
The same agent reports CPU and your security posture

Netwarden Security is a host-side posture monitor for Linux servers. It emits 14 finding types. CVE matching against Ubuntu USN, Debian DSA, and Red Hat OVAL (with NVD CVSS enrichment). SSH posture audit. Public-port exposure on 22 management ports. GeoIP-aware failed-login detection on a 60-second window. TLS certificate expiry. Every finding comes from the agent already running on your hosts. No separate scanner. No extra license.

  • 14 distinct finding types: SSH hardening, ports, CVEs, TLS, geo
  • 3 CVE feeds (Ubuntu USN, Debian DSA, Red Hat OVAL) plus NVD CVSS enrichment
  • 22 management ports watched on public binds: Postgres, MySQL, Redis, Mongo, Docker daemon, RDP, more
  • 60s failed-login resolution window, with GeoIP enrichment per source IP

What it does

Five capabilities, one agent

Every finding is grounded in real source data the agent already collects. No agentless probing, no cloud-side guesswork. The same install that monitors CPU and disk now watches your security posture.

CVE alerts on the packages you actually run

The agent inventories installed packages on every host. The platform pulls Ubuntu USN, Debian DSA, and Red Hat OVAL feeds, enriches each advisory with NVD CVSS for sharp severity routing, and joins the two. When a fixed version ships and you haven't applied it, a finding fires with the CVE, the affected package, and the version you need.

  • Coverage: Ubuntu, Debian, RHEL, Rocky, AlmaLinux, CentOS, Amazon Linux. Fedora installs match against Red Hat advisories where applicable.
  • Severity is routed via NVD CVSS (not just the upstream vendor severity), so the same CVE doesn't get different importance depending on whose feed you read.
  • Auto-resolves on the next package snapshot once the upgrade lands. You don't manually clear a CVE you've already patched.
We do not yet ship advisory feeds for SUSE, Arch, Alpine, or Gentoo. CVEs on those distros are tracked but not currently flagged.
critical
openssl 3.0.2-0ubuntu1.10 is affected by CVE-2023-0286
fixed in 3.0.2-0ubuntu1.12 (USN-5892-1)
finding_type: cve_match

SSH posture audit on every connection

The agent reads sshd_config and the live algorithm advertisement. Eight finding types catch the settings that turn an SSH server into a brute-force target, plus the legacy crypto that lets old clients downgrade you.

  • PermitRootLogin yes: high. PermitEmptyPasswords yes: critical.
  • PasswordAuthentication yes: medium. Protocol 1: critical.
  • Weak KexAlgorithms (SHA-1 family), Ciphers (CBC, RC4, CAST), MACs (MD5, 64-bit truncated). Flagged per category.
  • X11Forwarding yes: low, but worth knowing on production servers.
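The rules in the list above, applied to a sample sshd_config. This is an added example, not Netwarden's evaluator: it reads only the config file (not the live algorithm advertisement), the finding names other than ssh_root_login_enabled are invented for the example, the weak-algorithm substrings are an assumption about what counts as legacy crypto, and the severity for weak KexAlgorithms is an assumption (the page gives severities for ciphers and MACs only).

```python
"""Evaluate an sshd_config for the SSH posture findings listed above.
Hypothetical example, not Netwarden's code."""
import re

# Constructed sample config (not taken from a real host).
SAMPLE_SSHD_CONFIG = """
# Global section
Port 22
Protocol 1
PermitRootLogin yes
#PasswordAuthentication no
PasswordAuthentication yes
PermitEmptyPasswords yes
X11Forwarding yes
KexAlgorithms curve25519-sha256,diffie-hellman-group1-sha1
Ciphers aes256-gcm@openssh.com,aes128-cbc,arcfour
MACs hmac-sha2-256,hmac-md5,hmac-sha1-96
Match User deploy
    PasswordAuthentication no
"""

# Weak-algorithm markers per category (assumption about what counts as legacy).
WEAK_KEX = ("sha1",)
WEAK_CIPHERS = ("cbc", "arcfour", "rc4", "cast")
WEAK_MACS = ("md5", "-96")          # "-96" = 64-bit truncated MAC
ALGO_CHECKS = (
    ("kexalgorithms", WEAK_KEX, "ssh_weak_kex", "high"),        # severity assumed
    ("ciphers", WEAK_CIPHERS, "ssh_weak_ciphers", "high"),
    ("macs", WEAK_MACS, "ssh_weak_macs", "medium"),
)

def parse_global_sshd_config(text):
    """Return the effective global directives (lowercased keys).
    sshd honours the FIRST occurrence of a directive, so later duplicates are
    ignored; everything after the first Match block is conditional and skipped."""
    directives = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()
        if key == "match":
            break
        if len(parts) == 2 and key not in directives:
            directives[key] = parts[1].strip()
    return directives

def audit_sshd_config(text):
    """Emit (finding_type, severity, detail) tuples following the page's rules."""
    d = parse_global_sshd_config(text)

    def val(key):
        return d.get(key, "").lower()

    findings = []
    if val("permitrootlogin") == "yes":
        findings.append(("ssh_root_login_enabled", "high", "PermitRootLogin=yes"))
    if val("permitemptypasswords") == "yes":
        findings.append(("ssh_empty_passwords", "critical", "PermitEmptyPasswords=yes"))
    if val("passwordauthentication") == "yes":
        findings.append(("ssh_password_auth", "medium", "PasswordAuthentication=yes"))
    if "1" in val("protocol").split(","):
        findings.append(("ssh_protocol_1", "critical", "Protocol includes 1"))
    if val("x11forwarding") == "yes":
        findings.append(("ssh_x11_forwarding", "low", "X11Forwarding=yes"))
    for key, markers, ftype, severity in ALGO_CHECKS:
        algos = [a for a in val(key).split(",") if a]
        weak = [a for a in algos if any(m in a for m in markers)]
        if weak:                      # one finding per category, listing the weak entries
            findings.append((ftype, severity, f"{key}: {','.join(weak)}"))
    return findings

if __name__ == "__main__":
    for ftype, severity, detail in audit_sshd_config(SAMPLE_SSHD_CONFIG):
        print(f"{severity:8} {ftype:24} {detail}")
```

The first-match rule matters in practice: a hardened `PasswordAuthentication no` appended at the end of the file does nothing if an earlier `yes` is still present, and an evaluator that took the last value would report the host as clean.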
high
SSH allows direct root login
PermitRootLogin=yes in /etc/ssh/sshd_config
finding_type: ssh_*

Public-bind audit on management ports

The agent enumerates every listening socket. The platform flags management or database ports bound to a public address (0.0.0.0 or ::). Postgres, MySQL, MongoDB, Redis, Elasticsearch, the Docker daemon, RDP, MSSQL, Memcached. There is also a coarser anomaly: more public binds than loopback binds is unusual on a server.

  • Per-port findings, not aggregated. Fix the Redis exposure without losing the open Mongo finding behind it.
  • Service restarts don't duplicate the finding: PID and process name are stored but not part of the dedupe fingerprint.
  • many_public_bindings fires when public binds exceed loopback by more than five. A coarse hint at an over-exposed host.
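The listening-socket audit described above, as an added example rather than the agent's own code. It parses the `ss -ltnp` output layout, maps ports to services by each service's standard default port, excludes PID and process name from the dedupe fingerprint, and raises many_public_bindings when public binds exceed loopback binds by more than five; the severity of that coarse finding is an assumption, since the page does not state it.

```python
"""Flag management or database ports bound to a public address.
Added example, not Netwarden's agent code."""
import re

# Constructed sample in the layout of `ss -ltnp` (not captured from a real host).
SAMPLE_SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      244    0.0.0.0:5432       0.0.0.0:*         users:(("postgres",pid=812,fd=6))
LISTEN 0      511    127.0.0.1:6379     0.0.0.0:*         users:(("redis-server",pid=901,fd=7))
LISTEN 0      128    [::]:27017         [::]:*            users:(("mongod",pid=1010,fd=11))
LISTEN 0      128    *:2375             *:*               users:(("dockerd",pid=455,fd=3))
LISTEN 0      128    [::1]:9200         [::]:*            users:(("java",pid=1200,fd=30))
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*         users:(("sshd",pid=700,fd=3))
"""

# Standard default ports for the services the page names.
MANAGEMENT_PORTS = {5432: "postgres", 3306: "mysql", 27017: "mongodb", 6379: "redis",
                    9200: "elasticsearch", 2375: "docker", 2376: "docker-tls",
                    3389: "rdp", 1433: "mssql", 11211: "memcached"}
PUBLIC_ADDRS = {"0.0.0.0", "[::]", "::", "*"}
PROC_RE = re.compile(r'users:\(\("([^"]+)",pid=(\d+)')

def parse_listeners(text):
    """Return one dict per LISTEN row: local addr, port, process name, pid."""
    rows = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue                       # header or non-listening row
        addr, port = fields[3].rsplit(":", 1)
        m = PROC_RE.search(line)
        rows.append({"addr": addr, "port": int(port),
                     "process": m.group(1) if m else None,
                     "pid": int(m.group(2)) if m else None})
    return rows

def is_loopback(addr):
    return addr.startswith("127.") or addr == "[::1]"

def audit_public_binds(text, threshold=5):
    """Return {fingerprint: finding}. The fingerprint is (finding_type, port):
    pid and process name are stored on the finding but excluded from it, so a
    restarted service updates the existing finding instead of duplicating it."""
    findings = {}
    public = loopback = 0
    for row in parse_listeners(text):
        if row["addr"] in PUBLIC_ADDRS:
            public += 1
            if row["port"] in MANAGEMENT_PORTS:
                findings[("public_management_port", row["port"])] = {
                    "severity": "high",
                    "title": f"Management port {row['port']}/tcp is exposed publicly",
                    "detail": f"{row['process']} bound to {row['addr']}:{row['port']}",
                    "pid": row["pid"]}
        elif is_loopback(row["addr"]):
            loopback += 1
    if public - loopback > threshold:
        findings[("many_public_bindings", None)] = {
            "severity": "medium",          # assumption: the page gives no severity
            "title": f"{public} public binds vs {loopback} loopback binds",
            "detail": "more public than loopback listeners is unusual on a server",
            "pid": None}
    return findings

if __name__ == "__main__":
    for (ftype, port), finding in audit_public_binds(SAMPLE_SS_OUTPUT).items():
        print(f"{finding['severity']:6} {ftype:24} {finding['title']}")
```

On the sample above the result is three per-port findings (5432, 27017, 2375); SSH on 0.0.0.0:22 is public but is not a management port, and the Redis and Elasticsearch binds are loopback-only. Re-running after a Postgres restart with a new PID yields the same fingerprint, which is the property the second bullet describes.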
high
Management port 5432/tcp is exposed publicly
postgres bound to 0.0.0.0:5432
finding_type: public_management_port

GeoIP-aware failed-login monitoring

The agent samples failed SSH logins from auth.log, journal, and equivalents on a 60-second window. Every source IP gets enriched against MaxMind GeoLite2. Two findings ride on top: a country-watchlist alert and a country-anomaly alert tied to the host's own 30-day baseline.

  • High-risk countries (RU, CN, KP, IR, BY) trigger a high-severity finding once a country crosses 20 failed attempts in the window.
  • Country anomaly fires when a host sees sustained failed-login traffic from a country it has never logged before in the prior 30 days.
  • The dashboard surfaces sample IPs, country flags, and a 30-day prior distribution so operators can triage without leaving the page.
GeoIP requires a customer-provided MaxMind GeoLite2 license file (free to obtain at maxmind.com) mounted into the platform pod. Without it, every finding above still fires. Only the country attribution is omitted.
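The 60-second window and the country-watchlist finding, as an added example that is not Netwarden's collector. It parses journal-style failed-password lines, counts per source IP inside the window, aggregates by country and fires a high finding when a watchlist country reaches 20 attempts. Country attribution comes from a constructed lookup table standing in for the MaxMind GeoLite2 database, "reaches 20" is my reading of "crosses 20", and the finding name failed_login_watchlist_country is invented for the example; the page only gives the prefix failed_login_*.

```python
"""Failed-SSH-login window with country watchlist.
Added example, not Netwarden's code."""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

FAILED_RE = re.compile(
    r"^(?P<ts>\S+) \S+ sshd\[\d+\]: Failed password for (?:invalid user )?\S+ "
    r"from (?P<ip>[0-9a-fA-F.:]+) port \d+")
WATCHLIST = {"RU", "CN", "KP", "IR", "BY"}
WATCHLIST_THRESHOLD = 20           # page: fires once a country crosses 20 attempts
WINDOW = timedelta(seconds=60)
DEMO_NOW = datetime(2024, 3, 10, 14, 2, 0, tzinfo=timezone.utc)   # constructed

# Stand-in for the GeoLite2 lookup (assumption; real attribution reads the .mmdb).
GEO = {"185.220.101.4": ("RU", "Russia"),
       "117.50.39.182": ("CN", "China"),
       "203.0.113.9": ("US", "United States")}

def build_sample_log(now):
    """Constructed journal-style lines (ISO timestamps): 23 RU failures inside
    the window, 12 CN, 2 US, plus 30 RU failures older than the window."""
    lines = []

    def fail(ip, age_s, user="root"):
        ts = (now - timedelta(seconds=age_s)).isoformat()
        lines.append(f"{ts} web1 sshd[2211]: Failed password for {user} "
                     f"from {ip} port 41022 ssh2")

    for i in range(23):
        fail("185.220.101.4", 1 + i * 2)
    for i in range(12):
        fail("117.50.39.182", 3 + i * 4, "invalid user admin")
    for i in range(2):
        fail("203.0.113.9", 10 + i)
    for i in range(30):
        fail("185.220.101.4", 120 + i)      # outside the 60s window, must not count
    return lines

def failed_logins_in_window(lines, now, window=WINDOW):
    """Per-source-IP failed-login counts for lines timestamped within [now-window, now]."""
    counts = Counter()
    for line in lines:
        m = FAILED_RE.match(line)
        if not m:
            continue
        ts = datetime.fromisoformat(m.group("ts"))
        if now - window <= ts <= now:
            counts[m.group("ip")] += 1
    return counts

def watchlist_findings(counts):
    """Aggregate per country; emit a high finding for watchlist countries at/over threshold."""
    per_country = defaultdict(lambda: {"name": None, "count": 0, "ips": Counter()})
    for ip, n in counts.items():
        code, name = GEO.get(ip, (None, "Unknown"))
        entry = per_country[code]
        entry["name"] = name
        entry["count"] += n
        entry["ips"][ip] += n
    findings = []
    for code, entry in per_country.items():
        if code in WATCHLIST and entry["count"] >= WATCHLIST_THRESHOLD:
            findings.append({
                "finding_type": "failed_login_watchlist_country",
                "severity": "high",
                "title": f"Failed SSH logins from {entry['name']} ({entry['count']} in last minute)",
                "sample_ips": entry["ips"].most_common(3)})
    return findings

if __name__ == "__main__":
    counts = failed_logins_in_window(build_sample_log(DEMO_NOW), DEMO_NOW)
    for finding in watchlist_findings(counts):
        print(finding["severity"], finding["title"], finding["sample_ips"])
```

China's 12 attempts stay below the threshold and produce no finding, and the 30 older Russian attempts are excluded by the window check, so only the in-window count of 23 is reported. Without a GeoIP table every IP falls into the `None` country bucket and the watchlist rule simply never matches, which mirrors the page's statement that the other findings still fire without MaxMind.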
high
Failed SSH logins from Russia (47 in last minute)
window=60s, source=auth.log
finding_type: failed_login_*
🇷🇺 Russia · 185.220.101.4 · 47 attempts
🇨🇳 China · 117.50.39.182 · 12 attempts

TLS certificate expiration

Agentless. The platform reuses your existing HTTPS uptime checks: when it dials the host, it captures the peer certificate. A finding fires when the certificate is within 14 days of expiry and is escalated to critical at 3 days.

  • No extra collector to install. Runs on the same dial used for HTTPS uptime.
  • Issuer, subject, and notAfter are stored on the finding so you don't need to re-run openssl s_client to triage.
  • Auto-resolves the next time the dial sees a renewed certificate. Renewals are detected without operator intervention.
critical
TLS certificate for app.example.com expires in 2 day(s)
issuer=Let's Encrypt, served on :443
finding_type: ssl_cert_expiring_soon

How alerts reach you

Severity-routed, three channels, one digest

Findings are tiered critical / high / medium / low and dispatched across email, mobile push, and outbound webhook. You decide which severities open which channel. You can also opt into a single weekly digest as a low-noise alternative.

Severity-routed dispatch

Every finding lands in one of four buckets: critical, high, medium, low. Per-tenant preferences decide which severities go to email, which to push, and which to your webhook. No noisy lows in your inbox unless you ask for them.

Auto-resolution

When you fix the misconfig, the next snapshot closes the finding on its own. Auto-resolved findings are tagged distinctly from user-resolved ones, so you can tell who did the work: you, or the platform recognizing your fix.

Time-to-resolution metric

Every finding tracks first_seen, resolved_at, and who closed it. The dashboard rolls those up into a time-to-resolution chart, so you can prove your security posture is improving instead of just feeling like it might be.

| Severity | Email | Push | Webhook | Example finding |
|---|---|---|---|---|
| Critical | default on | default on | default on | Empty SSH passwords, SSHv1 enabled, 2-day cert |
| High | default on | default on | default on | Public Postgres, root SSH, weak ciphers, RU brute force |
| Medium | default on | off by default | off by default | Password SSH auth, country anomaly, weak MACs |
| Low | off by default | off by default | off by default | X11 forwarding, hmac-sha1. Weekly digest only. |

Fix it without leaving the page

Remediation built into every finding

Each finding ships with a copy-pasteable fix and a short ordered checklist. No jumping into someone else's blog post to figure out the right sshd_config edit.

ssh_root_login_enabled

Disable direct root SSH

# /etc/ssh/sshd_config — set PermitRootLogin no
sudo sed -i 's/^#\?PermitRootLogin.*/PermitRootLogin no/' /etc/ssh/sshd_config
sudo sshd -t && sudo systemctl reload sshd
cve_match

Patch a flagged package

# Debian / Ubuntu
sudo apt update
sudo apt install --only-upgrade openssl
# RHEL / Rocky / Alma / Fedora
sudo dnf update openssl
ssl_cert_expiring_soon

Renew an expiring certificate

# Let's Encrypt — certbot renewal
sudo certbot renew --dry-run
sudo certbot renew
sudo systemctl reload nginx
Honest limits

What this is not

We'd rather tell you up front. The security wedge is built around the agent we already ship. That buys real value. It also defines real boundaries.

Not a full vulnerability scanner

We don't do active port-and-protocol fingerprinting like Nessus, Tenable, or Qualys. Findings are derived from the agent's snapshots, not from probing the network.

Not an EDR

No kernel-level threat detection, no behavioural process anomaly, no signed-binary attestation. If you need runtime malware detection on each host, pair us with an EDR.

Not a SIEM

We do not aggregate every log line in your fleet. Failed-login monitoring uses sampled top-IP windows, not full ingestion. Bring a SIEM if you need long-term log search.

Not a compliance auditor

We do not certify you against PCI, HIPAA, or SOC 2 controls. Our findings (disabled root SSH, patched CVEs, public-port exposure) are useful inputs to those audits, but the framework itself isn't our product.

GeoIP needs your own MaxMind license

MaxMind's terms require each operator to hold their own GeoLite2 license. It's free at maxmind.com; you mount the .mmdb into the platform pod. Without it, every other security finding still fires.

Linux first today

SSH posture, listening-port audit, and CVE matching require the Linux agent. Windows and macOS hosts are inventoried but don't yet emit security findings beyond TLS expiration on monitored hostnames.

Self-hosted parity

The whole security wedge ships in the self-hosted binary

CVE feeds, SSH posture audits, port-exposure findings, GeoIP failed-login monitoring, TLS expiration. Every capability on this page is in the same Bun-compiled binary you'd run yourself. Same evaluator, same remediation snippets, same dashboard. No feature gate.

Read about self-hosting

Install the agent. Start finding things.

One install gets you uptime, metrics, and the security posture checks on this page. Free tier covers three hosts; paid plans add longer retention and unlimited webhooks.