🛡️ Network & identity defence
CrowdSec
Community-driven IPS and behaviour-based threat detection.
Why use it
CrowdSec parses logs locally, detects malicious behaviour (brute force, scanning, exploitation attempts), and shares the resulting IoCs with the community. You benefit from the detections of millions of other deployments — a free, federated threat intel feed.
What you get
- Local detection scenarios (SSH brute force, web exploits, etc.)
- Bouncers for nginx, Apache, iptables, Cloudflare to enforce blocks
- Community blocklist updated continuously
- Console dashboard for fleet management
- Free Premium threat intel feeds
System requirements
| Requirement | Value |
|---|---|
| CPU | minimal |
| RAM | 256 MB |
| Disk | 500 MB |
| OS | Linux, Windows, Docker |
| Docker | Yes |
Installation
Run `curl -s https://install.crowdsec.net | sudo sh`. Then install the collections relevant to your stack, e.g. `sudo cscli collections install crowdsecurity/sshd crowdsecurity/nginx`. Finally, add a bouncer that fits your stack (firewall-bouncer for iptables, nginx-bouncer for web servers).
Suggested configuration
Sign up for the free CrowdSec Console to enable community blocklist sharing. Install the `crowdsecurity/linux` baseline collection plus one collection per application you run (nginx, MySQL, Postfix). The firewall bouncer is the most universal enforcer, since it blocks at the packet level regardless of which service is attacked.
Integration ideas
- Forward decisions to Pi-hole for DNS-level blocking
- Combine with Wazuh for unified visibility
- Push community-flagged IPs to Suricata blocklist
Alternatives
- Fail2ban — Older; no community sharing; simpler.
- Suricata IPS mode — Heavier, more flexible, network-level.
Cyentrix verdict
Effectively a free fail2ban with global threat intel. Install on every internet-facing host.