SikkerGuard is a Docker container that pulls known malicious IPs from the SikkerAPI blacklist and blocks them at the kernel level using iptables and ipset. It runs alongside your existing services, requires zero configuration beyond an API key, and cleans up after itself on shutdown.
Think of it as a managed firewall blocklist that updates itself. If you currently maintain blocklists with Fail2Ban, CSF, or manual iptables rules, SikkerGuard replaces the manual work with automated threat intelligence.
```
SikkerGuard v1.0.0
Firewall protection powered by SikkerAPI threat intelligence
18:05:21 INFO Score threshold: 50 | Pull every 24h | Reports every 30m
18:05:21 INFO Safety whitelist: 8 IPs + 8 CIDR ranges
18:05:21 INFO Firewall ready
18:05:21 INFO Blocking 8774 IPs
18:05:21 INFO Monitoring blocked connections
18:05:21 INFO SikkerGuard running
18:05:31 INFO BLOCKED 185.16.39.79:23 (telnet) proto=TCP x47
18:05:31 INFO BLOCKED 18.218.118.203:1433 (mssql) proto=TCP x14
18:05:41 INFO BLOCKED 94.26.88.32:22 (ssh) proto=TCP x6
```

You need a free SikkerAPI key and a Linux server with Docker. Setup takes under 60 seconds.
Create a free account and generate an API key from the dashboard. Free keys include full blacklist access with up to 5,000 IPs per pull. See pricing for higher limits.

Store your API key in a .env file. Add it to your .gitignore to keep credentials out of version control.

```
SIKKER_API_KEY=sk_free_your_key_here
```

SikkerGuard needs NET_ADMIN to manage firewall rules and SYSLOG to read the kernel log for real-time block monitoring. network_mode: host gives it access to the host's network stack.

```yaml
services:
  sikkerguard:
    image: sikkerapi/guard:latest
    network_mode: host
    cap_add:
      - NET_ADMIN
      - SYSLOG
    devices:
      - /dev/kmsg:/dev/kmsg
    env_file:
      - .env
    volumes:
      - sikkerguard-data:/var/lib/sikkerguard
    restart: unless-stopped

volumes:
  sikkerguard-data:
```

```
$ docker compose up -d && docker compose logs -f
```

That's it. SikkerGuard will pull the blacklist, apply firewall rules, and start logging blocked connections. Monitor progress with docker compose logs -f.

All configuration is via environment variables. Add them to your .env file or directly in your docker-compose.yml. The only required setting is your API key.
| Variable | Default | Description |
|---|---|---|
| SIKKER_API_KEY | (required) | Your SikkerAPI key |
| SIKKER_SCORE_MIN | 50 | Minimum confidence score to block (1–100) |
| SIKKER_PULL_INTERVAL | 1440 | Minutes between blacklist refreshes (60–1440) |
| SIKKER_REPORT_ENABLED | true | Report blocked IPs back to SikkerAPI via bulk report |
| SIKKER_REPORT_INTERVAL | 30 | Minutes between report batches (1–1440) |
| SIKKER_WHITELIST | (empty) | Comma-separated IPs or CIDRs to never block |
| SIKKER_PORT_MAP | (see below) | Custom port-to-protocol mappings |
| SIKKER_DRY_RUN | false | Log what would be blocked without touching the firewall |
| SIKKER_HEALTH_PORT | 8080 | Health check endpoint port (localhost only) |
SikkerGuard maps destination ports to protocol names for logging and reporting. Defaults cover all common services (SSH, HTTP, MySQL, PostgreSQL, Redis, SMTP, and more). Add custom mappings with SIKKER_PORT_MAP — your entries are merged with the defaults.
```
ssh=22,2222,22222
telnet=23,2323
ftp=21,2121
http=80,8080
https=443,8443
smtp=25,587,465
imap=143,993
mysql=3306,33060
postgres=5432,5433
mssql=1433,14330
redis=6379,6380
mongodb=27017,27018
smb=445,139
docker=2375,2376
elasticsearch=9200,9201
rtsp=554,8554
sip=5060
```

```
# Your entries merge with defaults
SIKKER_PORT_MAP=ssh=2222,22222;minecraft=25565;custom_app=9999
```

```
# Only block high-confidence threats
SIKKER_SCORE_MIN=80

# Refresh blacklist every hour
SIKKER_PULL_INTERVAL=60

# Never block your office IP
SIKKER_WHITELIST=203.0.113.10,198.51.100.0/24
```
SikkerGuard is designed to be safe to run on production servers. Every rule update goes through multiple safety checks before touching your firewall.
On startup, SikkerGuard detects your gateway, DNS servers, host IPs, and LAN subnets. These are permanently whitelisted and can never be blocked, even if they appear on the blacklist. The SikkerAPI endpoint is also whitelisted to ensure the container can always pull updates.
Empty blacklists are rejected (indicates an API error, not “no threats”). Sudden list growth beyond 2x the previous size is also rejected. RFC1918 addresses are stripped from the blacklist automatically.
After every rule update, SikkerGuard verifies it can still reach the gateway, resolve DNS, and contact the API. If any test fails, the firewall rules are rolled back immediately.
Blacklist changes use ipset's atomic swap operation. There is no window where rules are partially applied. The old blocklist stays active until the new one is fully loaded and validated.
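The validation rules and the atomic swap described above can be sketched as follows. This is an added example, not SikkerGuard's own code: the temporary set name, both function names, applying the 2x check to the raw pulled list, and skipping it on the first pull are assumptions.

```python
import ipaddress

# Assumed names: TMP and both helper functions are illustrative, not SikkerGuard internals.
LIVE, TMP = "sikkerguard-blocklist", "sikkerguard-blocklist-tmp"
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def validate_blacklist(pulled, previous_size, whitelist):
    """Return the IPv4 addresses that are safe to load, or raise ValueError."""
    if not pulled:
        raise ValueError("empty blacklist: treated as an API error, old set stays")
    if previous_size and len(pulled) > 2 * previous_size:
        raise ValueError("blacklist more than doubled: rejected, old set stays")
    protected = RFC1918 + [ipaddress.ip_network(w.strip(), strict=False) for w in whitelist]
    kept = {}  # dict keeps insertion order and drops duplicates
    for raw in pulled:
        ip = ipaddress.ip_address(raw.strip())
        if ip.version != 4:
            continue  # the live set shown on this page is "family inet" (IPv4 only)
        if any(ip in net for net in protected):
            continue  # never block private or whitelisted addresses
        kept[str(ip)] = None
    return list(kept)


def build_swap_script(ips):
    """Text for `ipset restore`: fill a temporary set, then swap it in atomically."""
    lines = [
        f"create {TMP} hash:ip family inet hashsize 16384 maxelem 500000 -exist",
        f"flush {TMP}",
    ]
    lines += [f"add {TMP} {ip}" for ip in ips]
    # The live set is untouched until this single swap; afterwards TMP holds the old list.
    lines += [f"swap {TMP} {LIVE}", f"destroy {TMP}"]
    return "\n".join(lines) + "\n"


# Constructed sample pull: documentation-range addresses plus one RFC1918 entry.
SAMPLE = ["203.0.113.10", "198.51.100.7", "192.168.1.5", "203.0.113.77", "192.0.2.44"]
WHITELIST = ["203.0.113.10", "198.51.100.0/24"]  # the SIKKER_WHITELIST example above

if __name__ == "__main__":
    safe = validate_blacklist(SAMPLE, previous_size=4, whitelist=WHITELIST)
    print(build_swap_script(safe), end="")
```

Because the iptables rule matches on the set name, the `swap` line is the only moment the kernel's view of the blocklist changes.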
On docker compose down or SIGTERM, all iptables rules and ipset sets are removed. Your firewall goes back to exactly how it was before SikkerGuard started.
```
# In your .env file
SIKKER_DRY_RUN=true
```

- Default gateway (ip route)
- DNS servers (/etc/resolv.conf)
- Host IP addresses (ip addr)
- LAN subnets (10.0.0.0/8, etc.)
- Loopback (127.0.0.0/8, ::1)
- SikkerAPI endpoint (api.sikkerapi.com)
- User whitelist (SIKKER_WHITELIST)

```
18:05:21 INFO Safety whitelist: 8 IPs + 8 CIDR ranges
(gateway, DNS, LAN, API protected)
```

SikkerGuard exposes a health endpoint for monitoring and container orchestration. The server binds to 127.0.0.1 by default, so it is only accessible from the host itself.
| Endpoint | Description |
|---|---|
| /healthz | Returns 200 if running and rules applied, 503 otherwise |
| /status | JSON with current state, blocked IP count, and timing info |
The health check integrates with Docker's built-in HEALTHCHECK directive. Container orchestrators like Docker Compose, Kubernetes, and Portainer will automatically detect when SikkerGuard is healthy.
Blocked connection data is also reported back to your SikkerAPI dashboard, where you can see which IPs were blocked, how often, and on which protocols.
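A monitoring check built on the /status fields this page documents, added here as an example and not part of SikkerGuard. The function names, the 15-minute grace period, and treating any status other than "active" as unhealthy are assumptions.

```python
import json
import urllib.request
from datetime import datetime, timedelta, timezone


def fetch_status(port=8080):
    """Read /status from the localhost-only health endpoint."""
    with urllib.request.urlopen(f"http://127.0.0.1:{port}/status", timeout=5) as resp:
        return resp.read().decode()


def check_status(status_json, now, pull_interval_min=1440, expect_dry_run=False, grace_min=15):
    """Return a list of problems found in a /status document (empty list = healthy)."""
    s = json.loads(status_json)
    problems = []
    if s.get("status") != "active":
        problems.append(f"status is {s.get('status')!r}, expected 'active'")
    # A dry run left enabled by mistake logs matches but leaves the firewall untouched.
    if s.get("dryRun", False) != expect_dry_run:
        problems.append("dryRun differs from the intended setting")
    if not s.get("blockedIps"):
        problems.append("no IPs are currently blocked")
    last_pull = datetime.fromisoformat(s["lastPull"].replace("Z", "+00:00"))
    if now - last_pull > timedelta(minutes=pull_interval_min + grace_min):
        problems.append("blacklist is stale: lastPull is older than the pull interval")
    return problems


# Constructed input: the sample /status response from this page, on one line.
SAMPLE = ('{"status": "active", "blockedIps": 8774, "lastPull": "2026-02-24T10:30:00Z", '
          '"lastReport": "2026-02-24T10:15:00Z", "dryRun": false, "uptime": "2h 15m"}')
NOW = datetime(2026, 2, 24, 12, 45, tzinfo=timezone.utc)  # constructed clock value

if __name__ == "__main__":
    print(check_status(SAMPLE, NOW) or "healthy")
```

On a live host, pass `fetch_status()` and `datetime.now(timezone.utc)` instead of the constructed values, with `pull_interval_min` set to your SIKKER_PULL_INTERVAL.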
```
$ curl localhost:8080/healthz
OK
```

```
$ curl localhost:8080/status
{
  "status": "active",
  "blockedIps": 8774,
  "lastPull": "2026-02-24T10:30:00Z",
  "lastReport": "2026-02-24T10:15:00Z",
  "dryRun": false,
  "uptime": "2h 15m"
}
```

SikkerGuard is ideal when you want automatic, maintenance-free IP blocking powered by real-time threat intelligence. It complements existing tools:
Free to use — SikkerGuard works with the free SikkerAPI plan. No credit card required.
```
$ docker exec sikkerguard iptables -L INPUT -n
Chain INPUT (policy ACCEPT)
DROP       all  --  0.0.0.0/0            0.0.0.0/0            match-set sikkerguard-blocklist src
```

```
$ docker exec sikkerguard ipset list sikkerguard-blocklist \
    | head -5
Name: sikkerguard-blocklist
Type: hash:ip
Header: family inet hashsize 16384 maxelem 500000
Size in memory: 459712
References: 2
```

```
$ docker compose down
# All iptables rules and ipset sets are removed.
# Your firewall is back to stock.
```