📚 Documentation: https://doc.crowdsec.net/
💠 Configuration Hub: https://hub.crowdsec.net/
💬 Discourse (Forum): https://discourse.crowdsec.net/
💬 Gitter (Live chat): https://gitter.im/crowdsec-project/
CrowdSec is an open-source (MIT license) and collaborative security solution designed to protect Linux servers, services, containers, or virtual machines exposed on the internet with a server-side agent. It was inspired by Fail2Ban and aims to be a modernized, collaborative version of that intrusion-prevention tool.
The goal is to leverage the crowd power to create a real-time IP reputation database. As for the IP that aggressed your machine, you can choose to remedy the threat in any manner you feel appropriate. Ultimately, CrowdSec leverages the power of the crowd to create an extremely accurate IP reputation system that benefits all its users.
CrowdSec alternatives and similar tools
Based on the "Security" category.
Alternatively, view crowdsec alternatives based on common mentions on social networks and blogs.
9.2 9.2 L2 CrowdSec VS OSQuerySQL powered operating system instrumentation, monitoring, and analytics.
8.3 8.8 CrowdSec VS lynisLynis - Security auditing tool for Linux, macOS, and UNIX-based systems. Assists with compliance testing (HIPAA/ISO27001/PCI DSS) and system hardening. Agentless, and installation optional.
8.0 8.4 L2 CrowdSec VS Fail2BanDaemon to ban hosts that cause multiple authentication errors
7.4 4.0 L2 CrowdSec VS OSSECOSSEC is an Open Source Host-based Intrusion Detection System that performs log analysis, file integrity checking, policy monitoring, rootkit detection, real-time alerting and active response.
3.0 9.9 L3 CrowdSec VS SpamAssassinRead-only mirror of Apache SpamAssassin. Submit patches to https://bz.apache.org/SpamAssassin/. Do not send pull requests
* Code Quality Rankings and insights are calculated and provided by Lumnify.
They vary from L1 to L5 with "L5" being the highest.
Do you think we are missing an alternative of CrowdSec or a related project?
:books: Documentation :diamond_shape_with_a_dot_inside: Configuration Hub :speech_balloon: Discourse (Forum) :speech_balloon: Gitter (Live chat)
:dancer: This is a community driven project, we need your feedback.
CrowdSec is a free, modern & collaborative behavior detection engine, coupled with a global IP reputation network. It stacks on fail2ban's philosophy but is IPV6 compatible and 60x faster (Go vs Python), uses Grok patterns to parse logs and YAML scenario to identify behaviors. CrowdSec is engineered for modern Cloud / Containers / VM based infrastructures (by decoupling detection and remediation). Once detected you can remedy threats with various bouncers (firewall block, nginx http 403, Captchas, etc.) while the aggressive IP can be sent to CrowdSec for curation before being shared among all users to further improve everyone's security. See FAQ or read bellow for more.
2 mins install
Installing it through the Package system of your OS is the easiest way to proceed. Otherwise, you can install it from source.
From package (Debian)
curl -s https://packagecloud.io/install/repositories/crowdsec/crowdsec/script.deb.sh | sudo bash sudo apt-get update sudo apt-get install crowdsec
From package (rhel/centos/amazon linux)
curl -s https://packagecloud.io/install/repositories/crowdsec/crowdsec/script.rpm.sh | sudo bash yum install crowdsec
From package (FreeBSD)
sudo pkg update sudo pkg install crowdsec
wget https://github.com/crowdsecurity/crowdsec/releases/latest/download/crowdsec-release.tgz tar xzvf crowdsec-release.tgz cd crowdsec-v* && sudo ./wizard.sh -i
:information_source: About the CrowdSec project
Crowdsec is an open-source, lightweight software, detecting peers with aggressive behaviors to prevent them from accessing your systems. Its user friendly design and assistance offers a low technical barrier of entry and nevertheless a high security gain.
The architecture is as follows :
Once an unwanted behavior is detected, deal with it through a bouncer. The aggressive IP, scenario triggered and timestamp are sent for curation, to avoid poisoning & false positives. (This can be disabled). If verified, this IP is then redistributed to all CrowdSec users running the same scenario.
Outnumbering hackers all together
By sharing the threat they faced, all users are protecting each-others (hence the name Crowd-Security). Crowdsec is designed for modern infrastructures, with its "Detect Here, Remedy There" approach, letting you analyse logs coming from several sources in one place and block threats at various levels (applicative, system, infrastructural) of your stack.
CrowdSec ships by default with scenarios (brute force, port scan, web scan, etc.) adapted for most context, but you can easily extend it by picking more of them from the HUB. It is also easy to adapt an existing one or create one yourself.
:point_right: What it is not
CrowdSec is not a SIEM, storing your logs (neither locally nor remotely). Your data are analyzed locally and forgotten.
Signals sent to the curation platform are limited to the very strict minimum: IP, Scenario, Timestamp. They are only used to allow the system to spot new rogue IPs, rule out false positives or poisoning attempts.
:arrow_down: Install it !
Crowdsec is available for various platforms :
- Use our debian repositories or the official debian packages
- An image is available for docker
- Prebuilt release packages are also available (suitable for
- You can as well build it from source
Or look directly at installation documentation for other methods and platforms.
:tada: Key benefits
Fast assisted installation, no technical barrier
Initial configuration is automated, providing functional out-of-the-box setup
Out of the box detection
Baseline detection is effective out-of-the-box, no fine-tuning required (click to expand)
Easy bouncer deployment
It's trivial to add bouncers to enforce decisions of crowdsec (click to expand)
Easy dashboard access
It's easy to deploy a metabase interface to view your data simply with cscli (click to expand)
Hot & Cold logs
Process cold logs, for forensic, tests and chasing false-positives & false negatives (click to expand)
📦 About this repository
This repository contains the code for the two main components of crowdsec :
crowdsec: the daemon a-la-fail2ban that can read, parse, enrich and apply heuristics to logs. This is the component in charge of "detecting" the attacks
cscli: the cli tool mainly used to interact with crowdsec : ban/unban/view current bans, enable/disable parsers and scenarios.
If you wish to contribute to the core of crowdsec, you are welcome to open a PR in this repository.
If you wish to add a new parser, scenario or collection, please open a PR in the hub repository.
If you wish to contribute to the documentation, please open a PR in the documentation repository.
*Note that all licence references and agreements mentioned in the CrowdSec README section above are relevant to that project's source code only.