¶ System Architecture
Here is the Defend-O-Tron system architecture based on the protection flow. Most of the supporting components run as isolated Podman containers — started, stopped, updated, and reported on by the device's do-stacks tool. The core defense components run directly in the host OS for performance and direct visibility into the data path.
¶ Defense Components (installed directly in the OS)
- Crowdsec Firewall Bouncer (NFT)
- Suricata
- NFTables and rules
- NFT Logger Ulogd2
- RSyslog
¶ Related Pages
- Protection Test — see this architecture in action against a real port-scan.
- Honeypot — the NFT rules that catch port scanners and brute-force attempts.
- Honeypot Internals — packet-flow diagrams and the NF Hooks reference.
- External Log Ingress — how the syslog architecture feeds CrowdSec.
- Compliance Reporting — how the audit subsystem captures defense activity into tamper-evident evidence.