CSF Firewall Integration

Pre-emptive blocking & attack reporting · Back to API Docs

Overview

Integrate ConfigServer Security & Firewall (CSF) with SikkerAPI for two-way threat intelligence: pre-emptively block known suspicious IPs and automatically report attacks detected on your server.

Unlike other blocklist providers, SikkerAPI's blocklist is powered by first-party honeypot data across 16 protocols, with advanced filtering by country, ASN, protocol, and severity.

Requirements

•CSF installed and running on your server
•curl installed (for attack reporting)
•A SikkerAPI API key — get one free if you don't have one yet

Two-way integration

SikkerAPI Blocklist
        |
        v
CSF blocks known bad IPs       (pull)
        +
CSF detects new attack
        |
        v
Reports to SikkerAPI            (push)
        |
        v
Contributes to threat database

Blocklist Setup

Add one line to /etc/csf/csf.blocklists to pre-emptively block observed IPs. CSF will refresh the list automatically at the interval you specify.

Configuration format

Field	Value	Description
Name	SIKKERAPI	Identifier for this blocklist
Interval	86400	Refresh interval in seconds (86400 = daily)
Max IPs	10000	Maximum IPs to import (capped by tier)
URL	https://...	SikkerAPI blacklist endpoint with your key

Steps

•Add the line to /etc/csf/csf.blocklists
•Restart CSF and LFD
•CSF will immediately fetch and apply the blocklist

csf.blocklists

# SikkerAPI threat intelligence blocklist
SIKKERAPI|86400|10000|https://api.sikkerapi.com/v1/key/blacklist?key=sk_free_...&plaintext=true&scoreMinimum=70

Restart CSF

$ csf -r
$ lfd -r

Verify blocklist loaded

$ grep SIKKERAPI /var/log/lfd.log
SIKKERAPI: loaded 8432 entries

Attack Reporting

When CSF blocks an IP, it can automatically report the attack to SikkerAPI using the BLOCK_REPORT feature. This contributes to the community threat database.

Step 1: Download the script

Download the report script to your server.

Step 2: Add your API key

Save your API key to a file that the script reads.

Step 3: Configure CSF

Set the BLOCK_REPORT path in /etc/csf/csf.conf.

Trigger mapping

CSF Trigger	Category	Protocol
LF_SSHD	brute_force	ssh
LF_FTPD	brute_force	ftp
LF_SMTPAUTH	brute_force	smtp
LF_HTACCESS	brute_force	http
LF_MODSEC	web_exploit	http
LF_DISTATTACK	ddos	—
CT_LIMIT	port_scan	—

See Report API docs for all 16 categories.

Download script

$ sudo curl -o /usr/local/bin/sikkerapi-csf-report \
    "https://sikkerapi.com/csf/sikkerapi-csf-report.sh"
$ sudo chmod +x /usr/local/bin/sikkerapi-csf-report

Save API key

$ echo "sk_free_..." | sudo tee /etc/csf/sikkerapi.key
$ sudo chmod 600 /etc/csf/sikkerapi.key

csf.conf

BLOCK_REPORT = "/usr/local/bin/sikkerapi-csf-report"

Restart CSF

$ csf -r

Advanced Filtering

Customize your blocklist URL with query parameters to filter by country, protocol, severity, ASN, and IP version. All parameters are optional.

Parameter	Example	Description
scoreMinimum	70	Minimum confidence level (1-100). Default: 50.
limit	5000	Max IPs to return. Capped by tier.
onlyCountries	CN,RU,IR	Only include IPs from these countries.
exceptCountries	US,GB,DE	Exclude IPs from these countries.
protocols	ssh,http	Only IPs with activity on these protocols.
minSeverity	high	Minimum behavior severity (critical, high, medium, low).
ipVersion	4	IPv4 only (4), IPv6 only (6), or both (mixed).
onlyAsn	AS12345	Only include IPs from these ASNs.
exceptAsn	AS67890	Exclude IPs from these ASNs.

See the Blacklist API docs for full parameter reference and response format.

SSH attacks only, score 80+

SIKKERAPI|86400|10000|https://api.sikkerapi.com/v1/key/blacklist?key=sk_free_...&plaintext=true&scoreMinimum=80&protocols=ssh

High severity, exclude US/EU

SIKKERAPI|86400|10000|https://api.sikkerapi.com/v1/key/blacklist?key=sk_free_...&plaintext=true&minSeverity=high&exceptCountries=US,GB,DE,FR,NL

IPv4 only, top 5000

SIKKERAPI|86400|5000|https://api.sikkerapi.com/v1/key/blacklist?key=sk_free_...&plaintext=true&scoreMinimum=70&ipVersion=4&limit=5000

Rate Limits

The blacklist endpoint has its own daily quota, separate from your lookup quota. Daily refreshes (86400s interval) stay well within limits for all tiers.

