CrowdSec – Intelligent Linux Server Protection Against Botnets, Brute-Force Attacks and Internet Scanning

If you run a Linux server with Nginx, SSH, or WordPress, you probably already know Fail2Ban. It is a solid tool, but it works locally — it blocks only the IP addresses that attacked your server.

CrowdSec works in a completely different way. It is a protection system based on shared IP reputation. If thousands of servers worldwide detect a malicious IP address, your server can block it before an attack even happens.

How Does CrowdSec Work?

analyzes system logs (nginx, ssh, wordpress)
detects suspicious behavior
shares attacker IP intelligence with other servers
blocks traffic at the firewall level

The result? Most bots and internet scanners never even reach your Nginx server.

Installing CrowdSec on Debian / Ubuntu

CrowdSec installation is very simple and available directly from Debian repositories.

apt update
apt install crowdsec

1 2	apt update apt install crowdsec

During installation, CrowdSec automatically:

creates a local API (LAPI)
registers the server in CrowdSec Central API
downloads default security scenarios

Installing Firewall Bouncer

CrowdSec detects threats, but it requires an enforcement component — called a bouncer — which blocks traffic at the firewall level.

apt install crowdsec-firewall-bouncer

1	apt install crowdsec-firewall-bouncer

By default, the bouncer uses nftables and automatically adds blocking rules for malicious IP addresses.

Installing Security Collections

Collections include log parsers and attack detection scenarios.

cscli collections install crowdsecurity/nginx
cscli collections install crowdsecurity/wordpress
cscli collections install crowdsecurity/base-http-scenarios
cscli collections install crowdsecurity/sshd

cscli collections install crowdsecurity/nginx

cscli collections install crowdsecurity/wordpress

cscli collections install crowdsecurity/base-http-scenarios

cscli collections install crowdsecurity/sshd

Reload configuration after installation:

systemctl reload crowdsec

1	systemctl reload crowdsec

Configuring Nginx Logs

To allow CrowdSec to analyze HTTP traffic, you must specify Nginx log files.

Edit the file:

nano /etc/crowdsec/acquis.yaml

1	nano /etc/crowdsec/acquis.yaml

Add the following configuration:

filenames:
- /var/log/nginx/access*.log
- /var/log/nginx/error*.log
labels:
type: nginx

filenames:

- /var/log/nginx/access*.log

- /var/log/nginx/error*.log

labels:

type: nginx

Then restart the service:

systemctl restart crowdsec

1	systemctl restart crowdsec

Verifying CrowdSec Operation

Service status:

systemctl status crowdsec

1	systemctl status crowdsec

Active bans list:

cscli decisions list

1	cscli decisions list

Operational metrics:

cscli metrics

1	cscli metrics

Final Result

After proper CrowdSec installation:

the server automatically blocks known botnets
WordPress attacks and SSH brute-force attempts are stopped at the firewall
Nginx handles significantly less malicious traffic
server CPU and IO usage are noticeably reduced

CrowdSec can be considered an evolution of Fail2Ban — a system that not only reacts locally but also benefits from global threat intelligence.