remco/Epicnabbo-Catalogus-Updated-Daily
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
9e71eb151e695c06fd32e59bd62014883029fdbd
Epicnabbo-Catalogus-Updated…/extra tuts/crowdsecinstall ubuntu.md
T
Remco fa18685c8b 🆙 Add more tuts 🆙
2025-11-06 19:06:43 +01:00

3.7 KiB
Raw Blame History

🚀 How to Install CrowdSec on Ubuntu

This tutorial will guide you through installing the CrowdSec Agent (which detects threats) and the Firewall Bouncer (which blocks them) on an Ubuntu system.

Prerequisites

  • An Ubuntu server (e.g., 20.04, 22.04).
  • Access to a user account with sudo privileges.
  • Internet access to download the packages.

Step 1: Add the CrowdSec Repository

First, you need to add the official CrowdSec package repository to your system.

  1. Update your package lists to ensure you have the latest information: 
    sudo apt update
  2. Install the curl utility if it's not already present: 
    sudo apt install curl
  3. Run the official CrowdSec installation script. This script will automatically detect your OS and add the correct repository: 
    curl -s https://packagecloud.io/install/repositories/crowdsec/crowdsec/script.deb.sh | sudo bash

Step 2: Install the CrowdSec Agent

Now that the repository is added, you can install the CrowdSec agent. This is the core component that reads your logs (like SSH, web server, etc.) to detect malicious behavior.

  1. Install the crowdsec package: 
    sudo apt install crowdsec
  2. The service should start automatically. You can verify that it's running: 
    sudo systemctl status crowdsec
    You should see active (running) in the output.

Step 3: Install a Bouncer

The agent detects threats, but it doesn't block them by default. For that, you need a Bouncer. The most common bouncer integrates with your server's firewall.

  1. Install the CrowdSec firewall bouncer. This example uses iptables, which is common.

    sudo apt install crowdsec-firewall-bouncer-iptables

    Note: If your system uses nftables (common on newer Ubuntu versions), you might prefer sudo apt install crowdsec-firewall-bouncer-nftables instead.

  2. After installation, the bouncer service should also start automatically.

Step 4: Verify the Installation

Let's check if the agent and the bouncer are communicating correctly using the CrowdSec command-line interface, cscli.

  1. Check bouncer status:

    sudo cscli bouncers list

    You should see your crowdsec-firewall-bouncer-iptables listed, and it should show as validated ().

  2. Check agent metrics: This command shows if the agent is reading logs and parsing them.

    sudo cscli metrics

    You'll see counters for things like "lines read" and "lines parsed." This confirms the agent is working.

Step 5: Install Collections (Important!)

By default, CrowdSec installs basic collections (like for sshd). To protect other services, you must install collections for them. A collection is a set of parsers (to understand logs) and scenarios (to detect attacks).

  1. List installed collections:

    sudo cscli collections list

    You will likely see crowdsec/linux and crowdsec/sshd.

  2. Install new collections: You must install collections for the software you run. For example, if you run an Nginx web server:

    sudo cscli collections install crowdsec/nginx

    Or for an Apache web server:

    sudo cscli collections install crowdsec/apache2

    You can find all available collections on the CrowdSec Hub.

Installation Complete!

Your CrowdSec agent is now monitoring your logs, and the firewall bouncer is ready to block any IPs that trigger a security scenario. You can monitor active decisions (blocks) at any time by running:

sudo cscli decisions list
Reference in New Issue View Git Blame Copy Permalink