gitmyhub

crowdsec

Go ★ 14k updated 1d ago

CrowdSec - the open-source and participative security solution offering crowdsourced protection against malicious IPs and access to the most advanced real-world CTI.

An open-source security tool that reads your server logs to detect attacks like brute-force and port scans, blocks malicious IPs via pluggable components, and shares threat data with a global community so you block known attackers before they target you.

Go · setup: moderate · complexity: 3/5

CrowdSec is an open-source security tool written in Go that monitors your server logs (and, through its AppSec component, incoming HTTP requests) for signs of malicious behavior, then issues block decisions against the responsible IP addresses. It reads log files from services such as web servers and SSH daemons, looking for patterns like brute-force login attempts, port scans, or automated crawlers probing for weaknesses. The engine itself is a detector: it records a decision (for example "ban this IP for four hours") but does not touch the firewall. Enforcement is handled by separate remediation components you install alongside it, so an engine with nothing attached to it detects but blocks nothing.

What distinguishes CrowdSec from a standalone firewall is its community sharing model. When your installation detects an attack, it reports a signal to the central API: the offending IP address, the scenario that fired, and a timestamp, not the underlying log content. In return, your engine receives the Community Blocklist: a live feed of IP addresses already flagged by CrowdSec users around the world. Your server can start blocking known bad actors before they ever attempt to reach you, based on attacks other users have already seen. The caveat is that the feed is only delivered to engines enrolled with the central API that are themselves sharing signals; an air-gapped or unenrolled engine gets local detection only.

Detection is a two-stage pipeline. Parsers turn raw log lines into structured events, and scenarios decide when those events add up to an attack; most scenarios are leaky buckets keyed on the source IP, which overflow when events arrive faster than they drain. Parsers and scenarios are bundled into collections (one per service, such as sshd or nginx) and published under the MIT license on the project hub, where you can browse and install pre-built ones for common attack types or write your own. Blocking is applied through remediation components, also called bouncers, which authenticate to the engine's local API with an API key and enforce its decisions at different points in your infrastructure: the host firewall, a CDN, a specific application, or a Kubernetes ingress controller.
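The parser-then-leaky-bucket pipeline described above, as an added example in Go. This is illustrative code written for this page, not CrowdSec's own implementation or scenario format: the sshd log lines are constructed, the scenario name `example/ssh-bf`, the capacity of 5, the leak speed of one event per 10 seconds and the 4-hour ban are assumed values chosen to make the overflow visible.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
	"time"
)

// Constructed sample sshd log (not real traffic). One source makes six password
// failures in seven seconds; another makes two failures half an hour apart.
const sampleAuthLog = `Jan 10 12:00:01 host sshd[1001]: Failed password for root from 203.0.113.10 port 40001 ssh2
Jan 10 12:00:02 host sshd[1002]: Failed password for invalid user admin from 203.0.113.10 port 40002 ssh2
Jan 10 12:00:03 host sshd[1003]: Failed password for root from 203.0.113.10 port 40003 ssh2
Jan 10 12:00:04 host sshd[1004]: Accepted publickey for deploy from 198.51.100.7 port 50000 ssh2
Jan 10 12:00:05 host sshd[1005]: Failed password for root from 203.0.113.10 port 40004 ssh2
Jan 10 12:00:06 host sshd[1006]: Failed password for root from 203.0.113.10 port 40005 ssh2
Jan 10 12:00:07 host sshd[1007]: Failed password for root from 203.0.113.10 port 40006 ssh2
Jan 10 12:00:08 host sshd[1008]: Failed password for alice from 198.51.100.7 port 50001 ssh2
Jan 10 12:30:00 host sshd[1009]: Failed password for alice from 198.51.100.7 port 50002 ssh2`

// Event is what the parser stage produces from one raw line.
type Event struct {
	At       time.Time
	SourceIP string
	User     string
}

// Decision is what a scenario emits on overflow; a bouncer would enforce it.
type Decision struct {
	SourceIP string
	Scenario string
	Duration time.Duration
}

// Assumed syslog-style prefix without a year, as on most Debian/RHEL hosts.
var failedLogin = regexp.MustCompile(
	`^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+) port \d+`)

// ParseFailedLogin is the parser stage: raw line in, structured event out.
// Successful logins and unrelated lines are dropped here, before any bucket sees them.
func ParseFailedLogin(line string) (Event, bool) {
	m := failedLogin.FindStringSubmatch(line)
	if m == nil {
		return Event{}, false
	}
	at, err := time.Parse("Jan _2 15:04:05", m[1])
	if err != nil {
		return Event{}, false
	}
	return Event{At: at, User: m[2], SourceIP: m[3]}, true
}

type bucket struct {
	level float64 // events currently held
	last  time.Time
}

// BruteForceScenario is the scenario stage: one leaky bucket per source IP.
// Capacity is how many events a bucket holds before it overflows; LeakSpeed is
// how long one event takes to drain out.
type BruteForceScenario struct {
	Name      string
	Capacity  int
	LeakSpeed time.Duration
	BanFor    time.Duration
	buckets   map[string]*bucket
}

func NewBruteForceScenario(name string, capacity int, leak, ban time.Duration) *BruteForceScenario {
	return &BruteForceScenario{Name: name, Capacity: capacity, LeakSpeed: leak, BanFor: ban, buckets: map[string]*bucket{}}
}

// Feed pours one event into its source's bucket and reports an overflow as a decision.
func (s *BruteForceScenario) Feed(e Event) (Decision, bool) {
	b, ok := s.buckets[e.SourceIP]
	if !ok {
		b = &bucket{last: e.At}
		s.buckets[e.SourceIP] = b
	}
	// Drain whatever leaked out since the previous event, never below empty.
	if elapsed := e.At.Sub(b.last); elapsed > 0 {
		b.level -= float64(elapsed) / float64(s.LeakSpeed)
		if b.level < 0 {
			b.level = 0
		}
	}
	b.last = e.At
	b.level++
	if b.level > float64(s.Capacity) {
		delete(s.buckets, e.SourceIP) // start fresh after an overflow
		return Decision{SourceIP: e.SourceIP, Scenario: s.Name, Duration: s.BanFor}, true
	}
	return Decision{}, false
}

// Detect runs parser and scenario over a whole log and collects the decisions.
func Detect(logText string) []Decision {
	sc := NewBruteForceScenario("example/ssh-bf", 5, 10*time.Second, 4*time.Hour)
	var out []Decision
	for _, line := range strings.Split(logText, "\n") {
		if e, ok := ParseFailedLogin(line); ok {
			if d, fired := sc.Feed(e); fired {
				out = append(out, d)
			}
		}
	}
	return out
}

func main() {
	for _, d := range Detect(sampleAuthLog) {
		fmt.Printf("ban %s for %s (scenario %s)\n", d.SourceIP, d.Duration, d.Scenario)
	}
}
```

Run against the sample, only 203.0.113.10 overflows: its sixth failure lands while the bucket still holds more than four events, whereas 198.51.100.7's two failures are far enough apart that the bucket drains completely in between. That drain is the point of the leaky bucket over a plain counter: a user who mistypes a password twice an hour never reaches the threshold, while a scanner hammering the port does within seconds.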

CrowdSec installs on Linux, FreeBSD, Windows, Docker, and Kubernetes. A hosted web console is available for visualizing security events, enrolling engines, and managing configuration. Premium blocklists and additional threat intelligence are available as paid offerings on top of the free open-source core.

Where it fits