10 of 10: CrowdSec in the Docker Container.

Or: Protecting my Builds with Crowd-Sourced Security.

10 of 10: CrowdSec in the Docker Container.

Homelab | LXD Manager | Docker | Docker Desktop | Deno | MariaDB | Portainer | More Docker | Docker Swarm | CrowdSec


Install CrowdSec in a Docker container to detect and block malicious traffic using collective threat intelligence, providing real-time protection and easy management for containerized environments.

An Introduction.

My previous post in this 8-part mini-series covered how I installed Docker Swarm for remote Docker containers. This time, I'm going to show how I install CrowdSec in the Docker container.

The purpose of this post is to install CrowdSec in the Docker container.

CrowdSec is an open-source collaborative security system that detects and blocks malicious traffic in real-time. It works by:

  1. Detecting malicious traffic behaviours on individual servers running the CrowdSec Security Engine,

  2. Sharing detected threats with the CrowdSec network to build threat intelligence, and

  3. Providing this threat intelligence back to all nodes in the network to help them detect and block similar threats.

In essence, it leverages the wisdom of the crowd to identify new threats and stop them before they cause damage.

CrowdSec has two main components:

  1. The CrowdSec Security Engine - This detects malicious traffic behaviours by analyzing log files from services like Nginx, Apache, iptables, etc. It can run on Linux, Windows and containerized environments.

  2. The CrowdSec Console - This is a web interface that allows me to monitor threats detected by the CrowdSec Security Engine, get alerts, and access the shared threat intelligence from the CrowdSec network.

When the CrowdSec Security Engine detects malicious behavior, it will:

  • Block the offending IP address using a firewall bouncer plugin,

  • Share anonymous details about the threat with the CrowdSec network, and

  • Receive threat intelligence from the CrowdSec network to improve its detection capabilities.

The shared threat intelligence includes information like:

  • Country of origin,

  • Autonomous system,

  • Aggressiveness level,

  • Type of attack,

  • And more.

This intelligence can then be accessed via the CrowdSec Console or CrowdSec API to get insights into flagged IP addresses. It can also be integrated with threat intelligence platforms and security orchestration systems.

The Big Picture.

We often need to grow beyond our comfort zone. The world changes and we (sometimes) change with it. Programmers are no different but are less averse to learning new things and trying new... things. There's an adage that goes "If it ain't broke, don't fix it" but, as engineers, we go out of our way to break things on purpose.

CrowdSec is a Big Picture example of our collective mindset. We had a well-considered tool called Fail2Ban. It did exactly what I wanted. But when the mice learned to defeat the mousetrap (and walk away with my cheese) everyone who used Fail2Ban had a problem. Luckily, I belong to an industry of problem solvers. Not only is CrowdSec a better mousetrap (compared to Fail2Ban) but it invisibly spreads its processing requirements across every installation. Clever.

I am very lucky to work in a field where engineers love showing off their skills.

Installing CrowdSec.

  • From a terminal (CTRL + ALT + T) that is connected to the Docker container, I Install the CrowdSec repository:
  curl -s https://packagecloud.io/install/repositories/crowdsec/crowdsec/script.deb.sh | sudo bash

NOTE: Curl will need to be installed for this command to work:

sudo apt install -y curl
  • After downloading the repo details, I update the package list:
  sudo apt update
  • I install CrowdSec:
  sudo apt install crowdsec

NOTE: During installation, CrowdSec will detect existing services like Nginx, Apache, etc. and configure itself automatically.

After installation, I can manage CrowdSec using the cscli command line client.

  • Here are some useful cscli commands are:
sudo cscli metrics #view statistics
sudo cscli alerts list #view alerts
sudo cscli decisions list #view blocking decisions
sudo cscli parsers list #list parsers
sudo cscli scenarios list #list scenarios



  • To block attacks, I will need to install a bouncer. The firewall bouncer cs-firewall-bouncer can be installed with this command:
  wget https://github.com/crowdsecurity/cs-firewall-bouncer/releases/download/v0.0.12/cs-firewall-bouncer.tgz
  tar xzvf cs-firewall-bouncer.tgz
  cd cs-firewall-bouncer-v0.0.12/
  sudo ./install.sh
  • I will then need to configure the bouncer API key in /etc/crowdsec/cs-firewall-bouncer/cs-firewall-bouncer.yaml.

  • I can add components from the CrowdSec Hub using cscli:

  sudo cscli postoverflows install crowdsecurity/seo-bots-whitelist
  sudo systemctl reload crowdsec

The Results.

CrowdSec provides collaborative detection, prevention and intelligence about malicious traffic. It's open source, free to use and easy to setup and manage.

I explored the installation and setup of CrowdSec in a Docker container, enhancing the security of my container by leveraging the power of collective threat intelligence. This open-source solution provides real-time protection and easy management, making it an essential addition to my homelab or any containerized environment.

Both CrowdSec and Fail2ban are open-source intrusion prevention tools that detect and block malicious activity. However, there are some key differences:


  • Uses a dynamic rule engine that analyzes logs in real-time to determine threats and block IPs. The rules adapt as threats evolve.

  • Leverages threat intelligence from a global community of CrowdSec users to identify and block emerging attacks.

  • Has machine learning capabilities that improve detection accuracy over time.

  • Is designed for scalability and high performance, even under heavy load.

  • Offers integration with various security tools and platforms.


  • Uses a static rule-based approach where rules are defined manually.

  • Relies only on logs from the local server - it does not share threat intelligence with other users.

  • Has no machine-learning capabilities.

  • Is not as scalable and may impact performance under high load.

  • Has limited integration options.

CrowdSec is the better choice for:

  • Detecting and blocking unknown threats through community threat intelligence and machine learning,

  • Handling large deployments and high traffic due to its scalable architecture, and

  • Integrating with your existing security tools and platforms.

Fail2ban is better suited for:

  • Simple deployments with well-defined threats and rules, and

  • Systems with limited resources where performance is crucial.

For most modern infrastructure, CrowdSec will provide a more robust and proactive intrusion prevention solution thanks to its dynamic rule engine, threat intelligence, machine learning and scalability. However, Fail2ban is still a good option for basic protection on resource-constrained systems.

In Conclusion.

CrowdSec has proven that one indisputable fact is true: This is an opportunity for clever programmers to build some awesome threat-analysis tools. Developers, hosting providers, and ISPs can easily install open-source solutions that provide a safe Internet experience. These server-based, network-enabled, AI-powered, auto-evolving, self-regulating, semi-autonomous utilities can coordinate their resources to clean up a bulk of the Internet. Yes, I see a subscription opportunity on the horizon: A service where clients contribute small amounts of processor time to the mission: Squash spam, vanquish viruses, and smash spammers.

Until next time: Be safe, be kind, be awesome.

Homelab | LXD Manager | Docker | Docker Desktop | Deno | MariaDB | Portainer | More Docker | Docker Swarm | CrowdSec