Tier	Blacklist IPs/Day
Free	5,000
Basic	50,000
Small Business	75,000
Medium Business	150,000
Large Business	350,000

Report submissions use your daily report quota. If you hit the limit, CSF still blocks the IP locally — only the report to SikkerAPI is skipped.

Tier	Reports/Day
Free	1,000
Basic	7,000
Small Business	14,000
Medium Business	30,000
Large Business	100,000

Refresh intervals

# Recommended intervals:
86400   = daily (1 blocklist request/day)
43200   = twice daily
3600    = hourly (use higher tiers)

# CSF format:
# NAME|INTERVAL|MAX_IPS|URL

Verification & Troubleshooting

Verify blocklist

•Check LFD logs for blocklist load messages
•Verify blocked IPs in iptables

Verify reporting

•Check syslog for sikkerapi messages
•Test the script manually with a known IP

Common issues

•Blocklist empty: Verify your API key starts with sk_ and is enabled in your dashboard
•Reports not appearing: Check script permissions and that /etc/csf/sikkerapi.key exists
•CSF not reloading: You must restart both CSF and LFD after editing blocklists

Check blocklist in logs

$ grep SIKKERAPI /var/log/lfd.log
SIKKERAPI: loaded 8432 entries

Check iptables

$ csf -g 203.0.113.42
Chain: BLOCKLIST, IP: 203.0.113.42, Match: SIKKERAPI

Check report logs

$ grep sikkerapi /var/log/messages
sikkerapi: Reported 198.51.100.17 (brute_force/ssh) via CSF trigger LF_SSHD

Test script manually

$ /usr/local/bin/sikkerapi-csf-report \
    "192.0.2.1" "" "" "LF_SSHD" ""
$ grep sikkerapi /var/log/messages
sikkerapi: Reported 192.0.2.1 (brute_force/ssh) via CSF trigger LF_SSHD

Overview

Integrate ConfigServer Security & Firewall (CSF) with SikkerAPI for two-way threat intelligence: pre-emptively block known suspicious IPs and automatically report attacks detected on your server.

Unlike other blocklist providers, SikkerAPI's blocklist is powered by first-party honeypot data across 16 protocols, with advanced filtering by country, ASN, protocol, and severity.

Requirements

•CSF installed and running on your server
•curl installed (for attack reporting)
•A SikkerAPI API key — get one free if you don't have one yet

Two-way integration

SikkerAPI Blocklist
        |
        v
CSF blocks known bad IPs       (pull)
        +
CSF detects new attack
        |
        v
Reports to SikkerAPI            (push)
        |
        v
Contributes to threat database

Blocklist Setup

Add one line to /etc/csf/csf.blocklists to pre-emptively block observed IPs. CSF will refresh the list automatically at the interval you specify.

Configuration format

Field	Value	Description
Name	SIKKERAPI	Identifier for this blocklist
Interval	86400	Refresh interval in seconds (86400 = daily)
Max IPs	10000	Maximum IPs to import (capped by tier)
URL	https://...	SikkerAPI blacklist endpoint with your key

Steps

•Add the line to /etc/csf/csf.blocklists
•Restart CSF and LFD
•CSF will immediately fetch and apply the blocklist

csf.blocklists

# SikkerAPI threat intelligence blocklist
SIKKERAPI|86400|10000|https://api.sikkerapi.com/v1/key/blacklist?key=sk_free_...&plaintext=true&scoreMinimum=70

Restart CSF

$ csf -r
$ lfd -r

Verify blocklist loaded

$ grep SIKKERAPI /var/log/lfd.log
SIKKERAPI: loaded 8432 entries

Attack Reporting

When CSF blocks an IP, it can automatically report the attack to SikkerAPI using the BLOCK_REPORT feature. This contributes to the community threat database.

Step 1: Download the script

Download the report script to your server.

Step 2: Add your API key

Save your API key to a file that the script reads.

Step 3: Configure CSF

Set the BLOCK_REPORT path in /etc/csf/csf.conf.

