Imagine having a neighborhood watch that not only spots suspicious activity but also shares information with other neighborhoods, creating a massive security network that protects everyone. That’s exactly what CrowdSec does for your servers.
CrowdSec is a modern, collaborative intrusion prevention system (IPS) that detects and blocks malicious behavior. Unlike traditional security tools that work in isolation, CrowdSec shares threat intelligence with a global community, making it smarter and more effective over time.
In 2026, with cyber attacks becoming increasingly sophisticated, CrowdSec offers a powerful, free, and community-driven solution for protecting your servers.
What is CrowdSec?
The Simple Explanation
CrowdSec is like a smart security guard that:
- Watches what’s happening on your server
- Learns what normal behavior looks like
- Detects suspicious activity
- Blocks attackers automatically
- Shares threat information with others
CrowdSec vs Traditional Tools
| Feature | CrowdSec | [Fail2ban](/blog/cybersecurity/fail2ban-guide-2026) | Traditional firewall |
|---|---|---|---|
| Learning | AI-powered | Simple patterns | No learning |
| Collaboration | Yes (global) | No | No |
| False Positives | Low | Medium | Low |
| Complexity | Moderate | Simple | Simple |
| Detection | Behavioral | Pattern-based | Rule-based |
| Community | Global | Limited | None |
How CrowdSec Works
1. CrowdSec collects logs from your system
2. Analyzes behavior using patterns (scenarios)
3. Detects attacks (SSH brute force, web scraping, etc.)
4. Blocks the attacker via firewall
5. Reports attack to CrowdSec community
6. Receives updates about new attacks from others
All working together in real-time!
Installing CrowdSec
Method 1: One-Line Installation (Ubuntu/Debian)
```bash
# Add the CrowdSec package repository with the official install script
curl -s https://install.crowdsec.net | sudo sh
# Install the agent and its Local API
sudo apt install crowdsec -y
# Together these:
# - Add the CrowdSec repository
# - Install CrowdSec
# - Start the service
# - Enable auto-start
```
Method 2: Package Installation
Ubuntu/Debian:
```bash
# Add CrowdSec repository
curl -s https://packagecloud.io/install/repositories/crowdsec/crowdsec/script.deb.sh | sudo bash
# Install CrowdSec
sudo apt install crowdsec -y
# Install firewall bouncer (blocks IPs)
sudo apt install crowdsec-firewall-bouncer-iptables -y
```
CentOS/RHEL/Rocky Linux:
```bash
# Add CrowdSec repository
curl -s https://packagecloud.io/install/repositories/crowdsec/crowdsec/script.rpm.sh | sudo bash
# Install CrowdSec
sudo dnf install crowdsec -y
# Install firewall bouncer
sudo dnf install crowdsec-firewall-bouncer-iptables -y
```
Method 3: Docker Installation
```bash
# Pull the official CrowdSec image
docker pull crowdsecurity/crowdsec:latest
# Run the agent and Local API; host logs are mounted read-only,
# configuration and the decisions database persist on the host
docker run -d \
  --name crowdsec \
  -v /var/log:/var/log:ro \
  -v /etc/crowdsec:/etc/crowdsec \
  -v /var/lib/crowdsec/data:/var/lib/crowdsec/data \
  -p 8080:8080 \
  crowdsecurity/crowdsec:latest
# Create an API key for the bouncer (printed once; put it in the bouncer's configuration)
docker exec crowdsec cscli bouncers add firewall-bouncer
# Run the firewall bouncer on the host network with NET_ADMIN so it can manage the host firewall;
# mount its configuration (api_url, api_key) where the image expects it (see the image documentation)
docker run -d \
  --name crowdsec-firewall-bouncer \
  --cap-add=NET_ADMIN \
  --network=host \
  -v /etc/crowdsec/bouncers:/etc/crowdsec/bouncers \
  crowdsecurity/cs-firewall-bouncer
```
Verify Installation
```bash
# Check CrowdSec service
sudo systemctl status crowdsec
# Check firewall bouncer
sudo systemctl status crowdsec-firewall-bouncer
# Check CrowdSec version
cscli version
# See if it's working
sudo cscli metrics
```
Basic Configuration
Initial Setup
```bash
# View the effective configuration (paths, API addresses)
sudo cscli config show
# Edit main configuration
sudo nano /etc/crowdsec/config.yaml
# Key settings to check:
# - config_paths.data_dir: /var/lib/crowdsec/data/
# - common.log_dir: /var/log/ (the agent log is /var/log/crowdsec.log)
# - api.server.listen_uri: 127.0.0.1:8080 (the Local API; keep it on localhost unless remote agents need it)
# - api.client.credentials_path: /etc/crowdsec/local_api_credentials.yaml
# - api.server.online_client.credentials_path: /etc/crowdsec/online_api_credentials.yaml (Central API)
```
Setting Up Your Profile
```bash
# Register this instance with the Central API (CAPI) so it shares and receives community signals
sudo cscli capi register
sudo systemctl restart crowdsec
# Check registration status
sudo cscli capi status
# Optional: enroll the instance in the CrowdSec console (app.crowdsec.net);
# the enrollment key is shown in your console account
sudo cscli console enroll <enrollment-key>
# Refresh the hub index (collections, scenarios, parsers)
sudo cscli hub update
```
Understanding Collections
Collections are pre-made groups of security rules (called “scenarios”) and “bouncers” (actions).
Viewing Available Collections
```bash
# List installed collections
sudo cscli collections list
# List every collection available in the hub
sudo cscli collections list -a
# Search for specific collections
sudo cscli collections list -a | grep ssh
# Show what a collection bundles (parsers, scenarios, postoverflows)
sudo cscli collections inspect crowdsecurity/sshd
```
Installing Collections
```bash
# Most common: base Linux collection (syslog parsers, enrichment, default whitelists)
sudo cscli collections install crowdsecurity/linux
# SSH protection
sudo cscli collections install crowdsecurity/sshd
# Web server protection
sudo cscli collections install crowdsecurity/nginx
# Apache protection
sudo cscli collections install crowdsecurity/apache2
# WordPress protection
sudo cscli collections install crowdsecurity/wordpress
# Install multiple at once
sudo cscli collections install crowdsecurity/linux crowdsecurity/sshd crowdsecurity/nginx
# Load the newly installed items
sudo systemctl reload crowdsec
```
Updating Collections
```bash
# Refresh the hub index
sudo cscli hub update
# Upgrade all installed collections, parsers and scenarios to the hub versions
sudo cscli hub upgrade
# Force a re-download even when versions already match
sudo cscli hub upgrade --force
# Apply the update
sudo systemctl reload crowdsec
```
Scenarios (Attack Detection Rules)
Scenarios are the brains of CrowdSec—they detect attacks.
Viewing Scenarios
```bash
# List installed scenarios
sudo cscli scenarios list
# List all scenarios available in the hub
sudo cscli scenarios list -a
# Get details about a scenario
sudo cscli scenarios inspect crowdsecurity/ssh-bf
```
Common Scenarios
| Scenario | Detects | Description |
|---|---|---|
| crowdsecurity/ssh-bf | SSH brute force | Multiple failed SSH logins |
| crowdsecurity/ssh-bf_user-enum | SSH user enum | User enumeration attempts |
| crowdsecurity/http-generic-bf | HTTP brute force | Login page attacks |
| crowdsecurity/http-probing | Web scanning | Directory enumeration |
| crowdsecurity/http-cve (collection) | Exploit attempts | One scenario per known web CVE |
| crowdsecurity/http-sensitive-files | Sensitive file access | Requests for backups, configs and similar files |
| crowdsecurity/http-bad-user-agent | Known scanners | Requests from well-known scanner user agents |
Creating Custom Scenarios
```bash
# Create a custom scenario file; local (non-hub) scenarios are plain files in this directory
sudo nano /etc/crowdsec/scenarios/my-scenario.yaml
```
Example: detect too many 404 errors from one source
```yaml
# my-scenario.yaml
type: leaky
name: local/excessive-404
description: "Detect excessive 404 errors from a single source"
filter: |
  evt.Meta.service == 'http' &&
  evt.Meta.http_status == '404' &&
  evt.Meta.source_ip != ''
groupby: evt.Meta.source_ip
capacity: 5          # events the bucket holds before it overflows
leakspeed: 60s       # one event drains out of the bucket every 60 seconds
blackhole: 5m        # ignore the same source for 5 minutes after an overflow
labels:
  service: http
  type: scan
  confidence: 3
  remediation: true  # required for the default profile to turn the alert into a ban
```
```bash
# Reload scenarios and confirm the new one is loaded
sudo systemctl reload crowdsec
sudo cscli scenarios list | grep excessive-404
```
Bouncers (Actions)
Bouncers are what actually block the attackers.
Viewing Bouncers
```bash
# List bouncers registered with the Local API (with their last pull time)
sudo cscli bouncers list
# Register a new bouncer and get its API key (printed only once)
sudo cscli bouncers add my-bouncer
# Revoke a bouncer's key
sudo cscli bouncers delete my-bouncer
```
Installing Bouncers
```bash
# Firewall bouncer (iptables)
sudo apt install crowdsec-firewall-bouncer-iptables
# Firewall bouncer (nftables)
sudo apt install crowdsec-firewall-bouncer-nftables
# Cloudflare bouncer (blocks at the edge for websites behind Cloudflare)
sudo apt install crowdsec-cloudflare-bouncer
# Nginx bouncer (blocks inside the web server)
sudo apt install crowdsec-nginx-bouncer
# Custom bouncer (runs your own script for every new or expired decision)
sudo apt install crowdsec-custom-bouncer
# Packaged bouncers register themselves with the local LAPI on install; anything else
# that pulls decisions over the API needs a key from `cscli bouncers add`
```
Configuring Firewall Bouncer
```bash
# Edit firewall bouncer config
sudo nano /etc/crowdsec/bouncers/crowdsec-firewall-bouncer.yaml
# Key settings:
# - mode: iptables (or nftables)
# - api_url: http://127.0.0.1:8080/
# - api_key: the key created by `cscli bouncers add`
# - update_frequency: 10s (how often decisions are pulled)
# - deny_action: DROP (or REJECT)
# - deny_log: false (true logs every dropped packet)
# - disable_ipv6: false
# Restart bouncer
sudo systemctl restart crowdsec-firewall-bouncer
# Check that it pulls decisions: it should show a recent "last pull"
sudo cscli bouncers list
sudo cscli metrics
```
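What a bouncer does behind that configuration is simple enough to show end to end. The following is an added example of a minimal custom bouncer, not one of the official bouncers: it implements the decisions stream protocol (`GET /v1/decisions/stream?startup=true` with the `X-Api-Key` header, a JSON reply of `new` and `deleted` decisions, later polls returning only the delta), keeps an in-memory blocklist with real range membership, and skips decision types it cannot enforce or that have already expired. The two stream payloads are constructed to match that shape; `fetch_stream()` is the only part that touches the network and the demo never calls it.

```python
"""Minimal custom bouncer for the CrowdSec Local API (added example, not an official bouncer).
Stream payloads below are constructed; only fetch_stream() talks to a real Local API."""
import ipaddress
import json
import re
import urllib.request
from typing import Dict, Iterable

# Go-style durations as the API returns them: "3h59m10.5s", "167h", "-2m" (already expired)
DURATION_RE = re.compile(r"(?:(\d+)h)?(?:(\d+)m)?(?:(\d+(?:\.\d+)?)s)?")


def parse_duration(text: str) -> float:
    """Convert a Local API duration string into seconds (negative means already expired)."""
    negative = text.startswith("-")
    m = DURATION_RE.fullmatch(text.lstrip("-"))
    if m is None or not any(m.groups()):
        raise ValueError(f"unparseable duration: {text!r}")
    hours, minutes, seconds = (float(x) if x else 0.0 for x in m.groups())
    total = hours * 3600 + minutes * 60 + seconds
    return -total if negative else total


class Blocklist:
    """In-memory set of the decisions this bouncer enforces (bans on IPs and ranges)."""

    def __init__(self, supported_types: Iterable[str] = ("ban",)):
        self.supported = set(supported_types)
        self.entries: Dict[str, str] = {}      # value -> scenario that produced it

    def apply_stream(self, stream: dict) -> Dict[str, int]:
        """Apply one payload; deletions first so a re-issued decision for the same value survives."""
        added = removed = skipped = 0
        for d in stream.get("deleted") or []:   # either list may be null or absent
            if self.entries.pop(d["value"], None) is not None:
                removed += 1
        for d in stream.get("new") or []:
            if d.get("type") not in self.supported or d.get("scope") not in ("Ip", "Range"):
                skipped += 1                     # e.g. a captcha decision a firewall cannot enforce
                continue
            if parse_duration(d["duration"]) <= 0:
                skipped += 1                     # expired before we could apply it
                continue
            self.entries[d["value"]] = d.get("scenario", "")
            added += 1
        return {"added": added, "removed": removed, "skipped": skipped}

    def is_blocked(self, ip: str) -> bool:
        """Ranges are honoured with real network membership, not string matching."""
        addr = ipaddress.ip_address(ip)
        for value in self.entries:
            try:
                if addr in ipaddress.ip_network(value, strict=False):
                    return True
            except ValueError:
                continue                         # malformed value from the stream: skip it
        return False


def fetch_stream(api_url: str, api_key: str, startup: bool) -> dict:
    """One poll of the Local API (network call, not used by the offline demo)."""
    url = f"{api_url.rstrip('/')}/v1/decisions/stream?startup={'true' if startup else 'false'}"
    req = urllib.request.Request(url, headers={"X-Api-Key": api_key,
                                               "User-Agent": "example-bouncer/0.1"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


# Constructed payloads in the stream's shape (documentation addresses only)
SAMPLE_STARTUP = {
    "new": [
        {"id": 1, "origin": "crowdsec", "type": "ban", "scope": "Ip", "value": "203.0.113.5",
         "duration": "3h59m10s", "scenario": "crowdsecurity/ssh-bf"},
        {"id": 2, "origin": "CAPI", "type": "ban", "scope": "Range", "value": "198.51.100.0/24",
         "duration": "167h", "scenario": "crowdsecurity/community-blocklist"},
        {"id": 3, "origin": "crowdsec", "type": "captcha", "scope": "Ip", "value": "203.0.113.9",
         "duration": "1h", "scenario": "crowdsecurity/http-probing"},
        {"id": 4, "origin": "cscli", "type": "ban", "scope": "Ip", "value": "203.0.113.7",
         "duration": "-2m", "scenario": "manual"},
    ],
    "deleted": None,
}
SAMPLE_DELTA = {
    "new": [],
    "deleted": [{"id": 1, "origin": "crowdsec", "type": "ban", "scope": "Ip",
                 "value": "203.0.113.5", "duration": "-1s", "scenario": "crowdsecurity/ssh-bf"}],
}


def run_demo() -> Blocklist:
    """A startup pull followed by one delta pull, as a real bouncer loop would do."""
    bl = Blocklist()
    print("startup:", bl.apply_stream(SAMPLE_STARTUP))
    print("delta:  ", bl.apply_stream(SAMPLE_DELTA))
    return bl


if __name__ == "__main__":
    blocklist = run_demo()
    for probe in ("203.0.113.5", "198.51.100.77", "203.0.113.9"):
        print(probe, "blocked" if blocklist.is_blocked(probe) else "allowed")
```

A production bouncer would loop on `fetch_stream()` at the configured `update_frequency`, and the same skip logic is why a firewall bouncer lists the decision types it supports: a `captcha` decision reaching iptables would otherwise silently become a ban or be dropped without trace.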
cscli Command Line Tool
cscli is your main tool for managing CrowdSec.
Basic Commands
```bash
# Check connectivity to the Local API and the Central API
sudo cscli lapi status
sudo cscli capi status
# Show metrics (lines read, events parsed, bucket overflows, decisions served)
sudo cscli metrics
# Show alerts
sudo cscli alerts list
# Show active local decisions (blocked IPs)
sudo cscli decisions list
# Show all decisions, including those pulled from the community blocklist
sudo cscli decisions list -a
# Check the agent log
sudo tail -f /var/log/crowdsec.log
```
Managing Decisions
```bash
# Ban an IP with a reason (default duration is 4h)
sudo cscli decisions add -i 192.168.1.100 -R "Manual block"
# Ban with an explicit duration (-d is the duration, -R the reason)
sudo cscli decisions add -i 192.168.1.100 -d 1h -R "Suspicious activity"
# Ban a whole range
sudo cscli decisions add -r 203.0.113.0/24 -d 24h -R "Scanner range"
# List decisions for a specific IP
sudo cscli decisions list -i 192.168.1.100
# Remove a decision (unblock IP)
sudo cscli decisions delete -i 192.168.1.100
```
Managing Alerts
```bash
# List recent alerts
sudo cscli alerts list --limit 10
# List alerts for a specific IP
sudo cscli alerts list -i 192.168.1.100
# Show alert details, including the events that filled the bucket
sudo cscli alerts inspect <alert-id> -d
# There is no acknowledge step; delete alerts you have dealt with
sudo cscli alerts delete -i 192.168.1.100
```
Machine Management
```bash
# List machines (agents) registered with the Local API
sudo cscli machines list
# Add a machine with an auto-generated name and password, written to local_api_credentials.yaml
sudo cscli machines add --auto
# Add a named machine for a remote agent (copy the printed credentials to that agent)
sudo cscli machines add <machine-name> --password <password>
# Remove a machine
sudo cscli machines delete <machine-name>
```
Monitoring and Logs
Viewing CrowdSec Logs
```bash
# Service start/stop messages
sudo journalctl -u crowdsec -f
# Firewall bouncer service messages
sudo journalctl -u crowdsec-firewall-bouncer -f
# Last 100 journal lines
sudo journalctl -u crowdsec -n 100
# Journal entries from today
sudo journalctl -u crowdsec --since today
# The agent and the Local API write their own log files; parsing and bucket activity shows up here
sudo tail -f /var/log/crowdsec.log
sudo tail -f /var/log/crowdsec_api.log
```
Monitoring Dashboard (Optional)
```bash
# Option A: local Metabase dashboard (runs in Docker; deprecated in recent versions)
sudo cscli dashboard setup
# It listens on http://your-server-ip:3000 and prints the login and password at setup time
# Option B: the hosted CrowdSec console; enroll with the key from your console account
sudo cscli console enroll <enrollment-key>
# Accept the enrollment in the console, then check
sudo cscli console status
```
CrowdSec Metrics
```bash
# Show all metrics
sudo cscli metrics
# Show one section only (recent versions): bouncers, scenarios, acquisition, parsers, lapi ...
sudo cscli metrics show bouncers
sudo cscli metrics show scenarios
# Export metrics (JSON format)
sudo cscli metrics -o json
```
Advanced Features
1. Community Blocklist
CrowdSec shares attack information globally:
```bash
# Sharing goes through the Central API; register once and restart
sudo cscli capi register
sudo systemctl restart crowdsec
# Check the link to the Central API
sudo cscli capi status
# Community-sourced decisions show up with origin CAPI
sudo cscli decisions list -a | grep CAPI
# Signals pushed to the Central API appear in the metrics
sudo cscli metrics | grep -i capi
```
2. Custom Actions
```bash
# Alerts are delivered by notification plugins; configure the email plugin
sudo nano /etc/crowdsec/notifications/email.yaml
```
Example: send an email for every alert
```yaml
# email.yaml
type: email
name: email_default
log_level: info
# Go template rendered over the list of alerts
format: |
  {{range . -}}
  Attack detected from {{.Source.IP}} ({{.Scenario}}) at {{.CreatedAt}}
  {{end -}}
smtp_host: smtp.example.com
smtp_port: 587
smtp_username: crowdsec
smtp_password: <smtp-password>
sender_email: crowdsec@example.com
receiver_emails:
  - admin@domain.com
encryption_type: "starttls"
```
```bash
# Reference the plugin from the profile that bans IPs
sudo nano /etc/crowdsec/profiles.yaml
```
```yaml
name: default_ip_remediation
filters:
  - Alert.Remediation == true && Alert.GetScope() == "Ip"
decisions:
  - type: ban
    duration: 4h
notifications:
  - email_default
on_success: break
```
```bash
# Send a test notification and reload
sudo cscli notifications test email_default
sudo systemctl reload crowdsec
```
3. GeoIP Blocking
```bash
# GeoIP data comes from the crowdsecurity/geoip-enrich parser, installed with crowdsecurity/linux
sudo cscli parsers list | grep geoip
# Enriched events expose evt.Enriched.IsoCode, evt.Enriched.ASNNumber and evt.Enriched.ASNOrg;
# there is no separate GeoIP bouncer, so country-based blocking is expressed in a local scenario
sudo nano /etc/crowdsec/scenarios/geo-block.yaml
```
```yaml
# geo-block.yaml: ban on the first failed SSH login from the listed countries
type: trigger
name: local/geo-block-ssh
description: "Ban failed SSH logins from selected countries"
filter: |
  evt.Meta.log_type == 'ssh_failed-auth' &&
  evt.Enriched.IsoCode in ['CN', 'RU', 'KP']
groupby: evt.Meta.source_ip
blackhole: 1h
labels:
  service: ssh
  type: geo_block
  remediation: true
```
```bash
# Apply GeoIP blocking
sudo systemctl reload crowdsec
```
4. Blacklist Management
```bash
# Ban an IP with a reason
sudo cscli decisions add -i 203.0.113.5 -R "Global blacklist"
# Ban a subnet
sudo cscli decisions add -r 203.0.113.0/24 -R "Blacklisted subnet"
# Import decisions from a file (csv/json; see `cscli decisions import --help` for the accepted columns)
sudo cscli decisions import -i /path/to/ip-list.csv
```
Real-World Examples
Example 1: Protecting SSH Server
```bash
# Install SSH collection
sudo cscli collections install crowdsecurity/sshd
sudo systemctl reload crowdsec
# Verify it's installed
sudo cscli collections list | grep sshd
# Monitor SSH attacks
sudo tail -f /var/log/crowdsec.log | grep ssh
# See blocked SSH attackers
sudo cscli decisions list --scenario crowdsecurity/ssh-bf
# Test with multiple failed logins from another host
# (BatchMode avoids password prompts; each attempt is logged as a failed auth)
for i in {1..6}; do
  ssh -o BatchMode=yes -o ConnectTimeout=5 wronguser@<server-ip>
done
# Check if the testing host got blocked
sudo cscli decisions list -i <testing-host-ip>
# Note: the default whitelists drop events from loopback and private addresses,
# so a test from 127.0.0.1 or a LAN address produces no alert. To see what the
# parsers and scenarios make of an existing log without a public test host:
sudo cscli explain --file /var/log/auth.log --type syslog
```
Example 2: Protecting Nginx Web Server
```bash
# Install Nginx collection (parsers plus the base HTTP scenarios)
sudo cscli collections install crowdsecurity/nginx
# Install detection for known web CVEs
sudo cscli collections install crowdsecurity/http-cve
sudo systemctl reload crowdsec
# Check that Nginx logs are being read: the acquisition section should show lines read
sudo cscli metrics
# Probe a few common paths from another host
# (requests from a loopback or LAN address are dropped by the default whitelists)
for path in admin login wp-admin dashboard; do
  curl -s http://<server-ip>/$path > /dev/null
done
# Check for alerts
sudo cscli alerts list --scenario crowdsecurity/http-probing
```
Example 3: WordPress Protection
```bash
# Install WordPress collection
sudo cscli collections install crowdsecurity/wordpress
sudo systemctl reload crowdsec
# Add custom rules as a local scenario
sudo nano /etc/crowdsec/scenarios/wordpress-exploit.yaml
# Monitor WordPress attacks
sudo tail -f /var/log/crowdsec.log | grep -i wordpress
# Check blocked IPs
sudo cscli decisions list --scenario crowdsecurity/http-bf-wordpress_bf
```
Example 4: Integrating with NPM
```bash
# Nginx Proxy Manager log directory
sudo mkdir -p /var/log/nginx-proxy-manager
# Configure CrowdSec to read NPM logs
sudo nano /etc/crowdsec/acquis.yaml
```
```yaml
# Append to acquis.yaml; each data source is a separate YAML document
---
filenames:
  - /var/log/nginx-proxy-manager/*.log
labels:
  type: nginx
```
```bash
# Restart CrowdSec
sudo systemctl restart crowdsec
# Test by making multiple failed requests
for i in {1..10}; do
  curl -s -k https://localhost:81 -o /dev/null
done
```
Troubleshooting
Issue 1: CrowdSec Not Starting
```bash
# Check service status
sudo systemctl status crowdsec
# Check the recent journal and the agent log
sudo journalctl -u crowdsec -n 50
sudo tail -n 50 /var/log/crowdsec.log
# Test the configuration and all loaded parsers/scenarios without starting the service
sudo crowdsec -t
# Look for broken or tainted hub items
sudo cscli hub list
# Start in the foreground with debug logging
sudo crowdsec -debug
```
Issue 2: Not Blocking IPs
```bash
# Check bouncer status
sudo systemctl status crowdsec-firewall-bouncer
# Is the bouncer registered and pulling? (the last pull should be recent)
sudo cscli bouncers list
# Check decisions
sudo cscli decisions list
# Test with manual block
sudo cscli decisions add -i 192.168.1.100
# The firewall bouncer manages IPs through ipsets referenced from its own chain
sudo ipset list crowdsec-blacklists | grep 192.168.1.100
sudo iptables -L -n | grep -i crowdsec
# Bouncer-side log
sudo tail -n 50 /var/log/crowdsec-firewall-bouncer.log
```
Issue 3: Too Many False Positives
```bash
# View recent alerts
sudo cscli alerts list --limit 20
# Whitelists are parsers; crowdsecurity/linux ships one for private ranges, add your own next to it
sudo nano /etc/crowdsec/parsers/s02-enrich/my-whitelists.yaml
```
```yaml
name: local/my-whitelists
description: "Trusted networks that must never trigger a scenario"
whitelist:
  reason: "local and internal networks"
  cidr:
    - "192.168.1.0/24"
    - "10.0.0.0/8"
```
```bash
# Reload CrowdSec
sudo systemctl reload crowdsec
```
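Because a whitelist parser runs before any scenario, a wrong entry does not just suppress a false positive, it blinds detection for everything behind it. The following is an added example, not CrowdSec's parser code, that replays a whitelist of the same shape (ip, cidr and expression entries) over constructed events; the expressions are plain Python callables standing in for CrowdSec's expr language, and the monitoring host address is made up. It deliberately includes the reverse-proxy trap: when the web server logs the proxy's private address instead of the client's, every event is whitelisted and nothing is ever detected.

```python
"""Whitelist triage for CrowdSec-style events (added example, not CrowdSec's parser code).
Events are constructed; expression rules are Python callables instead of expr."""
import ipaddress
from typing import Dict, List, Optional, Tuple

WHITELIST: Dict = {
    "reason": "trusted networks and monitoring",
    "ip": ["203.0.113.250"],                                   # a monitoring host (constructed)
    "cidr": ["192.168.1.0/24", "10.0.0.0/8", "127.0.0.0/8", "::1/128"],
    # user-agent rules are spoofable: use them for noise reduction, never as a trust decision
    "expression": [lambda evt: evt.get("user_agent", "").startswith("UptimeRobot/")],
}


def whitelist_reason(evt: Dict, wl: Dict) -> Optional[str]:
    """Return the whitelist reason when the event must be dropped before any scenario sees it."""
    try:
        addr = ipaddress.ip_address(evt.get("source_ip", ""))
    except ValueError:
        addr = None                       # no usable source IP: only expression rules can match
    if addr is not None:
        if any(addr == ipaddress.ip_address(w) for w in wl.get("ip", [])):
            return wl["reason"]
        if any(addr in ipaddress.ip_network(c, strict=False) for c in wl.get("cidr", [])):
            return wl["reason"]
    if any(rule(evt) for rule in wl.get("expression", [])):
        return wl["reason"]
    return None


def triage(events: List[Dict], wl: Dict) -> Tuple[List[Dict], List[Tuple[Dict, str]]]:
    """Split events into those the scenarios will see and those dropped, with their reason."""
    kept: List[Dict] = []
    dropped: List[Tuple[Dict, str]] = []
    for evt in events:
        reason = whitelist_reason(evt, wl)
        if reason:
            dropped.append((evt, reason))
        else:
            kept.append(evt)
    return kept, dropped


SAMPLE_EVENTS: List[Dict] = [      # constructed nginx-style events, already parsed
    {"source_ip": "203.0.113.44", "http_status": "404", "user_agent": "curl/8.0"},
    {"source_ip": "192.168.1.50", "http_status": "404", "user_agent": "curl/8.0"},
    {"source_ip": "203.0.113.250", "http_status": "404", "user_agent": "Mozilla/5.0"},
    # a reverse proxy logging its own address: whoever is behind it is invisible to detection
    {"source_ip": "10.0.0.5", "http_status": "404", "user_agent": "python-requests/2.31"},
    {"source_ip": "", "http_status": "200", "user_agent": "UptimeRobot/2.0"},
    {"source_ip": "2001:db8::1", "http_status": "404", "user_agent": "curl/8.0"},
    {"source_ip": "::1", "http_status": "404", "user_agent": "curl/8.0"},
]


def run_demo() -> Dict[str, int]:
    kept, dropped = triage(SAMPLE_EVENTS, WHITELIST)
    for evt, reason in dropped:
        print(f"dropped {evt['source_ip'] or '<no ip>':>15} ({reason})")
    for evt in kept:
        print(f"kept    {evt['source_ip']:>15}")
    return {"kept": len(kept), "dropped": len(dropped)}


if __name__ == "__main__":
    print(run_demo())
```

The fix for the proxy case is on the logging side, not in the whitelist: the web server or proxy must record the real client address so the parser's `source_ip` is the attacker's, after which the private-range whitelist is harmless again.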
Issue 4: High CPU Usage
```bash
# Check CPU usage
top -p $(pidof crowdsec)
# Find the noisy source: the acquisition section shows lines read per file and the parsers
# section shows parsed vs. unparsed lines (an unparsed log source is wasted work)
sudo cscli metrics
# Remove log sources and collections you do not need
sudo nano /etc/crowdsec/acquis.yaml
sudo cscli collections remove <unneeded-collection>
# Reduce log verbosity
sudo nano /etc/crowdsec/config.yaml
# Set: common.log_level: warning
# Restart
sudo systemctl restart crowdsec
```
Issue 5: API Connection Issues
```bash
# Check the Local API from the agent's point of view
sudo cscli lapi status
# Raw health check
curl -s http://127.0.0.1:8080/health
# Check API credentials (the login is the machine name)
sudo cat /etc/crowdsec/local_api_credentials.yaml
# Re-create the agent's credentials: remove the old machine, add a new one
# (--auto writes the new credentials to local_api_credentials.yaml)
sudo cscli machines delete <machine-name-from-credentials-file>
sudo cscli machines add --auto
sudo systemctl restart crowdsec
# Check LAPI logs
sudo tail -f /var/log/crowdsec_api.log
```
Best Practices
1. Start with Basic Collections
```bash
# Install only what you need
sudo cscli collections install crowdsecurity/linux
sudo cscli collections install crowdsecurity/sshd
sudo systemctl reload crowdsec
```
2. Use Whitelists
```bash
# Always whitelist trusted IPs; private ranges are already covered by the
# crowdsecurity/whitelists parser that comes with crowdsecurity/linux
sudo nano /etc/crowdsec/parsers/s02-enrich/my-whitelists.yaml
# Common whitelists:
# - 127.0.0.0/8 (localhost)
# - 192.168.0.0/16 (local network)
# - 10.0.0.0/8 (internal network)
# - Your monitoring tools
# - Your office IP
```
3. Monitor Regularly
```bash
# Create monitoring script (it runs from root's crontab, so no sudo inside)
sudo nano /usr/local/bin/monitor-crowdsec.sh
```
```bash
#!/bin/bash
echo "=== CrowdSec Status ==="
cscli lapi status
cscli capi status
echo -e "\n=== Recent Alerts ==="
cscli alerts list --limit 5
echo -e "\n=== Active Decisions ==="
cscli decisions list --limit 5
echo -e "\n=== Number of active decisions ==="
# raw output is CSV with a header line
cscli decisions list -o raw | tail -n +2 | wc -l
```
```bash
sudo chmod +x /usr/local/bin/monitor-crowdsec.sh
# Schedule daily check
sudo crontab -e
# Add:
0 8 * * * /usr/local/bin/monitor-crowdsec.sh | mail -s "CrowdSec Daily Report" admin@domain.com
```
4. Keep Updated
```bash
# Update the hub index and upgrade installed items weekly
sudo cscli hub update
sudo cscli hub upgrade
sudo systemctl reload crowdsec
# Schedule automatic updates (root crontab, so no sudo needed)
sudo crontab -e
# Add:
0 4 * * 0 cscli hub update && cscli hub upgrade && systemctl reload crowdsec
```
5. Test Your Configuration
```bash
# Test with simulated attacks; run this from a host whose address is not whitelisted
# (loopback and private addresses are dropped by the default whitelists, so a test
# against localhost produces no alert)
# Create test script
sudo nano /usr/local/bin/test-crowdsec.sh
```
```bash
#!/bin/bash
TARGET="${1:?usage: test-crowdsec.sh <server-ip>}"
# Simulate SSH attacks
echo "Testing SSH detection..."
for i in {1..6}; do
  ssh -o BatchMode=yes -o ConnectTimeout=5 test@"$TARGET" 2>/dev/null
done
# Simulate web probing
echo "Testing web detection..."
for path in admin wp-admin login.php; do
  curl -s "http://$TARGET/$path" -o /dev/null
done
# Wait for detection
sleep 10
echo "On the server, check: cscli alerts list and cscli decisions list -i <this host's IP>"
```
```bash
# Make executable
sudo chmod +x /usr/local/bin/test-crowdsec.sh
```
Integration with Other Tools
1. UFW Integration
```bash
# There is no separate UFW bouncer: UFW is a front-end to iptables, and the iptables
# firewall bouncer inserts its own chain ahead of UFW's rules
sudo apt install crowdsec-firewall-bouncer-iptables
# Confirm the bouncer chain exists next to the ufw chains
sudo iptables -L -n | grep -i crowdsec
# Test blocking
sudo cscli decisions add -i 192.168.1.100
sudo ipset list crowdsec-blacklists | grep 192.168.1.100
```
2. Cloudflare Integration
```bash
# Install Cloudflare bouncer
sudo apt install crowdsec-cloudflare-bouncer
# Configure the Cloudflare API token and zones
sudo nano /etc/crowdsec/bouncers/crowdsec-cloudflare-bouncer.yaml
# Add your Cloudflare API token and the zone IDs to protect (keys as in the bouncer's
# configuration template), plus the Local API url and the key from `cscli bouncers add cloudflare-bouncer`
# Test block
sudo cscli decisions add -i 203.0.113.5 -R "cloudflare test"
# The IP should appear in the zone's Cloudflare firewall rules after the bouncer's next pull
```
3. Grafana Dashboard
```bash
# Enable the built-in Prometheus endpoint in config.yaml
sudo nano /etc/crowdsec/config.yaml
```
```yaml
prometheus:
  enabled: true
  level: full
  listen_addr: 127.0.0.1
  listen_port: 6060
```
```bash
sudo systemctl restart crowdsec
# Scrape http://127.0.0.1:6060/metrics from Prometheus, add Prometheus as a Grafana data source,
# then import a CrowdSec dashboard from the Grafana dashboard catalogue
# Dashboard URL:
http://your-server-ip:3000
```
Quick Reference
Essential CrowdSec Commands
```bash
# Installation
curl -s https://install.crowdsec.net | sudo sh && sudo apt install crowdsec -y
# Status
sudo cscli lapi status
sudo cscli capi status
sudo cscli metrics
# Collections
sudo cscli collections list
sudo cscli collections install crowdsecurity/linux
# Scenarios
sudo cscli scenarios list
# Decisions
sudo cscli decisions list
sudo cscli decisions add -i IP -R "reason"
sudo cscli decisions delete -i IP
# Alerts
sudo cscli alerts list
# Logs
sudo tail -f /var/log/crowdsec.log
sudo journalctl -u crowdsec-firewall-bouncer -f
# Updates
sudo cscli hub update
sudo cscli hub upgrade
sudo systemctl reload crowdsec
# Community registration
sudo cscli capi register
```
Conclusion
CrowdSec is a powerful, modern solution for protecting your servers from cyber attacks. Its collaborative approach makes it smarter than traditional tools, and its open-source nature makes it accessible to everyone.
Key Takeaways:
- CrowdSec is free and open-source
- It detects and blocks attacks automatically
- Community sharing makes it smarter over time
- Easy to install and configure
- Works with existing security tools
- Regular updates keep it effective
Your Next Steps:
- Install CrowdSec using one-liner
- Install basic collections (linux, ssh)
- Configure firewall bouncer
- Set up whitelists
- Monitor logs and alerts
- Register with community
- Add more collections as needed
Ready to secure more of your infrastructure? Check out our Complete Server Security Guide for more protection strategies.
Frequently Asked Questions (FAQs)
Q: Is CrowdSec really free? A: Yes! CrowdSec is completely open-source and free to use for personal and commercial use.
Q: How is CrowdSec different from Fail2ban? A: CrowdSec uses behavioral analysis, has a global community, and is more accurate with fewer false positives.
Q: Do I need to open any ports for CrowdSec? A: Only if you’re running the LAPI (API) service (port 8080). The firewall bouncer doesn’t require open ports.
Q: How much does CrowdSec protect? A: CrowdSec can protect SSH, web servers, applications, and more. The community adds new scenarios regularly.
Q: Does CrowdSec work with Docker? A: Yes, CrowdSec has official Docker images and works well with containerized environments.
Q: Is CrowdSec good for beginners? A: Yes! The one-line installation makes it very beginner-friendly. Default configurations work well out of the box.
Q: Will CrowdSec block legitimate users? A: Rarely. CrowdSec has intelligent detection and whitelisting features to prevent false positives.