sikkerapi@prod ~$
Why SikkerAPI|
Sikker-CLISikkerGuard
Honeypot DatabaseEmail LookupUsername LookupDetection CatalogSubnet CalculatorEncoder / Decoder
Prices
|
Fail2BanCSF FirewallNginxiptables / ipset
|
Blog
OverviewIP CheckBlacklistReportBulk ReportTAXII FeedSikker-CLIConfidence Score Algorithm
Top CountriesTop ASNsTop ProtocolsTop IPsSMTP Database
CIDR Range AlertsIP AlertsUsername AlertsEmail AlertsBlacklist Web-UIInstall SikkerGuard
|login|signup
Loading
SikkerAPI

Open source threat intelligence from a global honeypot sensor network. Real attacker behavior, not purchased feeds.

Product
PricingDocumentationReport an IPThreat MapSystem Status
Resources
BlogFAQAboutContactComparisons
Tools
Sikker-CLISikkerGuardDetection CatalogSession DatabaseTAXII Feed
Browse
Top CountriesTop ASNsTop ProtocolsTop IPsSMTP Wall of Fame
© 2026 SikkerAPI
TermsPrivacyRemove Me
Home  /  Docs  /  SikkerGuard  /  Install

Install SikkerGuard

5 minute setup·Free tier available·What is SikkerGuard?

Prerequisites

  • ✓ Linux server (Ubuntu, Debian, RHEL, etc.)
  • ✓ Docker & Docker Compose installed
  • ✓ Root or sudo access (needed for NET_ADMIN)
  • ✓ SikkerAPI account — sign up free
Step 1

Get your API key

Sign up and copy your API key from the dashboard. Keys start with sk_. The free plan includes blocklist access.

Terminal
$ mkdir sikkerguard && cd sikkerguard
Step 2

Create docker-compose.yml

SikkerGuard runs as a single Docker container. It needs network_mode: host to manage your server's iptables directly, and NET_ADMIN + SYSLOG capabilities to create firewall rules and read kernel logs. The Docker socket mount enables one-click updates from the dashboard.

docker-compose.yml
services:
  sikkerguard:
    image: sikkerapi/guard:latest
    network_mode: host
    cap_add:
      - NET_ADMIN
      - SYSLOG
    devices:
      - /dev/kmsg:/dev/kmsg
    volumes:
      - ./data:/var/lib/sikkerguard
      - /var/run/docker.sock:/var/run/docker.sock
    restart: unless-stopped

That's the only file you need. Your API key and all configuration are entered through the web dashboard — no config files to manage.

Step 3

Start the container

Pull the image and start SikkerGuard in the background. The dashboard will be available at http://your-server:7064.

Terminal
$ sudo docker compose up -d
[+] Running 1/1
 ✔ Container sikkerguard  Started                              0.8s

$ sudo docker compose logs -f sikkerguard
sikkerguard  | SikkerGuard v1.0.0
sikkerguard  | Dashboard: http://0.0.0.0:7064
sikkerguard  | Setup required — open dashboard to configure
Step 4

Complete setup in the dashboard

Open http://your-server:7064 in your browser. The setup page asks for a dashboard admin account and your SikkerAPI key. The key is validated against SikkerAPI in real time.

your-server:7064/setup
SikkerGuard
Setup Requiredv1.1.0
⚠SikkerGuard is not yet configured. Create your dashboard account and provide your SikkerAPI key to start protecting your server.
Initial Setup
This only needs to be done once.
Dashboard Account
Username *
admin
Password *
••••••••••••
Confirm *
••••••••••••
SikkerAPI Connection
API Key *
sk_free_a1b2c3d4e5f6...
Get a free key at sikkerapi.com
You can change these settings later from the dashboard.
Complete Setup
Step 5

Enable the guard

After setup, you'll land on the dashboard. Click the toggle to enable SikkerGuard. It will immediately pull the threat blocklist from SikkerAPI and apply it to your iptables firewall. Blocked connections appear in the live firewall log.

