CSF Firewall Integration

Integration

Two-way (pull + push)

Authentication

Bearer sk_...

Requirements

CSF/LFD, curl

Data

GETblocklist + POSTreports

← Back to Overview

Overview

Integrate ConfigServer Security & Firewall with SikkerAPI for two-way threat intelligence. Pull the community blacklist to pre-emptively block known malicious IPs via csf.blocklists, and automatically report attacks detected by CSF back to the threat database via BLOCK_REPORT. Unlike other blocklist providers, SikkerAPI is powered by first-party honeypot data across 16 protocols with advanced filtering by country, ASN, protocol, and severity.

Pull — blocklist feed

SikkerAPI blacklist→csf.blocklists→CSF imports IPs→iptables DROP

Push — attack reporting

CSF blocks an IP→BLOCK_REPORT fires→sikkerapi-csf-report→POST /v1/key/report→Threat database

Blocklist Setup

Add one line to /etc/csf/csf.blocklists to pre-emptively block known malicious IPs. CSF refreshes the list automatically at the interval you specify. The plaintext=true parameter returns one IP per line — the format CSF expects. See the Blacklist API for the full endpoint reference.

csf.blocklists format

NamestringIdentifier for this blocklist (e.g. SIKKERAPI).

IntervalintRefresh interval in seconds. 86400 = daily (recommended).

Max IPsintMaximum IPs to import. Capped by your tier.

URLstringSikkerAPI blacklist endpoint with your key and filters.

1Add blocklist entry

# Add to /etc/csf/csf.blocklists SIKKERAPI|86400|10000|https://api.sikkerapi.com/v1/key/blacklist?key=sk_free_...&plaintext=true&scoreMinimum=70

2Restart CSF and LFD

$ csf -r $ lfd -r

3Verify blocklist loaded

$ grep SIKKERAPI /var/log/lfd.log SIKKERAPI: loaded 8432 entries

Attack Reporting

When CSF blocks an IP, it can automatically report the attack to SikkerAPI using the BLOCK_REPORT feature. The report script maps CSF triggers (like LF_SSHD) to SikkerAPI categories and submits them via the Report API. Only the IP, category, and protocol are sent — no log data leaves your server.

1Download the report script

$ sudo curl -o /usr/local/bin/sikkerapi-csf-report \ "https://sikkerapi.com/csf/sikkerapi-csf-report.sh" $ sudo chmod +x /usr/local/bin/sikkerapi-csf-report

2Save your API key

$ echo "sk_free_..." | sudo tee /etc/csf/sikkerapi.key $ sudo chmod 600 /etc/csf/sikkerapi.key

3Configure BLOCK_REPORT in csf.conf

# In /etc/csf/csf.conf BLOCK_REPORT = "/usr/local/bin/sikkerapi-csf-report"

4Restart CSF

$ csf -r

Script arguments (passed by CSF automatically)

$1stringIP address that was blocked.

$2stringPorts involved.

$3stringDirection (in/out/inout).

$4stringCSF trigger name (e.g. LF_SSHD). Used for category mapping.

$5stringLog entries (not sent to API).

Trigger Mappings

The report script automatically maps CSF trigger names to SikkerAPI categories and protocols. Unrecognized triggers default to other with no protocol.

CSF trigger → category → protocol

LF_SSHDbrute_forcessh

LF_SSHD_PERMbrute_forcessh

LF_FTPDbrute_forceftp

LF_SMTPAUTHbrute_forcesmtp

LF_POP3Dbrute_forcepop3

LF_IMAPDbrute_forceimap

LF_HTACCESSbrute_forcehttp

LF_MODSECweb_exploithttp

LF_DIRECTADMINbrute_forcehttp

LF_CPANELbrute_forcehttp

LF_DISTATTACKddos—

LF_DISTFTPbrute_forceftp

LF_DISTSMTPspamsmtp

CT_LIMITport_scan—

LF_EXIMSYNTAXspamsmtp

LF_MYSQLbrute_forcemysql

Advanced Filtering

Customize your blocklist URL with query parameters to filter by country, protocol, severity, ASN, and IP version. All parameters are optional. See the Blacklist API for the full parameter reference and response format.

