sikkerapi@prod ~$
Why SikkerAPI|
Sikker-CLISikkerGuard
Honeypot DatabaseEmail LookupUsername LookupDetection CatalogSubnet CalculatorEncoder / Decoder
Prices
|
Fail2BanCSF FirewallNginxiptables / ipset
|
Blog
OverviewIP CheckBlacklistReportBulk ReportTAXII FeedSikker-CLIConfidence Score Algorithm
Top CountriesTop ASNsTop ProtocolsTop IPsSMTP Database
CIDR Range AlertsIP AlertsUsername AlertsEmail AlertsBlacklist Web-UIInstall SikkerGuard
|login|signup
Loading
SikkerAPI

Open source threat intelligence from a global honeypot sensor network. Real attacker behavior, not purchased feeds.

Product
PricingDocumentationReport an IPThreat MapSystem Status
Resources
BlogFAQAboutContactComparisons
Tools
Sikker-CLISikkerGuardDetection CatalogSession DatabaseTAXII Feed
Browse
Top CountriesTop ASNsTop ProtocolsTop IPsSMTP Wall of Fame
© 2026 SikkerAPI
TermsPrivacyRemove Me
SikkerAPI AbuseIPDB blocklist.de Custom

Threat intelligence, applied to your firewall automatically.

SikkerGuard is powered by SikkerAPI — threat intelligence from honeypot sensors and contributor reports. Optionally connect your own AbuseIPDB key, enable blocklist.de feeds, or add a custom blacklist. Everything is merged, deduplicated, and applied to your iptables firewall automatically.

Install SikkerGuard →Explore sources
SikkerGuard
DashboardSourcesSettings
v1.1.0
Active·48,219 IPs in firewall·12,847 unique hits·87,402 pkts blocked·top ssh
By Protocol9 protocols
ssh
4,82063%
http
1,24716%
https
6839%
smtp
4125%
mysql
2894%
By Source4 sources
SikkerAPI
39,412
AbuseIPDB
8,731
blocklist.de
2,104
Custom
18
Overlap
-2,046
Firewall Log
live
TimeIP AddressActionProtoPktsSource
14:23:07185.220.101.34BLOCKEDssh12SikkerAPI
14:23:0380.94.92.168BLOCKEDssh5AbuseIPDB
14:22:5045.148.10.240BLOCKEDhttp3blocklist.de
14:22:38193.42.33.105BLOCKEDsmtp1SikkerAPI
14:22:2692.63.197.22BLOCKEDssh28SikkerAPI
01

Where the intelligence comes from

SikkerGuard is powered by SikkerAPI — our own threat intelligence platform built on honeypot sensors and contributor reports. You can extend coverage further by connecting third-party integrations with your own accounts. Here's what each source provides.

SikkerAPIBuilt-in

SikkerAPI is the threat intelligence platform behind SikkerGuard. It combines data from two sources: a global network of honeypot sensors simulating 17 vulnerable protocols (SSH, HTTP, MySQL, PostgreSQL, FTP, SMTP, Redis, MongoDB, Docker, SMB, Telnet, and more), and contributor reports from the SikkerAPI community — including other SikkerGuard users who opt in to the feedback loop.

Every IP that interacts with a honeypot is definitively suspicious — there are no legitimate users on a honeypot. Combined with real-world contributor reports, this produces high-confidence threat data. Each IP receives a confidence score (1–100) based on attack frequency, protocol diversity, and behavioral patterns. SikkerGuard pulls IPs above your configured score threshold.

  • ✓ 17 protocol honeypot sensors worldwide
  • ✓ Contributor reports from the SikkerAPI community
  • ✓ Confidence score per IP (1–100, configurable threshold)
  • ✓ Behavioral analysis — command execution, credential patterns
AbuseIPDBIntegration

AbuseIPDB is a community-driven database where server administrators report abusive IPs. Add your own AbuseIPDB API key in the SikkerGuard dashboard, set a confidence threshold (default 90%), and SikkerGuard pulls the highest-reported offenders into your blocklist automatically.

