Video tutorial coming soon.
Deploy CrowdSec on Ubuntu — the modern, open-source intrusion prevention system that learns from the community and blocks attackers before they reach your services.
Grab the automated bash script from GitHub to follow along with the video.
```bash
wget https://raw.githubusercontent.com/mhmdali94/Docker/main/security/crowdsec/crowdsec-ubuntu.sh
chmod +x crowdsec-ubuntu.sh
sudo bash crowdsec-ubuntu.sh
```
The script installs the CrowdSec security engine, community blocklists, and log parsers for SSH, Nginx, and other common services. The engine starts analyzing logs immediately.
Install a bouncer to actually block detected IPs: choose the Nginx bouncer, Traefik bouncer, or firewall bouncer (iptables/nftables) based on your stack.

```bash
sudo cscli bouncers add my-bouncer
```
Use the CLI to inspect detections: `cscli decisions list` shows currently blocked IPs. Connect to the CrowdSec Console at app.crowdsec.net for a graphical dashboard.

```bash
sudo cscli metrics
sudo cscli decisions list
```
| Port | Purpose |
|---|---|
| 8080 | Local API |
| 6060 | Metrics / Prometheus |
CrowdSec is a modern, open-source intrusion prevention system that separates detection from remediation. The security engine reads your service logs (SSH, Nginx, Apache, MySQL, etc.), parses them with community-maintained parsers, and identifies attack patterns using behavioral scenarios. When an attacker is detected, the engine creates a 'decision' — and a bouncer plugin enforces that decision by blocking the IP at the firewall, in Nginx, in Traefik, or wherever you install the bouncer. CrowdSec also participates in a collective defense network — IPs you block are shared with the community (anonymized), and you receive community blocklists of known-bad IPs in return.
Most VPS servers face thousands of SSH brute-force attempts daily. CrowdSec detects these patterns from logs and blocks the source IP across all your services simultaneously — the attacker hitting your SSH server gets blocked at Nginx too. The community intelligence means you block IPs that others have already identified as malicious, even before they attack you. Unlike Fail2ban, CrowdSec's parsers and scenarios are maintained by a community and updated continuously.
The CrowdSec Local API listens on port 8080 (HTTP, local only — bouncers communicate with the engine here). The Prometheus metrics endpoint is on port 6060. Neither port should be exposed to the internet — they are used exclusively by local bouncers and monitoring tools. The firewall bouncer adds iptables/nftables rules automatically to block detected IPs on all ports.
Fail2ban is the traditional alternative — simpler but with manually maintained regex rules and no community intelligence sharing. Wazuh includes IPS-like active response but is a full SIEM requiring 4+ GB RAM. pfSense/OPNsense with Suricata or Snort provides network-level IPS but requires dedicated firewall hardware. For web-only protection, Cloudflare's free plan provides bot protection at the CDN layer without any server-side software.
Skip CrowdSec if your services are behind Cloudflare's proxy — Cloudflare already handles most bot and brute-force traffic. CrowdSec is also not a substitute for a full SIEM — it does not store logs long-term or provide compliance reporting. If you need deep event correlation, alerting on internal behavior, and compliance dashboards, Wazuh is the right tool. CrowdSec is best as a lightweight first line of defense that complements (not replaces) other security tools.
PrismaTechWork provides end-to-end infrastructure services — from initial deployment and security hardening to ongoing monitoring, automated backups, and dedicated support. Whether you need a single-server setup or a multi-site network, our team ensures your infrastructure is built right, secured properly, and maintained reliably.
The CrowdSec engine is the detection component — it reads logs, parses them, and identifies attack patterns using scenarios. When it detects an attacker, it creates a 'decision' (ban, captcha, etc.) and stores it in the Local API. The bouncer is the enforcement component — it polls the Local API for decisions and actually blocks traffic. You need both: the engine to detect, and at least one bouncer to block. Common bouncers are the firewall bouncer (iptables/nftables) and the Nginx bouncer.
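To make the engine/bouncer split concrete, here is an added example (not CrowdSec's own code) of what a firewall-style bouncer does with the Local API decision stream on port 8080: it applies the `new` and `deleted` decisions to a block set and renders the matching `nft` commands. The JSON shape follows the documented `/v1/decisions/stream` response; the IPs, scenario names, and the `inet crowdsec` table/set names are constructed assumptions.

```python
"""Minimal model of a CrowdSec bouncer: apply one Local API decision-stream
response to an in-memory block set. Added example, not CrowdSec's own code.
Assumed: the JSON shape mirrors GET /v1/decisions/stream ({"new": [...],
"deleted": [...]}); IPs, scenarios and nft table/set names are constructed."""
import json
from ipaddress import ip_network

# Constructed sample of what a bouncer receives from
# http://127.0.0.1:8080/v1/decisions/stream (sent with its X-Api-Key header).
SAMPLE_STREAM = json.dumps({
    "new": [
        {"id": 1, "origin": "crowdsec", "type": "ban", "scope": "Ip",
         "value": "203.0.113.7", "duration": "3h59m", "scenario": "crowdsecurity/ssh-bf"},
        {"id": 2, "origin": "CAPI", "type": "ban", "scope": "Ip",
         "value": "198.51.100.9", "duration": "23h", "scenario": "crowdsecurity/http-probing"},
        {"id": 3, "origin": "crowdsec", "type": "captcha", "scope": "Ip",
         "value": "192.0.2.44", "duration": "1h", "scenario": "crowdsecurity/http-crawl-non_statics"},
    ],
    # A decision that expired or was removed with `cscli decisions delete`.
    "deleted": [
        {"id": 0, "origin": "crowdsec", "type": "ban", "scope": "Ip",
         "value": "192.0.2.1", "duration": "-5m", "scenario": "crowdsecurity/ssh-bf"},
    ],
})


def apply_stream(blocked: set, payload: str, enforce_types=("ban",)) -> set:
    """Update `blocked` from one stream response. A firewall bouncer can only
    enforce 'ban' (not 'captcha') and only on Ip/Range scopes; the rest is
    ignored. LAPI may send null rather than [] for an empty list."""
    data = json.loads(payload)
    for dec in data.get("deleted") or []:
        blocked.discard(dec["value"])
    for dec in data.get("new") or []:
        if dec["scope"].lower() not in ("ip", "range") or dec["type"] not in enforce_types:
            continue
        ip_network(dec["value"], strict=False)  # validate before it reaches nft
        blocked.add(dec["value"])
    return blocked


def nft_commands(blocked: set, set_name: str = "crowdsec-blacklists") -> list:
    """Render the nft commands that keep the (assumed) table/set in sync."""
    return [f"nft add element inet crowdsec {set_name} {{ {ip} }}" for ip in sorted(blocked)]


if __name__ == "__main__":
    # Start with the old ban present so the 'deleted' entry visibly lifts it.
    print("\n".join(nft_commands(apply_stream({"192.0.2.1"}, SAMPLE_STREAM))))
```

A real bouncer repeats this poll on an interval (the first call with `startup=true` to receive the full current set), which is why a deleted decision takes effect within seconds rather than instantly.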
CrowdSec shares anonymized signal data with the community network. When your engine detects an attack, it sends the source IP, the scenario triggered, and a timestamp to CrowdSec's Central API, but no log content or personal data. In return, you receive the community blocklist of IPs that others have identified as malicious. You can opt out of signal sharing in `config.yaml` through the `api.server.online_client.credentials_path` setting, which governs CrowdSec Central API enrollment.
Fail2ban uses regex-based log parsing with manually maintained rules. CrowdSec uses a more structured parser/scenario system with community-maintained content updated via the Hub. CrowdSec separates detection (engine) from enforcement (bouncer), allowing you to plug in different blocking mechanisms. Most importantly, CrowdSec participates in collective defense — sharing and receiving threat intelligence with the global community. Fail2ban has no such network effect. CrowdSec is also easier to extend and has better multi-service support.
Yes — install CrowdSec on the Docker host (not inside a container) so it can read the host's logs and apply firewall rules. Configure log collection to include Docker container logs (usually in `/var/lib/docker/containers/`). For Nginx or Traefik running in Docker, mount the log directory to the host and point CrowdSec's parser at it. The Traefik bouncer runs inside the Traefik container via middleware configuration.
Delete the decision immediately: `cscli decisions delete --ip BLOCKED_IP`. The block is lifted within seconds once the bouncer polls the Local API. To prevent recurrence, add the IP to the allowlist: `cscli allowlists add ip LEGITIMATE_IP`. If the same legitimate IP keeps triggering the scenario, investigate which log pattern is causing it and consider a custom allowlist rule for that specific scenario. CrowdSec does not automatically unban — you must delete the decision manually.
Install the crowdsec-nginx-bouncer package for your OS. Then generate an API key: `cscli bouncers add nginx-bouncer` and copy the key. Edit the bouncer's config file (`/etc/crowdsec/bouncers/crowdsec-nginx-bouncer.conf`) and paste the API key. Restart both the bouncer service and Nginx. The bouncer adds a Lua module to Nginx that checks incoming IPs against the CrowdSec Local API on every request and returns a 403 for banned IPs.
Yes — CrowdSec has parsers for 100+ services via the Hub: Apache, MySQL, PostgreSQL, WordPress, Nextcloud, Gitea, Traefik, HAProxy, and more. Install additional parsers with `cscli collections install crowdsecurity/SERVICE-NAME`. Each collection includes a log parser and one or more behavioral scenarios. Custom parsers can also be written in YAML if your application has a unique log format not covered by the Hub.
The CrowdSec Console (app.crowdsec.net) is a free SaaS dashboard that lets you visualize detections, manage blocklists, and monitor multiple CrowdSec instances from one UI. It is optional — CrowdSec works fully offline without it. To connect, run `cscli console enroll YOUR_ENROLL_KEY` from your server. The Console is most useful when you manage multiple servers and want a single pane of glass for your CrowdSec deployments.