SikkerGuard
DashboardSourcesSettings
v1.1.0
Active·48,219 IPs in firewall·42,891 unique·1,847 pkts blocked·top ssh·pull just now
View✓ By Protocol✓ By SourceBlocks (24h)
By Protocol4 protocols
SSH
28,40159%
HTTP
12,05025%
SMTP
4,89010%
FTP
2,8786%
By Source42,891 unique
SikkerAPI
38,219
AbuseIPDB
8,421
blocklist
4,120
Overlap
-2,331
Firewall Log
live 8s
TimeIP AddressActionProtoPktsSource
14:23:07185.220.101.34BLOCKEDssh5
SikkerAPI
14:23:0380.94.92.168BLOCKEDssh3
AbuseIPDB
14:22:5045.148.10.240BLOCKEDhttp1
SikkerAPI
14:22:4893.174.95.106BLOCKEDssh12
blocklist
Configure

Threat sources

The Sources page lets you manage where SikkerGuard gets its threat data. SikkerAPI is built-in. You can optionally add your own AbuseIPDB API key, enable blocklist.de feeds, or maintain a custom blacklist.

Adding AbuseIPDB

Bring your own AbuseIPDB API key. Set a minimum confidence threshold and limit. Click Save & Fetch to pull IPs immediately.

SikkerGuard
DashboardSourcesSettings
v1.1.0
SK
SikkerAPI38,219 IPs
AB
AbuseIPDB8,421 IPs
BL
blocklist.deNot enabled
+
Custom0 entries
AB
AbuseIPDB
Community-driven IP abuse database
Active
8,421
Blocked IPs
2m ago
Last Fetch
API Key
your_abuseipdb_api_key_here
Free tier available at abuseipdb.com
Min Confidence
90
25–100. Higher = fewer, more confident IPs.
Limit
10000
100–500,000 IPs per pull.
DisableSave & Fetch

Enabling blocklist.de

Select which attack feeds to subscribe to. No API key needed. Each feed covers the last 48 hours of reports from thousands of servers.

SikkerGuard
DashboardSourcesSettings
v1.1.0
SK
SikkerAPI38,219 IPs
AB
AbuseIPDB8,421 IPs
BL
blocklist.deNot enabled
+
Custom0 entries
BL
blocklist.de
Protocol-specific attack feeds (last 48h)
Feeds
Select feeds relevant to your server.
SSH Brute Forcessh
Apache / HTTP Attacksapache
Mail Abusemail
FTP Attacksftp
SIP / VoIPsip
Strong IPs (persistent)strongips
Save & Fetch

Custom blacklist

Add individual IPs, paste a list, or upload a file. Entries are merged with all other sources and deduplicated.

SikkerGuard
DashboardSourcesSettings
v1.1.0
SK
SikkerAPI38,219 IPs
AB
AbuseIPDB8,421 IPs
BL
blocklist.de4,120 IPs
+
Custom3 entries
+
Custom Blacklist
Manually managed IPs and CIDR ranges
3
Total Entries
Add IndividualPaste ListUpload File
IP address or CIDR range (e.g. 45.148.10.0/24)
Add
45.148.10.12×
198.51.100.0/24×
203.0.113.50×
Configure

Settings

The Settings page lets you tune SikkerGuard's behavior. All settings have sensible defaults — you only need to change what matters for your setup.

Threat scoring

Control how aggressive the blocking is. A higher score means fewer blocks but higher confidence. Default is 50.

SikkerGuard
DashboardSourcesSettings
v1.1.0
Account
API Key
Threat Scoring
Scheduling
Whitelist
Port Monitoring
Danger Zone
Threat Scoring
Control the threshold for automatic IP blocking.
Minimum Score to Block
50
IPs at or above this score are blocked. Lower = more aggressive.
Save

Scheduling

Control how often SikkerGuard refreshes the blocklist and how often it reports blocked connections back to SikkerAPI. Contributor reporting is optional.

