If you've ever hardened a fresh Linux server, you know the drill:
- lock down SSH
- baseline firewall rules
- configure fail2ban
- add honeypot/tripwire signals
- harden kernel/sysctl settings
- keep the setup reproducible across machines
Most teams do this with scattered shell snippets, old runbooks, and memory.
That works—until you need consistency, speed, and repeatability.
So I built WatchClaw.
GitHub: https://github.com/kashifeqbal/watchclaw
curl -fsSL https://raw.githubusercontent.com/kashifeqbal/watchclaw/main/install.sh | bash
What is WatchClaw?
WatchClaw is a modular Linux security hardening toolkit.
It turns a fresh VPS into a hardened, monitored, self-defending system in minutes.
At a high level, it combines:
- baseline hardening (SSH, firewall, fail2ban, kernel)
- deception + detection (Cowrie honeypot + canary tripwires)
- threat intelligence (import/export feeds + cross-node sharing)
- plain-English reporting and alerting
CLI:
watchclaw
Example output:
SYSTEM HEALTH: OK
SECURITY STATUS: LOW
Risk Meaning: Normal background noise
Action Right Now: No action needed
Active Threat Score (last 30m): 23.0
Top Offender (last 30m): 203.0.113.42 (18.0 in 30m)
Modes
WatchClaw supports two operating modes:
- Standalone: pure bash + cron workflows, no agent dependency
- With OpenClaw Agents: adds AI-powered analysis and richer automation workflows
Design Goals
I designed WatchClaw to be:
- Opinionated, but transparent
  - sensible defaults
  - plain shell under the hood
  - easy to inspect and customize
- Modular
  - enable components independently
  - avoid all-or-nothing hardening scripts
- Operationally practical
  - immediate hardening value
  - post-change service health checks
  - human-readable reports
Current Modules
WatchClaw currently ships with:
- ssh-harden — moves SSH off port 22, disables password auth, key-only access
- ufw-baseline — minimal firewall rules, deny-all default
- fail2ban — auto-ban repeated auth failures
- cowrie — SSH honeypot that catches and scores attackers
- kernel — 29 sysctl hardening settings (SYN flood, ASLR, anti-spoofing)
- canary — fake sensitive files that alert on access (tripwires)
- threat-feed — import/export IP blocklists
- sync — share threat data across multiple nodes
Together, these cover baseline hardening, lightweight deception, and cross-node threat coordination.
What You Get
Recent updates made WatchClaw significantly more production-ready:
- one-command installer (install.sh) with --standalone, --with-agents, --modules, and --dry-run
- score-based ban policy with escalation:
  - score ≥25 → 24h ban
  - score ≥75 → 7d ban
  - score ≥150 → permanent ban
  - instant ban for successful honeypot login attempts
- rolling threat scoring + score decay + stale threat pruning
- IP enrichment (ASN/geo/reputation cache)
- plain-English posture reports for quick operator decisions
- exportable blocklists and sync across nodes
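To make the escalation policy and the decay/pruning step concrete, here is an added example in plain shell (not WatchClaw's own code) that maps a rolling score to a ban duration using the thresholds listed above, applies one decay interval, and prunes stale entries. The function names, the decay factor and the pruning floor are assumptions; the IPs are constructed sample data.

```shell
#!/usr/bin/env bash
# Added example, not WatchClaw's own code: score-based ban escalation plus
# score decay and stale-entry pruning as described in the post.
# Function names, decay factor (0.5) and pruning floor (5) are assumptions.
set -eu

# Map one rolling threat score to a ban duration using the post's thresholds.
# A successful honeypot login (second argument = 1) is an instant permanent ban.
ban_policy() {
  local score="$1" honeypot_login="${2:-0}"
  if [ "$honeypot_login" = "1" ]; then
    echo permanent
    return
  fi
  # Scores are decimals (e.g. 23.0), so compare numerically with awk.
  awk -v s="$score" 'BEGIN {
    if (s >= 150) { print "permanent" }
    else if (s >= 75) { print "7d" }
    else if (s >= 25) { print "24h" }
    else { print "none" }
  }'
}

# Decay every score by a factor per interval and prune entries that fall below
# a floor. Input lines: "<ip> <score>"; output lines: "<ip> <score>".
decay_scores() {
  local factor="$1" floor="$2"
  awk -v f="$factor" -v fl="$floor" '
    { s = $2 * f; if (s >= fl) printf "%s %.1f\n", $1, s }'
}

# Evaluate a score table of "<ip> <score> <honeypot_login>" lines, emitting
# "<ip> <score> <action>" so a cron job could hand the bans to fail2ban/ufw.
evaluate_table() {
  local ip score login
  while read -r ip score login; do
    printf '%s %s %s\n' "$ip" "$score" "$(ban_policy "$score" "$login")"
  done
}

# Constructed sample input (not real data): three IPs with different scores.
sample_scores() {
  printf '203.0.113.42 18.0 0\n198.51.100.7 80.0 0\n192.0.2.9 3.0 1\n'
}

echo "== actions =="
sample_scores | evaluate_table
echo "== after one decay interval (factor 0.5, floor 5) =="
sample_scores | awk '{ print $1, $2 }' | decay_scores 0.5 5
```

The third sample IP has a low score but a successful honeypot login, so it is banned permanently regardless of score; after decay, the 3.0 and 18.0 entries fall to 1.5 and 9.0, and only the one above the floor survives.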
Why Canary Tokens Matter
Hardening reduces attack surface.
Canaries improve detection confidence.
WatchClaw's canary layer is intentionally simple: if something touches a file that should never be touched, that signal should be immediate and obvious.
This is less about flashy threat intelligence and more about reducing time-to-awareness.
Real Numbers from a Real Server
WatchClaw isn't theoretical. It's been running on a $14/month Contabo VPS for weeks. In one 24-hour period: 87 unique attacker IPs, 281 honeypot login attempts, 1,052 commands executed in the honeypot, 10 tunnel attempts, and 67 IPs auto-banned. Zero breaches on the real SSH port.
Why Another Security Tool?
Because many teams don't need a heavyweight platform to improve security.
They need:
- reliable baseline hardening
- clear, reversible scripts
- enough detection + response to avoid blind spots
- a system they can run and understand without a SOC
WatchClaw is built for that middle ground.
Roadmap (Near Term)
- install validation on fresh VPS images
- improved drift detection and rollback
- richer feed quality controls and trust scoring
- public threat blocklist feed (watchclaw-threats repo)
Final Thought
Security maturity rarely comes from one dramatic upgrade.
It comes from repeatable controls, fast feedback loops, and steady iteration.
That's what WatchClaw is for.
If you want to review or contribute, check the repo and open an issue or PR: