remco/Epicnabbo-Catalogus-Updated-Daily
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
e5aa2e8e91d930da3fef3f8a480aedb26bd536c9
Epicnabbo-Catalogus-Updated…/extra tuts/crowdsecinstall ubuntu.md
T
Remco fa18685c8b 🆙 Add more tuts 🆙
2025-11-06 19:06:43 +01:00

120 lines
3.7 KiB
Markdown
Raw Blame History

## 🚀 How to Install CrowdSec on Ubuntu
This tutorial will guide you through installing the **CrowdSec Agent** (which detects threats) and the **Firewall Bouncer** (which blocks them) on an Ubuntu system.
### Prerequisites
* An Ubuntu server (e.g., 20.04, 22.04).
* Access to a user account with `sudo` privileges.
* Internet access to download the packages.
-----
### Step 1: Add the CrowdSec Repository
First, you need to add the official CrowdSec package repository to your system.
1. Update your package lists to ensure you have the latest information:
```bash
sudo apt update
```
2. Install the `curl` utility if it's not already present:
```bash
sudo apt install curl
```
3. Run the official CrowdSec installation script. This script will automatically detect your OS and add the correct repository:
```bash
curl -s https://packagecloud.io/install/repositories/crowdsec/crowdsec/script.deb.sh | sudo bash
```
-----
### Step 2: Install the CrowdSec Agent
Now that the repository is added, you can install the **CrowdSec agent**. This is the core component that reads your logs (like SSH, web server, etc.) to detect malicious behavior.
1. Install the `crowdsec` package:
```bash
sudo apt install crowdsec
```
2. The service should start automatically. You can verify that it's running:
```bash
sudo systemctl status crowdsec
```
You should see `active (running)` in the output.
-----
### Step 3: Install a Bouncer
The agent *detects* threats, but it doesn't *block* them by default. For that, you need a **Bouncer**. The most common bouncer integrates with your server's firewall.
1. Install the CrowdSec firewall bouncer. This example uses `iptables`, which is common.
```bash
sudo apt install crowdsec-firewall-bouncer-iptables
```
> **Note:** If your system uses `nftables` (common on newer Ubuntu versions), you might prefer `sudo apt install crowdsec-firewall-bouncer-nftables` instead.
2. After installation, the bouncer service should also start automatically.
-----
### Step 4: Verify the Installation
Let's check if the agent and the bouncer are communicating correctly using the CrowdSec command-line interface, `cscli`.
1. **Check bouncer status:**
```bash
sudo cscli bouncers list
```
You should see your `crowdsec-firewall-bouncer-iptables` listed, and it should show as **validated** (``).
2. **Check agent metrics:** This command shows if the agent is reading logs and parsing them.
```bash
sudo cscli metrics
```
You'll see counters for things like "lines read" and "lines parsed." This confirms the agent is working.
-----
### Step 5: Install Collections (Important\!)
By default, CrowdSec installs basic collections (like for `sshd`). To protect other services, you must **install collections** for them. A collection is a set of parsers (to understand logs) and scenarios (to detect attacks).
1. **List installed collections:**
```bash
sudo cscli collections list
```
You will likely see `crowdsec/linux` and `crowdsec/sshd`.
2. **Install new collections:** You *must* install collections for the software you run. For example, if you run an Nginx web server:
```bash
sudo cscli collections install crowdsec/nginx
```
Or for an Apache web server:
```bash
sudo cscli collections install crowdsec/apache2
```
You can find all available collections on the [CrowdSec Hub](https://hub.crowdsec.net/).
### ✅ Installation Complete\!
Your CrowdSec agent is now monitoring your logs, and the firewall bouncer is ready to block any IPs that trigger a security scenario. You can monitor active decisions (blocks) at any time by running:
```bash
sudo cscli decisions list
```
Reference in New Issue View Git Blame Copy Permalink