Block attacking IPs on Linux — before they get comfortable
EzyShield watches your logs, detects attackers and scrapers, and bans them with escalating strikes — locally via nftables and at the edge via Cloudflare. A fast rule engine runs fully offline; AI only steps in to judge the ambiguous traffic.
curl -sfL https://get.ezyshield.com | sudo sh
Dry-run by default — watch what it would block before you arm it. One command, no account, your server, your keys.
From log line to ban in milliseconds
A deterministic pipeline. AI is an optional step, never a dependency.
Watch
Tails your access and auth logs — nginx, sshd, and more — in real time.
Decide
The rule engine instantly matches known attacks. Anything ambiguous goes to an LLM — Anthropic (Claude), an OpenAI-compatible endpoint, or a local Ollama model.
Enforce
Once armed, bans land in nftables and propagate to the edge via Cloudflare. Until then, dry-run shows exactly what would be blocked. More edge backends (Bunny CDN, AWS WAF) are on the roadmap.
Built for people who run their own servers
Eight capabilities working together. Each one optional, every one configurable.
Rule Engine
Deterministic pattern matching runs in microseconds — fully offline, no network or API key required.
AI Verdict
Ambiguous traffic is routed to the provider you choose — Anthropic (Claude), any OpenAI-compatible endpoint, or a local Ollama model. AI steps in only when the rules say so.
Escalating Strikes
A configurable strike ladder — short hold, full-day ban, permanent lockout. First offenders get a warning, not a lifetime block.
Edge Blocking
Bans propagate to Cloudflare IP Lists so attackers are stopped before they reach your server. Bunny CDN and AWS WAF are planned.
GeoIP Enrichment
Every event gets tagged with country, ASN, and reputation data — making logs and alerts immediately actionable.
Multi-source Logs
Watches SSH auth and Nginx access logs from a single daemon — via journald or log files. Apache, Caddy, Traefik, and container logs are on the roadmap.
Notifications
Strike events are pushed to Telegram, Slack, or Discord in real time — no need to watch a screen.
Privilege Separation
The watcher runs unprivileged; only the enforcer needs elevated rights. Compromising one component doesn't compromise all.
Plugs into what you already run
Mix and match. Every integration is optional and swappable.
- Cloudflare
- Bunny CDN soon
- AWS WAF soon
- nftables
- Telegram
- Slack
- Discord
- Webhooks
- OpenAI
- Anthropic
- Ollama local
- SSH / auth.log
- Nginx
- Docker soon
- journald
Running in three steps
One binary, one config file. Drop it on the box and go.
Install
Download and install EzyShield with a single command. No dependencies to chase down.
curl -sfL https://get.ezyshield.com | sudo sh
Configure
Create the config file. Point it at your logs, set your strike ladder, and optionally pick an LLM provider.
sudo ezyshield init
Watch
Starts the pipeline in dry-run — it shows what it would block until you set armed: true. Enable the systemd service to keep EzyShield running across reboots.
sudo ezyshield watch
Frequently asked questions
Common questions from sysadmins who've been there.
The enforcer that writes to nftables needs elevated privileges to add and remove firewall rules. The watcher — the part that reads logs and calls the LLM — runs fully unprivileged. Privilege separation means a compromised watcher cannot touch your firewall.
Yes. The rule engine is deterministic and fully offline — it blocks known attack patterns without any network access or API key. AI is an optional step that only activates for traffic the rules can't classify, and only when you've configured an LLM provider.
SSH auth logs (/var/log/auth.log), nginx access logs, Docker container logs, and the systemd journal (journald). You choose which sources to tail in ezyshield.yml. More log sources are on the roadmap.
Yes. EzyShield can push bans to Cloudflare IP Lists via the Cloudflare API, blocking attackers at the edge before traffic ever reaches your server. Bunny CDN and AWS WAF are on the roadmap as additional edge targets — Cloudflare is the one shipping today.
Yes. EzyShield is open source under AGPL-3.0 and free to self-host — your server, your keys, no account required. It's currently pre-alpha, so run it in dry-run (the default) and report anything that looks off.
Yes. EzyShield has a built-in allowlist that always wins over strike and ban decisions. Add your own IP, your office range, or any trusted CIDR in ezyshield.yml. Anti-lockout protection is built in — you cannot accidentally ban yourself.
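As an added illustration of the strike ladder (short hold, full-day ban, permanent lockout), the allowlist-wins rule and dry-run mode described above, the following is example code written for this page, not EzyShield's own implementation. The ladder durations, the nftables table and set names (assumed to be a set created with the timeout flag), the sshd matching rule and the log lines are all assumptions or constructed samples.

```python
import ipaddress
import re
from dataclasses import dataclass, field

LADDER = ("10m", "1d", None)          # assumed: short hold, full-day ban, permanent
NFT_SET = "inet ezyshield banned"     # assumed table/set names, not the project's
# One deterministic rule (constructed sshd format): failed password, capture source IP.
SSHD_FAIL = re.compile(r"Failed password for (?:invalid user )?\S+ from (\S+) port")

@dataclass
class StrikeLadder:
    allowlist: list = field(default_factory=list)  # trusted CIDR strings
    armed: bool = False                            # dry-run until True
    strikes: dict = field(default_factory=dict)    # ip -> strike count

    def __post_init__(self):
        self.nets = [ipaddress.ip_network(n, strict=False) for n in self.allowlist]

    def is_allowed(self, ip):
        return any(ipaddress.ip_address(ip) in net for net in self.nets)

    def strike(self, ip):
        """Count one strike; return (decision, nft command or None). The allowlist
        is checked before counting, so a trusted address never climbs the ladder."""
        if self.is_allowed(ip):
            return "allowlisted", None
        count = self.strikes[ip] = self.strikes.get(ip, 0) + 1
        timeout = LADDER[min(count, len(LADDER)) - 1]
        element = f"{ip} timeout {timeout}" if timeout else ip
        cmd = f"nft add element {NFT_SET} {{ {element} }}"
        # Armed: the enforcer would run cmd. Dry-run: it is only reported.
        return ("ban" if self.armed else "dry-run"), cmd

def process(lines, ladder):
    """Run each line through the rule; return (ip, decision, cmd) per match."""
    out = []
    for line in lines:
        m = SSHD_FAIL.search(line)
        if m:
            out.append((m.group(1),) + ladder.strike(m.group(1)))
    return out

# Constructed sample: three failures from one address, one from the admin range.
SAMPLE_LOG = [
    "Mar  3 10:01:02 web sshd[1234]: Failed password for root from 203.0.113.9 port 51234 ssh2",
    "Mar  3 10:01:09 web sshd[1240]: Accepted publickey for deploy from 198.51.100.4 port 40000 ssh2",
    "Mar  3 10:01:12 web sshd[1250]: Failed password for root from 198.51.100.4 port 40002 ssh2",
    "Mar  3 10:02:00 web sshd[1260]: Failed password for invalid user admin from 203.0.113.9 port 51250 ssh2",
    "Mar  3 10:03:00 web sshd[1270]: Failed password for root from 203.0.113.9 port 51260 ssh2",
]
```

Running process(SAMPLE_LOG, StrikeLadder(allowlist=["198.51.100.0/24"])) walks 203.0.113.9 up the ladder while the admin address is reported as allowlisted, and nothing is executed until armed=True.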