__ _______________________ _________._________________________ \_ _____/ \______ \ / _ \ / _____/ / _____/ | | \_ _____/ | __) | _/ / /_\ \ / \ ___ / \ ___ | | | __)_ | \ | | \ / | \ \ \_\ \ \ \_\ \ | |___ | \ \___ / |____|_ / \____|__ / \______ / \______ / |_______ \ /_______ / \/ \/ \/ \/ \/ \/ \/

crowdsec Cheatsheet

← Back to cheatsheets

← Home

CrowdSec is a collaborative intrusion prevention system that analyzes behaviors, responds to attacks, and shares threat intelligence. Modern, open-source alternative to fail2ban with community-driven detection rules.

Basic Usage

  • crowdsec -h - Show help
  • crowdsec status - Show status
  • systemctl status crowdsec - Service status
  • systemctl start crowdsec - Start service
  • systemctl stop crowdsec - Stop service
  • systemctl restart crowdsec - Restart service

Configuration

  • /etc/crowdsec/config.yaml - Main configuration
  • /etc/crowdsec/acquis.yaml - Log sources
  • /etc/crowdsec/parsers/ - Parser configurations
  • /etc/crowdsec/scenarios/ - Detection scenarios
  • /etc/crowdsec/collections/ - Collection definitions

Management

  • cscli -h - CLI tool help
  • cscli hub list - List installed collections
  • cscli hub update - Update collections
  • cscli hub upgrade - Upgrade collections
  • cscli collections list - List collections
  • cscli collections install crowdsecurity/linux - Install collection
  • cscli parsers list - List parsers
  • cscli scenarios list - List scenarios

Bouncers

  • cscli bouncers list - List bouncers
  • cscli bouncers add mybouncer - Add bouncer
  • cscli bouncers delete mybouncer - Delete bouncer
  • cscli bouncers inspect mybouncer - Inspect bouncer

Decisions & Alerts

  • cscli decisions list - List active decisions
  • cscli decisions list -i 192.168.1.100 - Decisions for IP
  • cscli alerts list - List alerts
  • cscli alerts inspect <alert_id> - Inspect alert
  • cscli decisions delete -i 192.168.1.100 - Delete decision
  • cscli decisions add -i 192.168.1.100 -t ban - Add decision

Metrics & Monitoring

  • cscli metrics - Show metrics
  • cscli hub list -v - Verbose collection list
  • cscli version - Show version
  • cscli capi status - API status

Common Examples

Install Collection

cscli collections install crowdsecurity/linux

Install Linux collection.

Update Collections

cscli hub update && cscli hub upgrade

Update and upgrade all collections.

List Decisions

cscli decisions list

Show active bans.

Check IP

cscli decisions list -i 192.168.1.100

Check if IP is banned.

Add Manual Ban

cscli decisions add -i 192.168.1.100 -t ban --duration 24h

Manually ban IP for 24 hours.

Remove Ban

cscli decisions delete -i 192.168.1.100

Remove ban for IP.

View Alerts

cscli alerts list

List recent security alerts.

Service Status

systemctl status crowdsec

Check service status.

Configuration Files

  • /etc/crowdsec/config.yaml - Main config
  • /etc/crowdsec/acquis.yaml - Log acquisition
  • /var/log/crowdsec.log - Main log file
  • /var/lib/crowdsec/data/ - Database directory

Tips

  • Install collections for your services (nginx, ssh, etc.)
  • Regularly update collections: cscli hub update
  • Configure acquis.yaml to monitor your logs
  • Use bouncers to integrate with firewalls
  • Monitor decisions and alerts regularly
  • Share intelligence with community (optional)
  • More modern and flexible than fail2ban
  • Community-driven detection rules