Introduction
What is CrowdSec Security Engine?
The Security Engine is a collaborative and lightweight Intrusion Detection System (IDS) and Web Application Firewall (WAF).
It begins by reading logs specified in acquisitions, then uses parsers to structure the information. This data is evaluated against scenarios, which are designed to detect specific types of attacks or suspicious patterns.
When an attack is identified, CrowdSec can apply a remediation, based on rules defined in profiles.
What makes CrowdSec unique is its collaborative threat intelligence system, where each protected system contributes to a community blocklist that helps everyone stay better protected.
What is a Remediation Component?
Remediation Components are software packages that connect to the Local API (LAPI) and enforce decisions made by the Security Engine.
Previously referred to as bouncers, these components can operate independently, such as the Firewall Remediation, which integrates with iptables, nftables, or pf. They can also be embedded directly into existing applications, such as Nginx, where Lua is used to enforce decisions at runtime.
Remediation Components are often referred to as the Intrusion Prevention System (IPS) layer, which complements the Intrusion Detection System (IDS) role of the Security Engine. They do not make decisions on their own; instead, they act based on what the Security Engine instructs.
Architecture Diagram
Prerequisites
We recommend that you understand the following prerequisites before installing CrowdSec:
Hardware
CrowdSec is lightweight software that can run on most modern hardware.
However, we recommend at least:
- platform:
  - amd64
  - arm64
  - armhf
- 1 CPU core
- 100MB of free RAM
- 1GB of free disk space
Operating System
We support the following operating systems:
Ports
CrowdSec Security Engine uses the following default ports (bound to localhost/loopback by default); these can be altered after installation:
- 6060/tcp: Prometheus metrics port
- 8080/tcp: API port
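To confirm that these ports are still bound to loopback only after a configuration change, the listener table can be checked. The script below is an added example, not part of CrowdSec or its documentation; it assumes a Linux host with `ss` from iproute2, and the function names `check_crowdsec_binds` and `constructed_ss_sample` are hypothetical.

```shell
#!/bin/sh
# Added example: flag the default CrowdSec ports when they listen on a
# non-loopback address. Reads `ss -Hltn` output on stdin (field 4 is the
# local "address:port"). Pass another port list as $1 if defaults changed.

check_crowdsec_binds() {
    awk -v ports="${1:-6060 8080}" '
    BEGIN { n = split(ports, p, " "); for (i = 1; i <= n; i++) want[p[i]] = 1 }
    $1 == "LISTEN" {
        ep = $4
        idx = match(ep, /:[0-9]+$/)        # position of the final ":port"
        if (!idx) next
        port = substr(ep, idx + 1)
        addr = substr(ep, 1, idx - 1)
        sub(/%.*$/, "", addr)              # drop a "%iface" scope suffix
        if (!(port in want)) next
        # Loopback forms: 127.0.0.0/8, ::1, and IPv4-mapped 127.x
        if (addr ~ /^127\./ || addr == "[::1]" || addr ~ /^\[::ffff:127\./) next
        printf "EXPOSED %s port %s\n", addr, port
        bad = 1
    }
    END { exit (bad ? 1 : 0) }'
}

# Constructed sample of `ss -Hltn` output (not captured from a real host):
# metrics port on loopback, API port on all interfaces, plus unrelated SSH.
constructed_ss_sample() {
    cat <<'EOF'
LISTEN 0 4096 127.0.0.1:6060 0.0.0.0:*
LISTEN 0 4096 0.0.0.0:8080 0.0.0.0:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 4096 [::1]:8080 [::]:*
EOF
}

# Demo on the constructed sample; on a live host run:
#   ss -Hltn | check_crowdsec_binds
constructed_ss_sample | check_crowdsec_binds || echo "review the bind addresses listed above"
```

A non-zero exit status means at least one of the checked ports is reachable beyond loopback, so the check can gate a deployment step or run from a monitoring job.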
Resources
Complete Introduction
Watch a short series of videos on how to install CrowdSec and protect your infrastructure
Learn with CrowdSec Academy