{"@attributes":{"version":"2.0"},"channel":{"title":"Inner Warden Blog","link":"https:\/\/www.innerwarden.com\/blog","description":"Technical articles on Linux server security, SSH brute-force detection, honeypots, threat intelligence sharing, and automated defense.","language":"en-us","lastBuildDate":"Sat, 28 Mar 2026 05:08:16 GMT","item":[{"title":"How Inner Warden Catches Obfuscated Reverse Shells (Tree-Sitter AST, Not Regex)","link":"https:\/\/www.innerwarden.com\/blog\/detect-obfuscated-reverse-shells","guid":"https:\/\/www.innerwarden.com\/blog\/detect-obfuscated-reverse-shells","pubDate":"Sat, 21 Mar 2026 00:00:00 GMT","description":"Why regex fails for obfuscated commands like hex-encoded payloads, base64 pipelines, and Python reverse shells. How tree-sitter AST analysis detects them structurally.","category":"Threat Detection"},{"title":"We Built a Honeypot That Attackers Can\u2019t Detect","link":"https:\/\/www.innerwarden.com\/blog\/honeypot-attackers-cant-detect","guid":"https:\/\/www.innerwarden.com\/blog\/honeypot-attackers-cant-detect","pubDate":"Sat, 21 Mar 2026 00:00:00 GMT","description":"Fake \/proc\/cpuinfo, \/proc\/self\/cgroup, 25+ shell commands, and LLM fallback. How our honeypot passes the checks advanced attackers use to detect traps.","category":"Honeypots"},{"title":"Monitor Your Server Security with Grafana and Prometheus","link":"https:\/\/www.innerwarden.com\/blog\/grafana-server-security-monitoring","guid":"https:\/\/www.innerwarden.com\/blog\/grafana-server-security-monitoring","pubDate":"Sat, 21 Mar 2026 00:00:00 GMT","description":"Tutorial: scrape Inner Warden\u2019s \/metrics endpoint with Prometheus and build a Grafana dashboard with events, incidents, AI latency, and execution panels.","category":"Monitoring"},{"title":"Brute-Force Followed by Successful Login: The Attack Everyone Misses","link":"https:\/\/www.innerwarden.com\/blog\/detect-brute-force-success-login","guid":"https:\/\/www.innerwarden.com\/blog\/detect-brute-force-success-login","pubDate":"Sat, 21 Mar 2026 00:00:00 GMT","description":"Most tools alert on failed SSH logins. Almost none alert when a brute-forced IP then logs in successfully. That\u2019s a compromise, not just an alert.","category":"Threat Detection"},{"title":"Why We Switched to jemalloc (and How glibc malloc Was Eating 1GB RAM)","link":"https:\/\/www.innerwarden.com\/blog\/jemalloc-rust-memory-management","guid":"https:\/\/www.innerwarden.com\/blog\/jemalloc-rust-memory-management","pubDate":"Sat, 21 Mar 2026 00:00:00 GMT","description":"The story of how glibc malloc fragmentation caused our Rust daemon to grow to 1.3GB under bot traffic, and how jemalloc fixed it with 3 lines of code.","category":"Engineering"},{"title":"11 Types of Sudo Abuse Inner Warden Detects (MITRE ATT&CK Mapped)","link":"https:\/\/www.innerwarden.com\/blog\/sudo-abuse-mitre-attack-detection","guid":"https:\/\/www.innerwarden.com\/blog\/sudo-abuse-mitre-attack-detection","pubDate":"Sat, 21 Mar 2026 00:00:00 GMT","description":"Complete reference: SUID manipulation, SSH key injection, cron persistence, log tampering, and 7 more privilege abuse categories with MITRE ATT&CK IDs.","category":"Threat Detection"},{"title":"How to Tell Real Googlebot from Fake: Reverse DNS Verification","link":"https:\/\/www.innerwarden.com\/blog\/fake-bot-detection","guid":"https:\/\/www.innerwarden.com\/blog\/fake-bot-detection","pubDate":"Thu, 19 Mar 2026 00:00:00 GMT","description":"Attackers disguise as Googlebot to bypass security. Learn how reverse DNS verification catches fakes and why user-agent alone is not enough.","category":"Bot Security"},{"title":"OpenClaw + Inner Warden: Your AI