WHAT IS IT?
CrowdSec is an open source security engine that acts as an IDS/IPS and WAF. It parses logs from your services (SSH, nginx, apps…), detects malicious patterns and triggers remediations through bouncers deployed on firewalls, reverse proxies or cloud platforms. Beyond local detection, each instance anonymously reports aggressive IPs to a community network that redistributes a blocklist of real-world threats.
WHY IS IT INTERESTING?
- Decoupled detection and remediation: the engine reads logs on one machine, bouncers block somewhere else. Perfect for distributed setups or shared reverse proxies.
- Scenario and parser hub: community-driven library of ready-to-use rules (SSH bruteforce, port scans, web exploits, aggressive scrapers) installable with a single command.
- Community blocklist: you benefit from IPs already reported by other instances before you even get attacked. A genuine network effect, not marketing fluff.
- Bouncers everywhere: iptables, nftables, Traefik, nginx, Cloudflare, AWS WAF, Caddy, HAProxy, Kubernetes… more than 30 official integrations.
- Lightweight and scriptable: single Go binary, local API, clean cscli CLI, YAML config. Runs on a tiny VPS or a full cluster.
- Free console: web dashboard to visualize alerts, decisions and multi-machine instances, without hosting your own Grafana.
USE CASES
- Protect an exposed SSH server against distributed bruteforce attempts.
- Filter traffic on a reverse proxy (Traefik, nginx) facing scanners and aggressive bots.
- Block known malicious IPs upstream of a self-hosted web application.
- Centralize detection across multiple VPS and share decisions through a shared LAPI instance.
- Replace or complement fail2ban with a modern, multi-source and shared approach.
