Explained and set up: CrowdSec - the better Fail2Ban alternative?
CrowdSec is a free, open-source intrusion prevention system (IPS) that analyzes suspicious activity on your servers and automatically blocks attackers. Its distinguishing feature: all users share anonymized attack signatures with each other, creating a global threat database in real time that offers protection through swarm intelligence.
Why CrowdSec and not Fail2Ban?
Criterion | CrowdSec | Fail2Ban |
---|---|---|
Community Shield | Yes, shared blocklists worldwide | No |
Multi-layered | Agent + flexible bouncers | iptables/jail only |
Web dashboard | Optional with Metabase/Grafana | No |
Scenario language | YAML-based patterns (simple) | Regex-based filters |
Ecosystem | > 25 bouncers (Nginx, Cloudflare, ...) | Limited actions |
Architecture at a glance

CrowdSec consists of the security engine that runs on your servers and an optional web dashboard that visualizes the data collected at . The engine analyzes log files in real time and detects suspicious patterns. In the event of an attack, the attacker is automatically blocked and the signature is transmitted to the CrowdSec community.
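How log analysis turns repeated failures into a block decision, as an added example (not CrowdSec's code and not part of the original article): a simplified per-IP leaky bucket, the principle behind CrowdSec's leaky-type scenarios, run over constructed sshd log lines. The log format, the regex, and the capacity and leak values are assumptions chosen for illustration.

```python
import re
from datetime import datetime

# Constructed sample log (documentation IP ranges, not real traffic):
# 7 failures one second apart from one IP, 3 failures a minute apart from another.
SAMPLE_LOG = "\n".join(
    [f"2024-05-01T10:00:0{i} sshd[811]: Failed password for root "
     f"from 203.0.113.7 port 4242 ssh2" for i in range(7)]
    + [f"2024-05-01T10:0{i}:30 sshd[902]: Failed password for alice "
       f"from 198.51.100.20 port 5151 ssh2" for i in range(1, 4)]
    + ["2024-05-01T10:04:00 sshd[902]: Accepted password for alice "
       "from 198.51.100.20 port 5151 ssh2"]
)

# Assumed log layout: ISO timestamp, then the sshd failure message.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: Failed password for (?:invalid user )?\S+ "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)

def detect(log_text, capacity=5, leak_seconds=10.0):
    """Return {ip: overflow time} using one leaky bucket per source IP."""
    buckets = {}  # ip -> (fill level, time of last matching event)
    alerts = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # lines that do not parse as a failure are ignored
        ip, now = m["ip"], datetime.fromisoformat(m["ts"])
        if ip in alerts:
            continue  # already flagged; a bouncer would be blocking it
        level, last = buckets.get(ip, (0.0, now))
        # The bucket drains one event per leak_seconds since the last hit.
        level = max(0.0, level - (now - last).total_seconds() / leak_seconds)
        level += 1
        if level > capacity:
            alerts[ip] = now  # overflow: this is where a decision is raised
        buckets[ip] = (level, now)
    return alerts

if __name__ == "__main__":
    for ip, when in detect(SAMPLE_LOG).items():
        print(f"ban {ip} (bucket overflowed at {when.isoformat()})")
```

The slow, spaced-out failures from the second address drain out of the bucket between attempts and never trigger, which is the difference from a plain failure counter.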
Installation in 5 minutes (Debian/Ubuntu)
# Add repository
curl -s https://install.crowdsec.net | sudo sh
# Install security engine
sudo apt install crowdsec
# Install iptables bouncer
sudo apt install crowdsec-firewall-bouncer-iptables
# Restart CrowdSec engine
sudo service crowdsec restart
Set up CrowdSec console
Since we have already installed CrowdSec, we scroll down in the CrowdSec console and copy the enrollment command shown there.

We paste this into our terminal and execute it:
sudo cscli console enroll -e context cmbwirxts0003l508ooeg42mq
Now we need to confirm the enrollment in the CrowdSec console. To do this, we go to the CrowdSec console and click on "Enrollments". If we refresh the page, we will see the following:

sudo service crowdsec restart
We now see our security engine in the CrowdSec console and can view the collected data.

We can also see how attacks have already been detected and blocked:

Conclusion
We have now successfully installed and configured CrowdSec. The engine now analyzes the log files in real time and automatically blocks attackers via the iptables bouncer. Thanks to the integration into the CrowdSec community, we benefit from a global threat database that is constantly updated.
A list of available bouncers can be found here.