Agent Gets a Security Armor","link":"https:\/\/www.innerwarden.com\/blog\/openclaw-integration","guid":"https:\/\/www.innerwarden.com\/blog\/openclaw-integration","pubDate":"Thu, 19 Mar 2026 00:00:00 GMT","description":"How Inner Warden protects OpenClaw agents from executing dangerous commands, and how OpenClaw keeps Inner Warden healthy in return.","category":"Integration"},{"title":"How to Set Up Suricata IDS with Automated Response","link":"https:\/\/www.innerwarden.com\/blog\/suricata-automated-response","guid":"https:\/\/www.innerwarden.com\/blog\/suricata-automated-response","pubDate":"Wed, 18 Mar 2026 00:00:00 GMT","description":"Connect Suricata IDS alerts to automatic firewall blocking. Inner Warden promotes IDS alerts to incidents, AI decides, firewall blocks. The complete alert-to-block pipeline.","category":"Network IDS"},{"title":"How to Protect Docker Containers from Runtime Attacks","link":"https:\/\/www.innerwarden.com\/blog\/docker-container-security","guid":"https:\/\/www.innerwarden.com\/blog\/docker-container-security","pubDate":"Wed, 18 Mar 2026 00:00:00 GMT","description":"Monitor Docker containers for OOM kills, rapid restarts, and escape attempts. Automatically pause compromised containers with a TTL-based recovery.","category":"Container Security"},{"title":"How to Protect AI Agents Running on Your Server","link":"https:\/\/www.innerwarden.com\/blog\/protect-ai-agents-server","guid":"https:\/\/www.innerwarden.com\/blog\/protect-ai-agents-server","pubDate":"Wed, 18 Mar 2026 00:00:00 GMT","description":"AI agents run commands on your server. Inner Warden's check-command API validates commands before execution, scoring risk and blocking dangerous operations.","category":"AI Agent Security"},{"title":"What Is Credential Stuffing and How to Stop It","link":"https:\/\/www.innerwarden.com\/blog\/credential-stuffing-protection","guid":"https:\/\/www.innerwarden.com\/blog\/credential-stuffing-protection","pubDate":"Tue, 17 Mar 2026 00:00:00 GMT","description":"Understand the difference between credential stuffing and brute-force attacks. Learn how to detect many-username attacks from a single IP and block them automatically.","category":"SSH Security"},{"title":"How to Set Up Telegram Alerts for Server Security","link":"https:\/\/www.innerwarden.com\/blog\/telegram-server-security-alerts","guid":"https:\/\/www.innerwarden.com\/blog\/telegram-server-security-alerts","pubDate":"Tue, 17 Mar 2026 00:00:00 GMT","description":"Set up real-time Telegram notifications for server security events. Bot commands, inline approve\/deny buttons, and AI-powered conversations about your server's status.","category":"Notifications"},{"title":"What Happens When Your Server Gets Attacked: A Real 24-Hour Log","link":"https:\/\/www.innerwarden.com\/blog\/server-attack-24-hours","guid":"https:\/\/www.innerwarden.com\/blog\/server-attack-24-hours","pubDate":"Tue, 17 Mar 2026 00:00:00 GMT","description":"A real 24-hour narrative of attacks against a public VPS: SSH brute-force, web scanners, credential stuffing, and honeypot captures. All blocked automatically.","category":"Real-World Security"},{"title":"How to Use AI for Server Security Without Giving It Root Access","link":"https:\/\/www.innerwarden.com\/blog\/ai-security-without-root","guid":"https:\/\/www.innerwarden.com\/blog\/ai-security-without-root","pubDate":"Tue, 17 Mar 2026 00:00:00 GMT","description":"Inner Warden's AI isolation model: the model reads data and returns JSON recommendations, Rust validates and executes. The model never sees a shell. Even a compromised model cannot harm your server.","category":"AI Safety"},{"title":"Open Source Server Security