Introducing SikkerGuard — Automatic Firewall Protection in a Docker Container
We just shipped SikkerGuard — a Docker container that pulls known malicious IPs from SikkerAPI and blocks them at the kernel level using iptables and ipset. One container, one API key, zero ongoing maintenance.
If you run a Linux server, you can now have threat-intelligence-powered firewall blocking running in under 60 seconds:
```yaml
services:
  sikkerguard:
    image: sikkerapi/guard:latest
    network_mode: host
    cap_add:
      - NET_ADMIN
      - SYSLOG
    devices:
      - /dev/kmsg:/dev/kmsg
    env_file:
      - .env
    restart: unless-stopped
```

```
docker compose up -d
```

That's the entire setup. SikkerGuard handles everything else: pulling the blacklist, creating ipset sets, adding iptables rules, monitoring blocked connections, reporting back to SikkerAPI, and cleaning up when you stop it.
What Problem This Solves
We already had integration guides for iptables/ipset and Nginx — shell scripts plus cron jobs that fetch the blacklist API and apply rules. They work, but they're manual. You write a cron entry, manage persistence across reboots, handle error cases in bash, and hope nothing breaks at 3 AM.
SikkerGuard replaces that entire workflow with a single Docker container that does the same thing — plus safety checks, automatic rollback, real-time block logging, and reporting — without you writing or maintaining any scripts.
The sikker CLI is another option for scripted blocking, but it's a building block, not a daemon. SikkerGuard is the "set it and forget it" version.
How It Works
SikkerGuard runs a continuous loop with three phases:
1. Pull
Every pull interval (default: 24 hours), SikkerGuard fetches your blacklist from the Blacklist API:
```
GET /v1/key/blacklist?plaintext=true&scoreMinimum=50
```

The scoreMinimum is configurable — set SIKKER_SCORE_MIN=80 to only block high-confidence threats, or lower it to cast a wider net. IPs are ranked by confidence score, which combines observed honeypot attacks with community-reported incidents.
The response is validated before anything touches your firewall:
- Empty responses are rejected (treated as an API error, not as "no threats")
- Sudden list growth beyond 2x the previous size is rejected
- RFC1918 addresses (private ranges) are stripped
- Anything on the safety whitelist is removed
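The four validation checks above, as an added example in Python (not SikkerGuard's own code). It assumes the plaintext response is one IP or CIDR per line; the sample body and the function names are constructed for illustration.

```python
import ipaddress

# Ranges that are never blocked: RFC1918 plus loopback, matching the post's auto-whitelist.
NEVER_BLOCK = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "::1/128")]

# Constructed plaintext response (documentation-range addresses, one entry per line).
SAMPLE_BODY = """\
203.0.113.5
198.51.100.0/24
10.1.2.3
192.168.1.1

192.0.2.10
not-an-ip
"""


class BlacklistRejected(Exception):
    """The whole pull is discarded; the live set stays exactly as it is."""


def validate_blacklist(body, previous_count, whitelist=()):
    """Return the networks safe to load into the staging set, or raise BlacklistRejected.

    body           -- raw plaintext API response
    previous_count -- entries in the currently live set (0 on the first run)
    whitelist      -- operator entries (SIKKER_WHITELIST) plus auto-detected hosts
    """
    entries = []
    for line in body.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        try:
            entries.append(ipaddress.ip_network(line, strict=False))
        except ValueError:
            continue  # one malformed line should not abort the pull
    if not entries:  # an API error looks like an empty body; it is not "no threats"
        raise BlacklistRejected("empty blacklist response")
    if previous_count and len(entries) > 2 * previous_count:
        raise BlacklistRejected(f"list grew from {previous_count} to {len(entries)}")
    protected = NEVER_BLOCK + [ipaddress.ip_network(w, strict=False) for w in whitelist]
    # Drop any entry overlapping a protected range, including a wide CIDR that would
    # cover it: a poisoned entry covering your gateway is exactly how you get locked out.
    return [e for e in entries
            if not any(e.version == p.version and e.overlaps(p) for p in protected)]


def rejection_reason(body, previous_count, whitelist=()):
    """The rejection message for a pull, or None when it is accepted."""
    try:
        validate_blacklist(body, previous_count, whitelist)
    except BlacklistRejected as exc:
        return str(exc)
    return None
```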
2. Apply
Validated IPs are loaded into a staging ipset and atomically swapped with the live set. There is no window where rules are partially applied — the old blocklist stays active until the new one is fully loaded.
After the swap, SikkerGuard runs a connectivity self-test:
- Ping the default gateway
- Resolve DNS
- Reach the SikkerAPI endpoint
If any test fails, the rules are rolled back immediately. You never lose connectivity because of a bad blocklist update.
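The staging-set swap and rollback described in this phase, as an added Python example (not SikkerGuard's code). The set names, the `run` and `self_test` callables and the `recording_runner` helper are assumptions; in production `run` executes ipset as root and `self_test` performs the gateway, DNS and API checks.

```python
import subprocess

LIVE = "sikker_block"       # set referenced by the iptables DROP rule (assumed name)
STAGING = "sikker_staging"  # filled completely before it is swapped in (assumed name)


def ipset_restore_script(networks, name):
    """Build `ipset restore` input that creates and fills one hash:net set."""
    lines = [f"create {name} hash:net family inet", f"flush {name}"]
    lines += [f"add {name} {net}" for net in networks]
    return "\n".join(lines) + "\n"


def shell_run(cmd, stdin=None):
    """Default runner: execute ipset, raising on a non-zero exit."""
    subprocess.run(cmd, input=stdin, text=True, check=True)


def recording_runner(log):
    """Runner that only records commands, the way a dry-run mode would."""
    return lambda cmd, stdin=None: log.append(cmd)


def apply_blocklist(networks, self_test, run=shell_run):
    """Load networks into STAGING, swap it with LIVE, roll back if self_test() fails.

    Returns True when the new list is live, False when the old one was restored.
    """
    # -exist tolerates a leftover staging set from an interrupted run; the old
    # list in LIVE keeps matching packets the whole time the new one loads.
    run(["ipset", "-exist", "restore"], stdin=ipset_restore_script(networks, STAGING))
    run(["ipset", "-exist", "create", LIVE, "hash:net", "family", "inet"])
    # swap exchanges the two sets' contents in one kernel operation, so the rule
    # never references a partially loaded list.
    run(["ipset", "swap", STAGING, LIVE])
    if self_test():
        run(["ipset", "destroy", STAGING])  # STAGING now holds the superseded list
        return True
    run(["ipset", "swap", STAGING, LIVE])   # rollback: old list back in LIVE
    run(["ipset", "destroy", STAGING])
    return False
```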
3. Report
Every 30 minutes (configurable), SikkerGuard reads blocked connection data from the kernel log, maps destination ports to protocol names, and submits the top blocked IPs back to SikkerAPI via bulk report:
```
18:35:00 INFO Reported 247 blocked IPs (ssh: 89, http: 63, telnet: 41, ...)
```

This creates a feedback loop: the IPs SikkerGuard blocks on your server contribute data that improves the threat intelligence for everyone else using SikkerAPI. If reporting is not something you want, set SIKKER_REPORT_ENABLED=false.
Safety Design
The number one concern with automated firewall tools is locking yourself out. SikkerGuard addresses this at multiple levels.
Auto-whitelist
On startup, SikkerGuard detects and permanently whitelists:
- Your default gateway (parsed from `ip route`)
- All DNS servers (parsed from `/etc/resolv.conf`)
- Your host's own IP addresses (parsed from `ip addr`)
- LAN subnets: `10.0.0.0/8`, `172.16.0.0/12`, `192.168.0.0/16`
- Loopback: `127.0.0.0/8`, `::1`
- The SikkerAPI endpoint IP
These can never be blocked, even if they somehow appear on the blacklist. You can add your own IPs with SIKKER_WHITELIST=203.0.113.10,198.51.100.0/24.
Connectivity rollback
After every rule update, the self-test verifies gateway reachability, DNS resolution, and API connectivity. If any check fails, the previous ruleset is restored within seconds.
Clean shutdown
On docker compose down or SIGTERM, SikkerGuard removes its iptables rules and destroys its ipset sets. Your firewall goes back to exactly how it was before SikkerGuard started. No leftover rules, no orphaned sets.
Dry-run mode
Not sure if you're ready to block traffic? Set SIKKER_DRY_RUN=true. SikkerGuard will fetch the blacklist, run all safety checks, and log what it would block — without touching your firewall.
Real-Time Block Logging
SikkerGuard doesn't just block traffic silently. It reads the kernel log in real time and reports what's being blocked:
```
18:05:31 INFO BLOCKED 185.16.39.79:23 (telnet) proto=TCP x47
18:05:31 INFO BLOCKED 18.218.118.203:1433 (mssql) proto=TCP x14
18:05:41 INFO BLOCKED 94.26.88.32:22 (ssh) proto=TCP x6
```

The port-to-protocol mapping covers all standard services — SSH, HTTP, MySQL, PostgreSQL, Redis, SMTP, MongoDB, Docker, and more. Custom mappings are supported via SIKKER_PORT_MAP for non-standard ports.
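How lines like the above can be derived from the kernel log, as an added Python example (not SikkerGuard's code) that also serves the per-protocol totals in the Report phase. The `SIKKER_BLOCK:` log prefix and the sample kernel messages are constructed; the `SRC=`/`DST=`/`PROTO=`/`DPT=` fields are the standard netfilter LOG target format.

```python
import re
from collections import Counter

# Port-to-protocol table (a subset of the standard services the post lists);
# SIKKER_PORT_MAP would extend it for non-standard ports in the real tool.
PORT_NAMES = {22: "ssh", 23: "telnet", 25: "smtp", 80: "http", 443: "https",
              1433: "mssql", 2375: "docker", 3306: "mysql", 5432: "postgres",
              6379: "redis", 27017: "mongodb"}

LOG_PREFIX = "SIKKER_BLOCK:"          # assumed --log-prefix of the logging rule
FIELD_RE = re.compile(r"(\w+)=(\S*)")  # netfilter LOG emits KEY=VALUE pairs

# Constructed /dev/kmsg lines (fields trimmed; real lines also carry LEN, TTL, ...).
SAMPLE_KMSG = """\
<4>[ 101.5] SIKKER_BLOCK: IN=eth0 OUT= SRC=198.51.100.23 DST=192.0.2.5 PROTO=TCP SPT=41000 DPT=23
<4>[ 101.7] SIKKER_BLOCK: IN=eth0 OUT= SRC=203.0.113.77 DST=192.0.2.5 PROTO=TCP SPT=52010 DPT=1433
<4>[ 102.0] SIKKER_BLOCK: IN=eth0 OUT= SRC=198.51.100.23 DST=192.0.2.5 PROTO=TCP SPT=41001 DPT=23
<6>[ 102.1] eth0: link is up, 1000 Mbps full duplex
<4>[ 102.4] SIKKER_BLOCK: IN=eth0 OUT= SRC=198.51.100.23 DST=192.0.2.5 PROTO=TCP SPT=41002 DPT=22
<4>[ 102.8] SIKKER_BLOCK: IN=eth0 OUT= SRC=203.0.113.77 DST=192.0.2.5 PROTO=TCP SPT=52011 DPT=1433
<4>[ 103.0] SIKKER_BLOCK: IN=eth0 OUT= SRC=198.51.100.23 DST=192.0.2.5 PROTO=TCP SPT=41003 DPT=23
<4>[ 103.2] SIKKER_BLOCK: IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.5 PROTO=ICMP TYPE=8 CODE=0
"""


def parse_block(line, port_names=PORT_NAMES):
    """Return (src, dport, proto, service) for a block line, None for other kernel messages."""
    if LOG_PREFIX not in line:
        return None
    fields = dict(FIELD_RE.findall(line))
    if "SRC" not in fields or "PROTO" not in fields:
        return None
    port = int(fields["DPT"]) if fields.get("DPT") else 0  # ICMP has no destination port
    return fields["SRC"], port, fields["PROTO"], port_names.get(port, fields["PROTO"].lower())


def summarize(kmsg, port_names=PORT_NAMES):
    """Aggregate repeated hits into 'BLOCKED ip:port (svc) proto=X xN' lines,
    most frequent first, plus the per-service totals used in the report summary."""
    hits, per_service = Counter(), Counter()
    for line in kmsg.splitlines():
        rec = parse_block(line, port_names)
        if rec:
            hits[rec] += 1
            per_service[rec[3]] += 1
    lines = [f"BLOCKED {src}:{port} ({svc}) proto={proto} x{n}"
             for (src, port, proto, svc), n in hits.most_common()]
    return lines, per_service
```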
Health Endpoint
SikkerGuard exposes a health check on localhost (not externally accessible):
```
$ curl localhost:8080/healthz
OK

$ curl localhost:8080/status
{
  "status": "active",
  "blockedIps": 8774,
  "lastPull": "2026-02-24T10:30:00Z",
  "lastReport": "2026-02-24T10:15:00Z",
  "dryRun": false,
  "uptime": "2h 15m"
}
```

The health check integrates with Docker's HEALTHCHECK directive, so container orchestrators (Compose, Kubernetes, Portainer) automatically detect when SikkerGuard is healthy.
How It Compares to Our Other Integrations
SikkerGuard isn't replacing our existing tools — it's filling a gap between them.
**Fail2Ban** is reactive. It watches your logs and bans IPs after they attack. SikkerGuard is proactive — it blocks known attackers before they connect. Use both for defense in depth: Fail2Ban catches new threats your server encounters, SikkerGuard blocks the ones our honeypot network already knows about.
**iptables/ipset scripts and Nginx geo blocking** are the same underlying mechanism, but you manage the cron job, error handling, and persistence yourself. SikkerGuard wraps all of that in a container with safety checks, rollback, and monitoring built in.
**CSF Firewall** combines blocking and reporting but is specific to the CSF ecosystem. SikkerGuard works on any Linux server with Docker.
**sikker CLI** is a general-purpose tool for querying the API. You can build blocking scripts with it, but SikkerGuard is purpose-built for the specific task of continuous firewall management.
Works on the Free Tier
SikkerGuard works with the free SikkerAPI plan. No credit card, no paid subscription required. The free tier includes blacklist access with up to 5,000 IPs per pull and 1,000 reports per day — enough for most single-server deployments.
Need higher limits or more IPs? Paid plans start at $7/month.
Get Started
- Create a free SikkerAPI account and generate an API key
- Follow the SikkerGuard setup guide — full configuration reference, safety details, and troubleshooting
- Run `docker compose up -d`
Full documentation: sikkerapi.com/docs/sikkerguard
If you're already using our Fail2Ban or CSF integration to report attacks, SikkerGuard complements them by adding pre-emptive blocking from the same threat intelligence database. If you're maintaining manual iptables scripts with our Blacklist API, SikkerGuard replaces those scripts entirely.