What is CrowdSec?
CrowdSec is an open-source, community-powered security engine. It detects attacks on your server and shares threat intelligence with the community — like a collaborative Fail2Ban.
How It Works
```
Log Files → CrowdSec Engine → Detect Patterns → Block IPs
                   ↕
          Community Threat Feed
```
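A simplified model of the "Detect Patterns → Block IPs" step above, added here as an illustration and not CrowdSec's own code: a per-IP leaky bucket over failed SSH logins that emits a ban decision when the bucket overflows. The log lines, the regex, the `detect` function and the capacity, leak rate and ban duration are all assumptions chosen for the example.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log (simplified sshd lines, documentation-range addresses).
SAMPLE = sorted(
    [f"2024-05-01T10:00:0{s} sshd[811]: Failed password for root "
     f"from 203.0.113.50 port 40112 ssh2" for s in range(6)]          # fast burst
    + [f"2024-05-01T10:0{m}:30 sshd[902]: Failed password for invalid user admin "
       f"from 198.51.100.7 port 51514 ssh2" for m in range(6)]        # slow retries
    + ["2024-05-01T10:06:00 sshd[950]: Accepted publickey for deploy "
       "from 192.0.2.10 port 50022 ssh2"]                             # not a failure
)

FAILED = re.compile(
    r"^(\S+) sshd\[\d+\]: Failed password for (?:invalid user )?\S+ from (\S+) port \d+"
)

def detect(lines, capacity=5, leak_seconds=10, duration="4h"):
    """Return ban decisions for sources whose bucket overflows (illustrative values)."""
    level = defaultdict(float)  # current bucket fill per source IP
    last_seen = {}              # time of the previous failure per source IP
    decisions = []
    for line in lines:
        m = FAILED.match(line)
        if not m:
            continue
        try:
            ip = str(ipaddress.ip_address(m.group(2)))
            ts = datetime.fromisoformat(m.group(1))
        except ValueError:
            continue  # skip lines whose address or timestamp does not parse
        if ip in last_seen:
            # Drain the bucket for the time elapsed since the last failure.
            leaked = (ts - last_seen[ip]).total_seconds() / leak_seconds
            level[ip] = max(0.0, level[ip] - leaked)
        last_seen[ip] = ts
        level[ip] += 1
        if level[ip] > capacity:
            decisions.append({"ip": ip, "type": "ban", "duration": duration,
                              "reason": "ssh brute force", "at": ts.isoformat()})
            level[ip] = 0.0  # start counting again after the decision
    return decisions

if __name__ == "__main__":
    for decision in detect(SAMPLE):
        print(decision)
```

The burst of six failures in six seconds overflows the bucket, while the same number of failures spread one minute apart drains away between attempts and produces no decision.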
Installation
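```bash
# Add the CrowdSec package repository
curl -s https://install.crowdsec.net | sudo bash
# Install the engine and the iptables firewall bouncer
sudo apt install -y crowdsec crowdsec-firewall-bouncer-iptables
```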
Default Protection
Out of the box, CrowdSec protects against:
| Scenario | Collection |
|---|---|
| SSH brute force | crowdsecurity/sshd |
| Nginx attacks | crowdsecurity/nginx |
| HTTP scanners | crowdsecurity/http-cve |
| Bad bots | crowdsecurity/whitelist |
Adding Collections
```bash
# List available collections
cscli collections list -a
# Install Apache protection
cscli collections install crowdsecurity/apache2
# Install WordPress protection
cscli collections install crowdsecurity/wordpress
# Install MariaDB protection
cscli collections install crowdsecurity/mariadb
```
Monitoring
```bash
# View decisions (banned IPs)
cscli decisions list
# View alerts
cscli alerts list
# View metrics
cscli metrics
```
Manual Actions
```bash
# Ban an IP for 24 hours
cscli decisions add --ip 203.0.113.50 --duration 24h --reason "Manual ban"
# Unban an IP
cscli decisions delete --ip 203.0.113.50
```
CrowdSec vs Fail2Ban
| Feature | CrowdSec | Fail2Ban |
|---|---|---|
| Community threat feed | Yes | No |
| Multi-server sync | Yes | No |
| Detection engine | Log + behavior analysis | Regex on logs |
| Console dashboard | Yes (free) | No |
| Performance | Faster (Go-based) | Slower (Python) |
| Configuration | YAML + hub | Regex filters |
Tip: CrowdSec and Fail2Ban can run together. Many admins use CrowdSec for its community intelligence while keeping Fail2Ban for custom rules they've built over time.
Console Dashboard
Register at app.crowdsec.net for a free dashboard showing:
- Blocked attacks across all your servers
- Top attacking IPs and countries
- Alert timeline and trends