docker.recipes

CrowdSec

intermediate

Collaborative behavior detection and threat intelligence.

Overview

CrowdSec is an open-source collaborative security engine that analyzes logs and behaviors to detect suspicious activities, then shares threat intelligence across a community network of users. Unlike traditional intrusion detection systems, CrowdSec operates on a crowdsourced model where detected attack patterns are shared anonymously with the global community, creating a collective defense mechanism. The platform uses behavioral analysis and machine learning to identify threats in real-time, making decisions about whether to block, challenge, or allow traffic based on reputation scores and attack signatures.

This Docker stack combines the CrowdSec security engine with configurable bouncers that act as enforcement points for security decisions. CrowdSec analyzes system logs from various sources including web servers, SSH daemons, and application logs to detect attack patterns like brute force attempts, vulnerability scans, and bot traffic. When threats are identified, bouncers receive real-time decisions through CrowdSec's local API and automatically implement protective measures such as IP blocking, rate limiting, or CAPTCHA challenges at the application or infrastructure level.

This configuration is ideal for system administrators managing web applications, security teams implementing layered defense strategies, and DevOps engineers seeking automated threat response. The collaborative intelligence aspect means your infrastructure benefits from attack patterns detected globally, while your local detections contribute to protecting the broader community. CrowdSec's scenario-based detection system allows for fine-tuned security policies that adapt to your specific application stack and threat landscape.

Key Features

  • Collaborative threat intelligence sharing with global CrowdSec community network
  • Real-time behavioral analysis engine processing multiple log sources simultaneously
  • Scenario-based detection system with pre-built collections for nginx, SSH, and Linux systems
  • Local API server on port 8080 providing security decisions to bouncer components
  • Multi-tier decision system supporting ban, captcha, and rate limiting responses
  • Automatic parsing and normalization of log formats from different services
  • Community-maintained detection scenarios with regular updates for emerging threats
  • Console integration for centralized management and threat intelligence visualization
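The "scenario-based detection" described above is, at its core, a leaky bucket per source address: every matching log event fills the bucket, the bucket drains at a fixed leak speed, and an overflow produces an alert. The following is an added example, not CrowdSec's own code, that reproduces that mechanism over a few constructed nginx access-log lines so the behaviour can be read end to end. The log lines, the 4xx status filter, the capacity and leak-speed values, and the scenario name `example/http-bad-status` are all assumptions made for the example; CrowdSec's real scenarios and parsers live in the hub collections the compose file installs.

```python
"""Toy leaky-bucket scenario run over nginx access-log lines.

Added example, not CrowdSec's own code: it reproduces the mechanism behind a
CrowdSec scenario (one leaky bucket per source IP with a capacity and a leak
speed) so the detection logic can be read in a few lines. The log lines,
thresholds and scenario name below are constructed for the example.
"""
import re
from datetime import datetime

# Constructed nginx "combined" log lines using RFC 5737 documentation addresses.
# 203.0.113.7 hammers the login page; 198.51.100.9 is ordinary browsing.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2024:12:00:00 +0000] "POST /wp-login.php HTTP/1.1" 401 512 "-" "curl/8.0"
203.0.113.7 - - [10/Mar/2024:12:00:01 +0000] "POST /wp-login.php HTTP/1.1" 401 512 "-" "curl/8.0"
203.0.113.7 - - [10/Mar/2024:12:00:02 +0000] "POST /wp-login.php HTTP/1.1" 401 512 "-" "curl/8.0"
203.0.113.7 - - [10/Mar/2024:12:00:03 +0000] "POST /wp-login.php HTTP/1.1" 401 512 "-" "curl/8.0"
203.0.113.7 - - [10/Mar/2024:12:00:04 +0000] "POST /wp-login.php HTTP/1.1" 401 512 "-" "curl/8.0"
203.0.113.7 - - [10/Mar/2024:12:00:05 +0000] "POST /wp-login.php HTTP/1.1" 401 512 "-" "curl/8.0"
198.51.100.9 - - [10/Mar/2024:12:00:00 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Mar/2024:12:01:00 +0000] "GET /missing HTTP/1.1" 404 128 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Mar/2024:12:05:00 +0000] "GET /missing2 HTTP/1.1" 404 128 "-" "Mozilla/5.0"
"""

# Matches nginx's default "combined" log_format up to the status code.
_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)


def parse_line(line):
    """Return (source_ip, timestamp, status) or None for an unparsable line."""
    m = _LINE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts, int(m.group("status"))


def run_scenario(log_text, capacity=5, leakspeed=10.0, statuses=(401, 403, 404),
                 scenario="example/http-bad-status"):
    """Pour matching events into one leaky bucket per source IP.

    Each matching event adds 1 to the source's bucket; the bucket drains one
    event per `leakspeed` seconds; a level above `capacity` is an overflow,
    which raises an alert and discards that bucket. Returns the alert list.
    """
    buckets = {}   # ip -> {"level": float, "last": datetime, "count": int}
    alerts = []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue                      # not a combined-format line
        ip, ts, status = parsed
        if status not in statuses:
            continue                      # scenario filter: only these count
        b = buckets.setdefault(ip, {"level": 0.0, "last": ts, "count": 0})
        leaked = (ts - b["last"]).total_seconds() / leakspeed
        level = b["level"] - leaked
        if level <= 0:
            level, b["count"] = 0.0, 0    # bucket fully drained: start over
        b["level"], b["last"], b["count"] = level + 1.0, ts, b["count"] + 1
        if b["level"] > capacity:
            alerts.append({"source_ip": ip, "scenario": scenario,
                           "events": b["count"], "at": ts.isoformat()})
            del buckets[ip]               # overflowed bucket is discarded
    return alerts


if __name__ == "__main__":
    for alert in run_scenario(SAMPLE_LOG):
        print(alert)
```

With the sample input only 203.0.113.7 overflows (six 401s within five seconds against a capacity of five), while 198.51.100.9's two 404s four minutes apart drain away between events; raising the capacity to 10 produces no alert at all. In a real deployment the overflow becomes an alert in `cscli alerts list` and, through the profile, a decision handed to bouncers.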

Common Use Cases

  • Web application protection against brute force attacks and vulnerability scanning
  • SSH server hardening with automated blocking of credential stuffing attempts
  • Multi-service log analysis for comprehensive security monitoring across Docker environments
  • API endpoint protection with intelligent rate limiting based on behavioral patterns
  • WordPress and CMS security enhancement through collaborative threat detection
  • Network perimeter defense for small to medium-sized infrastructure deployments
  • Security orchestration for development teams requiring automated incident response

Prerequisites

  • Docker host with access to system log directories (/var/log mounted as read-only)
  • Minimum 512MB RAM allocation for CrowdSec behavioral analysis engine
  • Port 8080 available for CrowdSec API communication with bouncers
  • Understanding of log file locations for services you want to monitor
  • Basic knowledge of security concepts like IP blocking and rate limiting
  • Network connectivity for downloading threat intelligence updates and scenario collections

For development & testing. Review security settings, change default credentials, and test thoroughly before production use.

docker-compose.yml

docker-compose.yml
services:
  crowdsec:
    image: crowdsecurity/crowdsec:latest
    container_name: crowdsec
    restart: unless-stopped
    environment:
      COLLECTIONS: "crowdsecurity/linux crowdsecurity/nginx"
      GID: "${GID-1000}"
    volumes:
      - crowdsec_config:/etc/crowdsec
      - crowdsec_data:/var/lib/crowdsec/data
      - /var/log:/var/log:ro
    ports:
      - "8080:8080"

volumes:
  crowdsec_config:
  crowdsec_data:

.env Template

.env
GID=1000

Usage Notes

  1. Docs: https://docs.crowdsec.net/
  2. API on port 8080 - used by bouncers for decisions
  3. Install bouncers: docker exec crowdsec cscli bouncers add myapp
  4. View alerts: docker exec crowdsec cscli alerts list
  5. Register at https://app.crowdsec.net for console and shared blocklists
  6. Collections auto-install detection scenarios for each service
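A bouncer registered with `cscli bouncers add` does little more than fetch decisions from the local API on port 8080 with the key it was issued, keep them in a cache, and consult that cache for every client address it sees. The following is an added example, not CrowdSec's code nor that of any official bouncer, showing that cache logic in isolation. The API call is replaced by a constructed JSON document whose fields follow the decision objects the local API returns (`id`, `origin`, `type`, `scope`, `value`, `duration`, `scenario`); the addresses, durations, ids and the fixed clock `FIXED_NOW` are assumptions made for the example. It handles the cases that trip up naive enforcement: `Range` decisions covering a whole CIDR, decisions whose Go-style duration has already gone negative, and decisions the API later reports as deleted.

```python
"""Minimal in-memory decision cache: the core of what a CrowdSec bouncer does.

Added example, not CrowdSec's or any bouncer's code. A real bouncer is
registered with `cscli bouncers add`, polls the Local API on port 8080 with the
key it was given, and enforces the decisions it receives. Here the API response
is replaced by a constructed JSON document whose fields follow the decision
objects LAPI returns; addresses, durations, ids and the clock are made up.
"""
import ipaddress
import json
import re
from datetime import datetime, timedelta, timezone

# Constructed stream payload: 'new' decisions to enforce, 'deleted' to drop.
SAMPLE_STREAM = json.dumps({
    "new": [
        {"id": 1, "origin": "crowdsec", "type": "ban", "scope": "Ip",
         "value": "203.0.113.7", "duration": "3h59m",
         "scenario": "crowdsecurity/http-bf-wordpress_bf"},
        {"id": 2, "origin": "CAPI", "type": "ban", "scope": "Range",
         "value": "198.51.100.0/24", "duration": "23h",
         "scenario": "crowdsecurity/http-probing"},
        {"id": 3, "origin": "crowdsec", "type": "captcha", "scope": "Ip",
         "value": "192.0.2.44", "duration": "1h",
         "scenario": "crowdsecurity/http-crawl-non_statics"},
        {"id": 4, "origin": "crowdsec", "type": "ban", "scope": "Ip",
         "value": "192.0.2.99", "duration": "-5m",       # already expired
         "scenario": "crowdsecurity/ssh-bf"},
    ],
    "deleted": [],
})
# A later poll: LAPI reports decision 3 as gone (constructed).
SAMPLE_DELETE = json.dumps({"new": [], "deleted": [{"id": 3, "value": "192.0.2.44"}]})

_UNIT_SECONDS = {"h": 3600, "m": 60, "s": 1, "ms": 0.001}
_DUR_PART = re.compile(r"(\d+(?:\.\d+)?)(ms|h|m|s)")


def parse_duration(text):
    """Parse a Go-style duration ('3h59m', '-5m', '1h30m') into a timedelta."""
    sign = -1 if text.startswith("-") else 1
    body = text.lstrip("+-")
    parts = _DUR_PART.findall(body)
    if not parts or "".join(n + u for n, u in parts) != body:
        raise ValueError(f"bad duration: {text!r}")
    return timedelta(seconds=sign * sum(float(n) * _UNIT_SECONDS[u] for n, u in parts))


class DecisionCache:
    """Decisions keyed by id; each maps to a network, an action and an expiry."""

    def __init__(self, now=None):
        self._now = now or (lambda: datetime.now(timezone.utc))
        self._entries = {}   # id -> (ip_network, action, expires_at)

    def apply_stream(self, stream_json):
        """Ingest one stream payload: drop 'deleted', add 'new'. Returns cache size."""
        payload = json.loads(stream_json)
        now = self._now()
        for d in payload.get("deleted") or []:
            self._entries.pop(d["id"], None)
        for d in payload.get("new") or []:
            if d["scope"] not in ("Ip", "Range"):
                continue                     # only address-based scopes enforced here
            expires = now + parse_duration(d["duration"])
            if expires <= now:
                continue                     # expired on arrival: nothing to enforce
            net = ipaddress.ip_network(d["value"], strict=False)
            self._entries[d["id"]] = (net, d["type"], expires)
        return len(self._entries)

    def lookup(self, client_ip):
        """Return the action for a client ('ban', 'captcha', ...) or None."""
        addr = ipaddress.ip_address(client_ip)
        now = self._now()
        action = None
        for net, kind, expires in self._entries.values():
            if expires <= now or addr.version != net.version or addr not in net:
                continue
            if action is None or kind == "ban":   # ban outranks softer actions
                action = kind
        return action


FIXED_NOW = datetime(2024, 3, 10, 12, 0, tzinfo=timezone.utc)   # constructed clock


def demo():
    """Load the sample stream, look up a few clients, then apply the deletion."""
    cache = DecisionCache(now=lambda: FIXED_NOW)
    result = {"loaded": cache.apply_stream(SAMPLE_STREAM)}
    for ip in ("203.0.113.7", "198.51.100.42", "192.0.2.44", "192.0.2.99", "192.0.2.1"):
        result[ip] = cache.lookup(ip)
    cache.apply_stream(SAMPLE_DELETE)
    result["192.0.2.44 after delete"] = cache.lookup("192.0.2.44")
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Three of the four decisions are loaded (the one with a negative duration is skipped), 198.51.100.42 is caught by the `/24` range decision, and 192.0.2.44 moves from `captcha` to no action once the deletion arrives. Checking the expiry again at lookup time matters because a cache is only refreshed at the polling interval, so a decision can lapse between polls.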

Quick Start

terminal
# 1. Create the compose file
cat > docker-compose.yml << 'EOF'
services:
  crowdsec:
    image: crowdsecurity/crowdsec:latest
    container_name: crowdsec
    restart: unless-stopped
    environment:
      COLLECTIONS: "crowdsecurity/linux crowdsecurity/nginx"
      GID: "${GID-1000}"
    volumes:
      - crowdsec_config:/etc/crowdsec
      - crowdsec_data:/var/lib/crowdsec/data
      - /var/log:/var/log:ro
    ports:
      - "8080:8080"

volumes:
  crowdsec_config:
  crowdsec_data:
EOF

# 2. Create the .env file
cat > .env << 'EOF'
GID=1000
EOF

# 3. Start the services
docker compose up -d

# 4. View logs
docker compose logs -f

One-Liner

Run this command to download and set up the recipe in one step:

terminal
curl -fsSL https://docker.recipes/api/recipes/crowdsec/run | bash

Troubleshooting

  • CrowdSec fails to start with permission errors: Ensure GID environment variable matches Docker host user group and log directories have proper read permissions
  • No alerts generated despite suspicious activity: Verify log file paths are correctly mounted and check if appropriate collections are installed for your services
  • Bouncer cannot connect to CrowdSec API: Confirm port 8080 is accessible and bouncer is properly registered using 'cscli bouncers add' command
  • Collections fail to install automatically: Check internet connectivity and manually install using 'docker exec crowdsec cscli collections install collection-name'
  • High memory usage during log processing: Adjust log rotation policies and consider filtering verbose log entries before mounting to CrowdSec container
  • Console registration fails: Verify network connectivity to app.crowdsec.net and ensure firewall allows outbound HTTPS connections