Trigger mapping

CSF Trigger	Category	Protocol
LF_SSHD	brute_force	ssh
LF_FTPD	brute_force	ftp
LF_SMTPAUTH	brute_force	smtp
LF_HTACCESS	brute_force	http
LF_MODSEC	web_exploit	http
LF_DISTATTACK	ddos	—
CT_LIMIT	port_scan	—

See Report API docs for all 16 categories.

Download script

$ sudo curl -o /usr/local/bin/sikkerapi-csf-report \
    "https://sikkerapi.com/csf/sikkerapi-csf-report.sh"
$ sudo chmod +x /usr/local/bin/sikkerapi-csf-report

Save API key

$ echo "sk_free_..." | sudo tee /etc/csf/sikkerapi.key
$ sudo chmod 600 /etc/csf/sikkerapi.key

csf.conf

BLOCK_REPORT = "/usr/local/bin/sikkerapi-csf-report"

Restart CSF

$ csf -r

Advanced Filtering

Customize your blocklist URL with query parameters to filter by country, protocol, severity, ASN, and IP version. All parameters are optional.

Parameter	Example	Description
scoreMinimum	70	Minimum confidence level (1-100). Default: 50.
limit	5000	Max IPs to return. Capped by tier.
onlyCountries	CN,RU,IR	Only include IPs from these countries.
exceptCountries	US,GB,DE	Exclude IPs from these countries.
protocols	ssh,http	Only IPs with activity on these protocols.
minSeverity	high	Minimum behavior severity (critical, high, medium, low).
ipVersion	4	IPv4 only (4), IPv6 only (6), or both (mixed).
onlyAsn	AS12345	Only include IPs from these ASNs.
exceptAsn	AS67890	Exclude IPs from these ASNs.

See the Blacklist API docs for full parameter reference and response format.

SSH attacks only, score 80+

SIKKERAPI|86400|10000|https://api.sikkerapi.com/v1/key/blacklist?key=sk_free_...&plaintext=true&scoreMinimum=80&protocols=ssh

High severity, exclude US/EU

SIKKERAPI|86400|10000|https://api.sikkerapi.com/v1/key/blacklist?key=sk_free_...&plaintext=true&minSeverity=high&exceptCountries=US,GB,DE,FR,NL

IPv4 only, top 5000

SIKKERAPI|86400|5000|https://api.sikkerapi.com/v1/key/blacklist?key=sk_free_...&plaintext=true&scoreMinimum=70&ipVersion=4&limit=5000

Rate Limits

The blacklist endpoint has its own daily quota, separate from your lookup quota. Daily refreshes (86400s interval) stay well within limits for all tiers.

Tier	Blacklist IPs/Day
Free	5,000
Basic	50,000
Small Business	75,000
Medium Business	150,000
Large Business	350,000

Report submissions use your daily report quota. If you hit the limit, CSF still blocks the IP locally — only the report to SikkerAPI is skipped.

Tier	Reports/Day
Free	1,000
Basic	7,000
Small Business	14,000
Medium Business	30,000
Large Business	100,000

Refresh intervals

# Recommended intervals:
86400   = daily (1 blocklist request/day)
43200   = twice daily
3600    = hourly (use higher tiers)

# CSF format:
# NAME|INTERVAL|MAX_IPS|URL

Verification & Troubleshooting

Verify blocklist

•Check LFD logs for blocklist load messages
•Verify blocked IPs in iptables

Verify reporting

•Check syslog for sikkerapi messages
•Test the script manually with a known IP

Common issues

•Blocklist empty: Verify your API key starts with sk_ and is enabled in your dashboard
•Reports not appearing: Check script permissions and that /etc/csf/sikkerapi.key exists
•CSF not reloading: You must restart both CSF and LFD after editing blocklists

Check blocklist in logs

$ grep SIKKERAPI /var/log/lfd.log
SIKKERAPI: loaded 8432 entries

Check iptables

$ csf -g 203.0.113.42
Chain: BLOCKLIST, IP: 203.0.113.42, Match: SIKKERAPI

Check report logs

$ grep sikkerapi /var/log/messages
sikkerapi: Reported 198.51.100.17 (brute_force/ssh) via CSF trigger LF_SSHD

Test script manually

$ /usr/local/bin/sikkerapi-csf-report \
    "192.0.2.1" "" "" "LF_SSHD" ""
$ grep sikkerapi /var/log/messages
sikkerapi: Reported 192.0.2.1 (brute_force/ssh) via CSF trigger LF_SSHD