Single Install

A basic deploy of CrowdSec is fairly straightforward.

Installation

On Debian, you can add the repo via their install script and then install the packages with a couple of lines.

curl -s https://install.crowdsec.net | sudo sh
sudo apt install crowdsec
sudo apt install crowdsec-firewall-bouncer-nftables

This installs all three parts: detection and coordination (crowdsec), and mitigation (crowdsec-firewall-bouncer).

The crowdsec binary will check in with the cloud, download a baseline list of known bad actors, and begin watching the syslog for known patterns (like ssh login failures). The firewall-bouncer will create an nft drop table and keep it up to date with any changes from the hub.

# Check out the very long drop list
sudo nft list ruleset | less

Note: if the CrowdSec tables are empty, you may need to run sudo systemctl restart nftables.service, or possibly reboot (as I’ve found in testing).
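
A check for the empty-table condition in the note above, as an added example that is not part of the original page or the CrowdSec project: it parses nft list ruleset output and counts the addresses held in each CrowdSec table. The table-name prefix crowdsec, the function names and the sample ruleset are assumptions constructed for illustration.

```shell
# Added example, not CrowdSec project code. Assumption: the bouncer's nftables
# tables have names starting with "crowdsec" (confirm with `nft list tables`).

# Read `nft list ruleset` text on stdin; print "<family> <table> <count>"
# for each CrowdSec table, where count is the number of set elements.
crowdsec_set_counts() {
    awk '
    /^table / { cur = ($3 ~ /^crowdsec/) ? ($2 " " $3) : ""
                if (cur != "") { order[++n] = cur; count[cur] = 0 }
                next }
    cur == "" { next }                              # ignore other tables
    /elements = [{]/ { in_el = 1; count[cur]++ }    # first element of a set
    in_el { count[cur] += gsub(/,/, ","); if ($0 ~ /[}]/) in_el = 0 }
    END { for (i = 1; i <= n; i++) print order[i], count[order[i]] }'
}

# Exit 0 if a CrowdSec table exists and holds addresses, otherwise exit 1.
crowdsec_check() {
    counts=$(crowdsec_set_counts)
    [ -n "$counts" ] || { echo "no CrowdSec tables found"; return 1; }
    echo "$counts"
    total=$(echo "$counts" | awk '{ s += $3 } END { print s + 0 }')
    [ "$total" -gt 0 ] || { echo "CrowdSec tables are empty"; return 1; }
}

# Constructed sample of `nft list ruleset` output (documentation addresses).
sample_ruleset() {
    cat <<'EOF'
table inet filter {
    chain input {
        tcp dport { 22, 443 } accept
    }
}
table ip crowdsec {
    set crowdsec-blacklists {
        type ipv4_addr
        flags timeout
        elements = { 192.0.2.10 timeout 6d23h expires 6d1h,
                     198.51.100.7 timeout 4h expires 3h10m }
    }
}
table ip6 crowdsec6 {
    set crowdsec6-blacklists {
        type ipv6_addr
    }
}
EOF
}

sample_ruleset | crowdsec_check
```

On a live host, define the two functions in your shell and run sudo nft list ruleset | crowdsec_check; a non-zero exit is the state the note above describes.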

Configuration

CrowdSec comes pre-configured to watch for the basics and seems to do some inspection of your system to add appropriate log monitoring. You can see what it’s monitoring with the command:

sudo cscli collections list 

Sometimes, that’s all you need. But take a look at operations for more options.


Last modified May 7, 2026: Reorganised CrowdSec pages (58b8edf)