Every server connected to the internet receives a constant stream of automated probes, brute-force attempts, and vulnerability scans. Most never succeed — but they consume resources that would otherwise serve your legitimate visitors.
Here's the three-layer approach we use to deal with it.
Layer 1: Guardian-X (XDP Fast-Path)
The outermost layer runs in the network driver's receive path, using Linux XDP (eXpress Data Path) to drop packets inside the kernel before they reach the normal network stack, let alone nftables or nginx.
Guardian-X maintains a set of known-hostile IPs and blocks their traffic at the earliest possible point — before any application code runs, before any connection state is allocated. Dropping a packet at the XDP layer takes microseconds and consumes essentially nothing.
This is where the highest-volume abusers end up: IPs that have been permanently jailed after repeated offences across the fleet.
Layer 2: nginx Rate Limiting and Path Blocking
Traffic that passes the XDP layer reaches nginx. We apply rate limits and hard blocks on URLs that attract automated abuse:
- wp-login.php, xmlrpc.php: maximum requests per IP per minute
- /.env, /.git, /phpmyadmin, /wp-admin/install.php and similar hostile probe paths: blocked at nginx with no PHP execution
A legitimate human logging into WordPress does it once every few minutes. A credential-stuffing bot does it hundreds of times per second. The rate limit stops the bot while leaving the human unaffected. The rejection happens entirely in nginx — no PHP runs, no database queries execute.
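As an added illustration of the two Layer 2 behaviours (this is not the provider's actual configuration), the following nginx fragment rate-limits the login endpoints and refuses the probe paths before PHP is involved. The zone name, the 10 requests per minute rate, the burst size and the PHP-FPM socket path are assumptions.

```nginx
# http {} context: one shared-memory zone keyed on the client address.
# 10 requests per minute is generous for a person; a credential-stuffing bot
# blows through it in the first second.
limit_req_zone $binary_remote_addr zone=wplogin:10m rate=10r/m;
limit_req_status 429;   # default is 503; 429 is the honest answer and easy to alert on

server {
    # ... existing listen / server_name / root ...

    # Login endpoints: absorb a small burst, reject everything beyond it at once
    # (nodelay) instead of queueing it. Rejected requests never reach PHP-FPM.
    location ~ ^/(wp-login\.php|xmlrpc\.php)$ {
        limit_req zone=wplogin burst=5 nodelay;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass unix:/run/php/php-fpm.sock;   # assumption: socket path differs per host
    }

    # Probe paths: 444 closes the connection without sending a response.
    # No PHP worker is touched and no database query runs.
    location ~* ^/(\.env|\.git|phpmyadmin|wp-admin/install\.php) {
        return 444;
    }
}
```

Two things to check when adapting this. nginx evaluates regex locations in the order they appear and takes the first match, so the probe-path block must come before the site's generic `location ~ \.php$` handler or `/wp-admin/install.php` will still be handed to PHP. And `$binary_remote_addr` is the address nginx sees: behind a CDN or reverse proxy, configure `set_real_ip_from` and `real_ip_header` first, otherwise every visitor arriving through the proxy shares one bucket. Requests rejected by the rate limit are still written to the access log with status 429, which is exactly the signal the next layer can read.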
Layer 3: flame-guardian (IDS + Escalating Bans)
flame-guardian watches two log sources in real time: the SSH auth log and the nginx access log. When it detects an abuse pattern, it bans the offending IP using nftables and records the event.
SSH brute force: 5 failed authentication attempts within 60 seconds triggers a ban.
Hostile web paths: any request to a known-hostile path (wp-login flood, .env probe, phpMyAdmin scan, shell.php etc.) triggers an immediate ban and escalates the IP's record.
Bans follow an escalation ladder: the first offence earns 5 minutes, and repeat offenders work through 10 tiers up to 365 days. An IP that keeps offending after tier 10 enters Guardian Jail, a permanent ban with no expiry, applied at the nftables level.
Fleet-wide sync: when guardian bans an IP on any node, it propagates the ban to all other nodes in the fleet within seconds. An IP banned on ns1 is also banned on ns2 and ns3. Attackers can't evade a block by switching which of our nameservers they probe.
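To make the Layer 3 rules concrete, here is an added example (my own code, not flame-guardian's) that applies the SSH threshold, the hostile-path rule and the escalation ladder to constructed auth-log and nginx access-log lines, and produces the nft commands a daemon would run and then sync across the fleet. The page gives only the first tier (5 minutes) and the tenth (365 days); the tiers in between, the nft table and set names (`inet guardian`, sets `banned` and `jail`), and the decision to treat a 429 on a login path as a "wp-login flood" are all assumptions.

```python
"""Added example, not flame-guardian's own code: the two detection rules and the escalation
ladder described above, run over constructed log lines. The nft table/set names and the
intermediate ladder tiers (the page gives only 5 min and 365 d) are assumptions."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone
from urllib.parse import urlsplit

SSH_FAIL = re.compile(r"Failed password for (?:invalid user )?\S+ from (\d+\.\d+\.\d+\.\d+) port \d+")
# nginx "combined" access log: ip - user [time] "METHOD target HTTP/x" status ...
NGINX_LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (\S+) [^"]*" (\d{3})')
SSH_THRESHOLD, SSH_WINDOW = 5, timedelta(seconds=60)
HOSTILE_PREFIXES = ("/.env", "/.git", "/phpmyadmin", "/wp-admin/install.php")
LOGIN_PATHS = ("/wp-login.php", "/xmlrpc.php")
# Tier 1 (5 min) and tier 10 (365 d) come from the page; tiers 2-9 are an assumed schedule.
LADDER = [timedelta(minutes=5), timedelta(minutes=15), timedelta(hours=1), timedelta(hours=6),
          timedelta(days=1), timedelta(days=3), timedelta(days=7), timedelta(days=30),
          timedelta(days=90), timedelta(days=365)]
# Assumed nft objects: set 'banned' declared with 'flags timeout'; set 'jail' has no timeout.
NFT_BAN = "nft add element inet guardian banned {{ {ip} timeout {secs}s }}"
NFT_JAIL = "nft add element inet guardian jail {{ {ip} }}"


def is_hostile(target, status):
    """Probe paths, webshell names, or a login request nginx already rejected with 429
    (the rate limit firing is how a 'wp-login flood' shows up in the access log)."""
    path = urlsplit(target).path.lower()
    if path.startswith(HOSTILE_PREFIXES) or path.endswith("/shell.php"):
        return True
    return path in LOGIN_PATHS and status == "429"


class Guardian:
    def __init__(self):
        self.ssh_failures = defaultdict(deque)  # ip -> failure timestamps inside the window
        self.offences = defaultdict(int)        # ip -> bans issued so far (= current tier)
        self.bans = {}                          # ip -> expiry, or None once jailed
        self.decisions = []                     # (ip, tier or "jail", duration) in order
        self.commands = []                      # nft commands the daemon would run and sync fleet-wide

    def is_banned(self, ip, now):
        expiry = self.bans.get(ip, now)         # unknown ip behaves like an expired ban
        return expiry is None or expiry > now

    def _ban(self, ip, now):
        """Climb one tier; past tier 10 the IP enters Guardian Jail with no expiry."""
        self.offences[ip] += 1
        tier = self.offences[ip]
        if tier > len(LADDER):
            self.bans[ip] = None
            self.commands.append(NFT_JAIL.format(ip=ip))
            self.decisions.append((ip, "jail", None))
        else:
            duration = LADDER[tier - 1]
            self.bans[ip] = now + duration
            self.commands.append(NFT_BAN.format(ip=ip, secs=int(duration.total_seconds())))
            self.decisions.append((ip, tier, duration))
        return self.decisions[-1]

    def observe_ssh(self, line, now):
        """5 failures inside any 60 s window -> ban; returns the decision or None."""
        m = SSH_FAIL.search(line)
        if not m or self.is_banned(m.group(1), now):
            return None
        window = self.ssh_failures[m.group(1)]
        window.append(now)
        while now - window[0] > SSH_WINDOW:     # forget failures older than the window
            window.popleft()
        if len(window) < SSH_THRESHOLD:
            return None
        window.clear()
        return self._ban(m.group(1), now)

    def observe_nginx(self, line, now):
        """Any hostile request -> immediate ban at the IP's next tier."""
        m = NGINX_LINE.match(line)
        if not m or self.is_banned(m.group(1), now) or not is_hostile(m.group(2), m.group(3)):
            return None
        return self._ban(m.group(1), now)


def demo():
    """Constructed log lines on TEST-NET addresses; returns the Guardian with its decisions."""
    t0 = datetime(2024, 3, 12, 10, 15, 0, tzinfo=timezone.utc)
    g = Guardian()
    for i in range(5):   # 5 failures in 16 s -> tier 1 (300 s)
        g.observe_ssh("Failed password for invalid user admin from 203.0.113.5 port 52144 ssh2",
                      t0 + timedelta(seconds=4 * i))
    for i in range(4):   # 4 failures 50 s apart: never 5 inside one 60 s window, no ban
        g.observe_ssh("Failed password for root from 198.51.100.7 port 40000 ssh2",
                      t0 + timedelta(seconds=50 * i))
    acc = '{ip} - - [12/Mar/2024:10:16:00 +0000] "{req} HTTP/1.1" {st} 0 "-" "curl/8.0"'
    g.observe_nginx(acc.format(ip="192.0.2.10", req="POST /wp-login.php", st=200), t0)   # a human: no ban
    g.observe_nginx(acc.format(ip="198.51.100.9", req="GET /.env", st=444), t0)           # probe: tier 1
    g.observe_nginx(acc.format(ip="198.51.100.9", req="POST /wp-login.php", st=429),     # back after expiry,
                    g.bans["198.51.100.9"] + timedelta(seconds=1))                         # rate-limited: tier 2
    for _ in range(10):  # 203.0.113.5 returns each time its ban lapses: tiers 2..10, then jail
        g.observe_nginx(acc.format(ip="203.0.113.5", req="GET /phpmyadmin/", st=444),
                        g.bans["203.0.113.5"] + timedelta(seconds=1))
    return g
```

A real daemon tails both logs, passes the wall clock as `now`, executes each command (and ships it to the other nodes for the fleet-wide sync), and persists `offences` across restarts so that the ladder does not reset every time the service is upgraded. One check worth keeping: if log lines keep arriving from an address the daemon believes is banned, the nftables rule is not where it thinks it is in the chain, and the first thing to verify is rule ordering rather than the detector.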
What This Means for Your Site
The practical effect: your PHP workers serve pages for your visitors rather than handling automated attacks. The XDP layer eliminates the highest-volume traffic before it touches anything. Guardian handles the long tail of probes and escalates persistent offenders out of the picture automatically.
Customers who find themselves caught by a false positive — a shared carrier IP, a developer testing from an unusual location — can contact support and we'll investigate and clear it immediately.