Skip to main content
Version: v1.2

Install CrowdSec

For those that prefer hands-on approach, you can as well manually install crowdsec.

Install our repositories#

Installing our repositories allows you to access the latest packages of crowdsec and bouncers.


We are using service. While curl | sudo bash can be convenient for some, alternative installation methods are available.

curl -s | sudo bash

Install crowdsec#

apt install crowdsec

You now have crowdsec running ! You can move forward and install a bouncer, or take a tour of the software beforehand !


Keep in mind that CrowdSec is only in charge of the "detection", and won't block anything on its own. You need to deploy a bouncer to "apply" decisions.

Install a bouncer#

apt install crowdsec-firewall-bouncer-iptables

While we're suggesting the most common firewall bouncer, check our hub for more bouncers. Find a bouncer directly for your application (nginx, php, wordpress) or your providers (cloudflare, AWS/GCP/...)

Running cscli on macos#

While it does not make much sense to run crowdsec itself on MacOS, being able to run cscli to interact with remote crowdsec instances is very useful.

We do not currently provide prebuilt binary for MacOS, but you can:

  • Build cscli yourself
  • Use our docker image

Building cscli#

In order to build cscli from source, you will need to have at least golang 1.16 installed.

You can build from the git master branch or download a source release here.


If you choose to install from a release, make sure to download the Source code asset, not the release itself !

Once you have the code, you can run make release to build crowdsec and cscli.

The cscli binary will be located in crowdsec-$VERSION/cmd/crowdsec-cli/cscli, you can copy it anywhere in your PATH.

Using the docker image#


We do not provide ARM64 images currently, but the x86 one works fine on ARM64 Macs.

You can also use our docker image.

In order to simplify the usage, you can create a shell alias:

alias cscli="docker run --rm --entrypoint /usr/local/bin/cscli  -v PATH_TO_CROWDSEC_CONFIG:/etc/crowdsec/config.yaml -v PATH_TO_LAPI_CREDENTIALS:/etc/crowdsec/local_api_credentials.yaml -e DISABLE_ONLINE_API=true -e DISABLE_AGENT=true crowdsecurity/crowdsec:latest"


In order to use cscli with a remote crowdsec agent, you need to be able to access from the machine where cscli will run:

  • Crowdsec Local API: for most basic operations
  • Crowdsec database (this means that you cannot use sqlite): for administrative operations (adding new bouncers/machines, listing them, ...)

Create a local config.yaml (you can use the default configuration file as a base).

Update the db_config section to put the correct type, host, port, username and password.

You can refer here for more information about the database configuration.

Optionally, if you have built cscli from source, you can also update the various paths in the configuration to point them to files in your home directory for simplicity.

On the machine where LAPI is running, run cscli machines add NAME_OF_LOCAL_MACHINE -f local_machines_creds.yaml -a to generate new LAPI credentials to use for your local cscli.


The URL in the generated file will likely be wrong, make sure to update it to the actual IP or FQDN on which your LAPI is available.

Copy this file locally either to the credentials file you bind-mount in your docker container or to the file loaded by cscli (by default, /etc/crowdsec/local_api_credentials.yaml)

You are now able to use cscli from your macOS machine.

Running crowdsec on raspberry pi os/raspbian#

Please keep in mind that raspberry pi OS is designed to work on all raspberry pi versions. Even if the port target is known as armhf, it's not exactly the same target as the debian named armhf port.

The best way to have a crowdsec version for such an architecture is to do:

  1. install golang (all versions from 1.16 will do)
  2. export GOARCH=arm
  3. export CGO=1
  4. Update the GOARCH variable in the Makefile to arm
  5. install the arm gcc cross compilator (On debian the package is gcc-arm-linux-gnueabihf)
  6. Compile crowdsec using the usual make command