docker.recipes

CrowdSec Security Engine

intermediate

CrowdSec behavior detection engine with community-driven IP blocklists.

Overview

CrowdSec is a modern, open-source security engine that detects aggressive behaviors and protects against attacks through collaborative intelligence. Born from the need for a more effective alternative to traditional fail2ban setups, CrowdSec analyzes log files in real time using behavioral detection patterns and shares threat intelligence with a global community of users. Unlike signature-based systems, CrowdSec focuses on behavioral analysis to identify malicious activity such as brute force attacks, web scraping, and DDoS attempts.

This Docker stack combines the CrowdSec security engine with a Metabase dashboard to provide threat detection and visualization in one deployment. CrowdSec processes system logs and applies collections of parsers and scenarios to detect suspicious behaviors, while automatically sharing anonymized attack signatures with the community blocklist. The Metabase dashboard connects to CrowdSec's database to provide visualizations of detected threats, attack patterns, and security metrics, making it easier to understand your security posture.

This configuration is ideal for system administrators managing web servers, security engineers implementing defense-in-depth strategies, and organizations wanting to participate in collaborative threat intelligence. The combination of real-time behavioral detection with community-driven IP reputation makes this stack particularly valuable for environments facing automated attacks, while the dashboard component enables data-driven security decisions and compliance reporting.

Key Features

  • Real-time behavioral analysis using crowdsecurity/linux and crowdsecurity/nginx collections for comprehensive threat detection
  • Community-driven IP blocklist sharing with automatic contribution of anonymized attack signatures to global threat intelligence
  • Metabase-powered security dashboard with customizable visualizations of attack patterns, geographic threat distribution, and temporal analysis
  • SQLite-based local threat database with persistent storage for historical attack data and pattern analysis
  • Multi-scenario detection engine supporting brute force, web scraping, port scanning, and application-layer attack identification
  • RESTful API interface for integration with external security tools, SIEM systems, and custom automation workflows
  • Bouncer architecture enabling protection deployment across multiple services including firewalls, load balancers, and web servers
  • Log file monitoring with read-only access to system logs for non-intrusive security analysis

Common Use Cases

  1. Web server protection against brute force attacks on SSH, HTTP authentication, and application login endpoints
  2. E-commerce platform security monitoring to detect credential stuffing, card testing, and automated fraud attempts
  3. Multi-tenant hosting environment protection with shared threat intelligence across customer deployments
  4. Development team security operations providing visual attack analysis and security metrics for sprint reviews
  5. Compliance reporting for SOC2, PCI-DSS, or ISO27001 requirements using dashboard analytics and historical attack data
  6. Small business security enhancement replacing traditional fail2ban with community intelligence and modern visualization
  7. Homelab and self-hosted service protection with minimal configuration overhead and professional-grade threat detection

Prerequisites

  • Docker host with minimum 2GB RAM for Metabase dashboard operation and CrowdSec processing
  • Access to system log files in /var/log directory with appropriate read permissions for container mounting
  • Available ports 8080 and 3000 for CrowdSec API and Metabase dashboard access respectively
  • Basic understanding of log analysis, IP blocking concepts, and security monitoring principles
  • Network connectivity to CrowdSec community API for blocklist updates and threat intelligence sharing
  • Sufficient disk space for persistent volumes storing threat databases, configuration files, and dashboard metadata

For development & testing. Review security settings, change default credentials, and test thoroughly before production use.

docker-compose.yml

docker-compose.yml
services:
  crowdsec:
    image: crowdsecurity/crowdsec:latest
    container_name: crowdsec
    environment:
      - GID=1000
      - COLLECTIONS=crowdsecurity/linux crowdsecurity/nginx
    volumes:
      - crowdsec_db:/var/lib/crowdsec/data
      - crowdsec_config:/etc/crowdsec
      - /var/log:/var/log:ro
    ports:
      - "8080:8080"
    restart: unless-stopped
    networks:
      - crowdsec-network

  dashboard:
    image: metabase/metabase:latest
    container_name: crowdsec-dashboard
    environment:
      - MB_DB_TYPE=sqlite
    volumes:
      - metabase_data:/metabase-data
    ports:
      - "3000:3000"
    depends_on:
      - crowdsec
    networks:
      - crowdsec-network

volumes:
  crowdsec_db:
  crowdsec_config:
  metabase_data:

networks:
  crowdsec-network:
    driver: bridge

.env Template

.env
# CrowdSec
# Add collections as needed

Usage Notes

  1. CrowdSec API at http://localhost:8080
  2. Dashboard at http://localhost:3000
  3. Install bouncers on services
  4. Register at app.crowdsec.net
  5. Share blocklists with community
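A minimal bouncer-side client for the local API the recipe exposes on port 8080, added here as an example and not part of the recipe or of CrowdSec's own bouncers: it pulls the active decisions with a bouncer API key (the key is a placeholder for the output of `cscli bouncers add`, and the sample decisions below are constructed) and tells a protected service whether a client IP is under an active ban, honouring both Ip and Range scopes while ignoring captcha and simulated decisions.

```python
import ipaddress
import json
import urllib.request

LAPI_URL = "http://localhost:8080"       # CrowdSec local API port from the recipe
API_KEY = "REPLACE_WITH_BOUNCER_KEY"     # placeholder: output of `cscli bouncers add <name>`

# Constructed sample of what GET /v1/decisions returns (same shape as `cscli decisions list -o json`)
SAMPLE_DECISIONS = [
    {"id": 1, "origin": "crowdsec", "type": "ban", "scope": "Ip", "value": "203.0.113.7",
     "duration": "3h58m", "scenario": "crowdsecurity/ssh-bf", "simulated": False},
    {"id": 2, "origin": "CAPI", "type": "ban", "scope": "Range", "value": "198.51.100.0/24",
     "duration": "167h", "scenario": "crowdsecurity/http-probing", "simulated": False},
    {"id": 3, "origin": "crowdsec", "type": "captcha", "scope": "Ip", "value": "192.0.2.5",
     "duration": "1h", "scenario": "crowdsecurity/http-crawl-non_statics", "simulated": False},
    {"id": 4, "origin": "crowdsec", "type": "ban", "scope": "Ip", "value": "192.0.2.9",
     "duration": "4h", "scenario": "crowdsecurity/ssh-bf", "simulated": True},
]

def fetch_decisions(base_url=LAPI_URL, api_key=API_KEY):
    """Pull active decisions from the LAPI; bouncers authenticate with the X-Api-Key header."""
    req = urllib.request.Request(f"{base_url}/v1/decisions", headers={"X-Api-Key": api_key})
    with urllib.request.urlopen(req, timeout=5) as resp:
        return json.loads(resp.read()) or []   # the LAPI answers `null` when nothing is active

def blocking_decision(ip, decisions):
    """Return the first non-simulated 'ban' decision covering ip (Ip or Range scope), else None."""
    addr = ipaddress.ip_address(ip)
    for d in decisions:
        if d.get("type") != "ban" or d.get("simulated"):
            continue   # captcha decisions and simulation-mode bans must not block traffic
        scope, value = d.get("scope", "").lower(), d.get("value", "")
        if scope == "ip" and ipaddress.ip_address(value) == addr:
            return d
        if scope == "range" and addr in ipaddress.ip_network(value, strict=False):
            return d
    return None

def blocked_scenarios(ips, decisions):
    """Map each ip to the scenario banning it (None when allowed), e.g. for a reverse-proxy hook."""
    return {ip: (blocking_decision(ip, decisions) or {}).get("scenario") for ip in ips}

if __name__ == "__main__":
    live = fetch_decisions()   # needs the running stack and a valid bouncer key
    for ip, why in blocked_scenarios(["203.0.113.7", "192.0.2.5"], live).items():
        print(ip, "BLOCKED by " + why if why else "allowed")
```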

Individual Services (2 services)

Copy individual services to mix and match with your existing compose files.

crowdsec
crowdsec:
  image: crowdsecurity/crowdsec:latest
  container_name: crowdsec
  environment:
    - GID=1000
    - COLLECTIONS=crowdsecurity/linux crowdsecurity/nginx
  volumes:
    - crowdsec_db:/var/lib/crowdsec/data
    - crowdsec_config:/etc/crowdsec
    - /var/log:/var/log:ro
  ports:
    - "8080:8080"
  restart: unless-stopped
  networks:
    - crowdsec-network
dashboard
dashboard:
  image: metabase/metabase:latest
  container_name: crowdsec-dashboard
  environment:
    - MB_DB_TYPE=sqlite
  volumes:
    - metabase_data:/metabase-data
  ports:
    - "3000:3000"
  depends_on:
    - crowdsec
  networks:
    - crowdsec-network

Quick Start

terminal
# 1. Create the compose file
cat > docker-compose.yml << 'EOF'
services:
  crowdsec:
    image: crowdsecurity/crowdsec:latest
    container_name: crowdsec
    environment:
      - GID=1000
      - COLLECTIONS=crowdsecurity/linux crowdsecurity/nginx
    volumes:
      - crowdsec_db:/var/lib/crowdsec/data
      - crowdsec_config:/etc/crowdsec
      - /var/log:/var/log:ro
    ports:
      - "8080:8080"
    restart: unless-stopped
    networks:
      - crowdsec-network

  dashboard:
    image: metabase/metabase:latest
    container_name: crowdsec-dashboard
    environment:
      - MB_DB_TYPE=sqlite
    volumes:
      - metabase_data:/metabase-data
    ports:
      - "3000:3000"
    depends_on:
      - crowdsec
    networks:
      - crowdsec-network

volumes:
  crowdsec_db:
  crowdsec_config:
  metabase_data:

networks:
  crowdsec-network:
    driver: bridge
EOF

# 2. Create the .env file
cat > .env << 'EOF'
# CrowdSec
# Add collections as needed
EOF

# 3. Start the services
docker compose up -d

# 4. View logs
docker compose logs -f

One-Liner

Run this command to download and set up the recipe in one step:

terminal
curl -fsSL https://docker.recipes/api/recipes/crowdsec-security/run | bash

Troubleshooting

  • CrowdSec container exits with permission errors: Ensure /var/log directory has proper read permissions and GID=1000 matches host user group
  • No threats detected despite obvious attacks: Verify log file paths in collections match actual system log locations and formats
  • Metabase dashboard shows no data: Check CrowdSec database initialization by examining container logs and ensure services start in correct order
  • API connection refused on port 8080: Confirm firewall rules allow traffic and CrowdSec service has fully initialized before bouncer connections
  • Community blocklist updates failing: Verify outbound internet connectivity and register at app.crowdsec.net for API authentication
  • High memory usage in Metabase container: Increase Docker host memory allocation or configure Metabase JVM heap settings for large datasets
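The first two troubleshooting items (permission errors, and logs that are never read because the collection's paths do not match the host) can be checked on the host before the stack starts. The script below is an added example, not part of the recipe or of CrowdSec: it reads the `filenames:` entries of an acquisition file in the layout of /etc/crowdsec/acquis.yaml (the crowdsec_config volume) and reports, per pattern, whether matching files exist and are readable by the group id passed as GID=1000; the acquisition file and log files it builds in a temporary directory are constructed for the self-check.

```python
import glob
import os
import stat
import tempfile

CROWDSEC_GID = 1000   # the GID= value the recipe passes to the container

def parse_acquis(text):
    """Collect every path under `filenames:` in a multi-document acquis.yaml (line-based, not full YAML)."""
    paths, in_filenames = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("filenames:"):
            in_filenames = True
        elif in_filenames and line.startswith("- "):
            paths.append(line[2:].strip().strip("'\""))
        elif line and not line.startswith("#"):
            in_filenames = False   # another key (labels:) or a '---' separator ends the list
    return paths

def readable_by_gid(path, gid=CROWDSEC_GID):
    """True when the file is world-readable, or group-readable and owned by the container's GID."""
    st = os.stat(path)
    return bool(st.st_mode & stat.S_IROTH) or (st.st_gid == gid and bool(st.st_mode & stat.S_IRGRP))

def check_acquisition(acquis_text, gid=CROWDSEC_GID):
    """Classify each configured pattern as 'ok', 'missing' (nothing matches) or 'unreadable'."""
    report = {}
    for pattern in parse_acquis(acquis_text):
        matches = glob.glob(pattern)
        if not matches:
            report[pattern] = "missing"       # collection expects a log the host does not have
        elif all(readable_by_gid(m, gid) for m in matches):
            report[pattern] = "ok"
        else:
            report[pattern] = "unreadable"    # mounted read-only, but the engine's group cannot read it
    return report

def demo():
    """Run the check against a constructed acquis.yaml in a temp dir; keys are relative to that dir."""
    with tempfile.TemporaryDirectory() as d:
        ok_log, locked_log = os.path.join(d, "auth.log"), os.path.join(d, "secure.log")
        for path, mode in ((ok_log, 0o644), (locked_log, 0o600)):
            open(path, "w").close()
            os.chmod(path, mode)
        acquis = (f"filenames:\n  - {ok_log}\n  - {d}/nginx/*.log\nlabels:\n  type: syslog\n"
                  f"---\nfilenames:\n  - {locked_log}\nlabels:\n  type: syslog\n")
        return {os.path.relpath(k, d): v for k, v in check_acquisition(acquis).items()}
```

Point check_acquisition at the contents of your real acquis.yaml to get the same report for the host's /var/log before mounting it read-only into the container.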
