What is CrowdSec — Open Source Collaborative Security Engine?

CrowdSec is a collaborative security engine that analyzes logs, detects attacks, and shares threat intelligence. Like fail2ban but with crowd-sourced IP reputation and modern architecture.

Is CrowdSec — Open Source Collaborative Security Engine free to use?

Yes. CrowdSec — Open Source Collaborative Security Engine is freely available on TokRepo. Check the Source & Thanks section on the asset page for the specific open-source license.

How do I install CrowdSec — Open Source Collaborative Security Engine?

Visit the asset page on TokRepo and click "Copy for agent" to get the installation instructions. Most assets can be installed with a single command.

CrowdSec — Open Source Collaborative Security Engine

What CrowdSec Does

Log Analysis: Parse and analyze logs from nginx, Apache, SSH, WordPress, Traefik, and 100+ sources
Attack Detection: Identify brute force, DDoS, web scanning, credential stuffing, and bot attacks
IP Blocking: Automatically block malicious IPs via iptables, nginx, Cloudflare, or any bouncer
Crowd Intelligence: Share and receive threat signals from the CrowdSec community network
IP Reputation: Access crowd-sourced IP reputation database (1M+ malicious IPs)
Scenarios: Customizable detection rules for any type of attack pattern
Bouncers: Remediation components for firewalls, reverse proxies, CDNs, and applications
Console: Web dashboard for monitoring and managing your CrowdSec fleet
API: Local API for managing decisions and querying threat intelligence

Architecture

┌──────────────┐     ┌──────────────┐     ┌──────────────┐
│  Log Sources │────▶│  CrowdSec    │────▶│  Bouncers    │
│  nginx       │     │  Engine      │     │  iptables    │
│  SSH         │     │  (Go)        │     │  nginx       │
│  WordPress   │     │              │     │  Cloudflare  │
│  Traefik     │     │  Parsers     │     │  HAProxy     │
│  Custom logs │     │  Scenarios   │     └──────────────┘
└──────────────┘     │  Decisions   │
                     └──────┬───────┘
                            │
                     ┌──────┴───────┐
                     │  CrowdSec    │
                     │  Central API │
                     │  (Community  │
                     │   Blocklists)│
                     └──────────────┘

Self-Hosting

Docker Compose

services:
  crowdsec:
    image: crowdsecurity/crowdsec:latest
    volumes:
      - /var/log/nginx:/var/log/nginx:ro
      - /var/log/auth.log:/var/log/auth.log:ro
      - crowdsec-data:/var/lib/crowdsec/data
      - crowdsec-config:/etc/crowdsec
    environment:
      COLLECTIONS: "crowdsecurity/nginx crowdsecurity/linux crowdsecurity/sshd"
    restart: unless-stopped

  bouncer-firewall:
    image: crowdsecurity/crowdsec-firewall-bouncer-nftables:latest
    network_mode: host
    cap_add:
      - NET_ADMIN
    volumes:
      - crowdsec-bouncer:/etc/crowdsec
    depends_on:
      - crowdsec

volumes:
  crowdsec-data:
  crowdsec-config:
  crowdsec-bouncer:

How It Works

1. Parsing (Log Analysis)

Nginx access log:
192.168.1.100 - - [10/Apr/2024:14:30:00] "POST /wp-login.php HTTP/1.1" 401 ...

CrowdSec parses:
  → Source IP: 192.168.1.100
  → Action: POST
  → Target: /wp-login.php
  → Status: 401 (unauthorized)

2. Detection (Scenarios)

# Brute force scenario
type: leaky
filter: evt.Meta.log_type == 'http_access-log' && evt.Meta.http_path == '/wp-login.php' && evt.Meta.http_status == '401'
groupby: evt.Meta.source_ip
capacity: 5        # 5 failed attempts
leakspeed: 10s     # within 10 seconds
blackhole: 5m      # ban for 5 minutes
labels:
  type: wordpress_bruteforce

3. Decision (Action)

Alert: IP 192.168.1.100 triggered wordpress_bruteforce
Decision: Ban for 5 minutes
  → Local: iptables bouncer blocks IP
  → Community: Signal shared (anonymized)
  → Console: Alert visible in dashboard

4. Community Intelligence

Your CrowdSec ←→ CrowdSec Central API
  → Share: "IP X performed brute force attack"
  → Receive: Blocklist of 1M+ known malicious IPs
  → Benefit: Pre-emptively block known attackers

Available Collections

# Install detection scenarios
cscli collections install crowdsecurity/nginx
cscli collections install crowdsecurity/sshd
cscli collections install crowdsecurity/linux
cscli collections install crowdsecurity/wordpress
cscli collections install crowdsecurity/traefik
cscli collections install crowdsecurity/postfix
cscli collections install crowdsecurity/dovecot

Bouncers (Remediation)

Bouncer	Action
iptables/nftables	Block at firewall level
nginx	Return 403 or CAPTCHA
Cloudflare	Add to CF firewall rules
HAProxy	Block at load balancer
WordPress	Block at application level
Traefik	Middleware plugin
Custom webhook	Any custom action

CrowdSec vs fail2ban

Feature	CrowdSec	fail2ban
Language	Go	Python
Performance	High (compiled)	Moderate
Community blocklist	Yes (1M+ IPs)	No
Architecture	Modular (parser+scenario+bouncer)	Monolithic
Dashboard	Web console	CLI only
Multi-server	Centralized API	Per-server
CAPTCHA option	Yes	No
API	REST API	No
Container support	Native Docker	Manual

常见问题

Q: CrowdSec 和 fail2ban 怎么选？ A: 如果你只需要基本的 SSH 暴力破解防护，fail2ban 足够。如果你需要多服务防护、社区威胁情报、Web UI 管理和更好的性能，选 CrowdSec。CrowdSec 的众包 IP 声誉数据库是最大优势。

Q: 社区情报分享安全吗？ A: CrowdSec 只分享匿名化的攻击信号（攻击者 IP + 攻击类型），不分享你的日志内容或服务器信息。你可以选择不参与社区分享（但会失去社区 blocklist 访问）。

Q: 会误封正常用户吗？ A: CrowdSec 使用"场景"触发机制，需要多次恶意行为才会触发封禁（如 5 次失败登录）。你可以配置白名单 IP、调整触发阈值、使用 CAPTCHA 替代直接封禁来减少误报。

来源与致谢

GitHub: crowdsecurity/crowdsec — 13K+ ⭐ | MIT
官网: crowdsec.net