CrowdSec, the open source collaborative behavioural security engine (IDS/IPS), preinstalled and running as a system service with the SSH and Linux detection collections and the firewall remediation bouncer already enforcing bans in iptables. Parse your logs, detect malicious behaviour and block attacking IPs at the host firewall within minutes of l
Overview
CrowdSec is a free and open source, collaborative behavioural security engine. It parses logs, detects aggressive and malicious behaviour using a curated library of detection scenarios, and remediates by blocking the offending source IPs. This image delivers CrowdSec fully installed and running as a system service, with detection collections installed and a firewall remediation bouncer already enforcing decisions, so a host intrusion detection and prevention appliance is protecting the box within minutes of launch.
Detection Engine
The crowdsec agent is installed from the official package repository and run by the bundled systemd service, which starts it on boot and restarts it on failure. It tails the system journal and the SSH authentication log, runs the events through the installed parsers and scenarios, and records its verdicts as decisions in the embedded Local API. The Linux and SSH detection collections ship installed, so brute-force and credential-stuffing behaviour against the host is detected out of the box. Add more collections from the hub to cover web servers, proxies, mail servers and dozens of other applications.
Firewall Remediation
The firewall bouncer, installed and run by its own systemd service, polls the Local API for active decisions and enforces them in iptables and ipset, so an attacking IP is dropped at the host firewall the moment a scenario fires. The bouncer authenticates to the engine with a per-instance API key generated on first boot, so no shared secret ships in the image.
Local API And State
The embedded Local API is bound to loopback and backed by a local database on a dedicated, independently resizable data disk, holding the machines, bouncers, alerts and decisions. Drive the engine entirely from the command line: list decisions, inspect metrics, add and remove bans, register additional bouncers and browse the detection hub. There is no web interface to secure: the API is private by default.
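To make concrete what the firewall bouncer described above does with the decisions held in the Local API, here is an added example (not CrowdSec's own bouncer code) that applies one decision-stream poll to a ban set and produces the ipset commands a packet-filter bouncer would run. It assumes the stream's {"new": [...], "deleted": [...]} shape with the decision fields type, scope, value and duration, a set name of crowdsec-blacklists, and a constructed sample payload.

```python
import ipaddress
import re
IPSET = "crowdsec-blacklists"  # assumed set name; the bouncer's own is configurable
_DUR_RE = re.compile(r"^(-)?(?:(\d+)h)?(?:(\d+)m)?(?:(\d+(?:\.\d+)?)s)?$")

def parse_go_duration(text):
    """Seconds from a Go duration like '3h59m56.957s'; negative means already expired."""
    m = _DUR_RE.match(text)
    if not m or text in ("", "-"):
        raise ValueError(f"unrecognised duration {text!r}")
    sign, h, mnt, s = m.groups()
    total = int(h or 0) * 3600 + int(mnt or 0) * 60 + float(s or 0)
    return -total if sign else total

def apply_stream(payload, banned):
    """Update `banned` (a set of CIDR strings) from one stream payload and return the
    ipset commands to run: deletions first, then bans that are enforceable and still live."""
    commands = []
    for d in payload.get("deleted") or []:
        if d["scope"] in ("Ip", "Range"):
            value = str(ipaddress.ip_network(d["value"], strict=False))
            if value in banned:
                banned.discard(value)
                commands.append(f"ipset del {IPSET} {value}")
    for d in payload.get("new") or []:
        if d["type"] != "ban" or d["scope"] not in ("Ip", "Range"):
            continue  # captcha decisions and Country scope are not for a packet filter
        try:
            value = str(ipaddress.ip_network(d["value"], strict=False))
            ttl = parse_go_duration(d["duration"])
        except ValueError:
            continue  # malformed value or duration: never ban on bad input
        if ttl > 0 and value not in banned:  # skip expired and duplicate decisions
            banned.add(value)
            commands.append(f"ipset add {IPSET} {value} timeout {int(ttl)}")
    return commands

SAMPLE_STREAM = {  # constructed; real payloads also carry id, origin and scenario
    "new": [
        {"type": "ban", "scope": "Ip", "value": "192.0.2.10", "duration": "3h59m56.957s"},
        {"type": "ban", "scope": "Range", "value": "198.51.100.0/24", "duration": "168h0m0s"},
        {"type": "captcha", "scope": "Ip", "value": "203.0.113.7", "duration": "4h0m0s"},
        {"type": "ban", "scope": "Ip", "value": "203.0.113.9", "duration": "-12m3.1s"},
    ],
    "deleted": [{"type": "ban", "scope": "Ip", "value": "192.0.2.99", "duration": "-1h0m0s"}],
}

def demo():
    banned = {"192.0.2.99/32"}  # state left over from the previous poll
    return banned, apply_stream(SAMPLE_STREAM, banned)
```

Running demo() drops the expired 192.0.2.99 ban, adds the two live ban decisions with their remaining lifetime as the ipset timeout, and ignores the captcha decision and the ban that had already expired in transit.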
Ready To Use
Connect over SSH and the engine is already running and protecting the host. Read the welcome notes, review the active decisions and metrics, install the collections that match your workloads and point the acquisition at your own log sources; bans are enforced automatically. The Local API database and engine state live on a dedicated data disk.
cloudimg Support
24/7 technical support by email and chat. Help with log acquisition configuration, collection and scenario selection, parser and whitelist tuning, bouncer deployment, central console enrolment, allowlisting and upgrade planning.
Use Cases
Host intrusion detection and prevention for an internet-facing server. SSH brute-force protection that bans attacking IPs at the firewall automatically. A behavioural security layer for a web server, reverse proxy or application host. A building block for a fleet-wide collaborative security posture.
All product and company names are trademarks or registered trademarks of their respective holders. Use of them does not imply any affiliation with or endorsement by them.