Secure Linux server with CrowdSec

From Thomas-Krenn-Wiki

CrowdSec is an open-source security tool that detects and blocks malicious behaviour such as brute-force attacks, port scans or bot activity. It analyzes log files in real time, detects suspicious patterns and can block attackers via so-called bouncers.

CrowdSec installations report the attacker IPs they detect to the CrowdSec community. These are collected in a central database and distributed to all connected systems. The result is a shared block list that protects all participants from known threats.

Advantages and disadvantages of CrowdSec

Advantages:

  • protection against common attacks (for example SSH brute force, port scans)
  • automatic blocking of malicious IPs via so-called bouncers
  • distributed protection through community-shared block lists
  • installable locally, so you keep full control of your own infrastructure
  • extensible with scenarios, parsers and user-defined rules
  • open source and free to use

Disadvantages:

  • setup requires technical know-how
  • no global DDoS protection as offered by Cloudflare
  • protection works primarily at server level, not at application level
  • may require additional system resources
  • less "plug-and-play" than cloud services
  • many servers need to participate for maximum effect (community effect)

Conclusion: CrowdSec is suitable for administrators who host their own server environments and want flexible protection. Compared with cloud services such as Cloudflare, CrowdSec works directly at server level and offers a high degree of control, but it requires more technical knowledge to install and operate.

Compatible operating systems

CrowdSec is available for the following platforms:

  • Linux
  • Windows
  • FreeBSD
  • macOS
  • Docker
  • Kubernetes
  • OPNsense
  • pfSense

Installation under Debian 12

In this example CrowdSec is set up on Debian 12.

Updating system

First, the system should be updated:

sudo apt update && sudo apt upgrade -y

Add repository and install CrowdSec

Now the official CrowdSec repository can be set up:

curl -s https://install.crowdsec.net | sudo sh

The script sets up the official package repository. Piping a downloaded script straight into a root shell is only acceptable if you trust the source; if in doubt, download the script first, review it, and then run it. Once the repository is in place, CrowdSec itself is installed with:

sudo apt install crowdsec

The Security Engine is now installed. It detects attacks but does not block them yet.

Installation of Firewall-Bouncer

A bouncer is required to actively block attacks.

The following command installs, for example, the firewall bouncer for iptables (an nftables variant, crowdsec-firewall-bouncer-nftables, is also available). When installed from the package, the bouncer is registered with the local CrowdSec API automatically.

sudo apt install crowdsec-firewall-bouncer-iptables

Configuration

Account (optional)

CrowdSec works without an account; the community block list is exchanged with the Central API even without one. For additional functions such as threat intelligence synchronisation, global block lists and central administration, an account with the CrowdSec Console is recommended.

Connecting servers with console

After creating an account, the server can be registered:

sudo cscli console enroll TOKEN

The console displays the complete enroll command including the token (and any additional -e options). After running it, the enrollment request must be accepted in the console.

Adjustment of options and functions

CrowdSec has a modular architecture with many configuration options:

  • install or remove parsers: determine which log formats are analyzed (SSH, nginx, Apache, Postfix etc.)
  • define scenarios: YAML-based rules that determine which patterns count as attacks
  • configure bouncers: for example firewall, HTTP captcha or Cloudflare integration
  • adjust the ban duration: temporary (the default is 4h) or permanent
  • add whitelist rules: exclude your own IPs or trusted networks
  • set up notifications: alerts via email, syslog or integrations
  • view live attack detection in the console

Configuration is done in /etc/crowdsec/, with the cscli command-line tool, or via the CrowdSec Console.
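The installation steps above leave two things undone that a practitioner wants before relying on CrowdSec: a whitelist for the admin network so a mistyped password does not lock you out, and proof that the firewall bouncer really enforces decisions. The following script is an added example (not from the Thomas-Krenn article or the CrowdSec project). It writes a whitelist in the format used by the crowdsecurity/whitelists parser, replaces profiles.yaml with the default IP/range profiles using a chosen ban duration, reloads the engine and runs a ban/unban round trip. The addresses 203.0.113.0/24 and 198.51.100.77, the file name admin-whitelist.yaml and the ipset name crowdsec-blacklists (the bouncer's default) are assumptions for the example; the functions take the config directory as a parameter so they can be pointed at a scratch directory for a dry run.

```shell
#!/bin/sh
# Added example: whitelist the admin network, set the ban duration and verify
# the iptables bouncer. Not part of the original article or of CrowdSec.
# Placeholders (assumptions): 203.0.113.0/24 = admin network,
# 198.51.100.77 = throwaway IP for the ban test. Run as root with --apply.

# Write a parser whitelist (s02-enrich stage) so events from the admin
# network never turn into alerts. Same format as crowdsecurity/whitelists.
write_whitelist() {
    config_dir="$1"; admin_cidr="$2"
    mkdir -p "$config_dir/parsers/s02-enrich"
    cat > "$config_dir/parsers/s02-enrich/admin-whitelist.yaml" <<EOF
name: local/admin-whitelist
description: "Never raise alerts for the admin network"
whitelist:
  reason: "admin network"
  cidr:
    - "$admin_cidr"
EOF
}

# Replace profiles.yaml with the default IP and range profiles, using the
# given ban duration instead of the default 4h. Keep a copy of the original
# file before applying this to a live system.
write_profiles() {
    config_dir="$1"; duration="$2"
    mkdir -p "$config_dir"
    cat > "$config_dir/profiles.yaml" <<EOF
name: default_ip_remediation
filters:
 - Alert.Remediation == true && Alert.GetScope() == "Ip"
decisions:
 - type: ban
   duration: $duration
on_success: break
---
name: default_range_remediation
filters:
 - Alert.Remediation == true && Alert.GetScope() == "Range"
decisions:
 - type: ban
   duration: $duration
on_success: break
EOF
}

# Round trip: ban a throwaway IP, confirm the decision is active, confirm the
# iptables bouncer has put it into its ipset, then remove the decision again.
# Never use your own IP here: manually added decisions bypass parser
# whitelists, so you would ban yourself.
verify_bouncer() {
    test_ip="$1"
    cscli bouncers list                       # the firewall bouncer must appear here
    cscli decisions add --ip "$test_ip" --duration 2m --reason "bouncer test"
    sleep 15                                  # bouncer polls the local API every 10s by default
    cscli decisions list | grep -q "$test_ip" || { echo "decision missing" >&2; return 1; }
    # crowdsec-blacklists is the default IPv4 ipset of the iptables bouncer
    ipset list crowdsec-blacklists | grep -q "$test_ip" || { echo "IP not in ipset" >&2; return 1; }
    cscli decisions delete --ip "$test_ip"
}

if [ "${1:-}" = "--apply" ]; then
    write_whitelist /etc/crowdsec 203.0.113.0/24
    write_profiles  /etc/crowdsec 24h
    systemctl reload crowdsec                 # picks up the new whitelist and profiles
    verify_bouncer 198.51.100.77
else
    echo "usage: $0 --apply   (run as root; replace the placeholder addresses first)" >&2
fi
```

Without --apply the script only prints its usage, so the file-writing functions can be exercised against a temporary directory first. If the round trip fails at the ipset step, check with cscli metrics that the bouncer is actually pulling decisions from the local API.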

CrowdSec console

The web-based CrowdSec Console enables central administration of all instances. Functions:

  • real-time overview of attacks, blocked IPs and active bans
  • view and activate global block lists
  • manage and adjust scenarios
  • API keys for additional bouncers or production systems
  • visualisation of ongoing attacks in charts and time series


Author: Adrian Zillner

Adrian Zillner has been working in Technical Service at Thomas-Krenn AG since May 2025. He is responsible for supporting customers and answering questions about technical issues.

Translator: Alina Ranzinger

Alina has been working at Thomas-Krenn.AG since 2024. After her training as multilingual business assistant, she got her job as assistant of the Product Management and is responsible for the translation of texts and for the organisation of the department.

