Install and Configure CrowdSec on Rocky Linux 10

By Raman Kumar

Updated on Jan 20, 2026

In this tutorial, we'll learn how to install and configure CrowdSec on a Rocky Linux 10 server.

What is CrowdSec?

CrowdSec is an open-source, collaborative security solution designed to protect servers, applications, and cloud infrastructure from malicious traffic. It analyzes system and application logs in real time to detect attacks such as brute force attempts, port scans, web exploits, and bot-driven intrusions. Once a threat is identified, CrowdSec takes action through bouncers to block or challenge the attacker at the firewall, web server, or load balancer level.

Prerequisites

Before we begin, ensure we have the following:


Step 1: Update the System

Before installing any new package, it’s always wise to ensure our system is updated. This ensures compatibility and security.

sudo dnf update -y
sudo dnf install -y yum-utils

Step 2: Add the CrowdSec Repository

CrowdSec is not included in Rocky Linux’s default repositories. We need to add the official CrowdSec repository first.

sudo vi /etc/yum.repos.d/crowdsec_crowdsec.repo

Add the following content:

[crowdsec_crowdsec]
name=crowdsec_crowdsec
baseurl=https://packagecloud.io/crowdsec/crowdsec/el/6/$basearch
repo_gpgcheck=1
gpgcheck=1
enabled=1
gpgkey=https://packagecloud.io/crowdsec/crowdsec/gpgkey
       https://packagecloud.io/crowdsec/crowdsec/gpgkey/crowdsec-crowdsec-EDE2C695EC9A5A5C.pub.gpg
       https://packagecloud.io/crowdsec/crowdsec/gpgkey/crowdsec-crowdsec-C822EDD6B39954A1.pub.gpg
       https://packagecloud.io/crowdsec/crowdsec/gpgkey/crowdsec-crowdsec-FED78314A2468CCF.pub.gpg
sslverify=1
sslcacert=/etc/pki/tls/certs/ca-bundle.crt
metadata_expire=300

[crowdsec_crowdsec-source]
name=crowdsec_crowdsec-source
baseurl=https://packagecloud.io/crowdsec/crowdsec/el/6/SRPMS
repo_gpgcheck=1
gpgcheck=1
enabled=1
gpgkey=https://packagecloud.io/crowdsec/crowdsec/gpgkey
       https://packagecloud.io/crowdsec/crowdsec/gpgkey/crowdsec-crowdsec-EDE2C695EC9A5A5C.pub.gpg
       https://packagecloud.io/crowdsec/crowdsec/gpgkey/crowdsec-crowdsec-C822EDD6B39954A1.pub.gpg
       https://packagecloud.io/crowdsec/crowdsec/gpgkey/crowdsec-crowdsec-FED78314A2468CCF.pub.gpg
sslverify=1
sslcacert=/etc/pki/tls/certs/ca-bundle.crt
metadata_expire=300

Step 3: Install CrowdSec

Once the repository is ready, install CrowdSec using the package manager.

sudo dnf install crowdsec -y

After installation, CrowdSec will automatically start and begin monitoring system logs.

Check its status to confirm it’s running properly:

sudo systemctl status crowdsec

If it’s inactive, enable and start it:

sudo systemctl enable --now crowdsec

Step 4: Install the CrowdSec Firewall Bouncer

The CrowdSec agent detects suspicious behavior, but we also need a “bouncer” to actively block malicious IPs. The firewall bouncer integrates with our system firewall (firewalld or nftables).

Install the firewall bouncer:

sudo dnf install crowdsec-firewall-bouncer-nftables -y

If we are using firewalld instead of nftables, we can install the respective version:

sudo dnf install crowdsec-firewall-bouncer-firewalld -y

Enable and start the bouncer service:

sudo systemctl enable --now crowdsec-firewall-bouncer

Step 5: Verify Installation

Once both services are running, check if they are communicating properly.

sudo cscli metrics

This command shows the health of the agent, bouncer, and any active scenarios.

We can also check active bans with:

sudo cscli decisions list

If everything is configured properly, CrowdSec will automatically ban any IPs showing suspicious activity, such as repeated SSH login failures or web attacks.

Step 6: Add Additional Parsers or Collections

CrowdSec uses “collections” to handle different log sources and services. For example, to protect SSH and web services, we can install these collections:

sudo cscli collections install crowdsecurity/sshd
sudo cscli collections install crowdsecurity/nginx
sudo cscli collections install crowdsecurity/http-cve

Restart CrowdSec after adding new collections:

sudo systemctl restart crowdsec

By default, CrowdSec reads system logs via journald and common log files. Check the metrics to confirm the parsers and scenarios are working:

sudo cscli metrics

Step 7: Register with CrowdSec Console (Optional but Recommended)

Registering with the CrowdSec Console allows us to manage multiple instances and visualize attack data through a web dashboard.

Visit https://app.crowdsec.net and create an account.

Then, link our local instance:

sudo cscli console enroll

Follow the link displayed in the terminal to complete the registration.

Step 8: Monitor and Manage

CrowdSec provides real-time visibility into attacks and blocked IPs. To review logs and activity:

sudo tail -f /var/log/crowdsec.log

We can also manually remove a banned IP if necessary:

sudo cscli decisions delete --ip <IP_ADDRESS>

To manually ban an IP in CrowdSec:

cscli decisions add --ip 1.2.3.4

Ban an IP in CrowdSec with duration:

cscli decisions add --ip 1.2.3.4 --duration 24h

Verify banned IPs:

cscli decisions list

Step 9: Test the pipeline end-to-end

From another host, attempt a few failed SSH logins, then confirm an alert and a decision.

# On the CrowdSec server
sudo cscli alerts list --since 1h
sudo cscli decisions list

Notes:

  • cscli alerts list shows detections; cscli decisions list shows active bans the bouncer enforces.
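The manual ban in Step 8 and the decision check in Step 9 are easy to script, and a wrapper is a good place to add the guard this tutorial does not mention: never ban your own management address. The helper below is an added example, not part of the original tutorial or of CrowdSec itself; PROTECTED_IPS, the demo addresses and SAMPLE_DECISIONS are constructed, and the JSON is abbreviated to the fields the function reads from cscli decisions list -o json.

```shell
#!/bin/sh
# Added helper (not part of the original tutorial): wraps the tutorial's
# "cscli decisions add -i <IP> -t ban -d <DUR>" with checks a defender wants before
# a manual ban, and reads "cscli decisions list -o json" to confirm a decision.
# PROTECTED_IPS (constructed) are addresses we must never ban: loopback and our
# own management host. CSCLI_DRY_RUN=1 prints the command; set 0 to really run it.
PROTECTED_IPS="${PROTECTED_IPS:-127.0.0.1 203.0.113.10}"
: "${CSCLI_DRY_RUN:=1}"

# valid_ipv4 ADDR -> 0 when ADDR is a dotted quad with every octet in 0-255.
valid_ipv4() (
    # subshell body: IFS and positional changes below stay local
    case $1 in ''|.*|*.|*[!0-9.]*) exit 1 ;; esac
    IFS=.; set -- $1
    [ $# -eq 4 ] || exit 1
    for o in "$@"; do
        [ -n "$o" ] && [ "$o" -le 255 ] || exit 1
    done
)

# is_protected ADDR -> 0 when ADDR is on the PROTECTED_IPS allowlist.
is_protected() {
    for p in $PROTECTED_IPS; do [ "$p" = "$1" ] && return 0; done
    return 1
}

# safe_ban ADDR [DURATION]: refuse malformed (rc 1) or protected (rc 2) addresses,
# otherwise issue (or print) the command Step 8 uses. Default duration 4h.
safe_ban() {
    addr=$1; dur=${2:-4h}
    valid_ipv4 "$addr" || { echo "refusing: '$addr' is not an IPv4 address" >&2; return 1; }
    is_protected "$addr" && { echo "refusing: $addr is protected" >&2; return 2; }
    if [ "$CSCLI_DRY_RUN" = 1 ]; then
        echo "cscli decisions add -i $addr -t ban -d $dur"
    else
        sudo cscli decisions add -i "$addr" -t ban -d "$dur"
    fi
}

# is_banned ADDR JSON -> 0 when ADDR appears as a decision "value" in JSON,
# where JSON is the text printed by "cscli decisions list -o json".
is_banned() {
    esc=$(printf '%s' "$1" | sed 's/\./\\./g')
    printf '%s' "$2" | grep -o '"value": *"[^"]*"' | grep -qx "\"value\": *\"$esc\""
}

# Demo with constructed JSON, abbreviated to the fields we read.
SAMPLE_DECISIONS='[{"id":7,"scenario":"crowdsecurity/ssh-bf","source":{"value":"203.0.113.5"},"decisions":[{"type":"ban","scope":"Ip","value":"203.0.113.5","duration":"3h58m"}]}]'
safe_ban 203.0.113.5 24h
safe_ban 203.0.113.10 24h || echo "(refused with exit code $?)"
is_banned 203.0.113.5 "$SAMPLE_DECISIONS" && echo "203.0.113.5 has an active decision"
```

On the server, run it with CSCLI_DRY_RUN=0 and feed is_banned the live output: is_banned 203.0.113.5 "$(sudo cscli decisions list -o json)".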

Step 10: Nginx bouncer for layer-7 blocking

If we run Nginx and want application-level checks in addition to firewall bans, install the Nginx bouncer. Packages are available for Debian/Ubuntu. After install, reload Nginx and verify the bouncer in cscli bouncers list.

sudo dnf install -y crowdsec-nginx-bouncer
sudo systemctl reload nginx
sudo cscli bouncers list

Step 11: Daily-driver commands

We keep these handy. They’re the fastest way to inspect and tune.

Health and versions

sudo cscli version
sudo cscli metrics

Hub management

sudo cscli hub list
sudo cscli hub update
sudo cscli collections upgrade --all
sudo cscli scenarios upgrade --all

Decisions and alerts

sudo cscli decisions list
sudo cscli decisions add -i <IP> -t ban -d 4h
sudo cscli decisions delete -i <IP>
sudo cscli alerts list --since 24h
sudo cscli alerts inspect -d <ALERT_ID>

Bouncer visibility

sudo cscli bouncers list

Service control

sudo systemctl status crowdsec
sudo systemctl status crowdsec-firewall-bouncer
sudo journalctl -u crowdsec -e --no-pager

Reference: cscli decisions manages bans; cscli metrics reports engine and parser activity; and the Console commands handle enrollment status and data sharing.

Conclusion

By installing and configuring CrowdSec on Rocky Linux 10, we strengthen our server’s defense with adaptive, community-driven protection. It learns from global attack patterns and shields our infrastructure from real-time threats automatically.

Combining CrowdSec's detection with its bouncers ensures both visibility and prevention, making our Rocky Linux server more secure, stable, and resilient against evolving cyber threats.