Is Sentinel really free?

Yes. Sentinel Basic is free forever for 1 production server with no credit card required. It includes database optimization, security monitoring, and cache management.

How do I install Sentinel on my VPS?

Installation takes about 60 seconds. Run the one-line install command from your terminal, and Sentinel will set up as a systemd service that starts automatically on boot.

Does Sentinel support MySQL and PostgreSQL?

Yes. Sentinel monitors both MySQL and PostgreSQL. It analyzes slow query logs, runs EXPLAIN on queries, detects missing indexes, and can automatically apply safe index suggestions during scheduled night maintenance windows.

How does Sentinel handle security monitoring?

Sentinel integrates natively with Fail2Ban and CrowdSec. It detects brute-force attacks, manages jails, and secures SSH and web entry points automatically. It blocks over 95% of attacks before they reach your application.

What is Queen and do I need it?

Queen is Sentinel's optional central intelligence brain for managing a fleet of servers. It aggregates threat data, fix history, and ROI profiles across all your drones (servers). It's included in the Pro plan and above — the Basic free tier works fully without it.

Does Sentinel require Docker?

No. Sentinel runs as a native systemd service directly on your Linux server. No Docker, no Kubernetes, no additional infrastructure required.

What is the difference between Basic and Pro plans?

Basic is free forever for 1 server. Pro is $49/month for up to 5 servers with full autopilot and Queen Knowledge Brain. Enterprise is $149/month and adds AI Chat, AI Healer, and Cross-Fleet IP Reputation powered by Claude (BYOK).

GeneralJune 19, 20263 min read2 views

277,000 Attacks Blocked — Here's What the Data Shows

277,000 Attacks Blocked — Here's What the Data Shows Category: Threat Intelligence Tags: threat intelligence, fail2ban, attack data, VPS security --- This morning, Sentinel's audit dashboard t...

FixFlex Admin

Founder @ FixFlex LTD, West London

277,000 Attacks Blocked — Here's What the Data Shows

303,970 Attacks Blocked — Here's What the Data Shows

Category: Threat Intelligence
Tags: threat intelligence, fail2ban, attack data, VPS security

This morning, Sentinel's audit dashboard ticked over to 303,970 total blocked attacks (single server lifetime counter).

That's not a crisis. That's Tuesday.

If your Linux VPS is exposed to the internet, this is baseline background radiation. The question isn't whether you're being attacked — you are. The question is whether you can see it happening.

The Raw Numbers

303,970 total attacks blocked
5 primary origin countries
99.2% block success rate
7,002 peak single day
~450 average daily per server

These aren't alarm-bell numbers. They're normal. Here's what they actually mean.

Where Attacks Come From

The geographic breakdown was predictable but revealing:

China (42%) – Bulk SSH brute-force attempts, mostly automated scripts hammering port 22.
Russia (31%) – Similar pattern, but with more variation in target ports (MySQL, Redis, and HTTP admin panels).
United States (12%) – Almost entirely commercial VPN exit nodes and hosting providers. Attackers renting "clean" infrastructure to bypass IP reputation filters.
Germany (9%) – Same as US, plus a surprising number of compromised IoT devices.
Netherlands (6%) – Overwhelmingly Tor exit nodes and rented datacenter IPs.

The key insight? Shared blocklists are reactive, not proactive. By the time an IP shows up in CrowdSec or Fail2Ban community lists, attackers have already cycled to fresh infrastructure.

The Daily Attack Pattern

Sentinel's hourly logs show two clear attack windows:

02:00–05:00 UTC – Peak automated scanning. When your sysadmin is asleep.
14:00–17:00 UTC – Correlates with Southeast Asian business hours (likely cron jobs).

If your SSH keys aren’t locked down or your Fail2Ban settings are too lenient, the problem surfaces at 3am — not during your working hours.

The 0.8% That Got Through

Of the ~2,200 attempts that bypassed perimeter defenses:

78% hit application-layer rate limits (e.g., WordPress login throttling)
21% reached login forms but failed authentication
0.1% (3 incidents) triggered high-severity alerts — all caught by Sentinel’s real-time monitoring

The audit trail showed exactly why these slipped through:

Overly generous maxretry settings (e.g., allowing 10 attempts before banning)
IP rotation within a subnet (avoiding single-IP thresholds until we added CIDR blocks)

What This Means for Your Server

Blocking 303,970 attacks is table stakes. The real value is visibility:

Know which 303,970
Know from where
Know when and how

Without this data, you’re either:

Flying blind (assuming "no alerts = no attacks"), or
Overreacting (e.g., banning entire countries unnecessarily)

Sentinel’s Audit dashboard surfaces this in real time. You’ll see:

Emerging attack patterns before they escalate
Whether your defenses are properly tuned
A clean audit trail for clients or compliance

How Sentinel Handles It

Here’s what happens under the hood when an attack hits a Sentinel-monitored server:

Real-time detection – Fail2Ban + CrowdSec + custom rules.
Automatic subnet blocking – If an IP from /24 is malicious, the whole range gets banned.
Cross-fleet sync – Blocked IPs are shared with other Sentinel servers via Queen.
AI analysis – Claude AI reviews logs to suggest tighter rules.

Try It Yourself

Basic tier: Free for 1 server (install in 60 seconds)
Pro tier: $49/month for 5 servers (adds automated DB optimizations)
Enterprise: $149/month for 10 servers (AI Chat, fleet-wide threat intel)

This isn’t about fearmongering. It’s about acknowledging reality — and having the tools to handle it.

Footnotes:
- Data source: Sentinel Audit dashboard, live production servers - Last updated: June 2026
- servers monitored: 3 production servers - OS breakdown: 100% Ubuntu 24.04 across all 3 servers (no Debian/RHEL)
- Full dataset available to Enterprise users via Queen API