RHEL powers 90%+ of Fortune 500 Linux deployments. SELinux and Insights are solid foundations — but they do not block SSH brute force, detect web application attacks, or scan for malware in real time. Defensia adds the active defense layer.
Red Hat Enterprise Linux is the gold standard for enterprise Linux. It ships with SELinux enforcing by default, CIS benchmarks via scap-security-guide, firewalld with nftables, and Red Hat Insights for cloud-based compliance scanning. It is the most security-conscious distribution out of the box.
But none of these detect active attacks in real time. SELinux confines processes after a breach — it does not prevent the breach. Insights scans for misconfigurations — it does not block a bot trying 10,000 SSH passwords. firewalld opens or closes ports — it does not detect SQL injection on an open HTTP port. You need an active layer that watches, detects, and responds.
Red Hat Insights is a cloud SaaS included with every RHEL subscription. It provides CVE scanning, compliance checks (OpenSCAP), malware detection (IBM X-Force + YARA), and Ansible-based remediation playbooks. Defensia operates at a different layer — they complement each other.
| Capability | Red Hat Insights | Defensia |
|---|---|---|
| CVE scanning | ✓ | ✓ |
| Compliance scanning (OpenSCAP) | ✓ | Security posture score |
| Malware detection | IBM X-Force + YARA | 64K+ hashes + 684 patterns |
| Ansible remediation playbooks | ✓ | ✗ |
| SSH brute force detection & blocking | ✗ | ✓ |
| Web Application Firewall (WAF) | ✗ | ✓ |
| Real-time attack dashboard | ✗ | ✓ |
| Automated IP banning | ✗ | ✓ |
| Geoblocking (200+ countries) | ✗ | ✓ |
| Bot management (70+ fingerprints) | ✗ | ✓ |
| Multi-server management | ✓ | ✓ |
| Requires RHEL subscription | ✓ | ✗ |
| Works on any Linux | ✗ | ✓ |
| Price | Included with RHEL | Free (1 server) |
Red Hat Insights finds what is misconfigured and vulnerable. Defensia blocks what is actively attacking. Run both for the strongest RHEL security posture. Insights requires a RHEL subscription; Defensia works on any Linux distribution.
The agent reads RHEL-specific log paths and system data to detect attacks across every surface.
RHEL 8+ logs SSH events to journald by default (/var/log/secure does not exist). Defensia reads SSH authentication events from journalctl and monitors 15 attack patterns: failed passwords, invalid users, pre-auth disconnects, PAM failures, and kex negotiation drops.
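The kind of journald-based SSH detection described above can be sketched as follows. This is an added example, not Defensia's code: the rule names, the threshold of 5 events in 60 seconds and the sample lines are assumptions, and the input is assumed to be `journalctl -u sshd -o short-iso` output.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
# OpenSSH/PAM message shapes; rule names and thresholds are this example's own.
RULES = [
    ("failed_password", re.compile(r"Failed password for (?:invalid user )?\S+ from (?P<ip>\S+) port")),
    ("invalid_user", re.compile(r"Invalid user \S+ from (?P<ip>\S+)")),
    ("preauth_disconnect", re.compile(r"(?:Disconnected from|Connection closed by)(?: (?:authenticating|invalid) user \S+)? (?P<ip>\S+) port \d+ \[preauth\]")),
    ("pam_failure", re.compile(r"pam_unix\(sshd:auth\): authentication failure;.*rhost=(?P<ip>\S+)")),
    ("kex_drop", re.compile(r"Unable to negotiate with (?P<ip>\S+) port \d+: no matching")),
]
LINE = re.compile(r"^(?P<ts>\S+) \S+ sshd\[\d+\]: (?P<msg>.*)$")

# Constructed sample in `journalctl -u sshd -o short-iso` format (documentation IPs).
SAMPLE = """\
2025-03-10T12:00:01+0000 rhel9 sshd[2101]: Invalid user admin from 203.0.113.7 port 40022
2025-03-10T12:00:03+0000 rhel9 sshd[2101]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.0.113.7
2025-03-10T12:00:05+0000 rhel9 sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 40022 ssh2
2025-03-10T12:00:06+0000 rhel9 sshd[2101]: Connection closed by invalid user admin 203.0.113.7 port 40022 [preauth]
2025-03-10T12:00:09+0000 rhel9 sshd[2107]: Unable to negotiate with 203.0.113.7 port 40110: no matching key exchange method found. Their offer: diffie-hellman-group1-sha1 [preauth]
2025-03-10T12:05:00+0000 rhel9 sshd[2150]: Failed password for alice from 198.51.100.20 port 51000 ssh2
2025-03-10T12:05:08+0000 rhel9 sshd[2150]: Accepted password for alice from 198.51.100.20 port 51000 ssh2
""".splitlines()

def classify(msg):
    """Return (rule, source_ip) for the first matching rule, else None."""
    for name, rx in RULES:
        m = rx.search(msg)
        if m:
            return name, m["ip"]
    return None

def detect(lines, threshold=5, window=timedelta(seconds=60)):
    """Return {ip: rule names seen} for IPs with >= threshold events inside window."""
    recent, kinds, flagged = defaultdict(deque), defaultdict(set), {}
    for line in lines:
        m = LINE.match(line)
        hit = classify(m["msg"]) if m else None
        if hit is None:
            continue  # not sshd, or a benign message such as "Accepted password"
        rule, ip = hit
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%S%z")
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:  # drop events that fell out of the window
            q.popleft()
        kinds[ip].add(rule)
        if len(q) >= threshold:
            flagged[ip] = sorted(kinds[ip])
    return flagged
```

Calling `detect(SAMPLE)` flags only 203.0.113.7. A single failed login usually emits both a PAM line and a `Failed password` line, so the threshold counts log events, not login attempts.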
Reads httpd and nginx access logs to detect SQL injection, XSS, path traversal, RCE, SSRF, and 10+ more OWASP attack types. Auto-detects RHEL default paths including /var/log/httpd/ and /var/log/nginx/.
Scans the filesystem with 64,000+ hash signatures and 684 dynamic patterns. Detects PHP backdoors in upload directories, obfuscated shells, cryptominers, and suspicious executables in /tmp and /dev/shm.
Matches installed rpm packages against the NVD database with EPSS probability scores and CISA KEV urgency flags. Complements Red Hat Insights CVE scanning with real-time EPSS scoring and CISA KEV prioritization.
Calculates a 0-100 security score (A-F grade) based on SSH configuration, firewall rules, file permissions, credential exposure, and system integrity. Updates with every scan cycle.
If Docker or Podman is installed on your RHEL server, Defensia detects the container runtime version, running containers, and web containers. Reads container logs for attack detection across all services.
One command. Works on RHEL 8 and RHEL 9. Auto-detects journald, firewalld, and SELinux context.
# What happens on RHEL:
1. Downloads the Go binary (~15MB) for your architecture (amd64 or arm64)
2. Installs to /usr/local/bin/defensia-agent
3. Creates a systemd service unit
4. Auto-detects journald for SSH log monitoring (RHEL 8+)
5. Auto-detects httpd/nginx access logs if present
6. Starts protecting immediately — no config files to edit
The agent is a single Go binary with zero dependencies. It does not require Python, Ruby, or any runtime. Works alongside SELinux enforcing mode, firewalld, and Red Hat Insights. Compatible with RHEL's iptables, ipset, and systemd. No RHEL subscription required — Defensia works on any Linux.
Defensia supports all actively maintained RHEL releases.
Requires: iptables + systemd + root access. Recommended: ipset. RHEL 7 is supported but EOL May 2024 (ELS until June 2028).
Also works on RHEL-based distributions: CentOS, Rocky Linux, and AlmaLinux.
Free tier covers the essentials. Pro adds deeper security intelligence.
15 patterns. Auto-reads journald on RHEL 8+.
OWASP attack detection from httpd/nginx logs.
Live event feed, charts, ban timeline, all servers in one view.
64K+ hash signatures. Web shells, cryptominers, rootkit checks.
Scans rpm packages against NVD + CISA KEV + EPSS scores.
Block entire countries at the firewall level. Per-server policy.
0-100 score (A-F grade). SSH, firewall, file perms, credentials.
70+ bot fingerprints. Allow, log, or block per policy.
Slack, email, Discord, and webhook notifications on attacks.
Yes. Defensia and Red Hat Insights operate at different layers and complement each other. Insights provides CVE scanning, compliance checks (OpenSCAP), and Ansible remediation playbooks. Defensia provides real-time attack detection and blocking: SSH brute force, WAF, malware scanning, geoblocking, and a live dashboard. There is no conflict between them.
No. Defensia works on any Linux distribution — RHEL, CentOS, Rocky Linux, AlmaLinux, Ubuntu, Debian, Fedora, and Amazon Linux. You do not need a RHEL subscription to use Defensia. The free developer subscription (16 systems) is available from developers.redhat.com if you want RHEL with official updates.
RHEL 8 (maintenance until May 2029), RHEL 9 (until May 2032), and RHEL 10 (released May 2025). The agent auto-detects journald for SSH log monitoring on all RHEL 8+ systems. RHEL 7 is also supported but has reached end of maintenance (ELS available until June 2028).
No. Defensia operates at the network layer — reading logs and blocking IPs via ipset. SELinux operates at the kernel MAC layer — confining process access to files and resources. They are completely independent security layers. Keep SELinux enforcing. Defensia does not require any SELinux policy modifications.
Red Hat Satellite is an infrastructure management tool for patching, provisioning, and compliance at scale across large RHEL fleets. Defensia is a security monitoring agent for real-time attack detection and blocking. They solve different problems. Satellite manages your systems; Defensia protects them from active threats.
Yes. The free plan includes 1 server with SSH protection, the full real-time dashboard, and bot detection. The agent is MIT licensed and open source on GitHub. Pro costs EUR 9/server/month (EUR 7 billed annually) and adds WAF, malware scanning, CVE scanning, geoblocking, alerts, and team management. No RHEL subscription or control panel required.
RHEL lifecycle dates from Red Hat Product Life Cycles (access.redhat.com/product-life-cycles). RHEL 8 maintenance until May 2029, RHEL 9 until May 2032.
RHEL market share (~43.1% enterprise Linux) based on industry reports and Red Hat's published deployment statistics.
Free developer subscription details from developers.redhat.com — 16 systems included with all updates.
Red Hat Insights capabilities based on official documentation at console.redhat.com/insights.
CIS benchmarks for RHEL from cisecurity.org. scap-security-guide package included in RHEL repositories.
One command. Works on RHEL 8, 9, and 10. Complements Insights and SELinux.
No credit card required. Free for 1 server. No RHEL subscription needed.