CrowdSec: Real-time & crowdsourced protection against aggressive IPs


CrowdSec is a free, modern & collaborative behavior detection engine, coupled with a global IP reputation network. It stacks on fail2ban’s philosophy but is IPV6 compatible and 60x faster (Go vs Python), it uses Grok patterns to parse logs and YAML scenarios to identify behaviors. CrowdSec is engineered for modern Cloud / Containers / VM-based infrastructures (by decoupling detection and remediation). Once detected you can remedy threats with various bouncers (firewall block, nginx http 403, Captchas, etc.) while the aggressive IP can be sent to CrowdSec for curation before being shared among all users to further improve everyone’s security.

Crowdsec is an open-source, lightweight software, detecting peers with aggressive behaviors to prevent them from accessing your systems. Its user-friendly design and assistance offer a low technical barrier of entry and nevertheless a high security gain.

Once an unwanted behavior is detected, deal with it through a bouncer. The aggressive IP, scenario triggered and timestamp are sent for curation, to avoid poisoning & false positives. (This can be disabled). If verified, this IP is then redistributed to all CrowdSec users running the same scenario.

CrowdSec is not a SIEM, storing your logs (neither locally nor remotely). Your data are analyzed locally and forgotten.

Signals sent to the curation platform are limited to the very strict minimum: IP, Scenario, Timestamp. They are only used to allow the system to spot new rogue IPs, and rule out false positives or poisoning attempts.

Main Features

In addition to the core “detect and react” mechanism, CrowdSec is committed to several other key aspects:

  • Easy Installation: Effortless out-of-the-box installation on all supported platforms.
  • Simplified Daily Operations: Use cscli and the hub for effortless maintenance and keeping your detection mechanisms up-to-date.
  • Reproducibility: The Security Engine can analyze not only live logs but also cold logs, making it easier to detect potential false triggers, conduct forensic analysis, or generate reports.
  • Observability: Providing valuable insights into the system’s activity:
    • Users can view/manage alerts from the (Console).
    • Operations personnel have access to detailed Prometheus metrics (Prometheus).
    • Administrators can utilize a user-friendly command-line interface tool (cscli).
  • API-Centric: All components communicate via an HTTP API, facilitating multi-machine setups.

Key benefits

  • Fast assisted installation, no technical barrier
  • Out of the box detection
  • Easy bouncer deployment
  • Easy dashboard access
  • Hot & Cold logs

Install & Use

Copyright (c) 2020-2023 Crowdsec