docker.recipes

CrowdSec Security Engine

intermediate

CrowdSec collaborative security with dashboard.

Overview

CrowdSec is a modern, collaborative security engine that functions as both an intrusion detection system (IDS) and intrusion prevention system (IPS). Born from the need to democratize cybersecurity, CrowdSec operates on a community-driven model where threat intelligence is shared across all participants, creating a collective defense network. Unlike traditional security solutions that rely solely on signature-based detection, CrowdSec uses behavioral analysis and machine learning to identify malicious patterns, then shares these discoveries with the entire community in real-time.

This Docker stack combines the core CrowdSec security engine with a Traefik bouncer and Metabase dashboard to create a comprehensive security monitoring and response system. The CrowdSec engine analyzes log files and network traffic to detect threats, while the bouncer component actively blocks malicious IP addresses at the reverse proxy level. The Metabase dashboard provides rich visualization of security events, attack patterns, and community threat intelligence, enabling administrators to understand their security posture at a glance.

This configuration is ideal for organizations running web applications behind Traefik, security-conscious homelab enthusiasts, and development teams who need enterprise-grade security without the complexity of traditional SIEM solutions. The community aspect means smaller organizations benefit from threat intelligence typically available only to large enterprises, while the lightweight architecture makes it suitable for resource-constrained environments.

Key Features

  • Real-time behavioral analysis engine that detects attack patterns without relying on static signatures
  • Community threat intelligence sharing with automatic IP reputation updates from global CrowdSec network
  • Traefik-specific bouncer integration for automatic IP blocking at the reverse proxy layer
  • Pre-configured collection parsers for Linux system logs and Nginx access patterns
  • Metabase-powered analytics dashboard with pre-built security visualization templates
  • CSCLI command-line interface for manual threat management and bouncer key generation
  • Automatic scenario detection for common attacks including brute force, DDoS, and web application exploits
  • Multi-log source ingestion supporting syslog, application logs, and custom log formats

Common Use Cases

  • Web application security for e-commerce sites and SaaS platforms running behind Traefik
  • Homelab security monitoring for self-hosted services and personal cloud infrastructure
  • Small to medium business perimeter defense without dedicated security operations center
  • Development environment protection during application testing and staging phases
  • Multi-tenant hosting providers seeking automated threat response across customer deployments
  • Educational institutions monitoring student-accessible services and research infrastructure
  • Remote work VPN exit points requiring behavioral analysis of user access patterns

Prerequisites

  • Docker Engine 20.10+ and Docker Compose v2 for advanced networking and volume management features
  • Minimum 2GB RAM and 2 CPU cores for Metabase dashboard and CrowdSec analysis engine
  • Available ports 8080 (CrowdSec API) and 3000 (dashboard) not conflicting with existing services
  • Read access to system log directories (/var/log) for security event analysis
  • Basic understanding of reverse proxy concepts and Traefik configuration for bouncer integration
  • Network connectivity for CrowdSec community intelligence updates and scenario downloads

For development & testing. Review security settings, change default credentials, and test thoroughly before production use.

docker-compose.yml

services:
  crowdsec:
    image: crowdsecurity/crowdsec:latest
    container_name: crowdsec
    restart: unless-stopped
    ports:
      # CrowdSec local API; with no host IP given, Docker publishes it on all host interfaces
      - "${CS_API_PORT:-8080}:8080"
    environment:
      # Collections (parsers and scenarios) installed at container start
      - COLLECTIONS=crowdsecurity/linux crowdsecurity/nginx
    volumes:
      - crowdsec_config:/etc/crowdsec
      - crowdsec_data:/var/lib/crowdsec/data
      # Host logs, mounted read-only for analysis
      - /var/log:/var/log:ro

  bouncer-traefik:
    image: fbonalair/traefik-crowdsec-bouncer:latest
    container_name: crowdsec-bouncer
    restart: unless-stopped
    environment:
      # Key generated with cscli and supplied through .env
      - CROWDSEC_BOUNCER_API_KEY=${BOUNCER_KEY}
      - CROWDSEC_AGENT_HOST=crowdsec:8080
    depends_on:
      - crowdsec

  dashboard:
    image: crowdsecurity/metabase:latest
    container_name: crowdsec-dashboard
    restart: unless-stopped
    ports:
      - "${DASHBOARD_PORT:-3000}:3000"
    volumes:
      - dashboard_data:/metabase-data
      # CrowdSec data volume, read-only for the dashboard
      - crowdsec_data:/var/lib/crowdsec/data:ro
    depends_on:
      - crowdsec

volumes:
  crowdsec_config:
  crowdsec_data:
  dashboard_data:

.env Template

.env
# CrowdSec
CS_API_PORT=8080
BOUNCER_KEY=your_bouncer_api_key
DASHBOARD_PORT=3000

Usage Notes

  1. CrowdSec API at http://localhost:8080
  2. Dashboard at http://localhost:3000
  3. Generate bouncer key via cscli
  4. Join CrowdSec community

Individual Services (3 services)

Copy individual services to mix and match with your existing compose files.

crowdsec
crowdsec:
  image: crowdsecurity/crowdsec:latest
  container_name: crowdsec
  restart: unless-stopped
  ports:
    - ${CS_API_PORT:-8080}:8080
  environment:
    - COLLECTIONS=crowdsecurity/linux crowdsecurity/nginx
  volumes:
    - crowdsec_config:/etc/crowdsec
    - crowdsec_data:/var/lib/crowdsec/data
    - /var/log:/var/log:ro

bouncer-traefik
bouncer-traefik:
  image: fbonalair/traefik-crowdsec-bouncer:latest
  container_name: crowdsec-bouncer
  restart: unless-stopped
  environment:
    - CROWDSEC_BOUNCER_API_KEY=${BOUNCER_KEY}
    - CROWDSEC_AGENT_HOST=crowdsec:8080
  depends_on:
    - crowdsec

dashboard
dashboard:
  image: crowdsecurity/metabase:latest
  container_name: crowdsec-dashboard
  restart: unless-stopped
  ports:
    - ${DASHBOARD_PORT:-3000}:3000
  volumes:
    - dashboard_data:/metabase-data
    - crowdsec_data:/var/lib/crowdsec/data:ro
  depends_on:
    - crowdsec

Quick Start

terminal
# 1. Create the compose file
cat > docker-compose.yml << 'EOF'
services:
  crowdsec:
    image: crowdsecurity/crowdsec:latest
    container_name: crowdsec
    restart: unless-stopped
    ports:
      - "${CS_API_PORT:-8080}:8080"
    environment:
      - COLLECTIONS=crowdsecurity/linux crowdsecurity/nginx
    volumes:
      - crowdsec_config:/etc/crowdsec
      - crowdsec_data:/var/lib/crowdsec/data
      - /var/log:/var/log:ro

  bouncer-traefik:
    image: fbonalair/traefik-crowdsec-bouncer:latest
    container_name: crowdsec-bouncer
    restart: unless-stopped
    environment:
      - CROWDSEC_BOUNCER_API_KEY=${BOUNCER_KEY}
      - CROWDSEC_AGENT_HOST=crowdsec:8080
    depends_on:
      - crowdsec

  dashboard:
    image: crowdsecurity/metabase:latest
    container_name: crowdsec-dashboard
    restart: unless-stopped
    ports:
      - "${DASHBOARD_PORT:-3000}:3000"
    volumes:
      - dashboard_data:/metabase-data
      - crowdsec_data:/var/lib/crowdsec/data:ro
    depends_on:
      - crowdsec

volumes:
  crowdsec_config:
  crowdsec_data:
  dashboard_data:
EOF

# 2. Create the .env file
cat > .env << 'EOF'
# CrowdSec
CS_API_PORT=8080
BOUNCER_KEY=your_bouncer_api_key
DASHBOARD_PORT=3000
EOF

# 3. Start the services
docker compose up -d

# 4. View logs
docker compose logs -f

One-Liner

Run this command to download and set up the recipe in one step:

terminal
curl -fsSL https://docker.recipes/api/recipes/crowdsec-security-stack/run | bash

Troubleshooting

  • Dashboard shows 'No data available': Verify crowdsec_data volume is properly mounted read-only to dashboard container and CrowdSec has processed log events
  • Bouncer not blocking IPs: Generate new API key using 'docker exec crowdsec cscli bouncers add traefik-bouncer' and update BOUNCER_KEY environment variable
  • CrowdSec failing to parse logs: Check that log file permissions allow container access and verify collection parsers match your log format using 'cscli parsers list'
  • High memory usage on dashboard: Increase container memory limits for Metabase or reduce data retention period in CrowdSec configuration
  • Community intelligence not updating: Ensure container has internet access and check CrowdSec Central API connectivity with 'cscli capi status'
  • Collections not loading: Manually install required collections using 'docker exec crowdsec cscli collections install crowdsecurity/nginx' for missing parsers
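
Step 3 of the usage notes and the "Bouncer not blocking IPs" entry above both come down to replacing the placeholder BOUNCER_KEY with a key issued by cscli. The script below is an added example, not part of the recipe: it uses the container, bouncer and service names from this page, while the function names and the --apply switch are hypothetical.

```shell
#!/usr/bin/env bash
# Added example: register the bouncer with the CrowdSec local API and store
# its key in .env. Container, bouncer and service names come from this page;
# the function names are hypothetical.

# set_env_var FILE KEY VALUE: replace or append KEY=VALUE, leaving FILE mode 600.
set_env_var() {
  local file="$1" key="$2" value="$3" tmp
  tmp=$(mktemp "${file}.XXXXXX") || return 1
  chmod 600 "$tmp"                      # the key is a credential
  if [ -f "$file" ]; then
    # Copy everything except an existing assignment of KEY.
    grep -v "^${key}=" "$file" > "$tmp" || true
  fi
  printf '%s=%s\n' "$key" "$value" >> "$tmp"
  mv "$tmp" "$file"                     # atomic replace on the same filesystem
}

# key_is_placeholder FILE: true if BOUNCER_KEY is missing, empty or the template value.
key_is_placeholder() {
  local v
  v=$(sed -n 's/^BOUNCER_KEY=//p' "$1" 2>/dev/null | tail -n 1)
  [ -z "$v" ] || [ "$v" = "your_bouncer_api_key" ]
}

provision_bouncer_key() {
  local env_file="${1:-.env}" key
  if ! key_is_placeholder "$env_file"; then
    echo "BOUNCER_KEY already set in $env_file; nothing to do" >&2
    return 0
  fi
  # "-o raw" makes cscli print only the generated key.
  key=$(docker exec crowdsec cscli bouncers add traefik-bouncer -o raw) || {
    echo "cscli could not register traefik-bouncer (already registered?)" >&2
    return 1
  }
  [ -n "$key" ] || return 1
  set_env_var "$env_file" BOUNCER_KEY "$key"
  # Recreate the bouncer so it starts with the new key.
  docker compose up -d --force-recreate bouncer-traefik
}

# Nothing runs unless the script is called with --apply.
if [ "${1:-}" = "--apply" ]; then
  provision_bouncer_key .env
fi
```

Run it with --apply from the directory that holds docker-compose.yml and .env, after the crowdsec container is up.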