SikkerGuard
DashboardSourcesSettings
v1.1.0
Account
API Key
Threat Scoring
Scheduling
Whitelist
Port Monitoring
Danger Zone
Scheduling
Threat data pull and report intervals.
Pull Interval
24h ▾
0m ▾
How often SikkerGuard pulls fresh threat data. Minimum 1 hour.
Report Interval
0h ▾
30m ▾
How often firewall reports are sent to SikkerAPI. Minimum 1 minute.
Threat Reporting
Send blocked-IP reports back to SikkerAPI
Save

Whitelist

Add IPs or CIDR ranges that should never be blocked. SikkerGuard also auto-detects and protects your SSH session, gateway, DNS servers, and all RFC1918 private ranges.

SikkerGuard
DashboardSourcesSettings
v1.1.0
Account
API Key
Threat Scoring
Scheduling
Whitelist
Port Monitoring
Danger Zone
IP Whitelist
Your custom IPs that are never blocked.
203.0.113.10 ×198.51.100.0/24 ×
Add IP or CIDR...
Add
Save
Effective Whitelist
All IPs and ranges SikkerGuard is currently protecting — includes auto-detected gateway, DNS, host IPs, and reserved ranges.
Protected Ranges
10.0.0.0/8172.16.0.0/12192.168.0.0/16127.0.0.0/8
Protected IPs
192.168.1.18.8.8.81.1.1.1
Verify

Confirm it's working

Check that SikkerGuard is running and has loaded the blocklist.

Terminal
# Check container status
$ sudo docker compose ps
NAME           STATUS         PORTS
sikkerguard    Up 2 minutes   

# Verify ipset is loaded
$ sudo ipset list sikkerguard -t
Name: sikkerguard
Type: hash:ip
Number of entries: 48219

# Check iptables rule
$ sudo iptables -L INPUT -n | grep sikkerguard
DROP  all  --  0.0.0.0/0  0.0.0.0/0  match-set sikkerguard src

# Health check
$ curl -s http://localhost:8080/healthz
OK
FAQ

Frequently asked questions

What capabilities does SikkerGuard need and why?

NET_ADMIN allows SikkerGuard to create and manage iptables rules and ipset entries. SYSLOG allows reading kernel firewall logs from /dev/kmsg to track blocked connections in real time. network_mode: host is required so the container operates on the host's network stack.

Can I run SikkerGuard alongside Fail2Ban or UFW?

Yes. SikkerGuard uses its own ipset chain and doesn't touch other firewall rules. It complements Fail2Ban (proactive pre-blocking vs reactive log parsing) and works alongside UFW, firewalld, CSF, or CrowdSec.

What if SikkerGuard blocks a legitimate IP?

SikkerGuard auto-whitelists your current SSH session IP, your gateway, DNS servers, and all RFC1918 private ranges. A connectivity test runs after every firewall update — if outbound internet breaks, the change is rolled back automatically. You can add additional IPs to the whitelist from settings.

How do I add AbuseIPDB or blocklist.de?

Go to the Sources page in the dashboard. For AbuseIPDB, enter your own API key and set a confidence threshold. For blocklist.de, select which feed categories to enable (no key needed). Both are opt-in integrations you configure yourself.

What happens when the container stops?

SikkerGuard removes all its iptables rules and ipset entries on shutdown. Your firewall returns to its pre-SikkerGuard state. When it restarts, rules are re-applied from the last pulled blocklist. Data persists in the ./data directory next to your compose file.

How do I update SikkerGuard?

Pull the latest image and recreate: docker compose pull && docker compose up -d. Your configuration, accounts, and data persist in the volume.

Need help? Check the full documentation, view plans, or reach out on GitHub.

SikkerGuard docs →