Network-level IDS/IPS built into the core of ServersCamp. See what reaches your workloads, block bad traffic automatically, and turn on inline protection when you need it.
Pick a level from L0 to L3. Each one includes everything below it. Nothing runs on the machine itself.
Warden runs on ServersCamp infrastructure. It can inspect traffic before it reaches your machine, and after it leaves.
Inbound traffic reaches Warden first. Bad sources and visible attacks are blocked before they ever hit the workload.
At L3, Warden also watches what leaves the workload: outbound to the internet, and east-west to other machines in the same private subnet.
A compromised workload cannot move or call out without crossing inspection.
Give a machine a public IP and the traffic starts within minutes. Scanners, exploit kits, brute-force runs, old CVEs, new CVEs, and bots looking for anything that answers.
AI made the loop faster. More code gets shipped quickly, more apps go online half-hardened, and attackers automate the boring work: find, try, repeat.
| Source | Country | Signature | CVE | Last seen | Action |
|---|---|---|---|---|---|
| 195.20.239.136 | DE | ET WEB_SPECIFIC_APPS PHP-CGI OS Command Injection (soft hyphen) | CVE-2024-4577 | 2h ago | blocked |
| 195.20.239.136 | DE | ET WEB_SERVER ThinkPHP RCE Exploitation Attempt | n/a | 2h ago | blocked |
| 195.20.239.136 | DE | ET EXPLOIT Apache HTTP Server 2.4.49 Path Traversal Attempt | CVE-2021-41773 | 2h ago | blocked |
| 77.83.246.97 | PL | ET WEB_SERVER /bin/sh In URI Possible Shell Command Execution | n/a | 3h ago | blocked |
| 152.32.225.99 | HK | ET INFO External Oracle T3 Requests Inbound | n/a | 5h ago | blocked |
| 151.243.150.23 | DE | GPL WEB_SERVER .htpasswd access | n/a | 10h ago | blocked |
| 192.142.28.77 | GB | ET HUNTING Suspicious Chmod Usage in URI (Inbound) | n/a | 12h ago | blocked |
| 117.175.140.79 | CN | ET WEB_SERVER ThinkPHP RCE Exploitation Attempt | n/a | 16h ago | blocked |
| 59.103.100.100 | PK | ET EXPLOIT D-Link Devices HNAP Command Execution | n/a | 20h ago | blocked |
| 34.162.191.237 | US | ET WEB_SPECIFIC_APPS WordPress Gravity SMTP Unauth REST API | CVE-2026-4020 | 1d ago | blocked |
| 45.135.195.139 | DE | ET WEB_SERVER Generic PHP Remote File Include | n/a | 1d ago | blocked |
| 198.50.202.93 | CA | ET WEB_SERVER ThinkPHP RCE Exploitation Attempt | n/a | 1d ago | blocked |
Every row is a real exploit or abuse attempt detected by Warden. Some of these sources were not on any reputation list yet: signatures caught what lists missed.
We put a fresh machine online for a day with nothing running on it, told no one it existed, and logged everything that reached it.
Hit from everywhere, within the first hour.
That is the baseline for anything on a public IP. The traffic is already arriving. The real question is whether you can see it, and whether anything stops it.
Your service needs a way in. HTTPS stays open, SSH may stay reachable, your API, admin panel, database or game server needs a public path.
Attackers do not need a secret door. They use the same one your users do.
Warden sits on that path and watches who is coming in, what they are doing, and whether they belong there.
Start with visibility. Move up when you want Warden to do more. Each level includes the one below it.
L0: A live map of connections: source, country, port, state and volume. Nothing is blocked. This is your public surface as the internet sees it.
L1: Known-bad sources from abuse feeds, spam lists and your own deny lists are dropped before they reach the workload. Your VM does not waste CPU or fill logs with traffic Warden already knows is bad.
L2: Traffic is mirrored locally and inspected out of path for scans, probes, exploit attempts and visible attack patterns. When Warden sees abuse, it feeds L1 and blocks the source at the edge. Recommended default. Fails open.
L3: A dedicated inspection engine sits inline for each protected backend. Attacks visible to policy are dropped before they reach the machine. Outbound and east-west inspection are available here.
L0 shows it. L1 drops known bad. L2 catches fresh abuse. L3 blocks inline.
L3 moves the workload behind Warden, same IP and no change to the application. It is not a rule running inside the guest; it is a position in the network.
Exploits, scans, brute-force attempts and suspicious packets are dropped before they reach the VM.
Traffic between your own machines can be inspected inside the same flat subnet. If one workload is compromised, its next move crosses inspection.
A breached machine cannot quietly call home or push data out: its egress is inspected on the way out too.
Same security layer. Same levels. Different entry points.
Protect a group of machines behind an L4 load balancer. Many backends, one shared policy and one dashboard.
Protect one machine directly, no balancer required. Bastions, admin panels, databases, that legacy box sitting on a public IP.
An L7 WAF for web apps and HTTP requests. Injections, traversal, malicious requests and application-layer rules.
Before Warden blocks anything, it shows you what is already reaching your workload. A plain, read-only view of the traffic most VPS users never get to see.
L0 blocks nothing. It just shows you the traffic. Most people switch on L1 about a minute later.
Start at L0 for free. Pay only when you want Warden to block, detect or sit inline.
| Level | What you get | Price |
|---|---|---|
| L0 | Live map, top sources, connection audit and reputation hints. Read-only visibility. | Free, always on |
| L1 | Known-bad sources blocked at the edge. Good for basic blocklist-based protection. | €3 per protected object |
| L2 | Mirror-mode IDS. Detects scans, probes and visible attack patterns. Recommended default. | €15 per TB of traffic |
| L3 | Dedicated inline IPS per protected backend. Inbound, outbound and east-west inspection. | €40 /mo per endpoint, plus €30 per TB of traffic |
Telemetry off the flow table at L0, ACLs at the port for L1, a mirror at L2, a routed hop at L3.
L0 is read-only. Every north-south flow to the resource is already in the fabric's connection-tracking table: one stateful entry per 5-tuple, carrying the original and reply tuples, the protocol state machine (SYN_SENT, ESTABLISHED, TIME_WAIT and the rest), per-flow packet and byte counters, and the conntrack zone it lives in. L0 dumps that table on the gateway chassis, attributes each entry to the resource by its public address, and renders it: live connections by state, top sources, ports and geo. It stores no new state, so visibility costs nothing on the path or in the guest. It just reads the tracker the data path already maintains. Because each entry already holds both tuples, the read-out tells ingress from egress and live sessions from half-open scans.
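An added example, not ServersCamp code: a parser for the kind of read-out L0 describes, assuming the tracker can be dumped in the text format of Linux `conntrack -L`. The entries and the public address `203.0.113.10` are constructed; it uses both tuples to tell ingress from egress and the TCP state to separate live sessions from half-open ones.

```python
import re
from collections import Counter

PUBLIC_IP = "203.0.113.10"  # assumed public address of the protected resource
HALF_OPEN = {"SYN_SENT", "SYN_RECV"}
TUPLE = re.compile(r"src=(\S+) dst=(\S+) sport=(\d+) dport=(\d+) packets=(\d+) bytes=(\d+)")

# Constructed entries in the style of Linux `conntrack -L` output (DNAT in, SNAT out).
SAMPLE = """\
tcp 6 431990 ESTABLISHED src=198.51.100.7 dst=203.0.113.10 sport=51514 dport=443 packets=12 bytes=3400 src=10.0.0.5 dst=198.51.100.7 sport=443 dport=51514 packets=10 bytes=9000 [ASSURED] zone=5
tcp 6 52 SYN_RECV src=192.0.2.66 dst=203.0.113.10 sport=40001 dport=22 packets=1 bytes=60 src=10.0.0.5 dst=192.0.2.66 sport=22 dport=40001 packets=1 bytes=60 zone=5
tcp 6 110 SYN_SENT src=192.0.2.66 dst=203.0.113.10 sport=40002 dport=3306 packets=1 bytes=60 [UNREPLIED] src=10.0.0.5 dst=192.0.2.66 sport=3306 dport=40002 packets=0 bytes=0 zone=5
tcp 6 431000 ESTABLISHED src=10.0.0.5 dst=198.51.100.200 sport=47000 dport=443 packets=8 bytes=900 src=198.51.100.200 dst=203.0.113.10 sport=443 dport=47000 packets=7 bytes=5100 [ASSURED] zone=5
"""

def parse(line):
    """Return state plus original and reply tuples, or None if not a TCP entry."""
    head = line.split()
    tuples = TUPLE.findall(line)
    if not head or head[0] != "tcp" or len(tuples) != 2:
        return None
    return {"state": head[3], "orig": tuples[0], "reply": tuples[1]}

def classify(entry, public_ip=PUBLIC_IP):
    """Attribute an entry to the resource and label direction and session kind."""
    o_src, o_dst, _, o_dport = entry["orig"][:4]
    if o_dst == public_ip:                 # original tuple targets the public IP
        direction, peer = "ingress", o_src
    elif entry["reply"][1] == public_ip:   # reply returns to it: flow was SNAT'd out
        direction, peer = "egress", o_dst
    else:
        return None                        # belongs to another resource
    state = entry["state"]
    kind = "live" if state == "ESTABLISHED" else "half-open" if state in HALF_OPEN else "other"
    return direction, peer, int(o_dport), kind

def summarize(text, public_ip=PUBLIC_IP):
    """List attributed flows and count half-open inbound attempts per source."""
    flows, half_open = [], Counter()
    for line in text.splitlines():
        entry = parse(line)
        row = classify(entry, public_ip) if entry else None
        if row:
            flows.append(row)
            if row[0] == "ingress" and row[3] == "half-open":
                half_open[row[1]] += 1
    return flows, half_open

if __name__ == "__main__":
    flows, half_open = summarize(SAMPLE)
    for row in flows:
        print(*row)
    print("half-open by source:", dict(half_open))
```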
L1 is an ACL at the resource's port, evaluated before the packet is DNAT'd toward the backend. Source is matched against address-sets: bulk reputation feeds (spam, abuse, scanner, C2) plus the per-resource deny set that auto-bans write into. A hit drops at the edge, so the workload never sees the SYN. Matching is set membership, not a rule walk, so a deny set with millions of prefixes is still one ACL, still O(1) per packet. It rides the same stateful flow tracking as L0: only new flows run the full ACL, established connections match the flow table and forward, so reputation is paid once at setup, not per packet. Auto-bans close the loop: an L2 or L3 verdict writes the source into this set, and its next flow dies at the port.
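An added model of the L1 decision, not ServersCamp code: the class `EdgeAcl`, its method names and all addresses are hypothetical and constructed. It assumes IPv4 only, a deny set bucketed by prefix length so lookup cost does not grow with the number of prefixes, and that a ban does not flush existing flow-table entries (the page does not say whether it does).

```python
import ipaddress

class EdgeAcl:
    """Toy model: deny-set membership is checked only when a flow is new."""

    def __init__(self, feed_prefixes):
        self.deny = {}       # prefix length -> set of network addresses (as ints)
        self.flows = set()   # established 5-tuples, standing in for the flow table
        self.acl_runs = 0    # how many times the full ACL was evaluated
        for prefix in feed_prefixes:
            self.ban(prefix)

    def ban(self, prefix):
        """Add a feed prefix or a single auto-banned source to the deny set."""
        net = ipaddress.ip_network(prefix, strict=False)
        self.deny.setdefault(net.prefixlen, set()).add(int(net.network_address))

    def _denied(self, src):
        # One hash probe per prefix length in use (at most 33 for IPv4),
        # regardless of how many prefixes the set holds.
        addr = int(ipaddress.ip_address(src))
        for plen, nets in self.deny.items():
            mask = (0xFFFFFFFF << (32 - plen)) & 0xFFFFFFFF
            if (addr & mask) in nets:
                return True
        return False

    def packet(self, flow):
        """flow = (src, sport, dst, dport, proto); returns 'forward' or 'drop'."""
        if flow in self.flows:            # established: flow-table hit, no ACL
            return "forward"
        self.acl_runs += 1                # new flow: reputation is paid here
        if self._denied(flow[0]):
            return "drop"
        self.flows.add(flow)
        return "forward"

def demo():
    acl = EdgeAcl(["198.51.100.0/24"])    # constructed reputation feed
    scanner = ("192.0.2.66", 40001, "203.0.113.10", 443, "tcp")
    out = [acl.packet(("198.51.100.9", 5555, "203.0.113.10", 22, "tcp"))]
    out += [acl.packet(scanner) for _ in range(3)]   # ACL runs once for 3 packets
    runs = acl.acl_runs
    acl.ban(scanner[0])                   # verdict arrives from L2 or L3
    out.append(acl.packet(scanner))       # existing flow still matches the table
    out.append(acl.packet(("192.0.2.66", 40002, "203.0.113.10", 443, "tcp")))
    return out, runs

if __name__ == "__main__":
    print(demo())
```

In this model the banned source's already-established flow keeps forwarding and only its next flow is dropped, which is the gap to check for when an auto-ban needs to cut a session that is already open.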
L2 is a SPAN-style port mirror: a copy of the workload's ingress and egress frames is fanned out to an inspection engine off the forwarding path. Zero added latency, zero MTU impact, inherently fail-open. Detection only, so verdicts feed the L1 reputation set rather than gating the packet.
L3 puts the engine in the forwarding path as a routed hop in front of the backend. Both directions traverse the same hop, so the path stays symmetric with no asymmetric-routing corner cases. Each packet is verdicted before it is forwarded, so drops land on the wire, not after the fact. The engine is per-backend, so one tenant's inspection load never touches another's.
The engine becomes the first hop without renumbering anything. It proxy-ARPs the protected address into the segment and answers for it, so the VM keeps its IP, its default gateway and its place in the same broadcast domain. Insertion is pure L2 adjacency: addressing, encapsulation and the guest routing table stay exactly as they were.
Inline is not a new single point of failure. Engine health is tracked out of band, and on degradation or loss the flow reverts to the L2 mirror path instead of fail-closing the backend. You lose inline enforcement, not reachability. Security degrades before connectivity does.
Simplified view. On the fabric it is programmable flow rules on the client's virtual switch, which is our network: a mirror group for L2, a routed proxy-ARP insertion with a stateful flow table for L3. Steering and verdicts happen below the guest, so the workload's NIC sees an unchanged adjacency.
A real IDS/IPS in front of your machine, built into the network, turned on with a single switch.