Blocklist query parameters

scoreMinimum70Minimum confidence level (1–100). Default: 50.

limit5000Max IPs to return. Capped by tier.

onlyCountriesCN,RU,IROnly include IPs from these countries (ISO 3166-1).

exceptCountriesUS,GB,DEExclude IPs from these countries.

protocolsssh,httpOnly IPs with activity on these protocols.

minSeverityhighMinimum behavior severity (critical, high, medium, low).

ipVersion4IPv4 only (4), IPv6 only (6), or both (default).

onlyAsnAS12345Only include IPs from these ASNs.

exceptAsnAS67890Exclude IPs from these ASNs.

SSH attacks only, score 80+

SIKKERAPI|86400|10000|https://api.sikkerapi.com/v1/key/blacklist?key=sk_free_...&plaintext=true&scoreMinimum=80&protocols=ssh

High severity, exclude US/EU

SIKKERAPI|86400|10000|https://api.sikkerapi.com/v1/key/blacklist?key=sk_free_...&plaintext=true&minSeverity=high&exceptCountries=US,GB,DE,FR,NL

IPv4 only, top 5,000

SIKKERAPI|86400|5000|https://api.sikkerapi.com/v1/key/blacklist?key=sk_free_...&plaintext=true&scoreMinimum=70&ipVersion=4&limit=5000

Rate Limits

Blocklist requests and report submissions have separate daily quotas. Daily refreshes (86400s interval) stay well within limits for all tiers. If the report quota is exhausted, CSF still blocks the IP locally — only the report to SikkerAPI is skipped. Multiple servers should use separate API keys or upgrade your tier.

Daily quotas by tier

Free1,000 reports/day, 10,000 blocklist IPs. Create free key

Paid tiersHigher limits. See pricing for details.

Recommended refresh intervals

# CSF format: NAME|INTERVAL|MAX_IPS|URL 86400 # daily (1 request/day, fits all tiers) 43200 # twice daily 3600 # hourly (use higher tiers)

Verification

After setup, verify both the blocklist and reporting are working. Reported IPs appear in the IP Check response under the contributor section.

1Check blocklist in LFD logs

$ grep SIKKERAPI /var/log/lfd.log SIKKERAPI: loaded 8432 entries

2Verify a blocked IP in iptables

$ csf -g 203.0.113.42 Chain: BLOCKLIST, IP: 203.0.113.42, Match: SIKKERAPI

3Check report logs in syslog

$ grep sikkerapi /var/log/messages sikkerapi: Reported 198.51.100.17 (brute_force/ssh) via CSF trigger LF_SSHD

4Test the report script manually

$ /usr/local/bin/sikkerapi-csf-report \ "192.0.2.1" "" "" "LF_SSHD" "" $ grep sikkerapi /var/log/messages sikkerapi: Reported 192.0.2.1 (brute_force/ssh) via CSF trigger LF_SSHD

Troubleshooting

Common issues and how to resolve them. You can always test the report script manually to isolate whether the issue is with CSF configuration or API connectivity.

Common issues

Blocklist shows 0 entriesverify key starts with sk_ and is enabled

Reports not appearing in dashboardcheck /etc/csf/sikkerapi.key exists and has correct permissions

401 — Invalid API keyregenerate key in dashboard

429 — Rate limit exceededupgrade tier or use separate keys per server

CSF not reloading blocklistrestart both CSF and LFD: csf -r && lfd -r

Connection timeout on reportscheck outbound HTTPS to api.sikkerapi.com is allowed

Verbose API test — bypass the script

$ curl -v -X POST "https://api.sikkerapi.com/v1/key/report" \ -H "Authorization: Bearer $(cat /etc/csf/sikkerapi.key)" \ -H "Content-Type: application/json" \ -d '{"ip":"192.0.2.1","category":"brute_force","protocol":"ssh"}' # Expected: {"success":true}

Script Reference

The report script at /usr/local/bin/sikkerapi-csf-report reads your API key from /etc/csf/sikkerapi.key (or the SIKKERAPI_KEY environment variable), maps the CSF trigger to a category, and submits the report with a 10-second timeout. Logs all activity to syslog under the sikkerapi tag.

