The name and URL used in notifications, QR codes, and the mobile app setup screen.

Register remote GuardDex nodes. The mothership pings their /health endpoints every 5 minutes and sends an alert if a node goes offline. Format: name|http://ip:8088, one per line or comma-separated.

Free self-hosted or public ntfy.sh server. Family members subscribe to their topic in the ntfy Android/iOS app.

For Gmail: use smtp.gmail.com, port 587, TLS on, and an App Password (not your Google password).

SMS is managed centrally — no Twilio account needed on this node. Critical alerts are routed through the GuardDex notification relay at relay.richeyda.com.

These are your personal limits. The system defaults are set via NOTIF_DAILY_CAP_* in .env and apply to new users. Changes here take effect immediately — no restart needed.

Used as primary AI on battleship deployments (no local GPU) and as fallback when Ollama is unavailable. Get a key at console.anthropic.com.

Run AI locally via Ollama on port 11434. Enable only if Ollama is installed and models are pulled.
Primary model: nous-hermes2:10.7b — requires ~8GB RAM.

Lets the DNS Scanner read query logs and add domains to your block list. Required for DNS Scanner to function with NextDNS. Get your key and Profile ID at my.nextdns.io → Settings → API.

Reads Pi-hole v6 query logs for the DNS Scanner. GuardDex uses the Pi-hole API to pull recent DNS queries and enrich them with threat intelligence. Set the URL to your Pi-hole web interface and paste the App Password from Pi-hole Settings → API / App Passwords.

Reads Technitium DNS Server query logs for the DNS Scanner. GuardDex uses the Technitium API with a token to fetch recent DNS events. Get your API token from Technitium web UI → Administration → Sessions → Create Token.

Adds country, city, ASN, and proxy/VPN detection to IP reputation enrichment. Once wired in, every flagged IP will show where it's coming from and whether it's routing through a known anonymizer. Free GeoLite2 database available — register at maxmind.com to get your Account ID and License Key.

The gold standard for email breach lookups. Checks against 12+ billion compromised accounts across 700+ data breaches. Used by the Breach Monitor for email checks. Get a key at haveibeenpwned.com/API/Key — $3.50/month, unlimited queries.

Secondary breach database covering leaks not always in HIBP. Checks email and phone numbers. Free tier available. Get a key at leakcheck.io.

Third breach source — aggregates data from different leak communities than HIBP or LeakCheck. Covers email and phone. Get a key at leak-lookup.com.

Internet-wide port scanner and device index. Used by the Breach Monitor to report open ports, CVEs, and organisation info for IP lookups. Also enriches DNS scanner verdicts for suspicious IPs. Free tier: 1 query/sec. Get a key at account.shodan.io.

Dual-purpose: (1) verifies email deliverability before breach checks — catches typos and disposable addresses; (2) looks up email infrastructure for domains in the DNS Scanner — legitimate businesses with real email records get a reduced threat score (legitimacy signal). Get a key at hunter.io/api-keys.

Two complementary free feeds from the abuse.ch security project. URLhaus tracks active malware distribution URLs (live host count, online/offline status). ThreatFox is a community IOC database covering C2 servers, malware droppers, and phishing infrastructure. Both run on every DNS scanner batch. Register at abuse.ch.

Google's real-time phishing and malware URL blocklist — updated every 30 minutes, covers billions of URLs. Strong signal with very low false-positive rate. Runs at Tier 1 in the DNS scanner, so a Safe Browsing hit alone is enough to flag a domain. Enable at Google Cloud Console → Safe Browsing API → Create Key. Free up to 10k req/day.

Community-curated phishing URL database — human-verified submissions from security researchers worldwide. Complements Safe Browsing for phishing detection. Key is optional (anonymous requests are more rate-limited). Register at phishtank.com.

Distinguishes mass internet scanners from targeted attacks. A GreyNoise "malicious" hit means the IP is actively attacking networks right now. A "benign" RIOT hit (known CDN or cloud infra) reduces the threat score and protects against false positives. Community tier at viz.greynoise.io — free, 100 req/day.

Community IP reputation database — security teams worldwide report abusive IPs. Confidence score 0–100 based on recent reports. Used to flag IPs associated with spam, port scanning, brute force, and C2. Get a key at abuseipdb.com. Free tier: 1,000 checks/day.

Open Threat Exchange — community-submitted threat intelligence pulses covering IPs, domains, and file hashes. Over 100k contributors. Provides pulse count and malware family context. Note: OTX is research-heavy with higher false-positive rate than Spamhaus or Safe Browsing — GuardDex uses it as a soft signal only, capped at 26% weight. Free at otx.alienvault.com → API Keys.

Norwegian CERT passive DNS database — tracks historical IP resolutions for domains. GuardDex uses it to detect fast-flux infrastructure (domains that cycle through many IPs rapidly — a strong C2 indicator). Free community access with a key. Register at mnemonic.io/resources/community-apis.

Scans URLs and domains through 70+ antivirus engines simultaneously. GuardDex runs VT only at Tier 3 — meaning only domains still flagged after both Haiku passes and Tier 1+2 intel are checked, preserving your 500/day quota. A VT clean result also counter-balances noisy OTX data to prevent false positives. Get a key at virustotal.com.

Sandbox that screenshots URLs and analyzes JavaScript, redirects, and resource loading. GuardDex queries URLScan for historical scan results — if a domain was previously scanned and flagged malicious, that's a strong signal. Free at urlscan.io. 5,000 lookups/day on free tier.

Community threat intelligence with risk scoring (none/low/medium/high/critical) and categorical tags. Good at surfacing domains tied to specific threat campaigns. Free at pulsedive.com. 30 requests/minute on free tier.

Certificate transparency and host scanning data. GuardDex uses Censys to check domain cert history — brand-new domains with no prior SSL certificates or Let's Encrypt-only issuers are a phishing indicator. Needs both an API ID and Secret from search.censys.io/account/api. The ID is a UUID, not a short key.

Fraud and proxy detection — assigns a fraud score 0–100 combining VPN/proxy/TOR detection, bot likelihood, and ISP reputation. GuardDex runs IPQS only at Tier 4, meaning only when Tiers 1–3 already confirmed a threat — so cost stays minimal. Get a key at ipqualityscore.com. Paid per query but very low volume in normal use.

The most trusted anti-spam and malware blocklist in the world. GuardDex uses Spamhaus ZEN (IP reputation), DBL (domain blocklist), and SBL/XBL/DROP for C2 and botnet detection. These are extremely low false-positive rate — a Spamhaus hit is a near-certain threat. DQS (Data Query Service) gives higher rate limits. Register at spamhaus.com. Credentials set in .env directly (key + user).

Recommended defaults: battleship nodes should disable Attack Studio, TestBench, and Sandbox.

Controls how long logged-in sessions last. Default 1440 minutes (24 hours).

GuardDex runs as a systemd service. Restart applies saved .env changes.

Bash session on the GuardDex server. Starts in /opt/Guarddex0. Admin only.