Rivet Documentation

Everything you need to install, configure, and use Rivet — your AI security agent.

01 — Installation

One command. Takes about 60 seconds on a fresh server.

Requirements: Ubuntu 22.04 or 24.04, root access via SSH, minimum 256MB free RAM.

1. SSH into your server

Open Terminal (Mac/Linux) or PowerShell (Windows) and connect:

ssh root@your-server-ip

2. Run the install command

Paste your license key into this command and run it:

curl -fsSL https://rivet-security.com/install.sh | bash -s -- --key YOUR-LICENSE-KEY

That's it. The script installs Docker (if needed), pulls the Rivet engine, configures the responder, and starts everything automatically.

3. Open the dashboard

When installation finishes, you'll see:

✅ Rivet installed successfully!
   Dashboard: http://your-server-ip:3000
   Engine:    running
   Responder: running
   Watching:  /var/log/auth.log

   Your server is now protected.

Open http://your-server-ip:3000 in your browser.

02 — First setup (3 minutes)

After installation, do these three things to get the most out of Rivet.

1. Whitelist your IP

Go to Settings → Engine → Whitelist IP and add your IP address. This prevents Rivet from accidentally blocking you if you mistype your password.

Don't know your IP? Google "what is my ip" — add that address.

2. Set up alerts

Go to Settings → Notifications and add at least one alert channel. When Rivet blocks an attack, you'll get a notification instantly.

Easiest options:

Slack: paste a webhook URL (setup guide in section 09).
Discord: paste a webhook URL (setup guide in section 10).
Email: SMTP server details (setup guide in section 11).
Telegram: bot token + chat ID (setup guide in section 12).

3. Done — Rivet is protecting your server

That's all. Rivet monitors your SSH logs 24/7, blocks brute-force attacks automatically, and sends you alerts. You don't need to do anything else.

03 — Verify it works

Run this on your server to check that everything is running:

curl -s -H 'X-API-Key: YOUR-API-KEY' http://localhost:3000/health

You should see:

{"ok": true, "status": "running"}

Check the dashboard — go to Status. You should see:

Engine: running — Docker container active
Responder: running — blocking service active

Both must be green. If either shows "stopped", check Troubleshooting.

04 — Dashboard: Status

The main view. Shows your server's security at a glance.

Engine panel (left)

Shows the Docker container running the detection engine: container name, image version, uptime, CPU, memory, restarts. If restarts > 0, something crashed — check Troubleshooting.

Responder panel (right)

Shows the host process that executes firewall rules: PID, user (root), which log file it's watching, how many nftables rules are active, memory usage.

Stats cards

Card             What it shows
Threats blocked  Total attacks blocked in the last 24 hours
Nftables rules   How many IPs are currently blocked in the firewall
Alerts sent      How many notifications sent in the last 24 hours
Failed auth      Failed SSH login attempts in the last hour

Live SSH log stream

Real-time feed from /var/log/auth.log. Color codes:

Label  Meaning
OK     Successful login (you or your team)
WARN   Failed login attempt (possible attack)
ERR    IP blocked by Rivet
INFO   Connection event (neutral)

05 — Dashboard: Alerts

History of all security events. Each alert shows:

Column     What it means
Time       When the event happened
Type       brute-force, blocked, or suspicious
Source IP  Where the attack came from
Username   Which account was targeted (usually root)
Channel    Where the alert was sent (Slack, email, etc.)

The badge number on "Alerts" in the sidebar shows unread alerts since your last visit.

06 — Dashboard: Blocked IPs

All IPs currently blocked in your firewall. Each entry shows the IP address, when it was blocked, and how many failed attempts triggered the block.

Unblocking an IP

If you accidentally got blocked (or a client did), click the Unblock button next to the IP. The firewall rule is removed immediately.

Locked out? If you blocked yourself and can't access the dashboard: SSH from a different IP (phone hotspot, VPN, or a different server) and run:

curl -X POST -H 'X-API-Key: YOUR-KEY' http://localhost:3000/unblock/YOUR.BLOCKED.IP

07 — Dashboard: SSH Logs

Full scrolling view of your SSH authentication log. Updates every 3 seconds. Use this to see exactly who is trying to access your server and from where.

Each line shows: timestamp, source IP, username attempted, and result (success, fail, blocked).

08 — Dashboard: Settings

Notifications

Configure where Rivet sends alerts. You can enable multiple channels at once. See detailed setup guides: Slack, Discord, Email, Telegram.

Engine configuration

Setting          Default      What it does
Block threshold  14 attempts  How many failed logins before Rivet blocks the IP. Lower = more aggressive.
Auto-unblock     24 hours     Blocked IPs are automatically removed after this time. Set to 0 for permanent blocks.
Whitelist        empty        IPs that will never be blocked. Add your own IP here.

Recommendation: Keep the default threshold at 14. It catches real attacks without false positives. Only lower it if you're seeing attacks that slip through.
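
To see what the default threshold of 14 and a whitelist entry mean on your own log, the added example below (not Rivet's detection code, and not from the Rivet project) counts failed SSH password attempts per source IP in auth.log format and lists the addresses that would cross the threshold. It assumes a block triggers once the count reaches the threshold; the function names and the sample log lines are constructed for illustration.

```shell
#!/bin/sh
# Added illustration, not Rivet's detection code.
# Assumption: an IP is blocked once its failure count reaches the threshold.

# Usage: would_block THRESHOLD "IP IP ..." < auth.log
# Prints "IP COUNT" for each non-whitelisted source at or above THRESHOLD.
would_block() {
    awk -v threshold="$1" -v whitelist="$2" '
    BEGIN {
        n = split(whitelist, w, " ")
        for (i = 1; i <= n; i++) allowed[w[i]] = 1
    }
    # sshd ends these lines with "from <ip> port <n> ssh2". Read the IP from
    # the tail of the line: the username before it is client-supplied text.
    /sshd\[[0-9]+\]: Failed password for / && NF >= 5 &&
    $(NF-4) == "from" && $(NF-2) == "port" {
        fails[$(NF-3)]++
    }
    END {
        for (ip in fails)
            if (fails[ip] >= threshold && !(ip in allowed))
                print ip, fails[ip]
    }' | LC_ALL=C sort
}

# Constructed sample in auth.log format (documentation-range addresses).
sample_log() {
    repeat() {  # repeat COUNT LINE
        i=0
        while [ "$i" -lt "$1" ]; do echo "$2"; i=$((i + 1)); done
    }
    repeat 15 "Mar  3 10:15:01 web1 sshd[2101]: Failed password for root from 203.0.113.7 port 52314 ssh2"
    repeat 20 "Mar  3 10:16:40 web1 sshd[2188]: Failed password for deploy from 192.0.2.10 port 50111 ssh2"
    repeat 2 "Mar  3 10:17:05 web1 sshd[2190]: Failed password for invalid user admin from 198.51.100.20 port 40022 ssh2"
    # Username that itself contains "from <ip> port": only the tail counts.
    echo "Mar  3 10:17:09 web1 sshd[2191]: Failed password for invalid user x from 203.0.113.99 port 1 ssh2 from 198.51.100.20 port 40023 ssh2"
    echo "Mar  3 10:18:00 web1 sshd[2200]: Accepted publickey for deploy from 192.0.2.10 port 50112 ssh2: ED25519 SHA256:CONSTRUCTED"
}

# Default threshold of 14 with 192.0.2.10 whitelisted.
sample_log | would_block 14 "192.0.2.10"
```

On a real server, run it as would_block 14 "YOUR.IP" < /var/log/auth.log; an address you expect to be whitelisted should never appear in the output.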

09 — Set up Slack alerts

1. Create a Slack webhook

Go to api.slack.com/messaging/webhooks → "Create an Incoming Webhook" → choose a channel (e.g. #security) → copy the webhook URL.

2. Paste in Rivet

Dashboard → Settings → Notifications → Slack → paste the webhook URL → click Save.

3. Test it

Click "Send test alert". You should see a message in your Slack channel within seconds.

10 — Set up Discord alerts

1. Create a Discord webhook

Server Settings → Integrations → Webhooks → "New Webhook" → choose a channel → copy the webhook URL.

2. Paste in Rivet

Dashboard → Settings → Notifications → Discord → paste the URL → Save.

11 — Set up Email alerts

You need an SMTP server. Gmail, Outlook, or any SMTP provider works.

Field      Example (Gmail)
SMTP Host  smtp.gmail.com
SMTP Port  587
Username   you@gmail.com
Password   App password (not your Gmail password)
From       you@gmail.com
To         alerts@yourdomain.com

Gmail users: You need an App Password, not your regular password. Go to Google Account → Security → 2-Step Verification → App passwords → generate one for "Mail".

12 — Set up Telegram alerts

1. Create a Telegram bot

Message @BotFather on Telegram → /newbot → follow the prompts → copy the bot token.

2. Get your chat ID

Message @userinfobot on Telegram → it replies with your chat ID (a number).

3. Paste in Rivet

Dashboard → Settings → Notifications → Telegram → paste bot token + chat ID → Save.

13 — REST API

Every request requires the X-API-Key header. Your API key was shown during installation.

Method  Endpoint      What it does
GET     /health       Check if engine is running
GET     /logs         Last 100 SSH log entries
GET     /alerts       All security alerts
GET     /blocked-ips  Currently blocked IPs
POST    /unblock/:ip  Remove an IP from block list

Examples

# Check status
curl -H 'X-API-Key: YOUR-KEY' http://localhost:3000/health

# Get blocked IPs
curl -H 'X-API-Key: YOUR-KEY' http://localhost:3000/blocked-ips

# Unblock an IP
curl -X POST -H 'X-API-Key: YOUR-KEY' http://localhost:3000/unblock/185.220.101.42

# Get alerts from last 24h
curl -H 'X-API-Key: YOUR-KEY' 'http://localhost:3000/alerts?period=24h'

14 — Uninstall

If you need to remove Rivet from your server:

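# Stop services
docker stop rivet-engine
systemctl stop rivet-responder
systemctl disable rivet-responder

# Remove the stopped container (docker rmi refuses while a container still references the image)
docker rm rivet-engine

# Remove files
rm -rf /var/lib/rivet
rm /etc/systemd/system/rivet-responder.service
systemctl daemon-reload

# Remove nftables rules
nft delete table inet rivet

# Remove Docker image
docker rmi rivet-engine:latest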

15 — Troubleshooting

Dashboard shows blank / black screen

Open browser dev tools (F12 → Console). If you see JavaScript errors, restart the engine:

cd /var/lib/rivet && docker compose up -d --build

Engine shows "stopped"

Check Docker logs:

docker logs rivet-engine --tail 50

Common causes: port 3000 already in use, Docker out of disk space, corrupted database.

Responder shows "stopped"

systemctl status rivet-responder
journalctl -u rivet-responder --since "10 min ago"

Common cause: responder needs root. Check it runs as root.

I blocked my own IP

Option 1: SSH from a different IP (phone hotspot) and unblock via dashboard.

Option 2: From another server or connection:

curl -X POST -H 'X-API-Key: YOUR-KEY' http://YOUR-SERVER:3000/unblock/YOUR.IP

Option 3: If you have console access (Hetzner Cloud Console), log in and run:

nft delete element inet rivet blocked { YOUR.IP }

Alerts not arriving

Check Settings → click "Send test alert" for your channel. If the test works but real alerts don't, the engine might not be detecting attacks yet — wait for real traffic or simulate:

# From a DIFFERENT server, try 15 fake logins (this will trigger a block)
for i in $(seq 1 15); do ssh fake@YOUR-SERVER-IP; done

Port 3000 not accessible from outside

Your cloud provider's firewall probably blocks it. Options:

1. Open port 3000 in your provider's firewall panel (Hetzner, DigitalOcean, AWS, etc.)

2. Use an SSH tunnel (more secure): run ssh -L 3000:localhost:3000 user@your-server, then open http://localhost:3000

3. Set up Nginx reverse proxy with SSL (recommended for production).

16 — FAQ

Does Rivet slow down my server?
No. The engine uses about 12MB RAM and 0.2% CPU. It reads logs passively — it doesn't intercept SSH connections or add latency.

What happens if Rivet crashes?
Docker automatically restarts the engine container. The responder runs as a systemd service with auto-restart. Your existing nftables rules stay active even if Rivet is down — blocks persist until you remove them.

Can I use Rivet on multiple servers?
Each license covers one server. For multiple servers, you need a license per server. Contact support for volume discounts.

Does Rivet work alongside fail2ban?
Yes, but it's not recommended. Both tools watch the same logs and block IPs, which can cause conflicts. Rivet replaces fail2ban — you can safely remove it.

Does Rivet send my data anywhere?
No. Everything runs on your server. No cloud dependency, no external APIs, no telemetry. Your SSH logs never leave your machine.

Does Rivet need internet access?
Only for the initial install (pulling Docker image) and for sending alerts to external services (Slack, Discord, email). The detection and blocking engine works fully offline.

What Linux distros are supported?
Officially Ubuntu 22.04 and 24.04. It will likely work on Debian 12+ and other systemd-based distros, but these are not tested.

Can I change the dashboard port?
Yes. Edit /var/lib/rivet/.env and change API_PORT=3000 to your preferred port, then restart: docker compose up -d

How do I update Rivet?
Run the install command again with the same license key. It pulls the latest version and preserves your configuration and database.

Need help? Email support@rivet-security.com or open an issue on GitHub.