Today, we’re excited to announce the launch of SSHwatch’s Threat Intelligence API Platform. This new offering provides developers and security professionals with programmatic access to our extensive database of SSH threat intelligence, enabling seamless integration with security tools, firewalls, and monitoring systems.
Harnessing Collective Security Intelligence
At SSHwatch, we’ve been collecting and analyzing SSH attack patterns from thousands of servers worldwide. Our threat intelligence platform aggregates anonymized data from participating users to create a comprehensive picture of the threat landscape. Now, we’re making this valuable data accessible through two powerful API endpoints designed to enhance your security posture.
Two Powerful API Endpoints
IP Threat Rating Lookup API
Our IP Threat Rating Lookup API allows you to query detailed information about specific IP addresses in our threat database. By making a simple request to /ip/{ip_address}, you’ll receive:
- A threat score indicating the level of malicious activity
- The number of submissions across our user base
- The last time this IP was observed attempting malicious activity
- All conveniently formatted in JSON for easy parsing
This endpoint is perfect for integrating with your existing security workflows. Whether you’re validating suspicious connections, enhancing your SIEM rules, or building custom security dashboards, this API provides real-time threat validation at your fingertips.
Example request:
https://api.sshwatch.com/ip/192.0.2.1
Example response:
{
  "status": "success",
  "found": true,
  "data": {
    "ip_address": "192.0.2.1",
    "avg_score": 22.5,
    "submission_count": 42,
    "last_updated": "2025-03-15 14:30:45"
  }
}
IP Threat Feed API
Our Threat Feed API provides access to our complete list of known malicious IPs in a simple, firewall-friendly format. With a single request to /feed, you’ll receive a plaintext list of all threat IPs in our database, perfect for:
- Bulk importing into firewalls and security appliances
- Enhancing network security policies
- Building custom blocklists
The feed includes helpful comments detailing the last update time and purpose of the list, while maintaining compatibility with virtually all security tools. This enables you to leverage SSHwatch’s collective threat intelligence to strengthen your perimeter defenses with minimal integration effort.
Example request:
https://api.sshwatch.com/feed
Example response:
# SSHwatch.com Threat IP Feed
# This list contains known malicious IP addresses detected by SSHwatch
# Last Updated: 2025-03-18 14:30:45
# For more information visit: https://sshwatch.com
#
192.0.2.1
198.51.100.2
203.0.113.3
...
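An added example, not SSHwatch's own code: a Python parser for the feed layout shown above that validates each line before it reaches a firewall rule, refuses CIDR or malformed entries, skips addresses in ranges you must never block, and fails closed when the feed is undated or stale. The function name, the protected ranges, the one-day max_age and the sample lines are assumptions made for the illustration.

```python
import ipaddress
from datetime import datetime, timedelta

# Constructed sample in the feed layout shown above, with bad lines added.
SAMPLE_FEED = """\
# SSHwatch.com Threat IP Feed
# Last Updated: 2025-03-18 14:30:45
#
192.0.2.1
198.51.100.2
198.51.100.2
10.0.0.5
203.0.113.3
not-an-ip
0.0.0.0/0
"""

# Ranges that must never reach a deny rule; extend with your own admin hosts.
ALWAYS_PROTECTED = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8"]

def parse_feed(text, never_block=(), now=None, max_age=timedelta(days=1)):
    """Return (blocklist, rejected); raise ValueError on a stale or undated feed."""
    protected = [ipaddress.ip_network(n) for n in [*ALWAYS_PROTECTED, *never_block]]
    updated, blocklist, rejected, seen = None, [], [], set()
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("#"):
            if line.lower().startswith("# last updated:"):
                stamp = line.split(":", 1)[1].strip()
                updated = datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S")
            continue
        if not line:
            continue
        try:
            ip = ipaddress.ip_address(line)  # one host per line; CIDR is refused
        except ValueError:
            rejected.append((line, "not a single IP address"))
            continue
        if any(ip in net for net in protected):
            rejected.append((line, "protected range"))
        elif ip not in seen:  # duplicates are dropped silently
            seen.add(ip)
            blocklist.append(str(ip))
    # Assumption: the timestamp is in the same timezone as `now` (naive compare).
    now = now or datetime.now()
    if updated is None or now - updated > max_age:
        raise ValueError("feed is undated or older than max_age; keep the previous list")
    return blocklist, rejected
```

Pass your bastion or monitoring addresses in never_block so that a mistaken or poisoned feed entry cannot lock you out of your own hosts.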
Getting Started
Both API endpoints are available now to all SSHwatch users. We’ve implemented reasonable rate limits to ensure service availability while providing sufficient capacity for your security needs:
- IP Threat Rating Lookup: 60 requests per minute
- IP Threat Feed: 10 requests per minute
The feed data is automatically maintained, with IPs older than 30 days being removed to ensure you’re always working with current threat intelligence.
Use Cases
Our new APIs open up numerous possibilities for enhancing your security posture:
1. Real-time Connection Validation: Query the IP lookup API when receiving SSH connection attempts to make informed allow/deny decisions.
2. Firewall Rule Enhancement: Integrate the threat feed into your firewall to automatically block known malicious IPs.
3. Security Automation: Build workflows that check suspicious IPs against our database and trigger appropriate responses.
4. Threat Hunting: Aggregate data from your logs and our threat intelligence to identify patterns and potential breaches.
Join Our Security Community
Security is stronger when we work together. By using SSHwatch’s Threat Intelligence APIs, you’re not just protecting your own systems – you’re joining a community of security-conscious professionals who understand the power of shared intelligence.
We invite you to explore these new APIs and incorporate them into your security practices today. Documentation is available in your SSHwatch dashboard, and our support team is ready to assist with any questions you might have about implementation.
Ready to get started? Log in to your SSHwatch account now and check out the API documentation under the “Developers” section. If you’re not yet a member, there’s never been a better time to join and strengthen your SSH security posture.
Stay secure!
The SSHwatch Team