CrowdSec: Collaborative Protection Against Attacks
CrowdSec is an open source security system that analyzes your server logs, detects malicious behavior and automatically blocks IPs. Unlike Fail2ban, it shares information about attackers with the entire community: if one IP attacks a CrowdSec server anywhere in the world, it gets preventively blocked on all others.
Installation
# Add CrowdSec repository
curl -s https://packagecloud.io/install/repositories/crowdsec/crowdsec/script.deb.sh | bash
# Install CrowdSec
apt install crowdsec -y
# Check status
systemctl status crowdsec
cscli version
Bouncer (The Component That Actually Blocks IPs)
CrowdSec detects attacks but delegates blocking to a "bouncer". The most common is the firewall bouncer:
# Install bouncer for iptables/nftables
apt install crowdsec-firewall-bouncer-iptables -y
# Verify it's active
systemctl status crowdsec-firewall-bouncer
Default Installed Scenarios
CrowdSec automatically installs scenarios to detect:
- SSH brute force
- HTTP brute force
- Port scan
- Path traversal
- WordPress exploit
# View active scenarios
cscli scenarios list
# Add additional scenarios
cscli scenarios install crowdsecurity/nginx-req-limit-exceeded
cscli scenarios install crowdsecurity/http-crawl-non_statics
cscli scenarios install crowdsecurity/http-bad-user-agent
Add Log Sources
# View active collections (bundle of parser + scenarios)
cscli collections list
# Install collection for Nginx
cscli collections install crowdsecurity/nginx
# Install collection for Apache
cscli collections install crowdsecurity/apache2
# Install collection for WordPress
cscli collections install crowdsecurity/wordpress
# After adding collections, restart
systemctl restart crowdsec
Make sure log paths are configured in /etc/crowdsec/acquis.yaml:
# /etc/crowdsec/acquis.yaml
# One YAML document per log source, separated by ---
filenames:
  - /var/log/nginx/access.log
  - /var/log/nginx/error.log
labels:
  type: nginx
---
filenames:
  - /var/log/auth.log
labels:
  type: syslog
Daily Commands
# View active bans
cscli decisions list
# View detected alerts (attacks)
cscli alerts list
# Manually ban an IP
cscli decisions add --ip 1.2.3.4 --reason "test" --duration 24h
# Remove a ban
cscli decisions delete --ip 1.2.3.4
# Permanent whitelist of an IP
cscli whitelists add --ip 1.2.3.4 --reason "Office IP"
# Statistics
cscli metrics
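A small triage helper, added here as an example (not part of the original page or of the CrowdSec project): it takes the JSON that `cscli decisions list -o json` prints, counts active decisions by origin (local scenario, manual `cscli` ban, community list) and by scenario, and flags any decision that lands on a network you consider trusted, such as the office IP you would whitelist. The alert/decision field names and the sample data are assumptions constructed for the example.

```python
import ipaddress
import json
from collections import Counter

# Constructed sample in the shape `cscli decisions list -o json` prints: a list of
# alerts, each carrying the decisions taken against its source. Field names follow
# the CrowdSec alert model as I understand it (an assumption, not copied from the page).
SAMPLE_DECISIONS_JSON = """
[
  {"scenario": "crowdsecurity/ssh-bf", "source": {"ip": "203.0.113.10"},
   "decisions": [{"id": 1, "origin": "crowdsec", "scope": "Ip", "value": "203.0.113.10",
                  "type": "ban", "duration": "3h59m", "scenario": "crowdsecurity/ssh-bf"}]},
  {"scenario": "crowdsecurity/http-bad-user-agent", "source": {"ip": "198.51.100.7"},
   "decisions": [{"id": 2, "origin": "crowdsec", "scope": "Ip", "value": "198.51.100.7",
                  "type": "ban", "duration": "2h10m", "scenario": "crowdsecurity/http-bad-user-agent"}]},
  {"scenario": "manual 'ban' from 'localhost'", "source": {"ip": "192.0.2.44"},
   "decisions": [{"id": 3, "origin": "cscli", "scope": "Ip", "value": "192.0.2.44",
                  "type": "ban", "duration": "23h58m", "scenario": "manual 'ban' from 'localhost'"}]}
]
"""

# Constructed "never ban" ranges, e.g. the office network you would otherwise whitelist.
TRUSTED_NETWORKS = [ipaddress.ip_network("192.0.2.0/24")]


def summarize_decisions(raw_json, trusted_networks=TRUSTED_NETWORKS):
    """Count decisions by origin and scenario; flag any that overlap a trusted network.
    Origin 'crowdsec' = local scenario fired, 'cscli' = manual ban, 'CAPI'/'lists' = blocklist."""
    alerts = json.loads(raw_json) or []  # cscli prints `null` when nothing is banned
    by_origin, by_scenario, trusted_hits = Counter(), Counter(), []
    for alert in alerts:
        for d in alert.get("decisions", []):
            by_origin[d["origin"]] += 1
            by_scenario[d["scenario"]] += 1
            scope = d.get("scope", "").lower()
            if scope == "ip":
                target = ipaddress.ip_network(d["value"])  # single host becomes /32 or /128
            elif scope == "range":
                target = ipaddress.ip_network(d["value"], strict=False)
            else:
                continue  # other scopes (country, AS, ...) carry no address to compare
            if any(target.overlaps(net) for net in trusted_networks):
                trusted_hits.append((d["value"], d["origin"], d["scenario"]))
    return {"by_origin": dict(by_origin), "by_scenario": dict(by_scenario),
            "trusted_hits": trusted_hits}
```

On a live host, feed the real output in with `summarize_decisions(subprocess.check_output(["cscli", "decisions", "list", "-o", "json"]))`; a non-empty `trusted_hits` list is the cue to check your whitelist before a colleague gets locked out.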
Community Blocklist (Known Malicious IPs)
By registering for free at app.crowdsec.net and linking your instance, you get access to the community's global blocklist:
# Link your instance (generate key at app.crowdsec.net)
cscli console enroll ENROLLMENT_KEY
# Restart
systemctl restart crowdsec
The community blocklist includes millions of IPs known for malicious activity (scanners, botnets, brute-forcers). It is updated in real time and is free for personal use.
Local Web Dashboard
# Install local web dashboard (optional)
# --network host lets the container reach the local API on 127.0.0.1:8080 and
# exposes port 3000 directly, so no -p mapping is needed (Docker ignores it in host mode)
docker run -d \
--name crowdsec-dashboard \
-e GIN_MODE=release \
-e CROWDSEC_LAPI_KEY=$(cscli bouncers add dashboard -o raw) \
--network host \
crowdsecurity/crowdsec-dashboard
CrowdSec vs Fail2ban
| | CrowdSec | Fail2ban |
|---|---|---|
| Threat Intelligence | ✅ Global community | ❌ Local only |
| Performance | ✅ Much faster | ⚠️ Slow on large logs |
| Configuration | ✅ Simple YAML | ⚠️ Complex regex |
| Multi-server | ✅ Native | ❌ Not supported |
| False Positives | Low | Higher |
| Project Age | Recent (2020) | Mature (2004) |
CrowdSec is the recommended choice for new installations. If you already have Fail2ban configured, you can keep it, but start new servers with CrowdSec.
