## 🚀 How to Install CrowdSec on Ubuntu

This tutorial will guide you through installing the **CrowdSec Agent** (which detects threats) and the **Firewall Bouncer** (which blocks them) on an Ubuntu system.

### Prerequisites

* An Ubuntu server (e.g., 20.04, 22.04).
* Access to a user account with `sudo` privileges.
* Internet access to download the packages.

-----

### Step 1: Add the CrowdSec Repository

First, you need to add the official CrowdSec package repository to your system.

1. Update your package lists to ensure you have the latest information:

    ```bash
    sudo apt update
    ```

2. Install the `curl` utility if it's not already present:

    ```bash
    sudo apt install curl
    ```

3. Run the official CrowdSec installation script. This script will automatically detect your OS and add the correct repository. It is piped straight into a root shell, so download and read it first if you want to review what it changes:

    ```bash
    curl -s https://packagecloud.io/install/repositories/crowdsec/crowdsec/script.deb.sh | sudo bash
    ```

-----

### Step 2: Install the CrowdSec Agent

Now that the repository is added, you can install the **CrowdSec agent**. This is the core component that reads your logs (like SSH, web server, etc.) to detect malicious behavior.

1. Install the `crowdsec` package:

    ```bash
    sudo apt install crowdsec
    ```

2. The service should start automatically. You can verify that it's running:

    ```bash
    sudo systemctl status crowdsec
    ```

    You should see `active (running)` in the output.

-----

### Step 3: Install a Bouncer

The agent *detects* threats, but it doesn't *block* them by default. For that, you need a **Bouncer**. The most common bouncer integrates with your server's firewall.

1. Install the CrowdSec firewall bouncer. This example uses `iptables`, which is common.

    ```bash
    sudo apt install crowdsec-firewall-bouncer-iptables
    ```

    > **Note:** If your system uses `nftables` (common on newer Ubuntu versions), you might prefer `sudo apt install crowdsec-firewall-bouncer-nftables` instead.

2. After installation, the bouncer service should also start automatically.


-----

### Step 4: Verify the Installation

Let's check if the agent and the bouncer are communicating correctly using the CrowdSec command-line interface, `cscli`.

1. **Check bouncer status:**

    ```bash
    sudo cscli bouncers list
    ```

    You should see your `crowdsec-firewall-bouncer-iptables` listed, and it should show as **validated** (`✔`).

2. **Check agent metrics:** This command shows if the agent is reading logs and parsing them.

    ```bash
    sudo cscli metrics
    ```

    You'll see counters for things like "lines read" and "lines parsed." This confirms the agent is working.

-----

### Step 5: Install Collections (Important!)

By default, CrowdSec installs basic collections (like for `sshd`). To protect other services, you must **install collections** for them. A collection is a set of parsers (to understand logs) and scenarios (to detect attacks).

1. **List installed collections:**

    ```bash
    sudo cscli collections list
    ```

    You will likely see `crowdsec/linux` and `crowdsec/sshd`.

2. **Install new collections:** You *must* install collections for the software you run. For example, if you run an Nginx web server:

    ```bash
    sudo cscli collections install crowdsec/nginx
    ```

    Or for an Apache web server:

    ```bash
    sudo cscli collections install crowdsec/apache2
    ```

    You can find all available collections on the [CrowdSec Hub](https://hub.crowdsec.net/).

### ✅ Installation Complete!

Your CrowdSec agent is now monitoring your logs, and the firewall bouncer is ready to block any IPs that trigger a security scenario.

You can monitor active decisions (blocks) at any time by running:

```bash
sudo cscli decisions list
```
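
As a follow-up to the bouncer check in Step 4, the script below is an added example (not part of the original tutorial or of CrowdSec's own tooling) that reads the bouncer list as JSON and flags bouncers that are registered but revoked, have never pulled decisions, or have stopped pulling. It assumes `cscli bouncers list -o json` returns objects with `name`, `revoked` and `last_pull` fields; the five-minute staleness threshold and the sample data are choices made for this example.

```python
import json
import re
import subprocess
import sys
from datetime import datetime, timedelta, timezone

# Constructed sample shaped like `cscli bouncers list -o json`; field names are assumed.
SAMPLE = """[
 {"name": "fw-bouncer-example", "revoked": false, "last_pull": "2024-05-01T12:00:05.123456789Z"},
 {"name": "idle-bouncer-example", "revoked": false, "last_pull": "2024-05-01T09:00:00Z"},
 {"name": "new-bouncer-example", "revoked": false, "last_pull": null},
 {"name": "old-bouncer-example", "revoked": true, "last_pull": "2024-05-01T12:00:00Z"}
]"""
SAMPLE_NOW = datetime(2024, 5, 1, 12, 1, 0, tzinfo=timezone.utc)
TS = re.compile(r"(\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d)(?:\.\d+)?(Z|[+-]\d\d:\d\d)$")


def parse_ts(value):
    """Parse an RFC 3339 timestamp (Go style, any fraction length); None if absent."""
    m = TS.match(value or "")
    if not m:
        return None
    return datetime.fromisoformat(m.group(1) + ("+00:00" if m.group(2) == "Z" else m.group(2)))


def check_bouncers(raw_json, now, max_age=timedelta(minutes=5)):
    """Map each bouncer name to 'ok', 'revoked', 'never-pulled' or 'stale'."""
    result = {}
    for b in json.loads(raw_json) or []:  # `null` output means no bouncers
        last = parse_ts(b.get("last_pull"))
        if b.get("revoked"):
            status = "revoked"
        elif last is None or last.year == 1:  # missing or Go zero time
            status = "never-pulled"
        elif now - last > max_age:
            status = "stale"
        else:
            status = "ok"
        result[b.get("name", "?")] = status
    return result


if __name__ == "__main__":
    try:
        cmd = ["cscli", "bouncers", "list", "-o", "json"]
        raw = subprocess.run(cmd, capture_output=True, text=True, check=True).stdout
        now = datetime.now(timezone.utc)
    except (OSError, subprocess.CalledProcessError):
        print("cscli unavailable, using the constructed sample", file=sys.stderr)
        raw, now = SAMPLE, SAMPLE_NOW
    report = check_bouncers(raw, now)
    for name, status in report.items():
        print(f"{name}: {status}")
    sys.exit(0 if report and all(s == "ok" for s in report.values()) else 1)
```

Run it with the same privileges you use for `cscli`; it exits non-zero when no bouncer is registered or any bouncer is not `ok`, which makes it usable from a cron job or monitoring check.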