Home
Lav edited this page Mar 30, 2026 · 4 revisions
Red team infrastructure tracker and C2 redirector -- a modern alternative to RedWarden.
InfraGuard sits between the internet and your C2 teamserver, validating every inbound request against your malleable C2 profile and blocking anything that doesn't conform. Scanners, bots, and blue team probes get redirected to a decoy site while legitimate beacon traffic passes through to your teamserver.


- Multi-domain proxying -- proxy multiple domains simultaneously, each with independent C2 profiles, upstreams, and rules
- C2 profile validation -- parse and enforce Cobalt Strike malleable profiles and Mythic HTTPX profiles as redirector rules
- Multi-protocol listeners -- HTTP/HTTPS, DNS, MQTT, and WebSocket listeners running simultaneously with shared IP intelligence and event tracking
- Scoring-based filter pipeline -- 7 filters (IP, bot, header, DNS, geo, profile, replay) each contribute a 0.0-1.0 score; configurable threshold determines block/allow
- Anti-bot / anti-crawling -- 40+ known scanner/bot User-Agent patterns, header anomaly detection
- IP intelligence -- built-in CIDR blocklists for 19 security vendor ranges (Shodan, Censys, Rapid7, etc.), GeoIP filtering, reverse DNS keyword matching
- Threat intel feeds -- auto-update blocklists from public sources (abuse.ch, Emerging Threats, Spamhaus DROP, Binary Defense) with configurable refresh interval and disk caching
- Rule ingestion -- import IP blocklists and User-Agent patterns from existing `.htaccess` and `robots.txt` files
- Dynamic IP blocking -- block IPs outside whitelisted ranges; auto-whitelist IPs after N valid C2 requests
- Content delivery routes -- serve payloads, decoys, and static files at specific paths via PwnDrop, local filesystem, or HTTP proxy backends, with optional conditional delivery (real content to targets, decoys to scanners)
- Drop actions -- redirect, TCP reset, proxy to decoy site, or tarpit (slow-drip response to waste scanner time)
- Web dashboard -- real-time SPA with login page, live request feed, domain stats, top blocked IPs, authenticated WebSocket event streaming
- Terminal UI -- Textual-based TUI with login screen, live API polling, color-coded request log
- SIEM integration -- built-in plugins for Elasticsearch, Wazuh, and Syslog (CEF/JSON) with batched forwarding
- Webhook alerts -- built-in plugins for Discord (embeds), Slack (Block Kit), and generic webhook (Rocket.Chat, Mattermost, Teams)
- Plugin system -- event-driven architecture with `on_event` hooks, per-plugin config, event filtering (`only_blocked`, `min_score`, domain include/exclude)
- Backend config generation -- generate Nginx, Caddy, or Apache configs with full operator customization (TLS, IP filtering, header checks, aliases, custom headers)
- Edge proxies -- lightweight Cloudflare Worker and AWS Lambda for domain fronting through CDN infrastructure, edge country blocking, and host rewriting
- Docker deployment -- Dockerfile + docker-compose with optional Let's Encrypt, GeoIP downloader, and PwnDrop payload server
- GeoIP support -- all three GeoLite2 databases (City, ASN, Country) with Docker auto-download
- Self-signed TLS fallback -- auto-generates certificates when configured paths don't exist
- Environment variable support -- `.env` file auto-loaded; `${VAR}` syntax works in all config values and keys
- Configurable health endpoint -- change the health check path to avoid fingerprinting
- Structured logging -- JSON-formatted structured logs via structlog
- Tracking & persistence -- SQLite with WAL mode for request logging, statistics, and node registry