  • ✓ Bring your own AbuseIPDB API key (free tier available)
  • ✓ Configurable min confidence (25–100%)
  • ✓ Community-sourced from thousands of server admins
  • ✓ Enable/disable from the Sources page
blocklist.deIntegration

blocklist.de collects attack reports from thousands of servers and publishes categorized feeds. Enable this integration from the Sources page and choose the feeds relevant to your server: SSH brute force, mail abuse, web attacks, FTP, SIP/VoIP, persistent attackers, and more.

  • ✓ Opt-in — enable from the Sources page
  • ✓ 10 protocol-specific feed categories
  • ✓ No API key required
  • ✓ 48-hour rolling window
02

The closed feedback loop

SikkerGuard doesn't just consume threat intelligence — it contributes back. When your firewall blocks a connection, SikkerGuard reports the IP, protocol, and packet count to SikkerAPI. This data updates confidence scores and timing for all users. The more servers running SikkerGuard, the better the intelligence gets.

Intelligence
SikkerAPI Network

Honeypot sensors capture attacker behavior. IPs scored by confidence. Shared via API.

→pullreport←
Your server
SikkerGuard Firewall

Blocks threats at iptables. Reports blocked IPs back. Strengthens the network.

Contributor reporting is optional. Disable it from settings if you prefer not to share data.

03

Production-safe by design

Applying external blocklists to a production firewall is risky if done wrong. SikkerGuard was built with multiple safety layers to ensure it never breaks your server.

  • ✓Auto-whitelist — SSH session, gateway, DNS servers, RFC1918 ranges permanently protected.
  • ✓Connectivity test — verifies outbound internet after every firewall update. Automatic rollback on failure.
  • ✓Atomic swap — staging ipset swapped in one operation. Zero downtime window.
  • ✓Sanity check — rejects updates changing >50% of rules. Circuit breaker prevents catastrophic changes.
  • ✓Dry run mode — test your configuration without touching the firewall.
  • ✓Clean shutdown — all SikkerGuard rules removed when stopped.
04

Deploy in 60 seconds

One docker-compose file. One API key. Your server starts blocking known threats immediately. Configure sources, integrations, and thresholds from the web dashboard at port 7064.

docker-compose.yml
services: sikkerguard: image: sikkerapi/guard:latest network_mode: host cap_add: - NET_ADMIN - SYSLOG devices: - /dev/kmsg:/dev/kmsg volumes: - ./data:/var/lib/sikkerguard - /var/run/docker.sock:/var/run/docker.sock restart: unless-stopped

Need a SikkerAPI key? Free plan includes 1,000 daily lookups. No credit card required.

Full install guide →
05

Frequently asked questions

What intelligence sources does SikkerGuard use?

SikkerGuard is powered by SikkerAPI — threat intelligence from honeypot sensors and contributor reports. You can optionally extend coverage by connecting your own AbuseIPDB API key, enabling blocklist.de feeds, or adding a custom IP/CIDR blacklist. All sources are merged and deduplicated before applying to iptables.

What makes honeypot data different from community reports?

Honeypot sensors run fake services with no legitimate users. Every IP that connects is definitively suspicious. Community reports (like AbuseIPDB) rely on manual reporting and can include false positives. SikkerAPI combines honeypot sensor data with contributor reports for its core intelligence. You can layer on AbuseIPDB as a supplementary feed with configurable confidence thresholds.

Can I integrate AbuseIPDB with my firewall automatically?

Yes. Add your own AbuseIPDB API key in the SikkerGuard dashboard, set a minimum confidence score, and IPs are pulled and merged into your iptables blocklist automatically. No bash scripts, no cron jobs. blocklist.de works the same way but doesn't require an API key — just enable the feeds you want from the Sources page.

How does the closed feedback loop work?

When SikkerGuard blocks a connection, it optionally reports the IP, protocol, and packet count back to SikkerAPI. This updates threat confidence scores and timing, improving the intelligence for all users. You can disable contributor reporting from settings.

Is SikkerGuard compatible with Fail2Ban and CrowdSec?

Yes. SikkerGuard uses its own ipset chains and doesn't conflict with other firewall tools. It complements Fail2Ban (proactive pre-blocking vs reactive log parsing) and can run alongside CrowdSec, UFW, firewalld, or CSF.

Start blocking known threats today. Deploy SikkerGuard and let real threat intelligence protect your server.

Install now →