Configs · Apr 10, 2026 · 1 min read

CrowdSec — Open Source Collaborative Security Engine

CrowdSec is a collaborative security engine that analyzes logs, detects attacks, and shares threat intelligence. Like fail2ban but with crowd-sourced IP reputation and modern architecture.

Quick Use

Use it first, then decide how deep to go


# Install on Linux
curl -s https://install.crowdsec.net | sudo sh
sudo apt install crowdsec crowdsec-firewall-bouncer-iptables

# Or Docker (line continuations restored)
docker run -d --name crowdsec \
  -v /var/log:/var/log:ro \
  -v crowdsec-data:/var/lib/crowdsec/data \
  -v crowdsec-config:/etc/crowdsec \
  crowdsecurity/crowdsec:latest

CrowdSec starts analyzing logs right away; the actual blocking is done by a bouncer (installed alongside the engine in the Linux command above, and run as a separate container in the Docker setup below).

Intro

CrowdSec is an open-source, collaborative security engine that detects and blocks malicious behavior. It analyzes server logs (nginx, SSH, WordPress, etc.), identifies attack patterns, and takes remediation actions (block IPs, CAPTCHA, throttle). The key differentiator: CrowdSec shares anonymized threat signals across all users, creating a crowd-sourced IP reputation network.

With 13K+ GitHub stars and MIT license, CrowdSec is the modern replacement for fail2ban, offering better performance, crowd-sourced intelligence, and a modular architecture.

What CrowdSec Does

  • Log Analysis: Parse and analyze logs from nginx, Apache, SSH, WordPress, Traefik, and 100+ sources
  • Attack Detection: Identify brute force, DDoS, web scanning, credential stuffing, and bot attacks
  • IP Blocking: Automatically block malicious IPs via iptables, nginx, Cloudflare, or any bouncer
  • Crowd Intelligence: Share and receive threat signals from the CrowdSec community network
  • IP Reputation: Access crowd-sourced IP reputation database (1M+ malicious IPs)
  • Scenarios: Customizable detection rules for any type of attack pattern
  • Bouncers: Remediation components for firewalls, reverse proxies, CDNs, and applications
  • Console: Web dashboard for monitoring and managing your CrowdSec fleet
  • API: Local API for managing decisions and querying threat intelligence

Architecture

┌──────────────┐     ┌──────────────┐     ┌──────────────┐
│  Log Sources │────▶│  CrowdSec    │────▶│  Bouncers    │
│  nginx       │     │  Engine      │     │  iptables    │
│  SSH         │     │  (Go)        │     │  nginx       │
│  WordPress   │     │              │     │  Cloudflare  │
│  Traefik     │     │  Parsers     │     │  HAProxy     │
│  Custom logs │     │  Scenarios   │     └──────────────┘
└──────────────┘     │  Decisions   │
                     └──────┬───────┘
                            │
                     ┌──────┴───────┐
                     │  CrowdSec    │
                     │  Central API │
                     │  (Community  │
                     │   Blocklists)│
                     └──────────────┘

Self-Hosting

Docker Compose

services:
  crowdsec:
    image: crowdsecurity/crowdsec:latest
    volumes:
      - /var/log/nginx:/var/log/nginx:ro
      - /var/log/auth.log:/var/log/auth.log:ro
      - crowdsec-data:/var/lib/crowdsec/data
      - crowdsec-config:/etc/crowdsec
    environment:
      COLLECTIONS: "crowdsecurity/nginx crowdsecurity/linux crowdsecurity/sshd"
    restart: unless-stopped

  bouncer-firewall:
    image: crowdsecurity/crowdsec-firewall-bouncer-nftables:latest
    network_mode: host
    cap_add:
      - NET_ADMIN
    volumes:
      - crowdsec-bouncer:/etc/crowdsec
    depends_on:
      - crowdsec

volumes:
  crowdsec-data:
  crowdsec-config:
  crowdsec-bouncer:

How It Works

1. Parsing (Log Analysis)

Nginx access log:
192.168.1.100 - - [10/Apr/2024:14:30:00] "POST /wp-login.php HTTP/1.1" 401 ...

CrowdSec parses:
  → Source IP: 192.168.1.100
  → Action: POST
  → Target: /wp-login.php
  → Status: 401 (unauthorized)

2. Detection (Scenarios)

# Brute force scenario (custom; every scenario file needs a name)
type: leaky
name: custom/wordpress-bruteforce
description: "Repeated failed logins against wp-login.php from one IP"
filter: "evt.Meta.log_type == 'http_access-log' && evt.Meta.http_path == '/wp-login.php' && evt.Meta.http_status == '401'"
groupby: evt.Meta.source_ip
capacity: 5        # bucket holds 5 events; the next one overflows and raises an alert
leakspeed: 10s     # one event leaks out of the bucket every 10 seconds
blackhole: 5m      # no new alert for the same IP for 5 minutes after an overflow
labels:
  type: wordpress_bruteforce
  remediation: true  # lets the default profile turn the alert into a ban decision

3. Decision (Action)

Alert: IP 192.168.1.100 triggered wordpress_bruteforce
Decision: Ban for 5 minutes
  → Local: iptables bouncer blocks IP
  → Community: Signal shared (anonymized)
  → Console: Alert visible in dashboard

4. Community Intelligence

Your CrowdSec ←→ CrowdSec Central API
  → Share: "IP X performed brute force attack"
  → Receive: Blocklist of 1M+ known malicious IPs
  → Benefit: Pre-emptively block known attackers
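As an added illustration (not code from the CrowdSec project), this Python script models steps 1 and 2 above for the wp-login.php scenario: a minimal nginx access-log parser feeding per-IP leaky buckets with the page's capacity/leakspeed/blackhole values, run over constructed sample lines. It is a simplification of CrowdSec's real bucket (overflow on the event that exceeds capacity, blackhole suppressing repeat alerts) and does not model profiles, decisions or bouncers.

```python
import re
from datetime import datetime, timedelta
# Constructed sample nginx access lines (private-range IPs, not real traffic).
SAMPLE_LOG = """\
192.168.1.100 - - [10/Apr/2024:14:30:00 +0000] "POST /wp-login.php HTTP/1.1" 401 12
192.168.1.200 - - [10/Apr/2024:14:30:00 +0000] "GET /index.php HTTP/1.1" 200 12
192.168.1.100 - - [10/Apr/2024:14:30:01 +0000] "POST /wp-login.php HTTP/1.1" 401 12
192.168.1.100 - - [10/Apr/2024:14:30:02 +0000] "POST /wp-login.php HTTP/1.1" 401 12
192.168.1.100 - - [10/Apr/2024:14:30:03 +0000] "POST /wp-login.php HTTP/1.1" 401 12
192.168.1.100 - - [10/Apr/2024:14:30:04 +0000] "POST /wp-login.php HTTP/1.1" 401 12
192.168.1.100 - - [10/Apr/2024:14:30:05 +0000] "POST /wp-login.php HTTP/1.1" 401 12
192.168.1.100 - - [10/Apr/2024:14:35:30 +0000] "POST /wp-login.php HTTP/1.1" 401 12
"""
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')

def parse_line(line):
    """Step 1 (parser): extract the Meta fields the scenario filter uses, or None."""
    m = LINE_RE.match(line)
    return m and {"source_ip": m.group(1), "http_path": m.group(4), "http_status": m.group(5),
                  "time": datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z")}

class LeakyBucket:
    """Step 2 (scenario): one bucket per groupby key; leaks one event per leakspeed."""
    def __init__(self, capacity, leakspeed, blackhole):
        self.capacity, self.leakspeed, self.blackhole = capacity, leakspeed, blackhole
        self.level, self.last, self.blackholed_until = 0.0, None, None

    def push(self, t):
        if self.blackholed_until and t < self.blackholed_until:
            return False                # re-overflow inside the blackhole window: suppressed
        if self.last is not None:       # leak proportionally to the time elapsed
            self.level = max(0.0, self.level - (t - self.last) / self.leakspeed)
        self.last = t
        self.level += 1
        if self.level > self.capacity:  # overflow: alert, empty the bucket, start blackhole
            self.level, self.blackholed_until = 0.0, t + self.blackhole
            return True
        return False

def run_scenario(log_text, capacity=5, leakspeed=timedelta(seconds=10),
                 blackhole=timedelta(minutes=5)):
    """Apply the filter (wp-login.php answered 401), bucket by source_ip, return alerts."""
    buckets, alerts = {}, []
    for line in log_text.splitlines():
        meta = parse_line(line)
        if not meta or meta["http_path"] != "/wp-login.php" or meta["http_status"] != "401":
            continue
        b = buckets.setdefault(meta["source_ip"], LeakyBucket(capacity, leakspeed, blackhole))
        if b.push(meta["time"]):
            alerts.append((meta["source_ip"], meta["time"].isoformat()))
    return alerts
```

With the sample lines, the sixth 401 within five seconds overflows the bucket and yields one alert for 192.168.1.100 at 14:30:05; the request at 14:35:30 starts a fresh count and does not alert.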

Available Collections

# Install detection scenarios
cscli collections install crowdsecurity/nginx
cscli collections install crowdsecurity/sshd
cscli collections install crowdsecurity/linux
cscli collections install crowdsecurity/wordpress
cscli collections install crowdsecurity/traefik
cscli collections install crowdsecurity/postfix
cscli collections install crowdsecurity/dovecot

Bouncers (Remediation)

Bouncer             Action
------------------  --------------------------
iptables/nftables   Block at firewall level
nginx               Return 403 or CAPTCHA
Cloudflare          Add to CF firewall rules
HAProxy             Block at load balancer
WordPress           Block at application level
Traefik             Middleware plugin
Custom webhook      Any custom action

CrowdSec vs fail2ban

Feature               CrowdSec                            fail2ban
--------------------  ----------------------------------  ----------
Language              Go                                  Python
Performance           High (compiled)                     Moderate
Community blocklist   Yes (1M+ IPs)                       No
Architecture          Modular (parser+scenario+bouncer)   Monolithic
Dashboard             Web console                         CLI only
Multi-server          Centralized API                     Per-server
CAPTCHA option        Yes                                 No
API                   REST API                            No
Container support     Native Docker                       Manual

FAQ

Q: How do I choose between CrowdSec and fail2ban? A: If you only need basic SSH brute-force protection, fail2ban is enough. If you need multi-service protection, community threat intelligence, web UI management and better performance, choose CrowdSec. CrowdSec's crowd-sourced IP reputation database is its biggest advantage.

Q: Is sharing community intelligence safe? A: CrowdSec only shares anonymized attack signals (attacker IP + attack type); it does not share your log contents or server information. You can opt out of community sharing (but you then lose access to the community blocklist).

Q: Will it block legitimate users by mistake? A: CrowdSec uses a "scenario" trigger mechanism that requires repeated malicious behavior before it bans (e.g. 5 failed logins). You can configure whitelisted IPs, adjust trigger thresholds, and use CAPTCHA instead of outright bans to reduce false positives.

Sources and Credits
