explaingit

crowdsecurity/crowdsec

13,318 · Go · Audience · ops devops · Complexity · 3/5 · License · Setup · moderate

TLDR

An open-source security tool that reads your server logs to detect attacks like brute-force and port scans, blocks malicious IPs via pluggable components, and shares threat data with a global community so you block known attackers before they target you.

Mindmap

mindmap
  root((CrowdSec))
    Detection
      Log analysis
      Brute-force
      Port scans
    Community
      Shared blocklists
      IP reputation feed
      Hub scenarios
    Remediation
      Firewall bouncer
      CDN bouncer
      K8s ingress
    Platforms
      Linux Windows
      Docker
      Kubernetes

Things people build with this

USE CASE 1

Protect an SSH server from brute-force login attempts by automatically detecting and blocking offending IP addresses.

USE CASE 2

Block malicious web crawlers and vulnerability scanners from reaching your web server using live community-sourced blocklists.

USE CASE 3

Add a security layer to a Kubernetes cluster by installing a CrowdSec bouncer on the ingress controller.

USE CASE 4

Subscribe to the Community Blocklist to block IPs flagged by thousands of other CrowdSec users before they ever reach your server.

Tech stack

Go

Getting it running

Difficulty · moderate Time to first run · 1h+

Requires installing the CrowdSec agent and at least one separate bouncer component to actually block traffic; detection and blocking are decoupled.

Detection scenarios are available under the MIT license: free to use, modify, and share, including in commercial setups.

In plain English

CrowdSec is an open-source security tool written in Go that monitors your server logs and incoming HTTP requests for signs of malicious behavior, then blocks the responsible IP addresses. It reads log files from services like web servers, SSH daemons, and others, looking for patterns such as brute-force login attempts, port scans, or automated web crawlers probing for weaknesses. The detection side functions as an intrusion detection system; the actual blocking is handled by separate components you install alongside it.

What distinguishes CrowdSec from a standalone firewall is its community sharing model. When your installation detects and reports a malicious IP address, that data is contributed to a shared network. In return, your server receives the Community Blocklist: a live feed of IP addresses already flagged by CrowdSec users around the world. Your server can start blocking known bad actors before they ever attempt to reach you, based on attacks other users have already seen.

Detection rules are called scenarios and are available under the MIT license on the project hub. The hub lets you browse and install pre-built scenarios for common attack types, or write your own. Blocking is applied through remediation components, also called bouncers, which you install at different points in your infrastructure: the firewall, a CDN, a specific application, or a Kubernetes ingress controller.

CrowdSec installs on Linux, Windows, Docker, Kubernetes, and several other platforms. A web console is available for visualizing security events and managing configuration. Premium blocklists and additional threat intelligence are available as paid offerings on top of the free open-source core.

Copy-paste prompts

Prompt 1
How do I install CrowdSec on Ubuntu and configure it to protect SSH from brute-force attacks, including setting up the iptables firewall bouncer?
Prompt 2
Write a custom CrowdSec scenario that flags an IP when it makes more than 20 requests to /wp-admin within 30 seconds.
Prompt 3
How do I set up CrowdSec in Docker Compose to protect an Nginx reverse proxy and enable the Community Blocklist feed?
Prompt 4
Show me how to list all IPs currently banned by CrowdSec and whitelist a false positive using the cscli command-line tool.

Verify against the repo before relying on details.