Tools in 2026: A Practical Guide","link":"https:\/\/www.innerwarden.com\/blog\/open-source-server-security-2026","guid":"https:\/\/www.innerwarden.com\/blog\/open-source-server-security-2026","pubDate":"Mon, 16 Mar 2026 00:00:00 GMT","description":"A practical overview of the best open source security tools for Linux servers in 2026: Falco, Suricata, osquery, fail2ban, and Inner Warden. How they work together in a unified stack.","category":"Security Stack"},{"title":"How to Detect and Block Port Scanning on Your Server","link":"https:\/\/www.innerwarden.com\/blog\/detect-port-scanning","guid":"https:\/\/www.innerwarden.com\/blog\/detect-port-scanning","pubDate":"Mon, 16 Mar 2026 00:00:00 GMT","description":"Learn what port scanning is, why attackers do it, how to detect it with sliding-window analysis, and how to automatically block scanners at the firewall.","category":"Network Security"},{"title":"How to Detect Web Scanners (Nikto, sqlmap, Nuclei) on Your Server","link":"https:\/\/www.innerwarden.com\/blog\/detect-web-scanners","guid":"https:\/\/www.innerwarden.com\/blog\/detect-web-scanners","pubDate":"Mon, 16 Mar 2026 00:00:00 GMT","description":"Detect automated web vulnerability scanners like Nikto, sqlmap, and Nuclei using user-agent signatures and HTTP error flood analysis. Auto-block and rate-limit via nginx.","category":"Web Security"},{"title":"How to Monitor and Respond to sudo Abuse on Linux","link":"https:\/\/www.innerwarden.com\/blog\/monitor-sudo-abuse","guid":"https:\/\/www.innerwarden.com\/blog\/monitor-sudo-abuse","pubDate":"Mon, 16 Mar 2026 00:00:00 GMT","description":"Detect sudo abuse patterns like burst privileged commands and lateral movement. Automatically suspend sudo access with a TTL and get Telegram alerts.","category":"Privilege Escalation"},{"title":"How to Detect SSH Brute-Force Attacks on Your Linux Server","link":"https:\/\/www.innerwarden.com\/blog\/detect-ssh-brute-force","guid":"https:\/\/www.innerwarden.com\/blog\/detect-ssh-brute-force","pubDate":"Sun, 15 Mar 2026 00:00:00 GMT","description":"Learn how to detect SSH brute-force attacks in real time, why fail2ban alone is not enough, and how to set up automated blocking with AI-powered confidence scoring.","category":"SSH Security"},{"title":"How to Set Up an SSH Honeypot That Captures Attacker Behavior","link":"https:\/\/www.innerwarden.com\/blog\/ssh-honeypot-setup","guid":"https:\/\/www.innerwarden.com\/blog\/ssh-honeypot-setup","pubDate":"Sun, 15 Mar 2026 00:00:00 GMT","description":"Set up an LLM-powered SSH honeypot that responds to attackers naturally, captures credentials and commands, and auto-blocks after the session ends.","category":"Honeypots"},{"title":"How to Share Threat Intelligence: AbuseIPDB + Cloudflare Automatic Blocking","link":"https:\/\/www.innerwarden.com\/blog\/threat-intelligence-sharing","guid":"https:\/\/www.innerwarden.com\/blog\/threat-intelligence-sharing","pubDate":"Sun, 15 Mar 2026 00:00:00 GMT","description":"Automatically report blocked IPs to AbuseIPDB and push firewall rules to Cloudflare WAF. Detect, block, report, and protect other servers from the same attacker.","category":"Threat Intelligence"},{"title":"Fail2ban vs Inner Warden: What\u2019s the Difference?","link":"https:\/\/www.innerwarden.com\/blog\/fail2ban-vs-innerwarden","guid":"https:\/\/www.innerwarden.com\/blog\/fail2ban-vs-innerwarden","pubDate":"Sun, 15 Mar 2026 00:00:00 GMT","description":"A fair comparison of fail2ban and Inner Warden. Both block IPs from SSH brute-force, but Inner Warden adds stateful detection, AI triage, dashboards, Telegram alerts, honeypots, and threat intelligence sharing.","category":"Comparison"}]}}