docker.recipes

CrowdSec Security Engine

Difficulty: intermediate

Collaborative security engine with crowdsourced threat intelligence.

Overview

CrowdSec is an open-source Intrusion Detection System (IDS) built around collaborative threat intelligence. It operates on a crowdsourced security model: detection signals from installations across the global community are aggregated and shared, so that malicious actors identified by one installation can be blocked by every other participant in real time. Unlike security tools that work in isolation, CrowdSec turns the blocked IPs and attack patterns of each installation into a collective intelligence network that protects all users in the ecosystem.

This Docker stack combines CrowdSec's Security Engine with PostgreSQL for metrics storage, Metabase for analytics dashboards, and two bouncers: a Traefik integration and firewall-level (iptables) enforcement. PostgreSQL serves as the central repository for security events, decision logs, and behavioral analytics, while Metabase transforms that raw security data into actionable insights through customizable dashboards and reporting. Together they form a complete security operations setup capable of real-time threat detection, automated response, and detailed forensic analysis, making enterprise-grade security accessible to organizations of all sizes.

Key Features

  • Collaborative threat intelligence with real-time IP reputation updates from the global CrowdSec community
  • Multi-layer bouncer architecture supporting both Traefik reverse proxy integration and iptables firewall enforcement
  • PostgreSQL-backed metrics storage with full ACID compliance for reliable security event logging and analysis
  • Metabase business intelligence integration providing customizable security dashboards and automated reporting
  • Collection-based detection scenarios for Linux, Nginx, and SSH with extensible parser architecture
  • RESTful API at port 8080 for programmatic access to decisions, alerts, and community threat intelligence
  • Behavioral analysis engine distinguishing between legitimate users and malicious actors through machine learning algorithms
  • Hub ecosystem integration allowing installation of community-contributed parsers, scenarios, and collections

Common Use Cases

  • Web application protection with Traefik integration for blocking malicious requests before they reach application servers
  • SSH brute force protection for Linux servers with automatic IP blocking and community threat intelligence
  • Multi-tenant hosting environments requiring coordinated security across multiple customer applications
  • Security operations centers needing centralized threat visibility and automated incident response capabilities
  • Compliance environments requiring detailed audit trails and security reporting through Metabase dashboards
  • DevOps teams implementing security-first infrastructure with automated threat response and minimal false positives
  • Small to medium businesses seeking enterprise-grade security without dedicated security personnel or expensive commercial solutions

Prerequisites

  • Minimum 2GB RAM recommended for PostgreSQL metrics storage and Metabase analytics processing
  • Host system with iptables support and NET_ADMIN capabilities for firewall bouncer functionality
  • Read access to system log files (/var/log) for CrowdSec parsers to analyze SSH, web server, and system events
  • Available ports 8080 (CrowdSec API), 3000 (Metabase), and 6060 (CrowdSec metrics) for service communication
  • Basic understanding of firewall rules and network security concepts for bouncer configuration
  • PostgreSQL administration knowledge for database maintenance and custom metrics schema modifications

For development & testing. Review security settings, change default credentials, and test thoroughly before production use.

docker-compose.yml

docker-compose.yml
services:
  crowdsec:
    image: crowdsecurity/crowdsec:latest
    ports:
      - "8080:8080"
      - "6060:6060"
    environment:
      GID: "${GID:-1000}"
      COLLECTIONS: "crowdsecurity/linux crowdsecurity/nginx crowdsecurity/sshd"
      CUSTOM_HOSTNAME: crowdsec
    volumes:
      - crowdsec_config:/etc/crowdsec
      - crowdsec_data:/var/lib/crowdsec/data
      - /var/log:/var/log:ro
    networks:
      - crowdsec-net
    restart: unless-stopped

  crowdsec-bouncer-traefik:
    image: fbonalair/traefik-crowdsec-bouncer:latest
    environment:
      CROWDSEC_BOUNCER_API_KEY: ${BOUNCER_API_KEY}
      CROWDSEC_AGENT_HOST: crowdsec:8080
      GIN_MODE: release
    depends_on:
      - crowdsec
    networks:
      - crowdsec-net
    restart: unless-stopped

  crowdsec-bouncer-firewall:
    image: crowdsecurity/cs-firewall-bouncer:latest
    environment:
      BACKEND: iptables
      # This service runs in the host network namespace (network_mode: host), where the
      # compose DNS name "crowdsec" does not resolve. Reach the Local API through the
      # port the crowdsec service publishes on the host instead.
      API_URL: http://127.0.0.1:8080
      API_KEY: ${BOUNCER_API_KEY}
    cap_add:
      - NET_ADMIN
      - NET_RAW
    network_mode: host
    depends_on:
      - crowdsec
    restart: unless-stopped

  postgres:
    image: postgres:16-alpine
    environment:
      POSTGRES_USER: ${POSTGRES_USER}
      POSTGRES_PASSWORD: ${POSTGRES_PASSWORD}
      POSTGRES_DB: crowdsec_metrics
    volumes:
      - postgres_data:/var/lib/postgresql/data
    networks:
      - crowdsec-net
    restart: unless-stopped

  metabase:
    image: metabase/metabase:latest
    ports:
      - "3000:3000"
    environment:
      MB_DB_TYPE: postgres
      MB_DB_HOST: postgres
      MB_DB_PORT: 5432
      MB_DB_DBNAME: crowdsec_metrics
      MB_DB_USER: ${POSTGRES_USER}
      MB_DB_PASS: ${POSTGRES_PASSWORD}
    depends_on:
      - postgres
    networks:
      - crowdsec-net
    restart: unless-stopped

volumes:
  crowdsec_config:
  crowdsec_data:
  postgres_data:

networks:
  crowdsec-net:
    driver: bridge

.env Template

.env
# CrowdSec Bouncer API Key (generate with: cscli bouncers add my-bouncer)
BOUNCER_API_KEY=

# PostgreSQL
POSTGRES_USER=crowdsec
POSTGRES_PASSWORD=secure_postgres_password

Usage Notes

  1. CrowdSec API at http://localhost:8080
  2. Metabase dashboards at http://localhost:3000
  3. Generate bouncer key: docker compose exec crowdsec cscli bouncers add my-bouncer
  4. View decisions: docker compose exec crowdsec cscli decisions list
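Steps 3 and 4 leave a small chicken-and-egg problem: both bouncers need BOUNCER_API_KEY at start-up, but the key is only created with cscli once the crowdsec container is running, so the bouncers crash-loop until the .env file is filled in and they are recreated. The script below is an added example, not code from docker.recipes or from the CrowdSec project. It checks the .env template for the empty key and for the shipped default PostgreSQL password, registers a bouncer with `cscli bouncers add -o raw` (raw output prints only the key), writes the key into .env, recreates the two bouncer services and lists the registered bouncers. It assumes the compose project directory is the current directory and uses the service and variable names from the page; ENV_FILE and BOUNCER_NAME are the script's own settings.

```shell
#!/usr/bin/env bash
# Added example, not part of the docker.recipes page or the CrowdSec project.
# Bootstraps BOUNCER_API_KEY for the stack: preflight the .env file, register a
# bouncer with the Local API, persist the key, recreate the bouncer services.
# Assumes: the compose project directory is the current directory and the
# service names crowdsec, crowdsec-bouncer-traefik and crowdsec-bouncer-firewall
# from the page. ENV_FILE and BOUNCER_NAME are this script's own settings.
set -eu

ENV_FILE="${ENV_FILE:-.env}"
BOUNCER_NAME="${BOUNCER_NAME:-my-bouncer}"

# Print the value of KEY from a KEY=value file (empty if the key is absent).
get_env_var() {
  local file="$1" key="$2"
  grep -E "^${key}=" "$file" 2>/dev/null | tail -n 1 | cut -d= -f2- || true
}

# Set KEY=value, replacing any existing definition. Rewrites through a temp
# file instead of sed -i so it behaves the same on GNU and BSD userlands.
set_env_var() {
  local file="$1" key="$2" value="$3" tmp
  tmp="$(mktemp)"
  grep -vE "^${key}=" "$file" > "$tmp" 2>/dev/null || true
  printf '%s=%s\n' "$key" "$value" >> "$tmp"
  mv "$tmp" "$file"
}

# Report the weak defaults shipped in the page's .env template.
# Prints one finding per line and returns 1 if any was found.
preflight_env() {
  local file="$1" rc=0 key pw
  key="$(get_env_var "$file" BOUNCER_API_KEY)"
  pw="$(get_env_var "$file" POSTGRES_PASSWORD)"
  if [ -z "$key" ]; then
    echo "BOUNCER_API_KEY is empty: both bouncers will fail to authenticate to the LAPI"
    rc=1
  fi
  if [ -z "$pw" ] || [ "$pw" = "secure_postgres_password" ]; then
    echo "POSTGRES_PASSWORD is empty or still the template default: change it"
    rc=1
  fi
  return "$rc"
}

# Register the bouncer (only if no key is stored yet), save the key, and
# recreate the bouncer containers so they read the new value.
bootstrap_bouncer_key() {
  local key
  if [ -n "$(get_env_var "$ENV_FILE" BOUNCER_API_KEY)" ]; then
    echo "BOUNCER_API_KEY already set in $ENV_FILE; keeping it"
  else
    # -o raw prints only the generated key, without table decoration
    key="$(docker compose exec -T crowdsec cscli bouncers add "$BOUNCER_NAME" -o raw)"
    set_env_var "$ENV_FILE" BOUNCER_API_KEY "$key"
    chmod 600 "$ENV_FILE"   # the file now holds a credential
    docker compose up -d --force-recreate crowdsec-bouncer-traefik crowdsec-bouncer-firewall
  fi
  # Each bouncer should be listed with a recent "last pull" once it has authenticated
  docker compose exec -T crowdsec cscli bouncers list
}

if [ "${1:-}" = "run" ]; then
  preflight_env "$ENV_FILE" || true   # findings are informational at this point
  bootstrap_bouncer_key
fi
```

Run it from the project directory as `bash bootstrap-bouncer.sh run` after `docker compose up -d`. The page shares one key between the Traefik and firewall bouncers, and the script follows that; CrowdSec's recommended practice is one key per bouncer, which only needs a second `cscli bouncers add` and a second variable in .env.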

Individual Services (5 services)

Copy individual services to mix and match with your existing compose files.

crowdsec
crowdsec:
  image: crowdsecurity/crowdsec:latest
  ports:
    - "8080:8080"
    - "6060:6060"
  environment:
    GID: ${GID:-1000}
    COLLECTIONS: crowdsecurity/linux crowdsecurity/nginx crowdsecurity/sshd
    CUSTOM_HOSTNAME: crowdsec
  volumes:
    - crowdsec_config:/etc/crowdsec
    - crowdsec_data:/var/lib/crowdsec/data
    - /var/log:/var/log:ro
  networks:
    - crowdsec-net
  restart: unless-stopped
crowdsec-bouncer-traefik
crowdsec-bouncer-traefik:
  image: fbonalair/traefik-crowdsec-bouncer:latest
  environment:
    CROWDSEC_BOUNCER_API_KEY: ${BOUNCER_API_KEY}
    CROWDSEC_AGENT_HOST: crowdsec:8080
    GIN_MODE: release
  depends_on:
    - crowdsec
  networks:
    - crowdsec-net
  restart: unless-stopped
crowdsec-bouncer-firewall
crowdsec-bouncer-firewall:
  image: crowdsecurity/cs-firewall-bouncer:latest
  environment:
    BACKEND: iptables
    # Runs in the host network namespace (network_mode: host), where the compose DNS
    # name "crowdsec" does not resolve; use the LAPI port published on the host.
    API_URL: http://127.0.0.1:8080
    API_KEY: ${BOUNCER_API_KEY}
  cap_add:
    - NET_ADMIN
    - NET_RAW
  network_mode: host
  depends_on:
    - crowdsec
  restart: unless-stopped
postgres
postgres:
  image: postgres:16-alpine
  environment:
    POSTGRES_USER: ${POSTGRES_USER}
    POSTGRES_PASSWORD: ${POSTGRES_PASSWORD}
    POSTGRES_DB: crowdsec_metrics
  volumes:
    - postgres_data:/var/lib/postgresql/data
  networks:
    - crowdsec-net
  restart: unless-stopped
metabase
metabase:
  image: metabase/metabase:latest
  ports:
    - "3000:3000"
  environment:
    MB_DB_TYPE: postgres
    MB_DB_HOST: postgres
    MB_DB_PORT: 5432
    MB_DB_DBNAME: crowdsec_metrics
    MB_DB_USER: ${POSTGRES_USER}
    MB_DB_PASS: ${POSTGRES_PASSWORD}
  depends_on:
    - postgres
  networks:
    - crowdsec-net
  restart: unless-stopped

Quick Start

terminal
# 1. Create the compose file
cat > docker-compose.yml << 'EOF'
services:
  crowdsec:
    image: crowdsecurity/crowdsec:latest
    ports:
      - "8080:8080"
      - "6060:6060"
    environment:
      GID: "${GID:-1000}"
      COLLECTIONS: "crowdsecurity/linux crowdsecurity/nginx crowdsecurity/sshd"
      CUSTOM_HOSTNAME: crowdsec
    volumes:
      - crowdsec_config:/etc/crowdsec
      - crowdsec_data:/var/lib/crowdsec/data
      - /var/log:/var/log:ro
    networks:
      - crowdsec-net
    restart: unless-stopped

  crowdsec-bouncer-traefik:
    image: fbonalair/traefik-crowdsec-bouncer:latest
    environment:
      CROWDSEC_BOUNCER_API_KEY: ${BOUNCER_API_KEY}
      CROWDSEC_AGENT_HOST: crowdsec:8080
      GIN_MODE: release
    depends_on:
      - crowdsec
    networks:
      - crowdsec-net
    restart: unless-stopped

  crowdsec-bouncer-firewall:
    image: crowdsecurity/cs-firewall-bouncer:latest
    environment:
      BACKEND: iptables
      # Runs in the host network namespace (network_mode: host), where the compose DNS
      # name "crowdsec" does not resolve; use the LAPI port published on the host.
      API_URL: http://127.0.0.1:8080
      API_KEY: ${BOUNCER_API_KEY}
    cap_add:
      - NET_ADMIN
      - NET_RAW
    network_mode: host
    depends_on:
      - crowdsec
    restart: unless-stopped

  postgres:
    image: postgres:16-alpine
    environment:
      POSTGRES_USER: ${POSTGRES_USER}
      POSTGRES_PASSWORD: ${POSTGRES_PASSWORD}
      POSTGRES_DB: crowdsec_metrics
    volumes:
      - postgres_data:/var/lib/postgresql/data
    networks:
      - crowdsec-net
    restart: unless-stopped

  metabase:
    image: metabase/metabase:latest
    ports:
      - "3000:3000"
    environment:
      MB_DB_TYPE: postgres
      MB_DB_HOST: postgres
      MB_DB_PORT: 5432
      MB_DB_DBNAME: crowdsec_metrics
      MB_DB_USER: ${POSTGRES_USER}
      MB_DB_PASS: ${POSTGRES_PASSWORD}
    depends_on:
      - postgres
    networks:
      - crowdsec-net
    restart: unless-stopped

volumes:
  crowdsec_config:
  crowdsec_data:
  postgres_data:

networks:
  crowdsec-net:
    driver: bridge
EOF

# 2. Create the .env file
cat > .env << 'EOF'
# CrowdSec Bouncer API Key (generate with: cscli bouncers add my-bouncer)
BOUNCER_API_KEY=

# PostgreSQL
POSTGRES_USER=crowdsec
POSTGRES_PASSWORD=secure_postgres_password
EOF

# 3. Start the services
docker compose up -d

# 4. View logs
docker compose logs -f

One-Liner

Run this command to download and set up the recipe in one step:

terminal
curl -fsSL https://docker.recipes/api/recipes/crowdsec-firewall/run | bash

Troubleshooting

  • CrowdSec container fails with 'permission denied' on /var/log: Ensure Docker has read access to the host log directories and that the GID environment variable matches the group that owns the host log files
  • Firewall bouncer exits with 'operation not permitted': Add NET_ADMIN and NET_RAW capabilities and ensure container runs with sufficient privileges for iptables manipulation
  • Metabase shows 'database connection failed': Verify PostgreSQL container is fully initialized before Metabase startup and check POSTGRES_USER/POSTGRES_PASSWORD environment variables match
  • No threat intelligence updates received: Check internet connectivity and ensure CrowdSec can reach api.crowdsec.net for community threat feed synchronization
  • High memory usage from PostgreSQL: Implement log rotation for CrowdSec metrics tables and consider PostgreSQL memory tuning for large-scale deployments
  • Traefik bouncer not blocking malicious IPs: Verify BOUNCER_API_KEY matches the key generated via 'cscli bouncers add' command and check bouncer registration status
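Several of the items above (a bouncer that does not block, a key mismatch, an unclear registration status) come down to one question: does a decision taken by the Security Engine actually reach the bouncers? The script below is an added example, not code from docker.recipes or from the CrowdSec project. It checks the Local API with `cscli lapi status`, lists the registered bouncers with their last pull time, inserts a two-minute manual ban for an address from the RFC 5737 documentation ranges (never routed on the internet, so no real client is affected), confirms the decision is listed, waits one poll interval and lists the bouncers again, then deletes the decision. It assumes the service name crowdsec from the compose file and the project directory as the current directory; TEST_IP is the script's own variable.

```shell
#!/usr/bin/env bash
# Added example, not part of the docker.recipes page or the CrowdSec project.
# End-to-end check that decisions flow from the Security Engine to the bouncers.
# Assumes the compose service name "crowdsec" from the page and that the compose
# project directory is the current directory. TEST_IP is this script's own knob.
set -eu

TEST_IP="${TEST_IP:-203.0.113.10}"   # TEST-NET-3 (RFC 5737), not routable

# Accept only addresses from the three RFC 5737 documentation blocks, so a typo
# can never ban a real client or the operator's own address.
is_test_net_ip() {
  local prefix="${1%.*}" last="${1##*.}"
  case "$prefix" in
    192.0.2|198.51.100|203.0.113) ;;   # TEST-NET-1, TEST-NET-2, TEST-NET-3
    *) return 1 ;;
  esac
  case "$last" in
    ''|*[!0-9]*) return 1 ;;           # last octet must be digits only
  esac
  [ "$last" -le 255 ]
}

# Run cscli inside the crowdsec container without a TTY so output can be captured.
cscli() { docker compose exec -T crowdsec cscli "$@"; }

# Returns 0 when the self-test decision was visible to the LAPI, 1 when it was
# not, 2 when the address was refused.
verify_pipeline() {
  local ip="$1"
  if ! is_test_net_ip "$ip"; then
    echo "refusing to add a decision for $ip: use an RFC 5737 documentation address" >&2
    return 2
  fi
  # 1. Local API reachable and the engine's own credentials valid
  cscli lapi status
  # 2. Registered bouncers; "last pull" tells whether each one authenticates
  cscli bouncers list
  # 3. Short-lived manual ban, then confirm the LAPI lists it
  cscli decisions add --ip "$ip" --duration 2m --reason "pipeline self-test"
  if ! cscli decisions list --ip "$ip" -o raw | grep -qF "$ip"; then
    echo "decision for $ip was not listed by the LAPI" >&2
    return 1
  fi
  # 4. Bouncers poll the LAPI periodically (default every 10 s); after a short
  #    wait their "last pull" should have advanced past the add above
  sleep 15
  cscli bouncers list
  # 5. Clean up so the self-test address does not linger in the decision list
  cscli decisions delete --ip "$ip"
}

if [ "${1:-}" = "run" ]; then
  verify_pipeline "$TEST_IP"
fi
```

Run it as `bash verify-pipeline.sh run`. If step 2 shows a bouncer whose last pull never advances, the key in .env does not match the one the LAPI knows, which is exactly the last troubleshooting item above. Note also that the compose file publishes the LAPI on every host interface ("8080:8080"); the Traefik bouncer reaches it over the compose network and the host-mode firewall bouncer over localhost, so binding it as "127.0.0.1:8080:8080" keeps the API off external interfaces without breaking either bouncer.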
