns, SQL injection in your web logs, or malware on disk. Defensia fills every gap Hetzner Firewall leaves open — on Cloud, dedicated, and Robot servers.
Hetzner is famous for exceptional price-to-performance ratios. Cloud servers start at EUR 3.29/month, and dedicated servers from EUR 39/month deliver hardware that rivals providers charging three times more. This makes Hetzner the go-to choice for European developers, startups, and self-hosters. It also makes Hetzner IP ranges a magnet for automated attack bots. If you are new to server hardening, our VPS security checklist is a good starting point.
sshd[4821]: Failed password for root from 185.220.101.7 port 43992 ssh2
sshd[4823]: Invalid user admin from 45.83.64.11 port 55120 ssh2
sshd[4825]: pam_unix(sshd:auth): authentication failure; rhost=103.145.13.90
sshd[4827]: Failed password for invalid user ubuntu from 92.118.39.18 port 22180
sshd[4830]: Disconnected from authenticating user root 45.83.64.11 port 38204 [preauth]
... thousands more today. Every Hetzner server gets this.
Affordable servers attract both developers and attackers. Hetzner's IP ranges are well-known, and automated botnets scan them continuously. A new Hetzner Cloud server receives its first SSH brute force attempt within 22 minutes of deployment. The average server sees 4,200+ attacks per day — failed password attempts, web vulnerability scans, credential stuffing bots, and port probes. Hetzner provides the infrastructure; protecting what runs on it is your responsibility.
Hetzner is an excellent infrastructure provider — reliable hardware, strong network connectivity, and competitive pricing. But infrastructure security and host-level security are two different things. Here is what Hetzner provides natively and what it does not.
| Security layer | Hetzner | Defensia |
|---|---|---|
| Network firewall | Hetzner Firewall (free) | iptables/ipset (automatic, unlimited) |
| Firewall logs / traffic visibility | ✗ | Full event log + dashboard |
| SSH brute force detection | ✗ | 15 patterns, auto-ban |
| Web Application Firewall (WAF) | ✗ | 15+ OWASP types from nginx/Apache logs |
| Malware scanning | ✗ | 64K+ hash signatures + 684 patterns |
| CVE / vulnerability scanning | ✗ | NVD + EPSS + CISA KEV |
| DDoS protection | L3/L4 only (free) | L7 via WAF log analysis |
| Server monitoring | ✗ | Security events + attacks + posture score |
| Geoblocking | ✗ | 200+ countries at firewall level |
| Bot management | ✗ | 70+ fingerprints, per-policy |
| Real-time attack dashboard | ✗ | ✓ |
| Private networking (vSwitch) | ✓ | ✗ |
| Snapshot backups | ✓ | ✗ |
| Rescue mode / KVM console | ✓ | ✗ |
Credit where it is due: Hetzner provides free DDoS protection (L3/L4), private networking (vSwitch), rescue mode for recovery, KVM console access, snapshot backups, and SSH key authentication for Cloud servers. Their data centers in Germany, Finland, the US, and Singapore are well-connected and reliable. Defensia builds the security monitoring layer on top — the part Hetzner intentionally does not provide.
One command. Works on every Hetzner server — Cloud (CX, CPX, CCX, CAX lines), dedicated (Robot), and managed. Supports Ubuntu, Debian, Rocky Linux, AlmaLinux, Fedora, and CentOS. No packages to install, no dependencies, no configuration files. The agent auto-detects your operating system, log paths, and running services. Most Hetzner users run Debian or Ubuntu — Defensia handles both automatically.
# What happens on your Hetzner server:
1. Downloads the Go binary (~15MB) for your architecture (amd64 or arm64)
2. Installs to /usr/local/bin/defensia-agent
3. Creates a systemd service unit
4. Auto-detects SSH log path (/var/log/auth.log on Ubuntu/Debian, journald on Rocky/Alma)
5. Auto-detects nginx/Apache access logs if present
6. Starts protecting immediately — no config files to edit
Defensia works alongside Hetzner Firewall — they complement each other. Hetzner Firewall filters traffic at the network level before it reaches your server. Defensia detects attacks within the traffic that the firewall allows through. Keep Hetzner Firewall enabled to block unused ports, and let Defensia handle application-layer threats. The agent is a single Go binary with zero dependencies, uses under 30MB of RAM, and works on Cloud servers starting from EUR 3.29/month. Hetzner ARM servers (CAX line) are fully supported — the agent runs natively on arm64.
Six detection engines cover every attack surface on your server — from SSH to web applications to the filesystem.
Hetzner servers are prime targets — affordable hardware means a high density of servers with default configurations. Defensia reads /var/log/auth.log (Ubuntu/Debian) or journald (Rocky/Alma/Fedora) and detects 15 SSH attack patterns: failed passwords, invalid users, pre-auth disconnects, PAM failures, and key exchange drops. Attackers are blocked within seconds via ipset.
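Log-based SSH detection of the kind described above comes down to matching failure lines, attributing each to a source IP, and counting per IP inside a time window. The following is an added example, not Defensia's code: the four patterns, the ISO-8601 line prefix, the 5-failures-in-10-minutes threshold and the sample lines are assumptions made here.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed patterns modelled on the log excerpt on this page; assumed line shape
# "<ISO-8601 time> <host> sshd[<pid>]: <message>". User names are attacker-controlled,
# so greedy ".*" plus "$" make the LAST "from <ip> port <n>" the one captured.
PATTERNS = {name: re.compile(rx) for name, rx in {
    "failed_password": r"Failed password for (?:invalid user )?.* from (\S+) port \d+(?: ssh2)?$",
    "invalid_user": r"Invalid user .* from (\S+) port \d+(?: ssh2)?$",
    "pam_failure": r"pam_unix\(sshd:auth\): authentication failure;.*?\brhost=(\S+)",
    "preauth_disconnect": r"Disconnected from (?:authenticating|invalid) user .* (\S+) port \d+ \[preauth\]$",
}.items()}
LINE = re.compile(r"^(\S+) \S+ sshd\[\d+\]: (.*)$")

def parse(line):
    """Return (time, ip, kind) for a recognised failure line, else None."""
    m = LINE.match(line.strip())
    if not m:
        return None
    for kind, rx in PATTERNS.items():
        if (hit := rx.match(m.group(2))):
            try:  # rhost= may hold a hostname; only a literal IP can be banned
                ip = str(ipaddress.ip_address(hit.group(1)))
            except ValueError:
                return None
            return datetime.fromisoformat(m.group(1)), ip, kind
    return None

def detect(lines, threshold=5, window=timedelta(minutes=10)):
    """Return {ip: trigger time} for IPs with `threshold` failures inside `window`."""
    recent, flagged = defaultdict(deque), {}
    for ts, ip, _kind in filter(None, map(parse, lines)):
        if ip in flagged:
            continue
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            flagged[ip] = ts
    return flagged

# Constructed sample: a fast burst, a slow trickle, and a spoofed user name.
PREFIX = "2026-04-12T10:{:02d}:00+00:00 srv sshd[4821]: "
SAMPLE = ([PREFIX.format(i) + f"Failed password for root from 203.0.113.5 port {40000 + i} ssh2" for i in range(5)]
          + [PREFIX.format(i * 11) + "Invalid user admin from 198.51.100.20 port 5000" for i in range(5)]
          + [PREFIX.format(50) + "Invalid user x from 192.0.2.1 port 1 from 198.51.100.99 port 2222"])
```

One login attempt can produce several of these lines (an invalid-user line followed by a failed-password line, for instance), so the threshold counts log events rather than attempts.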
Hetzner Firewall allows traffic on ports 80 and 443 — it has to. Defensia reads nginx and Apache access logs and detects SQL injection, XSS, path traversal, RCE, SSRF, shellshock, and 10+ more OWASP attack types within that allowed traffic. Zero configuration required — log paths are auto-detected.
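Detecting web attacks from access logs means parsing each log line, normalising the request target, and matching it against signatures. The following is an added example, not Defensia's code: the four signatures are a small hypothetical rule set, the log lines are constructed, and the "combined" log format is assumed.

```python
import re
from urllib.parse import unquote_plus

# nginx/Apache "combined": ip - user [time] "request" status bytes "referer" "agent"
COMBINED = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<agent>[^"]*)"')

# Hypothetical signatures for four of the attack classes the page names.
RULES = {
    "sql_injection": re.compile(r"(?i)\bunion\s+(?:all\s+)?select\b|'\s*or\s+\d+\s*=\s*\d+"),
    "path_traversal": re.compile(r"(?:\.\./|\.\.\\){2,}"),
    "xss": re.compile(r"(?i)<script\b|\bonerror\s*="),
    "shellshock": re.compile(r"\(\)\s*\{\s*:;\s*\}\s*;"),
}

def decode(text, rounds=3):
    """Percent-decode repeatedly so double-encoded input (%252e) is normalised."""
    for _ in range(rounds):
        decoded = unquote_plus(text)
        if decoded == text:
            break
        text = decoded
    return text

def classify(line):
    """Return ip, status and matched attack classes for one log line, else None."""
    m = COMBINED.match(line)
    if not m:
        return None
    fields = (decode(m["target"]), m["agent"])
    hits = sorted(n for n, rx in RULES.items() if any(rx.search(f) for f in fields))
    return {"ip": m["ip"], "status": int(m["status"]), "attacks": hits}

# Constructed sample lines (documentation IP ranges).
ACCESS_SAMPLE = [
    '203.0.113.7 - - [12/Apr/2026:10:00:00 +0000] "GET /item.php?id=1%20UNION%20SELECT%20name%20FROM%20users HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.8 - - [12/Apr/2026:10:00:01 +0000] "GET /download?file=%252e%252e%252f%252e%252e%252fetc%252fpasswd HTTP/1.1" 404 153 "-" "curl/8.5.0"',
    '203.0.113.9 - - [12/Apr/2026:10:00:02 +0000] "GET /cgi-bin/status HTTP/1.1" 404 153 "-" "() { :; };"',
    '198.51.100.4 - - [12/Apr/2026:10:00:03 +0000] "GET /blog/union-square-select-hotels?page=2 HTTP/1.1" 200 9001 "-" "Mozilla/5.0"',
]
```

The combined format records the request line, referer and user agent but not request bodies, so detection built on it sees only what the log captures.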
Hetzner provides no file-level scanning. Defensia scans the filesystem with 64,000+ hash signatures and 684 dynamic patterns. Detects PHP backdoors in WordPress upload directories, obfuscated shells, cryptominers in /tmp and /dev/shm, and modified system binaries. Particularly important on Hetzner dedicated servers running shared hosting panels.
Matches installed packages (apt on Ubuntu/Debian, rpm on Rocky/Alma/Fedora) against the National Vulnerability Database. Each CVE is scored with EPSS exploit probability and flagged if it appears in the CISA Known Exploited Vulnerabilities catalog. Essential for Hetzner dedicated servers that may run for years without OS upgrades.
70+ bot fingerprints identified from User-Agent strings and request patterns. Legitimate bots (Googlebot, Bingbot) are allowed. Vulnerability scanners, credential stuffing bots, and scrapers are blocked or logged per your policy. Hetzner servers hosting multiple sites benefit especially from centralized bot management.
Continuous assessment of your server security: SSH configuration, firewall rules, file permissions, world-readable credentials, exposed .git directories, and weak key permissions. Scored 0-100 with A-F grade. Particularly useful for Hetzner dedicated servers where you manage the full OS stack.
Hetzner handles infrastructure — compute, networking, storage, DNS, and load balancers. Defensia handles host-level security — attack detection, automated blocking, malware scanning, vulnerability management, and real-time monitoring. Together, they form a complete stack at an unbeatable price point.
Defensia is not a replacement for Hetzner Firewall — it is the security layer that sits on top. Hetzner Firewall decides which ports are open. Defensia monitors what happens on those open ports and blocks malicious actors automatically. A Hetzner Cloud CX22 (EUR 3.79/month) plus Defensia Pro (EUR 9/month) gives you a fully secured server for under EUR 13/month — far less than managed security solutions from other providers.
Three steps: (1) Enable Hetzner Firewall to block unused ports. (2) Use SSH keys instead of password authentication — Hetzner Cloud supports adding keys at creation time. (3) Install Defensia with one command — curl -fsSL https://defensia.cloud/install.sh | sudo bash — to get SSH brute force protection, WAF, malware scanning, CVE detection, and a real-time dashboard. Defensia handles everything that Hetzner Firewall and SSH keys cannot.
Yes, they complement each other perfectly. Hetzner Firewall filters traffic at the network level before it reaches your server — blocking ports you do not need open. Defensia detects application-level attacks within the traffic that Hetzner Firewall allows through: SSH brute force on port 22, SQL injection on port 443, malware on disk. There is no conflict between them. Keep both enabled.
Yes. Defensia works on any Linux server with systemd and iptables — including Hetzner Robot dedicated servers. The install is the same one-command process. Dedicated servers benefit even more from Defensia because they often run for years, host multiple sites, and have larger attack surfaces than cloud instances.
Yes. The Defensia agent is compiled natively for both amd64 and arm64 architectures. Hetzner CAX servers (Ampere Altra ARM) are fully supported with the same one-command install. The agent auto-detects the architecture and downloads the correct binary.
Defensia is free for 1 server — includes SSH protection, the full real-time dashboard, and bot detection. Pro costs EUR 9/server/month (EUR 7 billed annually) and adds WAF, malware scanning, CVE intelligence, geoblocking, and alerts. A Hetzner CX22 (EUR 3.79/month) plus EUR 9 Defensia Pro is under EUR 13/month for a fully secured server.
Yes. If you run Kubernetes on Hetzner Cloud (via k3s, RKE2, or kubeadm), deploy Defensia via Helm chart as a DaemonSet — one agent per worker node. The agent monitors ingress controller logs for web attacks and scans for malware across the cluster. Hetzner does not offer managed Kubernetes, but Defensia works on any self-managed cluster.
Hetzner Firewall features (network-level, no logs, no application-layer inspection) based on official documentation: docs.hetzner.com/cloud/firewalls.
Hetzner Cloud pricing (CX11 from EUR 3.29/month, dedicated from EUR 39/month) based on hetzner.com/cloud and hetzner.com/dedicated-rootserver as of April 2026.
Hetzner data center locations (Falkenstein, Nuremberg, Helsinki, Ashburn, Hillsboro, Singapore) based on docs.hetzner.com/general/others/data-centers-and-connection.
Attack frequency and time-to-first-attack metrics based on Defensia telemetry data across production servers monitored from January to April 2026.
Hetzner DDoS protection (L3/L4, automatic) based on docs.hetzner.com/general/others/ddos-protection.