Integrate Fail2Ban with SikkerAPI to automatically report suspicious IPs when they're banned on your server. Reports contribute to our distributed threat intelligence database and help protect the community.
Unlike other services, SikkerAPI only sends structured data (IP, category, protocol). No log snippets or sensitive information is ever transmitted.
```
Fail2Ban detects intrusion
        |
        v
Bans IP via firewall
        |
        v
Calls sikkerapi-report script
        |
        v
Reports to SikkerAPI
        |
        v
Contributes to threat database
```

Install the SikkerAPI action file and report script with these commands:
Download the action configuration and report script to your server.
Ensure the report script has execute permissions.
Test that the script can connect to the API.
```
$ sudo curl -o /etc/fail2ban/action.d/sikkerapi.conf \
    "https://sikkerapi.com/fail2ban/sikkerapi.conf"
$ sudo curl -o /usr/local/bin/sikkerapi-report \
    "https://sikkerapi.com/fail2ban/sikkerapi-report.sh"
$ sudo chmod +x /usr/local/bin/sikkerapi-report
$ sikkerapi-report 127.0.0.1 "sk_free_..." brute_force ssh test
# Should output: Reported 127.0.0.1 (brute_force) to SikkerAPI
```
Add the SikkerAPI action to your jails in /etc/fail2ban/jail.local. Each jail can have its own category and protocol.
| Parameter | Required | Description |
|---|---|---|
| key | Yes | Your SikkerAPI key (sk_...) |
| category | Yes | Attack category (see table below) |
| protocol | No | Protocol: ssh, http, ftp, smtp, etc. |
```ini
[sshd]
enabled = true
port = ssh
logpath = %(sshd_log)s
backend = %(sshd_backend)s
# The second action is a continuation line and must be indented.
action = %(action_)s
         sikkerapi[key="sk_free_...", category="brute_force", protocol="ssh"]

[apache-auth]
enabled = true
port = http,https
logpath = %(apache_error_log)s
action = %(action_)s
         sikkerapi[key="sk_free_...", category="brute_force", protocol="http"]
```

Choose the category that best describes the attack your jail detects. Use human-readable names (not numeric codes).
| Category | Use for |
|---|---|
| brute_force | SSH, FTP, auth brute force attempts |
| port_scan | Port scanning / reconnaissance |
| ddos | DDoS / flood attacks |
| web_exploit | Web application exploitation |
| sql_injection | SQL injection attempts |
| bad_bot | Suspicious bots / scrapers |
| spam | Email spam / abuse |
| phishing | Phishing attempts |
| malware | Malware distribution |
| other | Other suspicious activity |
See Report API docs for the complete list of 16 categories.
| Jail | Category | Protocol |
|---|---|---|
| sshd | brute_force | ssh |
| apache-auth | brute_force | http |
| nginx-http-auth | brute_force | http |
| apache-badbots | bad_bot | http |
| nginx-botsearch | bad_bot | http |
| postfix | spam | smtp |
| postfix-sasl | brute_force | smtp |
| dovecot | brute_force | imap |
| vsftpd | brute_force | ftp |
| proftpd | brute_force | ftp |
| mysqld-auth | brute_force | mysql |
| recidive | other | - |
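
To catch a jail that omits a required parameter or uses a numeric category before Fail2Ban is reloaded, the following added example (not part of SikkerAPI's own scripts) lints a jail file against the parameter and category tables above. The function names, the `sk_free_EXAMPLE` placeholder key and the sample jail file are constructed for illustration, and the category list covers only the ten names shown on this page.

```shell
# Category names from the table on this page (the full Report API list has 16).
KNOWN="brute_force port_scan ddos web_exploit sql_injection bad_bot spam phishing malware other"

# get_param PARAMS NAME: print NAME's value from 'k="v", k2="v2"' (empty if absent).
get_param() {
    printf ', %s\n' "$1" | sed -n "s/.*[, ]$2=\"\{0,1\}\([^\",]*\)\"\{0,1\}.*/\1/p"
}

# lint_jails FILE: one finding per line, returns 1 on any error; never prints the key.
lint_jails() {
    jail="" rc=0
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in
            \#*|\;*) continue ;;                                  # comment
            \[*\]) jail=${line#\[}; jail=${jail%\]}; continue ;;  # [jail] header
            *sikkerapi\[*) ;;                                     # action to check
            *) continue ;;
        esac
        params=${line#*sikkerapi\[}; params=${params%%\]*}
        key=$(get_param "$params" key); ctg=$(get_param "$params" category)
        case $key in
            "") echo "$jail: error: missing required parameter 'key'"; rc=1 ;;
            sk_*) ;;
            *) echo "$jail: error: key does not start with sk_"; rc=1 ;;
        esac
        case $ctg in
            "") echo "$jail: error: missing required parameter 'category'"; rc=1 ;;
            *[!0-9]*) case " $KNOWN " in
                *" $ctg "*) echo "$jail: category '$ctg' ok" ;;
                *) echo "$jail: warning: '$ctg' is not in this page's table" ;;
            esac ;;
            *) echo "$jail: error: numeric category '$ctg', use its name"; rc=1 ;;
        esac
    done < "$1"
    return $rc
}
# Constructed sample jail.local; the key is a placeholder, not a real one.
sample_jail_local() {
    cat <<'EOF'
[sshd]
action = %(action_)s
         sikkerapi[key="sk_free_EXAMPLE", category="brute_force", protocol="ssh"]
[apache-auth]
action = sikkerapi[key="sk_free_EXAMPLE", category="18", protocol="http"]
[postfix]
action = sikkerapi[category="spam", protocol="smtp"]
EOF
}
tmp=$(mktemp) && sample_jail_local > "$tmp" && lint_jails "$tmp"; rm -f "$tmp"
```

Point `lint_jails` at `/etc/fail2ban/jail.local` to check a real configuration; a warning only means the name is outside the ten categories listed here.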
Report submissions are rate-limited per API key. If you have multiple servers, consider using separate API keys or upgrading your tier.
| Tier | Reports/Day |
|---|---|
| Free | 1,000 |
| Basic | 7,000 |
| Small Business | 14,000 |
| Medium Business | 30,000 |
| Large Business | 100,000 |
Rate limit errors don't fail the ban action: the IP is still blocked on your server, just not reported. Check your dashboard for usage stats.

```
# If you have multiple servers reporting
# with the same API key, you may want to
# use the contributor tier (10,000/day)
# or create separate keys per server.

# Check your usage:
curl -H "Authorization: Bearer sk_..." \
    "https://api.sikkerapi.com/v1/key/usage"
```
After configuration, reload Fail2Ban and verify reports are being submitted.
Look for "Reported ... to SikkerAPI" messages in the fail2ban log.
Your reported IPs appear in the dashboard under recent activity.
Use the API to verify the report was received.
```
$ sudo fail2ban-client reload
$ sudo tail -f /var/log/fail2ban.log | grep sikker
$ curl -H "Authorization: Bearer sk_..." \
    "https://api.sikkerapi.com/v1/key/check/203.0.113.42" \
    | jq .contributor
```

```
$ /usr/local/bin/sikkerapi-report \
    "192.0.2.1" \
    "sk_free_..." \
    "brute_force" \
    "ssh" \
    "manual test"
```

```
$ ls -la /usr/local/bin/sikkerapi-report
-rwxr-xr-x 1 root root 2048 Jan 31 12:00 sikkerapi-report
```

```
$ curl -v -X POST "https://api.sikkerapi.com/v1/key/report" \
    -H "Authorization: Bearer sk_..." \
    -H "Content-Type: application/json" \
    -d '{"ip":"192.0.2.1","category":"brute_force"}'
```