In this tutorial, we'll learn how to install and configure CrowdSec on an AlmaLinux 9 server.
What is CrowdSec?
CrowdSec is an open-source, collaborative security solution designed to protect servers, applications, and cloud infrastructure from malicious traffic. It analyzes system and application logs in real time to detect attacks such as brute force attempts, port scans, web exploits, and bot-driven intrusions. Once a threat is identified, CrowdSec takes action through bouncers to block or challenge the attacker at the firewall, web server, or load balancer level.
Prerequisites
Before we begin, ensure we have the following:
- AlmaLinux 9 on a dedicated server or KVM VPS.
- Basic Linux command-line knowledge.
Install and Configure CrowdSec on AlmaLinux 9
Step 1: Update the System
Before installing any new package, it’s always wise to ensure our system is updated. This ensures compatibility and security.
sudo dnf update -y
sudo dnf install -y epel-release
Step 2: Add the CrowdSec Repository
CrowdSec is not included in AlmaLinux’s default repositories. We need to add the official CrowdSec repository first.
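curl -s https://packagecloud.io/install/repositories/crowdsec/crowdsec/script.rpm.sh | sudo bash
This script automatically adds the correct repository for our system and imports the GPG key. Because it is piped straight into a root shell, we can download it to a file and read it first if we want to review what it does.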
Step 3: Install CrowdSec
Once the repository is ready, install CrowdSec using the package manager.
sudo dnf install crowdsec -y
After installation, CrowdSec will automatically start and begin monitoring system logs.
Check its status to confirm it’s running properly:
sudo systemctl status crowdsec
If it’s inactive, enable and start it:
sudo systemctl enable --now crowdsec
Step 4: Install the CrowdSec Firewall Bouncer
The CrowdSec agent detects suspicious behavior, but we also need a “bouncer” to actively block malicious IPs. The firewall bouncer integrates with our system firewall (firewalld or nftables).
Install the firewall bouncer:
sudo dnf install crowdsec-firewall-bouncer-nftables -y
If we are using firewalld instead of nftables, we can install the respective version:
sudo dnf install crowdsec-firewall-bouncer-firewalld -y
Enable and start the bouncer service:
sudo systemctl enable --now crowdsec-firewall-bouncer
Step 5: Verify Installation
Once both services are running, check if they are communicating properly.
sudo cscli metrics
This command shows the health of the agent, bouncer, and any active scenarios.
We can also check active bans with:
sudo cscli decisions list
If everything is configured properly, CrowdSec will automatically ban any IPs showing suspicious activity, such as repeated SSH login failures or web attacks.
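One way to confirm that a decision actually reaches the firewall, as an added example that is not part of the original tutorial: the script adds a two-minute test ban, checks that it appears in the local API and in the nftables ruleset, and removes it again. The function name verify_crowdsec, the TEST_IP value (an RFC 5737 documentation address) and the WAIT delay are assumptions of this example, and it assumes the nftables bouncer from Step 4.

```sh
#!/bin/sh
# Added example: end-to-end check that a CrowdSec ban reaches the firewall.
# Run as root. Assumes the nftables bouncer from Step 4. TEST_IP is taken from
# the RFC 5737 documentation range, so the temporary ban hits no real client.
TEST_IP="${TEST_IP:-192.0.2.10}"
WAIT="${WAIT:-15}"   # assumption: longer than the bouncer's polling interval

verify_crowdsec() {
    # 1. Both units enabled in Steps 3 and 4 must be active.
    for svc in crowdsec crowdsec-firewall-bouncer; do
        systemctl is-active --quiet "$svc" \
            || { echo "FAIL: $svc is not active"; return 1; }
    done

    # 2. At least one bouncer must be registered with the local API.
    cscli bouncers list -o json | grep -q '"name"' \
        || { echo "FAIL: no bouncer registered with the local API"; return 2; }

    # 3. Insert a short-lived ban and confirm the local API stores it.
    cscli decisions add --ip "$TEST_IP" --duration 2m --reason "bouncer test" \
        >/dev/null || { echo "FAIL: could not add test decision"; return 3; }
    rc=0
    if ! cscli decisions list --ip "$TEST_IP" -o json | grep -qF "$TEST_IP"; then
        echo "FAIL: test decision is not listed"; rc=3
    else
        # 4. Give the bouncer time to pull the decision, then look for the
        #    address in the nftables ruleset it maintains.
        sleep "$WAIT"
        nft list ruleset | grep -qF "$TEST_IP" \
            || { echo "FAIL: $TEST_IP is not in the nftables ruleset"; rc=4; }
    fi

    # 5. Always remove the test ban, whatever the outcome.
    cscli decisions delete --ip "$TEST_IP" >/dev/null 2>&1
    [ "$rc" -eq 0 ] && echo "OK: the ban for $TEST_IP reached the firewall"
    return "$rc"
}

# Run the check when the script is called with the argument "run".
if [ "${1:-}" = "run" ]; then
    verify_crowdsec
    exit $?
fi
```

Save it to a file and run it as root with the argument run; a non-zero exit code gives the number of the step that failed.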
Step 6: Add Additional Parsers or Collections
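CrowdSec uses “collections” to handle different log sources and services. A collection only acts on logs that CrowdSec is configured to read, so the matching log files must also be listed in the acquisition configuration (/etc/crowdsec/acquis.yaml). For example, to protect SSH and web services, we can install these collections: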
sudo cscli collections install crowdsecurity/sshd
sudo cscli collections install crowdsecurity/nginx
sudo cscli collections install crowdsecurity/http-cve
Restart CrowdSec after adding new collections:
sudo systemctl restart crowdsec
Step 7: Register with CrowdSec Console (Optional but Recommended)
Registering with the CrowdSec Console allows us to manage multiple instances and visualize attack data through a web dashboard.
Visit https://app.crowdsec.net and create an account.
Then, link our local instance using the enrollment key shown in the Console:
sudo cscli console enroll <ENROLLMENT_KEY>
Follow the link displayed in the terminal to complete the registration.
Step 8: Monitor and Manage
CrowdSec provides real-time visibility into attacks and blocked IPs. To review logs and activity:
sudo tail -f /var/log/crowdsec.log
We can also manually remove a banned IP if necessary:
sudo cscli decisions delete --ip <IP_ADDRESS>
Step 9: Keep CrowdSec Updated
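Security tools must stay current to remain effective. Refresh the hub index and upgrade the installed parsers, scenarios, and collections regularly; the crowdsec package itself is updated through dnf, as in Step 1:
sudo cscli hub update
sudo cscli hub upgrade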
Conclusion
By installing and configuring CrowdSec on AlmaLinux 9, we strengthen our server’s defense with adaptive, community-driven protection. It learns from global attack patterns and shields our infrastructure from real-time threats automatically. Combining CrowdSec’s detection with its bouncers ensures both visibility and prevention—making our AlmaLinux server more secure, stable, and intelligent against evolving cyber threats.
