In this tutorial, we'll learn how to install and configure CrowdSec on Ubuntu 24.04 server.
What is CrowdSec?
CrowdSec is an open-source, collaborative security solution designed to protect servers, applications, and cloud infrastructure from malicious traffic. It analyzes system and application logs in real time to detect attacks such as brute force attempts, port scans, web exploits, and bot-driven intrusions. Once a threat is identified, CrowdSec takes action through bouncers to block or challenge the attacker at the firewall, web server, or load balancer level.
Prerequisites
Before we begin, ensure we have the following:
- An Ubuntu 24.04 dedicated server or KVM VPS.
- Basic Linux command-line knowledge.
Install and Configure CrowdSec on Ubuntu 24.04
1) Prep the server
We keep packages fresh and confirm time sync. CrowdSec relies on accurate timestamps.
sudo apt update && sudo apt upgrade -y
sudo timedatectl set-ntp true
If UFW is enabled, note that Ubuntu 24.04 uses an nftables backend by default. This matters because we’ll install the nftables firewall bouncer.
sudo ufw status verbose
sudo nft list ruleset | head -n 20
2) Install CrowdSec (Security Engine)
Use the official install script to add the repository and packages. It tracks the latest stable build for Debian/Ubuntu.
curl -s https://install.crowdsec.net | sudo sh
sudo apt update
sudo apt install -y crowdsec
Confirm the service:
systemctl status crowdsec --no-pager
sudo cscli version
The Security Engine runs and exposes a Local API for bouncers.
3) Install a firewall bouncer (nftables)
On Ubuntu 24.04 we prefer the nftables bouncer so bans happen at the kernel firewall. The package wires itself to the Local API and adds a systemd unit.
sudo apt install -y crowdsec-firewall-bouncer-nftables
sudo systemctl enable --now crowdsec-firewall-bouncer
systemctl status crowdsec-firewall-bouncer --no-pager
sudo cscli bouncers list
If UFW is actively managing rules and we also want the bouncer's nftables rules, either keep UFW alongside the bouncer or disable UFW entirely, so that manual nftables edits don't conflict with UFW's generated ruleset. Pick one policy and stick to it.
4) Enable practical scenarios and collections
CrowdSec ships with a minimal set. We add common protections: SSH brute-force, generic HTTP probing, and a Linux baseline. The commands below show what's available on the Hub and install a useful baseline.
# See everything on the Hub
sudo cscli collections list -a
sudo cscli scenarios list -a
# Install useful baseline collections/scenarios
sudo cscli collections install crowdsecurity/linux
sudo cscli scenarios install crowdsecurity/ssh-bf crowdsecurity/http-probing
# Apply and restart the engine
sudo systemctl reload crowdsec
If we run Nginx or Apache later, just add the matching collections:
# Example for web stacks (do this only if those services exist)
sudo cscli collections install crowdsecurity/nginx
sudo cscli collections install crowdsecurity/apache2
sudo systemctl reload crowdsec
5) Verify logs are being ingested
By default on Ubuntu, CrowdSec reads system logs via journald and common log files. We check metrics to confirm parsers and scenarios are working.
sudo cscli metrics
# Focus on sections: acquisition, parsers, scenarios
6) Test the pipeline end-to-end
From another host, attempt a few failed SSH logins, then confirm an alert and a decision.
# On the CrowdSec server
sudo cscli alerts list --since 1h
sudo cscli decisions list
Notes:
cscli alerts list shows detections; cscli decisions list shows active bans the bouncer enforces.
7) Optional: Nginx bouncer for layer-7 blocking
If we run Nginx and want application-level checks in addition to firewall bans, install the Nginx bouncer. Packages are available for Debian/Ubuntu. After install, reload Nginx and verify the bouncer in cscli bouncers list.
sudo apt install -y crowdsec-nginx-bouncer
sudo systemctl reload nginx
sudo cscli bouncers list
8) Optional: Enroll in CrowdSec Console
The Console gives us a central dashboard for instances and alerts. Create an account, get the enroll key, then enable data needed for the dashboard. Validate the enrollment in the web app.
sudo cscli console enroll <ENROLL_KEY>
sudo cscli console enable -a
sudo systemctl reload crowdsec
9) Daily-driver commands
We keep these handy. They’re the fastest way to inspect and tune.
Health and versions
sudo cscli version
sudo cscli metrics
Hub management
sudo cscli hub list
sudo cscli hub update
sudo cscli collections upgrade --all
sudo cscli scenarios upgrade --all
Decisions and alerts
sudo cscli decisions list
sudo cscli decisions add -i <IP> -t ban -d 4h
sudo cscli decisions delete -i <IP>
sudo cscli alerts list --since 24h
sudo cscli alerts inspect -d <ALERT_ID>
Bouncer visibility
sudo cscli bouncers list
Service control
sudo systemctl status crowdsec
sudo systemctl status crowdsec-firewall-bouncer
sudo journalctl -u crowdsec -e --no-pager
Reference: cscli decisions manages bans; cscli metrics reports engine and parser activity; and the Console commands handle enrollment status and data sharing.
10) Updates and maintenance
Keep both the engine and the Hub current:
Packages
sudo apt update && sudo apt install --only-upgrade crowdsec crowdsec-firewall-bouncer-nftables
Hub content
sudo cscli hub update
sudo cscli collections upgrade --all
sudo cscli scenarios upgrade --all
Quick sanity check after upgrades
sudo cscli metrics
11) Troubleshooting fast
Bouncer not listed or not authenticating: rerun the firewall bouncer install so it re-generates API credentials, then restart the bouncer.
sudo apt reinstall -y crowdsec-firewall-bouncer-nftables
sudo systemctl restart crowdsec-firewall-bouncer
sudo cscli bouncers list
No bans despite alerts: confirm the firewall bouncer service is running and nftables has a CrowdSec chain populated.
systemctl is-active crowdsec-firewall-bouncer
sudo nft list ruleset | grep -i crowdsec -n
Nothing shows in metrics: check journald permissions and verify acquisition is reading from sources; then reload.
sudo journalctl -u crowdsec -e --no-pager
sudo cscli metrics
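A post-install sanity check that ties together the step 6 verification (is the test IP actually banned?) and the step 11 troubleshooting checks (bouncer registered, nftables chain present). This is an added example script, not part of CrowdSec or of this tutorial. It assumes cscli's `-o json` output carries a "name" field per bouncer and nests decisions with "value" (the IP) and "type" fields; the check functions take command output as text so they can be exercised offline with constructed samples.

```shell
#!/usr/bin/env bash
# Added post-install sanity check (example; not CrowdSec's own tooling).
# Check functions take command output as text so they run offline;
# run_checks feeds them live output on the server.
# Assumed JSON shapes: bouncers have "name"; decisions have "value" and "type".

# 0 if some registered bouncer's name contains $2 (case-insensitive).
bouncer_registered() {            # $1 = `cscli bouncers list -o json`, $2 = fragment
  printf '%s' "$1" | grep -qi "\"name\":[[:space:]]*\"[^\"]*$2"
}

# 0 if the nftables ruleset text holds a crowdsec chain or set.
nft_has_crowdsec() {              # $1 = output of `nft list ruleset`
  printf '%s' "$1" | grep -qiE '(chain|set)[[:space:]]+crowdsec'
}

# Print the decision type (ban, captcha, ...) for an IP, or nothing if none.
decision_for_ip() {               # $1 = `cscli decisions list -o json`, $2 = IP
  printf '%s' "$1" | tr -d ' \n\t' | grep -oE '\{[^{}]*\}' \
    | grep -F "\"value\":\"$2\"" | grep -oE '"type":"[a-z]+"' \
    | head -n1 | cut -d'"' -f4
}

# Run one check ($2...) under a label ($1); remember any failure in RC.
report() { local l=$1; shift; if "$@"; then echo "ok   $l"; else echo "FAIL $l"; RC=1; fi; }

run_checks() {                    # live checks; optional $1 = IP used in step 6
  RC=0
  report "crowdsec service active"      systemctl is-active --quiet crowdsec
  report "firewall bouncer active"      systemctl is-active --quiet crowdsec-firewall-bouncer
  report "bouncer registered with LAPI" bouncer_registered "$(sudo cscli bouncers list -o json)" firewall
  report "crowdsec chain/set in nft"    nft_has_crowdsec "$(sudo nft list ruleset)"
  [ -n "${1:-}" ] && report "ban present for $1" \
    [ "$(decision_for_ip "$(sudo cscli decisions list -o json)" "$1")" = ban ]
  return "$RC"
}

offline_demo() {                  # constructed sample output; runs anywhere
  RC=0
  local b='[{"name":"FirewallBouncer-1a2b","revoked":false}]'
  local n='table inet crowdsec { set crowdsec-blacklists { } chain crowdsec-chain { } }'
  local d='[{"scenario":"crowdsecurity/ssh-bf","source":{"scope":"Ip","value":"198.51.100.7"},
    "decisions":[{"duration":"3h58m","scope":"Ip","type":"ban","value":"198.51.100.7"}]}]'
  report "bouncer registered with LAPI"  bouncer_registered "$b" firewall
  report "crowdsec chain/set in nft"     nft_has_crowdsec "$n"
  report "ban present for 198.51.100.7"  [ "$(decision_for_ip "$d" 198.51.100.7)" = ban ]
  return "$RC"
}

case "${1:-demo}" in live) run_checks "${2:-}" ;; *) offline_demo ;; esac
```

Run `bash check.sh live 198.51.100.7` (substituting the IP you used for the failed SSH logins) on the server; with no arguments it only exercises the constructed samples.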
Conclusion
We walked through a complete installation and configuration of CrowdSec on Ubuntu 24.04, set up the firewall bouncer, added essential security collections, and explored key commands for monitoring and maintaining the system. By enabling CrowdSec, we create a proactive defense layer that detects threats in real time and blocks attackers before they cause harm.
CrowdSec gives us a modern and effective way to safeguard our platform, reduce attack surface, and stay ahead of constantly evolving cyber threats.