/usr/local/bin/sikkerapi-csf-report (excerpt)

#!/bin/bash # SikkerAPI CSF BLOCK_REPORT Script # CSF passes: $1=IP $2=ports $3=direction $4=trigger $5=logs API_URL="https://api.sikkerapi.com/v1/key/report" KEY_FILE="/etc/csf/sikkerapi.key" # Read key from file or SIKKERAPI_KEY env var API_KEY=$(head -1 "$KEY_FILE" | tr -d '[:space:]') # Map trigger to category (case statement) case "$TRIGGER" in LF_SSHD*) CATEGORY="brute_force"; PROTOCOL="ssh" ;; LF_FTPD) CATEGORY="brute_force"; PROTOCOL="ftp" ;; LF_MODSEC) CATEGORY="web_exploit"; PROTOCOL="http" ;; CT_LIMIT) CATEGORY="port_scan" ;; *) CATEGORY="other" ;; esac # Submit with 10s timeout, log result to syslog curl -sf --max-time 10 -X POST "$API_URL" \ -H "Authorization: Bearer $API_KEY" \ -H "Content-Type: application/json" \ -d "$PAYLOAD"

Get started — Set up two-way threat intelligence with CSF in under 10 minutes. The blocklist protects your server from scored threats, while attack reports contribute to IP Check confidence levels. Using Fail2Ban instead? See the Fail2Ban integration. Want zero-config protection? Try SikkerGuard. Create free API key →

CSF Firewall Integration

Integration

Two-way (pull + push)

Authentication

Bearer sk_...

Requirements

CSF/LFD, curl

Data

GETblocklist + POSTreports

← Back to Overview

Overview

Pull — blocklist feed

SikkerAPI blacklist→csf.blocklists→CSF imports IPs→iptables DROP

Push — attack reporting

CSF blocks an IP→BLOCK_REPORT fires→sikkerapi-csf-report→POST /v1/key/report→Threat database

Blocklist Setup

csf.blocklists format

NamestringIdentifier for this blocklist (e.g. SIKKERAPI).

IntervalintRefresh interval in seconds. 86400 = daily (recommended).

Max IPsintMaximum IPs to import. Capped by your tier.

URLstringSikkerAPI blacklist endpoint with your key and filters.

1Add blocklist entry

# Add to /etc/csf/csf.blocklists SIKKERAPI|86400|10000|https://api.sikkerapi.com/v1/key/blacklist?key=sk_free_...&plaintext=true&scoreMinimum=70

2Restart CSF and LFD

$ csf -r $ lfd -r

3Verify blocklist loaded

$ grep SIKKERAPI /var/log/lfd.log SIKKERAPI: loaded 8432 entries

Attack Reporting

1Download the report script

$ sudo curl -o /usr/local/bin/sikkerapi-csf-report \ "https://sikkerapi.com/csf/sikkerapi-csf-report.sh" $ sudo chmod +x /usr/local/bin/sikkerapi-csf-report

2Save your API key

$ echo "sk_free_..." | sudo tee /etc/csf/sikkerapi.key $ sudo chmod 600 /etc/csf/sikkerapi.key

3Configure BLOCK_REPORT in csf.conf

# In /etc/csf/csf.conf BLOCK_REPORT = "/usr/local/bin/sikkerapi-csf-report"

4Restart CSF

$ csf -r

Script arguments (passed by CSF automatically)

$1stringIP address that was blocked.

$2stringPorts involved.

$3stringDirection (in/out/inout).

$4stringCSF trigger name (e.g. LF_SSHD). Used for category mapping.

$5stringLog entries (not sent to API).

Trigger Mappings

The report script automatically maps CSF trigger names to SikkerAPI categories and protocols. Unrecognized triggers default to other with no protocol.

