In this tutorial, we'll learn how to install and configure CrowdSec on an AlmaLinux 10 server.
What is CrowdSec?
CrowdSec is an open-source, collaborative security solution designed to protect servers, applications, and cloud infrastructure from malicious traffic. It analyzes system and application logs in real time to detect attacks such as brute force attempts, port scans, web exploits, and bot-driven intrusions. Once a threat is identified, CrowdSec takes action through bouncers to block or challenge the attacker at the firewall, web server, or load balancer level.
Prerequisites
Before we begin, ensure we have the following:
- An AlmaLinux 10 dedicated server or KVM VPS.
- Basic Linux Command Line Knowledge.
Install and Configure CrowdSec on AlmaLinux 10
Step 1: Update the System
Before installing any new package, it’s always wise to ensure our system is updated. This ensures compatibility and security.
sudo dnf update -y
sudo dnf install -y yum-utils
Step 2: Add the CrowdSec Repository
CrowdSec is not included in AlmaLinux’s default repositories. We need to add the official CrowdSec repository first.
sudo vi /etc/yum.repos.d/crowdsec_crowdsec.repo
Add following content:
[crowdsec_crowdsec]
name=crowdsec_crowdsec
baseurl=https://packagecloud.io/crowdsec/crowdsec/el/6/$basearch
repo_gpgcheck=1
gpgcheck=1
enabled=1
gpgkey=https://packagecloud.io/crowdsec/crowdsec/gpgkey
       https://packagecloud.io/crowdsec/crowdsec/gpgkey/crowdsec-crowdsec-EDE2C695EC9A5A5C.pub.gpg
       https://packagecloud.io/crowdsec/crowdsec/gpgkey/crowdsec-crowdsec-C822EDD6B39954A1.pub.gpg
       https://packagecloud.io/crowdsec/crowdsec/gpgkey/crowdsec-crowdsec-FED78314A2468CCF.pub.gpg
sslverify=1
sslcacert=/etc/pki/tls/certs/ca-bundle.crt
metadata_expire=300
[crowdsec_crowdsec-source]
name=crowdsec_crowdsec-source
baseurl=https://packagecloud.io/crowdsec/crowdsec/el/6/SRPMS
repo_gpgcheck=1
gpgcheck=1
enabled=1
gpgkey=https://packagecloud.io/crowdsec/crowdsec/gpgkey
       https://packagecloud.io/crowdsec/crowdsec/gpgkey/crowdsec-crowdsec-EDE2C695EC9A5A5C.pub.gpg
       https://packagecloud.io/crowdsec/crowdsec/gpgkey/crowdsec-crowdsec-C822EDD6B39954A1.pub.gpg
       https://packagecloud.io/crowdsec/crowdsec/gpgkey/crowdsec-crowdsec-FED78314A2468CCF.pub.gpg
sslverify=1
sslcacert=/etc/pki/tls/certs/ca-bundle.crt
metadata_expire=300
Note that the additional gpgkey URLs are continuation lines of the gpgkey value and must be indented, otherwise dnf rejects the repo file.
Step 3: Install CrowdSec
Once the repository is ready, install CrowdSec using the package manager.
sudo dnf install crowdsec -y
After installation, CrowdSec will automatically start and begin monitoring system logs.
Check its status to confirm it’s running properly:
sudo systemctl status crowdsec
If it’s inactive, enable and start it:
sudo systemctl enable --now crowdsec
Step 4: Install the CrowdSec Firewall Bouncer
The CrowdSec agent detects suspicious behavior, but we also need a “bouncer” to actively block malicious IPs. The firewall bouncer integrates with our system firewall (firewalld or nftables).
Install the firewall bouncer:
sudo dnf install crowdsec-firewall-bouncer-nftables -y
If we are using firewalld instead of nftables, we can install the respective version:
sudo dnf install crowdsec-firewall-bouncer-firewalld -y
Enable and start the bouncer service:
sudo systemctl enable --now crowdsec-firewall-bouncer
List the bouncers registered with the local API:
sudo cscli bouncers list
Step 5: Verify Installation
Once both services are running, check if they are communicating properly.
sudo cscli metrics
This command shows the health of the agent, bouncer, and any active scenarios.
We can also check active bans with:
sudo cscli decisions list
If everything is configured properly, CrowdSec will automatically ban any IPs showing suspicious activity, such as repeated SSH login failures or web attacks.
Step 6: Add Additional Parsers or Collections
CrowdSec uses “collections” to handle different log sources and services. For example, to protect SSH and web services, we can install these collections:
sudo cscli collections install crowdsecurity/sshd
sudo cscli collections install crowdsecurity/nginx
sudo cscli collections install crowdsecurity/http-cve
Restart CrowdSec after adding new collections:
sudo systemctl restart crowdsec
By default, CrowdSec reads system logs via journald and common log files. Check the metrics again to confirm the new parsers and scenarios are working:
sudo cscli metrics
Step 7: Register with CrowdSec Console (Optional but Recommended)
Registering with the CrowdSec Console allows us to manage multiple instances and visualize attack data through a web dashboard.
Visit https://app.crowdsec.net and create an account.
Then, link our local instance:
sudo cscli console enroll
Follow the link displayed in the terminal to complete the registration.
Step 8: Monitor and Manage
CrowdSec provides real-time visibility into attacks and blocked IPs. To review logs and activity:
sudo tail -f /var/log/crowdsec.log
We can also manually remove a banned IP if necessary:
sudo cscli decisions delete --ip <IP_ADDRESS>
To manually ban an IP in CrowdSec:
sudo cscli decisions add --ip 1.2.3.4
Ban an IP in CrowdSec with a duration:
sudo cscli decisions add --ip 1.2.3.4 --duration 24h
Verify banned IPs:
sudo cscli decisions list
Step 9: Test the pipeline end-to-end
From another host, attempt a few failed SSH logins, then confirm an alert and a decision.
# On the CrowdSec server
sudo cscli alerts list --since 1h
sudo cscli decisions list
Notes:
cscli alerts list shows detections; cscli decisions list shows the active bans that the bouncer enforces.
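To make the Step 9 check repeatable (and to cover the manual bans from Step 8), here is an added helper script that is not part of the original tutorial. It parses the output of sudo cscli decisions list -o json, whose shape is assumed here to be a list of alerts each carrying its decisions, and reports whether a test IP holds a ban that was produced by a scenario rather than added by hand; the embedded JSON sample and its IPs are constructed for the demonstration.

```python
import json
import subprocess
import sys

# Constructed sample in the assumed shape of `sudo cscli decisions list -o json`:
# a list of alerts, each with its active decisions. All values are made up.
SAMPLE_DECISIONS_JSON = """
[
  {"id": 7, "scenario": "crowdsecurity/ssh-bf",
   "source": {"ip": "203.0.113.25", "scope": "Ip", "value": "203.0.113.25"},
   "decisions": [
     {"id": 12, "origin": "crowdsec", "type": "ban", "scope": "Ip",
      "value": "203.0.113.25", "duration": "3h58m12s",
      "scenario": "crowdsecurity/ssh-bf"}]},
  {"id": 8, "scenario": "manual 'ban' from 'localhost'",
   "source": {"ip": "198.51.100.9", "scope": "Ip", "value": "198.51.100.9"},
   "decisions": [
     {"id": 13, "origin": "cscli", "type": "ban", "scope": "Ip",
      "value": "198.51.100.9", "duration": "23h59m50s",
      "scenario": "manual 'ban' from 'localhost'"}]}
]
"""


def active_bans(decisions_json: str) -> dict:
    """Map every banned IP to its decision details (type, duration, origin, scenario)."""
    bans = {}
    # With no active decisions cscli prints a bare `null`, so guard the iteration.
    for alert in json.loads(decisions_json) or []:
        for d in alert.get("decisions", []):
            if d.get("type") == "ban" and d.get("scope") == "Ip":
                bans[d["value"]] = {k: d.get(k) for k in ("type", "duration", "origin", "scenario")}
    return bans


def check_pipeline(decisions_json: str, test_ip: str, scenario: str = "crowdsecurity/ssh-bf") -> bool:
    """True only when test_ip is banned by the named scenario, i.e. the agent detected it.
    A manual `cscli decisions add` ban has origin "cscli" and does not prove detection works."""
    ban = active_bans(decisions_json).get(test_ip)
    return ban is not None and ban["scenario"] == scenario and ban["origin"] == "crowdsec"


def fetch_decisions() -> str:
    """Query the live local API; cscli needs root like the commands above."""
    cmd = ["sudo", "cscli", "decisions", "list", "-o", "json"]
    return subprocess.run(cmd, check=True, capture_output=True, text=True).stdout


if __name__ == "__main__":
    # Usage: check_ban.py <IP of the host that produced the failed logins>
    live = len(sys.argv) > 1
    ip = sys.argv[1] if live else "203.0.113.25"
    data = fetch_decisions() if live else SAMPLE_DECISIONS_JSON
    print(f"{ip}: {'scenario ban active, pipeline OK' if check_pipeline(data, ip) else 'no scenario ban found'}")
```

Run it with no argument to exercise the constructed sample, or pass the source IP of your test logins to query the real agent.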
Step 10: Nginx bouncer for layer-7 blocking
If we run Nginx and want application-level checks in addition to firewall bans, install the Nginx bouncer. Packages are available for Debian/Ubuntu. After installation, reload Nginx and verify that the bouncer appears in cscli bouncers list.
sudo dnf install -y crowdsec-nginx-bouncer
sudo systemctl reload nginx
sudo cscli bouncers list
Step 11: Daily-driver commands
We keep these handy. They’re the fastest way to inspect and tune.
Health and versions
sudo cscli version
sudo cscli metrics
Hub management
sudo cscli hub list
sudo cscli hub update
sudo cscli collections upgrade --all
sudo cscli scenarios upgrade --all
Decisions and alerts
sudo cscli decisions list
sudo cscli decisions add -i <IP> -t ban -d 4h
sudo cscli decisions delete -i <IP>
sudo cscli alerts list --since 24h
sudo cscli alerts inspect -d <ALERT_ID>
Bouncer visibility
sudo cscli bouncers list
Service control
sudo systemctl status crowdsec
sudo systemctl status crowdsec-firewall-bouncer
sudo journalctl -u crowdsec -e --no-pager
Reference: cscli decisions manages bans; cscli metrics reports engine and parser activity; and the Console commands handle enrollment status and data sharing.
Conclusion
By installing and configuring CrowdSec on AlmaLinux 10, we strengthen our server’s defense with adaptive, community-driven protection. It learns from global attack patterns and shields our infrastructure from real-time threats automatically.
Combining CrowdSec’s detection with its bouncers ensures both visibility and prevention, making our AlmaLinux server more secure, stable, and resilient against evolving cyber threats.
