CrowdSec + Bouncer + Dashboard
Collaborative security engine with reputation system.
Overview
CrowdSec is a modern, open-source intrusion prevention system that combines behavioral analysis with collaborative threat intelligence. Created in 2019 by Thibault Koechlin and Philippe Humeau, CrowdSec analyzes logs in real-time to detect attack patterns, then shares anonymized threat data with a global community network. Unlike traditional security tools that rely solely on static signatures, CrowdSec uses crowd-sourced intelligence to identify emerging threats and build collective immunity against malicious actors.
This stack combines CrowdSec's detection engine with the firewall bouncer for automated IP blocking and Metabase for comprehensive security analytics and reporting. The firewall bouncer acts as the enforcement layer, automatically blocking malicious IPs detected by CrowdSec at the iptables level, while PostgreSQL stores detection data that Metabase transforms into actionable security dashboards. This configuration provides enterprise-grade threat detection and response capabilities with the ability to visualize attack patterns, bouncer effectiveness, and security metrics through Metabase's powerful analytics interface.
Organizations seeking proactive security monitoring with automated response capabilities will find this stack particularly valuable. The combination of real-time threat detection, automatic blocking, and comprehensive reporting makes it ideal for security teams who need both operational protection and strategic security insights, while benefiting from CrowdSec's collaborative threat intelligence network.
Key Features
- Real-time log analysis with behavioral detection algorithms for SSH, HTTP, and custom application attacks
- Collaborative threat intelligence sharing with CrowdSec's global community network
- Automatic iptables firewall rule management through the cs-firewall-bouncer integration
- Multiple detection scenarios including brute-force, DDoS, and application-specific attack patterns
- Metabase analytics dashboard with customizable security metrics and attack visualization
- PostgreSQL-backed data persistence for long-term threat analysis and reporting
- Collection-based configuration system supporting Linux, Nginx, SSH, and custom parsers
- API-driven architecture enabling integration with external security tools and SIEM systems
Common Use Cases
1. Web server protection with automated blocking of brute-force attacks and malicious bot traffic
2. SSH hardening for Linux servers with real-time detection of credential stuffing attempts
3. Multi-server security monitoring with centralized threat intelligence and reporting
4. Compliance reporting with historical attack data and security metrics visualization
5. DevOps security automation integrating threat detection into CI/CD pipeline monitoring
6. Small business security operations center with low-maintenance automated threat response
7. Research and threat hunting using CrowdSec's community intelligence and Metabase analytics
Prerequisites
- Minimum 2GB RAM (1GB for CrowdSec/Metabase, 512MB for PostgreSQL, 512MB for system overhead)
- Docker host with privileged access for firewall bouncer NET_ADMIN and NET_RAW capabilities
- Available ports 3000 (Metabase), 8080 (CrowdSec API), and iptables access for bouncer
- Log file access with readable /var/log directory containing application logs to monitor
- Environment variables BOUNCER_API_KEY, POSTGRES_USER, and POSTGRES_PASSWORD configured
- Basic understanding of iptables rules and firewall management for bouncer troubleshooting
For development & testing. Review security settings, change default credentials, and test thoroughly before production use.
docker-compose.yml
```yaml
services:
  crowdsec:
    image: crowdsecurity/crowdsec:latest
    environment:
      - GID=1000
      - COLLECTIONS=crowdsecurity/linux crowdsecurity/nginx crowdsecurity/sshd
      - CUSTOM_HOSTNAME=crowdsec
    volumes:
      - crowdsec-data:/var/lib/crowdsec/data
      - crowdsec-config:/etc/crowdsec
      - /var/log:/var/log:ro
    ports:
      - "8080:8080"
    networks:
      - crowdsec-network
    restart: unless-stopped

  bouncer-firewall:
    image: crowdsecurity/cs-firewall-bouncer:latest
    environment:
      # With network_mode: host the Compose service name "crowdsec" does not
      # resolve, so the bouncer reaches the API on the port published on the host.
      - CROWDSEC_AGENT_HOST=localhost:8080
      - CROWDSEC_BOUNCER_API_KEY=${BOUNCER_API_KEY}
    cap_add:
      - NET_ADMIN
      - NET_RAW
    network_mode: host
    depends_on:
      - crowdsec
    restart: unless-stopped

  dashboard:
    image: metabase/metabase:latest
    environment:
      - MB_DB_TYPE=postgres
      - MB_DB_HOST=postgres
      - MB_DB_PORT=5432
      - MB_DB_DBNAME=metabase
      - MB_DB_USER=${POSTGRES_USER}
      - MB_DB_PASS=${POSTGRES_PASSWORD}
    volumes:
      - metabase-data:/metabase-data
    ports:
      - "3000:3000"
    depends_on:
      - postgres
    networks:
      - crowdsec-network
    restart: unless-stopped

  postgres:
    image: postgres:15
    environment:
      - POSTGRES_USER=${POSTGRES_USER}
      - POSTGRES_PASSWORD=${POSTGRES_PASSWORD}
      - POSTGRES_DB=metabase
    volumes:
      - postgres-data:/var/lib/postgresql/data
    networks:
      - crowdsec-network
    restart: unless-stopped

volumes:
  crowdsec-data:
  crowdsec-config:
  metabase-data:
  postgres-data:

networks:
  crowdsec-network:
    driver: bridge
```
.env Template
.env
```env
# CrowdSec
POSTGRES_USER=metabase
POSTGRES_PASSWORD=secure_postgres_password

# Generate bouncer API key (run from the directory containing docker-compose.yml):
# docker compose exec crowdsec cscli bouncers add firewall-bouncer
BOUNCER_API_KEY=your_bouncer_api_key
```
Usage Notes
1. API at http://localhost:8080
2. Dashboard at http://localhost:3000
3. Generate bouncer key first
4. Community blocklists
5. Multiple bouncer types available
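The "generate bouncer key first" note, written out as a start-up script. This is an added example, not part of the original recipe; it assumes Docker Compose v2, uses cscli's `-o raw` output so that only the key is printed, and the file name `bootstrap.sh` is hypothetical.

```sh
#!/bin/sh
# Added example, not part of the original recipe.
set -eu

# True when BOUNCER_API_KEY is missing, empty, or still the template placeholder.
needs_bouncer_key() {
  current=$(sed -n 's/^BOUNCER_API_KEY=//p' "$1" 2>/dev/null | tail -n 1)
  [ -z "$current" ] || [ "$current" = "your_bouncer_api_key" ]
}

# Replace (or append) KEY=VALUE through an owner-only temp file, so the key is
# never written to a world-readable file.
set_env_value() {
  file=$1; key=$2; value=$3
  tmp=$(mktemp "${file}.XXXXXX")
  chmod 600 "$tmp"
  if [ -f "$file" ]; then grep -v "^${key}=" "$file" > "$tmp" || true; fi
  printf '%s=%s\n' "$key" "$value" >> "$tmp"
  mv "$tmp" "$file"
}

bootstrap() {
  env_file=${1:-.env}
  # 1. Start only CrowdSec; the bouncer cannot authenticate without a key.
  docker compose up -d crowdsec
  # 2. Wait until the local API answers.
  until docker compose exec -T crowdsec cscli lapi status >/dev/null 2>&1; do
    sleep 2
  done
  # 3. Register the bouncer once; "-o raw" makes cscli print only the key.
  if needs_bouncer_key "$env_file"; then
    api_key=$(docker compose exec -T crowdsec cscli bouncers add firewall-bouncer -o raw)
    set_env_value "$env_file" BOUNCER_API_KEY "$api_key"
  fi
  # 4. Start the remaining services, which now read the real key from .env.
  docker compose up -d
}

# The Docker steps run only when invoked as: sh bootstrap.sh run [path/to/.env]
if [ "${1:-}" = "run" ]; then bootstrap "${2:-.env}"; fi
```

Re-running the script is safe: once `.env` holds a real key, step 3 is skipped and the existing bouncer registration is kept.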
Individual Services (4 services)
Copy individual services to mix and match with your existing compose files.
crowdsec
```yaml
  crowdsec:
    image: crowdsecurity/crowdsec:latest
    environment:
      - GID=1000
      - COLLECTIONS=crowdsecurity/linux crowdsecurity/nginx crowdsecurity/sshd
      - CUSTOM_HOSTNAME=crowdsec
    volumes:
      - crowdsec-data:/var/lib/crowdsec/data
      - crowdsec-config:/etc/crowdsec
      - /var/log:/var/log:ro
    ports:
      - "8080:8080"
    networks:
      - crowdsec-network
    restart: unless-stopped
```
bouncer-firewall
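```yaml
  bouncer-firewall:
    image: crowdsecurity/cs-firewall-bouncer:latest
    environment:
      # With network_mode: host the Compose service name "crowdsec" does not
      # resolve, so the bouncer reaches the API on the port published on the host.
      - CROWDSEC_AGENT_HOST=localhost:8080
      - CROWDSEC_BOUNCER_API_KEY=${BOUNCER_API_KEY}
    cap_add:
      - NET_ADMIN
      - NET_RAW
    network_mode: host
    depends_on:
      - crowdsec
    restart: unless-stopped
```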
dashboard
```yaml
  dashboard:
    image: metabase/metabase:latest
    environment:
      - MB_DB_TYPE=postgres
      - MB_DB_HOST=postgres
      - MB_DB_PORT=5432
      - MB_DB_DBNAME=metabase
      - MB_DB_USER=${POSTGRES_USER}
      - MB_DB_PASS=${POSTGRES_PASSWORD}
    volumes:
      - metabase-data:/metabase-data
    ports:
      - "3000:3000"
    depends_on:
      - postgres
    networks:
      - crowdsec-network
    restart: unless-stopped
```
postgres
```yaml
  postgres:
    image: postgres:15
    environment:
      - POSTGRES_USER=${POSTGRES_USER}
      - POSTGRES_PASSWORD=${POSTGRES_PASSWORD}
      - POSTGRES_DB=metabase
    volumes:
      - postgres-data:/var/lib/postgresql/data
    networks:
      - crowdsec-network
    restart: unless-stopped
```
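The recipe asks you to review security settings and change the default credentials before production use. The following pre-flight check does that for this stack's `.env` and `docker-compose.yml`; it is an added example, not part of the original recipe, and the file name `preflight.sh` and the four checks chosen are assumptions of the example.

```sh
#!/bin/sh
# Added example, not part of the original recipe.

# Print one finding per line for the given .env and compose file.
preflight_findings() {
  env_file=$1; compose_file=$2

  # 1. Values that are empty or still the placeholders from the .env template.
  while IFS='=' read -r key value; do
    case "$key" in ''|'#'*) continue ;; esac
    case "$value" in
      ''|secure_postgres_password|your_bouncer_api_key)
        echo "env: $key is empty or still the template placeholder" ;;
    esac
  done < "$env_file"

  # 2. Secrets file accessible to group or others (expect mode 600).
  perms=$(ls -l "$env_file" | cut -c5-10)
  [ "$perms" = "------" ] || echo "env: $env_file is accessible to group/others"

  # 3. "HOST:CONTAINER" port mappings without a host address bind to every
  #    interface, exposing the CrowdSec API and Metabase beyond localhost.
  grep -nE '^[[:space:]]*-[[:space:]]*"?[0-9]+:[0-9]+"?[[:space:]]*$' "$compose_file" |
    sed 's/^\([0-9]*\):.*/compose: line \1 publishes a port on all interfaces/'

  # 4. Floating tags: the image that runs can change on every pull.
  grep -nE 'image:.*:latest[[:space:]]*$' "$compose_file" |
    sed 's/^\([0-9]*\):.*/compose: line \1 uses a floating :latest tag/'
}

# Print the findings and return non-zero when there are any.
preflight() {
  report=$(preflight_findings "$1" "$2")
  if [ -z "$report" ]; then return 0; fi
  printf '%s\n' "$report"
  return 1
}

# Usage: sh preflight.sh .env docker-compose.yml
if [ $# -eq 2 ]; then preflight "$1" "$2"; fi
```

A port mapping written as `"127.0.0.1:8080:8080"` and an image pinned to a specific version tag both pass checks 3 and 4.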
Quick Start
terminal
```bash
# 1. Create the compose file
cat > docker-compose.yml << 'EOF'
services:
  crowdsec:
    image: crowdsecurity/crowdsec:latest
    environment:
      - GID=1000
      - COLLECTIONS=crowdsecurity/linux crowdsecurity/nginx crowdsecurity/sshd
      - CUSTOM_HOSTNAME=crowdsec
    volumes:
      - crowdsec-data:/var/lib/crowdsec/data
      - crowdsec-config:/etc/crowdsec
      - /var/log:/var/log:ro
    ports:
      - "8080:8080"
    networks:
      - crowdsec-network
    restart: unless-stopped

  bouncer-firewall:
    image: crowdsecurity/cs-firewall-bouncer:latest
    environment:
      # With network_mode: host the Compose service name "crowdsec" does not
      # resolve, so the bouncer reaches the API on the port published on the host.
      - CROWDSEC_AGENT_HOST=localhost:8080
      - CROWDSEC_BOUNCER_API_KEY=${BOUNCER_API_KEY}
    cap_add:
      - NET_ADMIN
      - NET_RAW
    network_mode: host
    depends_on:
      - crowdsec
    restart: unless-stopped

  dashboard:
    image: metabase/metabase:latest
    environment:
      - MB_DB_TYPE=postgres
      - MB_DB_HOST=postgres
      - MB_DB_PORT=5432
      - MB_DB_DBNAME=metabase
      - MB_DB_USER=${POSTGRES_USER}
      - MB_DB_PASS=${POSTGRES_PASSWORD}
    volumes:
      - metabase-data:/metabase-data
    ports:
      - "3000:3000"
    depends_on:
      - postgres
    networks:
      - crowdsec-network
    restart: unless-stopped

  postgres:
    image: postgres:15
    environment:
      - POSTGRES_USER=${POSTGRES_USER}
      - POSTGRES_PASSWORD=${POSTGRES_PASSWORD}
      - POSTGRES_DB=metabase
    volumes:
      - postgres-data:/var/lib/postgresql/data
    networks:
      - crowdsec-network
    restart: unless-stopped

volumes:
  crowdsec-data:
  crowdsec-config:
  metabase-data:
  postgres-data:

networks:
  crowdsec-network:
    driver: bridge
EOF

# 2. Create the .env file
cat > .env << 'EOF'
# CrowdSec
POSTGRES_USER=metabase
POSTGRES_PASSWORD=secure_postgres_password

# Generate bouncer API key (run from the directory containing docker-compose.yml):
# docker compose exec crowdsec cscli bouncers add firewall-bouncer
BOUNCER_API_KEY=your_bouncer_api_key
EOF

# 3. Start the services
docker compose up -d

# 4. View logs
docker compose logs -f
```
One-Liner
Run this command to download and set up the recipe in one step:
terminal
```bash
curl -fsSL https://docker.recipes/api/recipes/crowdsec-complete/run | bash
```
Troubleshooting
- CrowdSec API returning 403 errors: Generate bouncer API key using 'docker compose exec crowdsec cscli bouncers add firewall-bouncer'
- Firewall bouncer not blocking IPs: Verify container has NET_ADMIN capabilities and host network mode access to iptables
- Metabase connection refused on startup: Check PostgreSQL container health and ensure POSTGRES_USER/PASSWORD environment variables match
- CrowdSec not detecting attacks: Verify log file permissions and that /var/log mount contains readable application logs
- Dashboard showing no data: Confirm CrowdSec collections are installed and parsers are processing logs successfully
- High memory usage in CrowdSec: Reduce log retention period and limit active collections to required services only
Components
crowdsec, crowdsec-bouncer, metabase, postgresql
Tags
#crowdsec #security #firewall #reputation #collaborative
Category
Security & Networking