Linux servers are under nonstop pressure from brute-force attacks, scanners, botnets, and automated exploitation attempts. A basic firewall is no longer enough — you need fast automated blocking, clear rule control, and threat intelligence that helps you stop attackers earlier.
We’re excited to announce Malware.Expert Firewall (MEF) — a free, ultra-lightweight Linux firewall and automatic IP ban engine. MEF is a simple, modern alternative to UFW, CSF, and Fail2Ban, combining persistent firewall management with dynamic log-based auto-banning and optional cloud-driven protection.
Get started:
MEF Firewall Product Page
GitHub Repository
What Makes MEF Different?
MEF is built for real operations: predictable behavior, minimal overhead, and fast reaction to abuse — without a heavy stack of dependencies. It’s designed and tested on modern Linux systems and works with distributions providing nftables (preferred) or iptables (fallback).
- Persistent firewall management with a clear rules format (
/etc/mef/mef.rules) - Dynamic Auto-Ban engine (mefdaemon) monitoring
systemd-journald(journalctl) and/or log files - Nftables-native design with iptables fallback where needed
- IPv4 + IPv6 dual-stack readiness
- Ultra-lightweight: no Python/Perl stack, minimal CPU/memory footprint
Cloud Protection (Community Cloud Intelligence)
MEF includes optional Community Cloud Protection — a cloud-driven threat lookup feature that helps block known malicious IPs faster. When enabled, MEF can apply cloud-backed reputation decisions locally, helping you stay ahead of rapidly rotating attacker infrastructure.
- Optional cloud threat lookups (
community_cloud_protection) for known-bad IP blocking - Port-scoped control (e.g., protect only SSH/HTTPS, or all ports)
- Fast lookups with caching (positive/negative/error TTLs) to keep overhead low
Multi-Layer Defense Built In
MEF doesn’t rely on a single signal. It supports multiple layers that work together:
- Log-based auto-banning (Fail2Ban-style) for services like SSH, mail, web, and more
- RBL/DNSBL enforcement: proactively block known malicious IPs via DNS-based lists before abuse escalates
- Port Scan Detection (PS): detect scanning behavior by tracking unique destination ports over time
- Flexible allow/deny lists with automatic reload for controlled access management
Modular by Design: Use What You Need
MEF is split into two independent services. You can run them together or separately depending on your environment:
- mef: persistent firewall rules service (runs at boot, loads policy from
/etc/mef/mef.rules) - mefdaemon: continuous auto-ban service (monitors journal/log files, enforces dynamic bans)
This makes MEF useful both as a complete firewall solution and as a modern, lightweight Fail2Ban replacement.
Safe Deployment: Built to Prevent Lockouts
MEF is designed to be safe to roll out. Both services are disabled by default to prevent accidental lockout during installation, and rule application supports a rollback-style confirmation flow.
Who Is MEF For?
- Sysadmins and developers managing public Linux servers
- Hosting providers fighting constant brute-force and scanning traffic
- Cloud infrastructure teams wanting automated protection with optional cloud intelligence
- Anyone who wants strong security with minimal maintenance and overhead
Get MEF Firewall Today
If you want a modern, lightweight firewall with auto-ban, RBL/DNSBL, port scan detection, and optional cloud protection, MEF is built for you.
Links:
MEF Firewall Overview
GitHub Repo