Logo 8b2bcaf21851f390f18ea9600e6a9fa3 1x Esm W900

CrowdSec is a massively multiplayer firewall designed to protect Linux servers, services, containers, or virtual machines exposed on the Internet with a server-side agent. It was inspired by Fail2Ban and aims to be a modernized, collaborative version of that intrusion-prevention tool.


CrowdSec is free and open-source (under an MIT License), with the source code available on GitHub. It is using a behavior analysis system to qualify whether someone is trying to hack you, based on your logs. If your agent detects such aggression, the offending IP is then dealt with and sent for curation. If this signal passes the curation process, the IP is then redistributed to all users sharing a similar technological profile to “immunize” them against this IP.

The goal is to leverage the crowd power to create a real-time IP reputation database. As for the IP that aggressed your machine, you can choose to remedy the threat in any manner you feel appropriate. Ultimately, CrowdSec leverages the power of the crowd to create an extremely accurate IP reputation system that benefits all its users.

It was clear to the founders that open source was going to be one of the main pillars of CrowdSec. First because they have been working on open source projects for decades. They didn’t just jump on the train. They are strong open source believers. Second because the crowd is key to the mass hacking plague and Open Source is the best lever to create a community and have people bring their knowledge to contribute to the project and make it better.

The solution recently turned 1.x, introducing a major architectural change: the introduction of a local REST API.

In this tutorial, we are going to cover how to install and run CrowdSec on a Linux server:

  • CrowdSec setup 

  • Testing detection capabilities

  • Bouncer set up

  • Observability 

How Can I Set Up the CrowdSec Environment?

The machine used for this test is a Debian 10 Buster t2.medium EC2.

To make it more relevant, let’s start by installing nginx:

$ sudo apt-get update

$ sudo apt-get install nginx

Configure the security groups so that both secure shell (SSH) (tcp/22) and HTTP (tcp/80) can be reached from the outside world. This will be useful for simulating attacks later.

How Can I Install CrowdSec?

Grab the latest version of CrowdSec:

$ curl -s https://api.github.com/repos/crowdsecurity/crowdsec/releases/latest | grep browser_download_url| cut -d '"' -f 4  | wget -i -