CSF trigger → category → protocol

LF_SSHDbrute_forcessh

LF_SSHD_PERMbrute_forcessh

LF_FTPDbrute_forceftp

LF_SMTPAUTHbrute_forcesmtp

LF_POP3Dbrute_forcepop3

LF_IMAPDbrute_forceimap

LF_HTACCESSbrute_forcehttp

LF_MODSECweb_exploithttp

LF_DIRECTADMINbrute_forcehttp

LF_CPANELbrute_forcehttp

LF_DISTATTACKddos—

LF_DISTFTPbrute_forceftp

LF_DISTSMTPspamsmtp

CT_LIMITport_scan—

LF_EXIMSYNTAXspamsmtp

LF_MYSQLbrute_forcemysql

Advanced Filtering

Blocklist query parameters

scoreMinimum70Minimum confidence level (1–100). Default: 50.

limit5000Max IPs to return. Capped by tier.

onlyCountriesCN,RU,IROnly include IPs from these countries (ISO 3166-1).

exceptCountriesUS,GB,DEExclude IPs from these countries.

protocolsssh,httpOnly IPs with activity on these protocols.

minSeverityhighMinimum behavior severity (critical, high, medium, low).

ipVersion4IPv4 only (4), IPv6 only (6), or both (default).

onlyAsnAS12345Only include IPs from these ASNs.

exceptAsnAS67890Exclude IPs from these ASNs.

SSH attacks only, score 80+

SIKKERAPI|86400|10000|https://api.sikkerapi.com/v1/key/blacklist?key=sk_free_...&plaintext=true&scoreMinimum=80&protocols=ssh

High severity, exclude US/EU

SIKKERAPI|86400|10000|https://api.sikkerapi.com/v1/key/blacklist?key=sk_free_...&plaintext=true&minSeverity=high&exceptCountries=US,GB,DE,FR,NL

IPv4 only, top 5,000

SIKKERAPI|86400|5000|https://api.sikkerapi.com/v1/key/blacklist?key=sk_free_...&plaintext=true&scoreMinimum=70&ipVersion=4&limit=5000

Rate Limits

Daily quotas by tier

Free1,000 reports/day, 10,000 blocklist IPs. Create free key

Paid tiersHigher limits. See pricing for details.

Recommended refresh intervals

# CSF format: NAME|INTERVAL|MAX_IPS|URL 86400 # daily (1 request/day, fits all tiers) 43200 # twice daily 3600 # hourly (use higher tiers)

Verification

After setup, verify both the blocklist and reporting are working. Reported IPs appear in the IP Check response under the contributor section.

1Check blocklist in LFD logs

$ grep SIKKERAPI /var/log/lfd.log SIKKERAPI: loaded 8432 entries

2Verify a blocked IP in iptables

$ csf -g 203.0.113.42 Chain: BLOCKLIST, IP: 203.0.113.42, Match: SIKKERAPI

3Check report logs in syslog

$ grep sikkerapi /var/log/messages sikkerapi: Reported 198.51.100.17 (brute_force/ssh) via CSF trigger LF_SSHD

4Test the report script manually

$ /usr/local/bin/sikkerapi-csf-report \ "192.0.2.1" "" "" "LF_SSHD" "" $ grep sikkerapi /var/log/messages sikkerapi: Reported 192.0.2.1 (brute_force/ssh) via CSF trigger LF_SSHD

Troubleshooting

Common issues and how to resolve them. You can always test the report script manually to isolate whether the issue is with CSF configuration or API connectivity.

Common issues

Blocklist shows 0 entriesverify key starts with sk_ and is enabled

Reports not appearing in dashboardcheck /etc/csf/sikkerapi.key exists and has correct permissions

401 — Invalid API keyregenerate key in dashboard

429 — Rate limit exceededupgrade tier or use separate keys per server

CSF not reloading blocklistrestart both CSF and LFD: csf -r && lfd -r

Connection timeout on reportscheck outbound HTTPS to api.sikkerapi.com is allowed

Verbose API test — bypass the script

Script Reference

/usr/local/bin/sikkerapi-csf-report (excerpt)