- 01 Install
One command. 10 seconds.
Downloads SHA-256 verified binaries, creates a dedicated service user, starts sensor + agent. 22 eBPF kernel hooks activate immediately. Everything begins in observe-only mode.
curl -fsSL https://innerwarden.com/install | sudo bash
Want to inspect first? Run curl -fsSL https://innerwarden.com/install | less
- 02 Setup
The wizard does the hard work
One interactive command configures everything: AI provider, Telegram alerts, protection modules, notification sensitivity, and mesh network. Skip anything and configure later. The wizard adds your IP to the allowlist, enables SSH protection, sets up IP blocking, and configures notifications in one go.
innerwarden setup
The wizard detects your server's services automatically and recommends which modules to enable. You can re-run it anytime.
- 03 Assess
Know your security score
The harden command checks SSH config, firewall, kernel parameters, file permissions, pending updates, Docker, and services. Gives you a score out of 100 with copy-paste commands to fix each finding.
innerwarden harden
Read-only. Checks but never changes anything on your system.
- 04 Harden
Fix what the audit found
Start with the high-severity findings: disable SSH password auth, block root login, enable the firewall, apply security updates. The harden output gives you the exact commands.
Before disabling password auth, make sure you have SSH key access configured. Locking yourself out of a remote server is not fun.
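A check to run alongside the SSH edits in this step, as an added example that is not InnerWarden code: the `sed` patterns used here skip indented or `# `-prefixed lines and change nothing when the directive is absent, so this sketch applies the same pattern and then confirms the value sshd would actually read. The function names and the sample config are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example, not InnerWarden code. Function names are hypothetical.

# Print the value sshd would read for KEY ($2) from FILE ($1).
# sshd uses the first active (uncommented) occurrence of a keyword.
effective_value() {
    awk -v k="$2" 'tolower($1) == tolower(k) { print tolower($2); exit }' "$1"
}

# Set KEY ($2) to "no" in FILE ($1) with the same sed pattern as this step,
# then verify; if the pattern missed, prepend the directive so it is read first.
force_no() {
    fn_tmp=$(mktemp) || return 1
    sed "s/^#*$2.*/$2 no/" "$1" > "$fn_tmp" && cat "$fn_tmp" > "$1"
    if [ "$(effective_value "$1" "$2")" != "no" ]; then
        { printf '%s no\n' "$2"; cat "$1"; } > "$fn_tmp" && cat "$fn_tmp" > "$1"
    fi
    rm -f "$fn_tmp"
}

# Constructed sample config: one indented directive and one "# "-commented
# directive, both of which the plain sed pattern leaves untouched.
demo_cfg=$(mktemp)
printf '%s\n' 'Port 22' '  PasswordAuthentication yes' \
    '# PermitRootLogin prohibit-password' > "$demo_cfg"
for key in PasswordAuthentication PermitRootLogin; do
    force_no "$demo_cfg" "$key"
    echo "$key -> $(effective_value "$demo_cfg" "$key")"
done
rm -f "$demo_cfg"
```

On a real host, `sudo sshd -t` validates the file before the restart, and `sudo sshd -T | grep -i passwordauthentication` prints the value in effect after any `Include` files are read.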
sudo sed -i 's/^#*PasswordAuthentication.*/PasswordAuthentication no/' /etc/ssh/sshd_config && sudo systemctl restart sshd
sudo sed -i 's/^#*PermitRootLogin.*/PermitRootLogin no/' /etc/ssh/sshd_config && sudo systemctl restart sshd
sudo ufw allow OpenSSH && sudo ufw --force enable
sudo apt update && sudo apt upgrade -y
- 05 Observe
Watch before you act
Everything starts in dry-run. Watch the live stream for a few days. Check for false positives. Add trusted IPs and service accounts to the allowlist. This is the most important step.
innerwarden tail
innerwarden incidents
innerwarden allowlist add --ip 10.0.0.0/8
innerwarden allowlist add --user deploy
Run in dry-run for at least 48 hours on production. CI/CD, monitoring probes, and cron jobs can trigger false positives until you allowlist them.
- 06 Engage
Go live
When you trust the decisions, disable dry-run. The system starts blocking attackers at wire speed via XDP, suspending sudo for abusers, and deploying honeypots. Every action is logged, bounded by a TTL, and reversible.
From this moment, the system blocks IPs, kills processes, and suspends sudo automatically. Make sure your allowlist is complete.
innerwarden configure responder --enable --dry-run false
innerwarden test
- 07 Fortify
Add depth
Core defense is active. Now add layers: threat intelligence sharing with AbuseIPDB, edge blocking with Cloudflare, shell command audit trail. Each layer makes evasion harder.
innerwarden configure abuseipdb --key YOUR_KEY
innerwarden configure cloudflare --token YOUR_TOKEN --zone YOUR_ZONE
innerwarden enable shell-audit
innerwarden scan
innerwarden scan detects running services (Docker, nginx, fail2ban) and recommends modules to enable.
- 08 Maintain
Stay sharp
Security is not a one-time setup. Check for updates, review the audit trail, re-run the security score. The system handles daily defense automatically, but you should verify and adapt.
innerwarden upgrade
innerwarden harden
innerwarden report
innerwarden mesh enable
Run innerwarden harden after every system update. New packages can introduce new attack surface.
Your server is a fortress.
22 eBPF kernel hooks watching every syscall. Dozens of detectors running in parallel. Kill chain detection blocking attacks before they complete. Hash-chained audit trail recording every decision. And you configured it all in 8 steps.
Something new? Run innerwarden scan to discover what else you can protect. Run innerwarden harden to check your score. The system adapts. So should your defenses.