Security Guide

    CrowdSec Deployment

    CrowdSec is a modern, open-source security engine with crowd-sourced threat intelligence. Deploy it on RamNode's reliable VPS hosting for enterprise-grade protection without the enterprise price tag.

    Ubuntu 22.04/24.04
    Crowd-Sourced Intel
    ⏱️ 20-30 minutes

    Why CrowdSec?

    CrowdSec is a modern, open-source security engine designed to protect your servers from malicious behavior. Unlike traditional intrusion prevention systems, CrowdSec leverages crowd-sourced threat intelligence—when one server detects an attack, that information is shared across the network, providing proactive protection for all participants.

    Key Advantages

    • Crowd-sourced real-time threat data
    • Lightweight — written in Go
    • Modular architecture
    • Multi-service protection
    • Free and open-source
    • Optional premium features

    Components

    • Engine: Core detection daemon
    • Collections: Parser + scenario bundles
    • Bouncers: Enforcement (firewall, etc.)
    • Console: Web dashboard
    • Hub: Community scenarios

    Prerequisites

    Before beginning, ensure you have:

    Server Requirements

    • RamNode VPS with 1GB+ RAM (2GB recommended)
    • Ubuntu 22.04/24.04, Debian 11/12, or AlmaLinux/Rocky 8/9
    • Root or sudo access
    • Firewall configured (UFW, firewalld, or iptables)

    Supported Distributions

    • Ubuntu 22.04 LTS
    • Ubuntu 24.04 LTS
    • Debian 11 (Bullseye)
    • Debian 12 (Bookworm)
    • AlmaLinux 8/9
    • Rocky Linux 8/9

    Update System
    sudo apt update && sudo apt upgrade -y

    Install CrowdSec

    CrowdSec provides official repositories for easy installation and updates.

    Add CrowdSec Repository (Ubuntu/Debian)
    curl -s https://install.crowdsec.net | sudo sh

    This script automatically detects your distribution and adds the appropriate repository.

    Install CrowdSec Engine
    # Ubuntu/Debian
    sudo apt install crowdsec -y
    
    # RHEL/AlmaLinux/Rocky
    sudo dnf install crowdsec -y

    During installation, CrowdSec automatically detects running services and installs appropriate collections.

    Verify Installation
    sudo systemctl status crowdsec
    cscli version

    Understanding CrowdSec Architecture

    CrowdSec consists of several key components working together:

    CrowdSec Engine

    The core daemon that parses logs, detects threats, and makes decisions.

    Collections

    Bundles of parsers and scenarios for specific applications (e.g., nginx, sshd).

    Parsers

    Transform raw log lines into structured data for scenario analysis.

    Scenarios

    Define malicious behavior patterns (e.g., "5+ failed SSH logins in 30 seconds").

    Bouncers

    Enforcement components that take action on decisions (blocking IPs, captchas, etc.).

    Decisions

    When a scenario triggers, CrowdSec creates a decision (typically a ban) against the offending IP.


    Configure Collections

    CrowdSec Hub contains community-maintained collections for various services.

    List Installed Collections
    cscli collections list

    Install Collections for Your Services
    # For web servers
    sudo cscli collections install crowdsecurity/nginx
    sudo cscli collections install crowdsecurity/apache2
    sudo cscli collections install crowdsecurity/caddy

    # For SSH protection (usually auto-installed)
    sudo cscli collections install crowdsecurity/sshd

    # For Linux system protection
    sudo cscli collections install crowdsecurity/linux

    # For common web attacks
    sudo cscli collections install crowdsecurity/http-cve

    # For WordPress sites
    sudo cscli collections install crowdsecurity/wordpress

    Restart After Installing Collections
    sudo systemctl restart crowdsec

    List Available Collections
    cscli hub list

    Configure Log Sources

    CrowdSec needs to know where to find your log files. The main configuration file is /etc/crowdsec/acquis.yaml.

    View Current Acquisition Config
    sudo cat /etc/crowdsec/acquis.yaml

    If CrowdSec didn't auto-detect a service, create a new file in /etc/crowdsec/acquis.d/:

    Create Custom Log Source
    sudo nano /etc/crowdsec/acquis.d/nginx.yaml

    /etc/crowdsec/acquis.d/nginx.yaml
    filenames:
      - /var/log/nginx/access.log
      - /var/log/nginx/error.log
    labels:
      type: nginx
    ---
    filenames:
      - /var/log/nginx/*/access.log
      - /var/log/nginx/*/error.log
    labels:
      type: nginx

    Restart and Verify
    sudo systemctl restart crowdsec
    cscli metrics

    💡 Tip: Look for your log files in the "Acquisition Metrics" section to verify they're being read.


    Install a Bouncer

    The CrowdSec engine detects threats but doesn't block them by itself. You need a bouncer to enforce decisions. The firewall bouncer is the most common choice.

    Install Firewall Bouncer
    # For systems using nftables (Ubuntu 22.04+, Debian 11+)
    sudo apt install crowdsec-firewall-bouncer-nftables -y
    
    # For systems using iptables
    sudo apt install crowdsec-firewall-bouncer-iptables -y
    
    # For RHEL/AlmaLinux/Rocky
    sudo dnf install crowdsec-firewall-bouncer-iptables -y

    Verify Bouncer Installation
    cscli bouncers list

    You should see your firewall bouncer listed with a valid API key.

    Alternative Bouncers

    • Nginx bouncer: Application-level blocking with captcha support
    • Cloudflare bouncer: For sites behind Cloudflare
    • Traefik bouncer: For Traefik reverse proxy

    Install Nginx Bouncer (Optional)
    sudo apt install crowdsec-nginx-bouncer -y

    Enroll in CrowdSec Console

    The CrowdSec Console provides a web dashboard for monitoring your instance and accessing the threat intelligence network. Registration is free.

    Create an Account

    Visit app.crowdsec.net and create a free account.

    In the console, navigate to "Security Engines" and click "Add Security Engine." Run the enrollment command:

    Enroll Your Instance
    sudo cscli console enroll <your-enrollment-key>
    sudo systemctl restart crowdsec

    Enable Community Blocklists
    sudo cscli console enable --all

    Benefit: Once enrolled, you'll receive consensus-based blocklists that preemptively block known malicious IPs.


    Configure Whitelists

    Prevent accidentally blocking legitimate traffic by configuring whitelists for trusted IPs.

    Edit Whitelist Configuration
    sudo nano /etc/crowdsec/parsers/s02-enrich/whitelists.yaml

    /etc/crowdsec/parsers/s02-enrich/whitelists.yaml
    name: crowdsecurity/whitelists
    description: "Whitelist trusted IPs"
    whitelist:
      reason: "trusted IPs"
      ip:
        - "127.0.0.1"
        - "::1"
        - "YOUR_HOME_IP"
        - "YOUR_OFFICE_IP"
      cidr:
        - "10.0.0.0/8"
        - "172.16.0.0/12"
        - "192.168.0.0/16"

    Restart After Modifying Whitelists
    sudo systemctl restart crowdsec

    Fine-Tune Detection Settings

    Adjust ban duration and create custom scenarios for your specific needs.

    Adjust Ban Duration

    By default, CrowdSec bans offending IPs for 4 hours. To modify this:

    Edit Profiles
    sudo nano /etc/crowdsec/profiles.yaml

    /etc/crowdsec/profiles.yaml
    name: default_ip_remediation
    filters:
      - Alert.Remediation == true && Alert.GetScope() == "Ip"
    decisions:
      - type: ban
        duration: 24h  # Changed from 4h to 24h
    on_success: break

    Create Custom Scenario

    For example, to detect aggressive port scanning:

    Create Custom Scenario
    sudo nano /etc/crowdsec/scenarios/custom-aggressive-scan.yaml

    /etc/crowdsec/scenarios/custom-aggressive-scan.yaml
    type: leaky
    name: custom/aggressive-scan
    description: "Detect aggressive port scanning"
    filter: evt.Meta.log_type == 'iptables_drop'
    groupby: evt.Meta.source_ip
    capacity: 20
    leakspeed: 10s
    blackhole: 2m
    labels:
      service: iptables
      type: scan
      remediation: true
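    To see how capacity and leakspeed interact before deploying the scenario, here is an added simulation of the leaky bucket (illustrative shell, not CrowdSec's own code): it replays a constructed list of event timestamps through a bucket with the scenario's capacity 20 and leakspeed 10s and reports when it would overflow.

```shell
#!/bin/sh
# Added model, not CrowdSec's own code: a simplified "leaky" bucket with the
# custom scenario's parameters (capacity 20, leakspeed 10s). Each matching event
# adds one token, one token drains every LEAK seconds, and the scenario fires
# when the bucket holds more than CAPACITY tokens. blackhole (2m in the
# scenario, during which the same source is ignored) is not modelled; the
# function simply stops at the first overflow.
# Args: capacity, leak (seconds), then event timestamps in seconds, ascending.
# Prints the timestamp of the first overflow, or "none".
leaky_bucket() {
  capacity=$1; leak=$2; shift 2
  tokens=0; ref=
  for t in "$@"; do
    [ -z "$ref" ] && ref=$t
    drained=$(( (t - ref) / leak ))          # whole leak periods since last drain
    if [ "$drained" -gt 0 ]; then
      tokens=$(( tokens - drained ))
      ref=$(( ref + drained * leak ))
    fi
    if [ "$tokens" -le 0 ]; then             # empty bucket: restart the leak clock
      tokens=0; ref=$t
    fi
    tokens=$(( tokens + 1 ))
    if [ "$tokens" -gt "$capacity" ]; then
      echo "$t"; return 0
    fi
  done
  echo none
}

# Constructed input: 25 dropped packets one second apart; two tokens leak
# along the way, so the 21st net token arrives at t=22
leaky_bucket 20 10 $(seq 0 24)        # prints 22
# the same source probing once every 15 s never fills the bucket
leaky_bucket 20 10 $(seq 0 15 600)    # prints none
```

    Lower capacity or a longer leakspeed makes the scenario fire on slower probing, at the cost of more false positives from legitimate bursts.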

    Monitor and Manage CrowdSec

    Use the cscli command-line tool to monitor and manage CrowdSec.

    View Current Decisions (Bans)
    cscli decisions list

    View Alerts
    cscli alerts list

    View Metrics
    cscli metrics

    Shows parsing statistics, scenario triggers, and bouncer activity.

    Manually Ban/Unban an IP
    # Ban an IP
    sudo cscli decisions add --ip 192.168.1.100 --reason "manual ban" --duration 24h

    # Unban an IP
    sudo cscli decisions delete --ip 192.168.1.100

    View Detailed Logs
    sudo tail -f /var/log/crowdsec.log

    Set Up Alerts and Notifications

    CrowdSec supports notifications through various channels.

    Configure Email Notifications
    sudo nano /etc/crowdsec/notifications/email.yaml

    /etc/crowdsec/notifications/email.yaml
    type: email
    name: email_alerts
    log_level: info
    smtp_host: smtp.yourserver.com
    smtp_port: 587
    smtp_username: alerts@yourdomain.com
    smtp_password: your-password
    sender_email: crowdsec@yourdomain.com
    receiver_emails:
      - admin@yourdomain.com
    timeout: 10s

    Enable Notifications in Profiles

    Edit /etc/crowdsec/profiles.yaml:

    profiles.yaml with notifications
    name: default_ip_remediation
    filters:
      - Alert.Remediation == true && Alert.GetScope() == "Ip"
    decisions:
      - type: ban
        duration: 4h
    notifications:
      - email_alerts
    on_success: break

    Testing Your Configuration

    Verify CrowdSec is detecting and blocking threats correctly.

    Test Detection

    Simulate failed SSH logins from a test machine (not your current connection):

    Test SSH Detection
    # From a different IP, attempt multiple failed logins
    ssh invaliduser@your-vps-ip

    Check for Alerts
    cscli alerts list

    Test Web Protection

    Test Web Attack Detection
    # From a different IP
    curl "http://your-vps-ip/../../etc/passwd"
    curl "http://your-vps-ip/?id=1' OR '1'='1"

    Verify Bouncer is Working

    Check Firewall Rules
    # Check nftables rules
    sudo nft list ruleset | grep crowdsec
    
    # Or for iptables
    sudo iptables -L -n | grep -i crowdsec

    Troubleshooting

    CrowdSec Not Starting

    Check logs for errors:

    Check CrowdSec Logs
    sudo journalctl -u crowdsec -f

    Common causes: malformed YAML or permission issues on log files.

    Logs Not Being Parsed

    Verify acquisition configuration:

    Check Metrics
    cscli metrics

    If a log source shows zero lines read, check file permissions and paths.
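    For the acquisition files from the Configure Log Sources section and the zero-lines-read case above, here is an added shell helper (not part of CrowdSec) that expands each path listed under filenames and reports any that are missing or unreadable; the demo directory it builds is constructed for illustration.

```shell
#!/bin/sh
# Added helper, not part of CrowdSec: reads the "- /path" entries of acquisition
# files (e.g. /etc/crowdsec/acquis.yaml and /etc/crowdsec/acquis.d/*.yaml),
# expands globs, and reports paths that are missing or unreadable. Run it as the
# user the crowdsec service runs as (root by default) so the read check matches
# what the engine sees. Assumes log paths contain no whitespace.
# Prints one line per problem and returns their count, or prints "ok".
check_acquis() {
  problems=0
  for cfg in "$@"; do
    # list items that start with "/" are file paths; globs expand here, and an
    # unmatched glob stays literal so it is reported as missing
    for f in $(sed -n 's/^ *- \(\/.*\)$/\1/p' "$cfg"); do
      if [ ! -e "$f" ]; then
        echo "$cfg: $f does not exist"
        problems=$((problems + 1))
      elif [ ! -r "$f" ]; then
        echo "$cfg: $f is not readable by $(id -un)"
        problems=$((problems + 1))
      fi
    done
  done
  [ "$problems" -eq 0 ] && echo ok
  return "$problems"
}

# Constructed demo (not a real server): a temp dir with one log that matches a
# glob and one path that does not exist.
make_demo() {
  d=$(mktemp -d)
  mkdir -p "$d/nginx/site1"
  : > "$d/nginx/site1/access.log"
  cat > "$d/nginx.yaml" <<EOF
filenames:
  - $d/nginx/*/access.log
  - $d/nginx/missing.log
labels:
  type: nginx
EOF
  echo "$d"
}

# On a real host: check_acquis /etc/crowdsec/acquis.yaml /etc/crowdsec/acquis.d/*.yaml
demo=$(make_demo)
check_acquis "$demo/nginx.yaml" || true   # reports missing.log, returns 1
```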

    Bouncer Not Blocking

    Ensure the bouncer is registered:

    Check Bouncer Status
    cscli bouncers list
    sudo journalctl -u crowdsec-firewall-bouncer -f

    False Positives

    If legitimate traffic is being blocked, inspect the alert:

    Inspect Alert
    cscli alerts inspect <alert-id>

    Add the IP to your whitelist or adjust scenario thresholds.


    Maintenance and Updates

    Update CrowdSec
    sudo apt update && sudo apt upgrade crowdsec crowdsec-firewall-bouncer-nftables

    Update Scenarios and Parsers
    sudo cscli hub update
    sudo cscli hub upgrade
    sudo systemctl restart crowdsec

    Backup Configuration
    sudo tar -czvf crowdsec-backup.tar.gz /etc/crowdsec/

    Security Best Practices

    • ✅ Enable automatic updates for CrowdSec packages
    • ✅ Monitor the Console dashboard regularly to understand attack patterns
    • ✅ Review alerts weekly to identify false positives
    • ✅ Combine with other security layers such as fail2ban
    • ✅ Keep your whitelist minimal to maintain security effectiveness
    • ✅ Use community blocklists for proactive protection
    • ✅ Set up notifications for significant security events

    🎉 Congratulations!

    CrowdSec is now protecting your RamNode VPS with enterprise-grade security. Malicious actors will find their IPs blocked not just on your server, but potentially across thousands of other CrowdSec-protected systems worldwide.