SKIP TO CONTENT
FL1GHT5 Network

May 06, 2025 · Privacy & Self-Hosting / Intermediate · ~2 MIN READ

How to Set Up CrowdSec for Home Lab Security

Detect suspicious authentication and web activity and enforce blocks through the correct CrowdSec remediation bouncer.

Who This Is For

Intermediate.

Think of it like a neighbourhood watch that actually shares notes. One house spots a suspicious car circling the block, and now the whole street knows to watch for it too.

What You’ll Build

CrowdSec detects SSH or web events and applies an enforceable block through the correct bouncer component.

Prerequisites

  • A Linux host with SSH and/or Nginx logs to monitor

Detection vs. Enforcement

CrowdSec’s security engine only detects events from logs. A separate bouncer component is what actually enforces a block, pick the right one for the job: a firewall bouncer for host-level protection, or an Nginx bouncer for web applications.

Install CrowdSec

$ curl -s https://install.crowdsec.net | sudo sh

Configure Log Acquisition

Point CrowdSec at your SSH logs, Nginx/reverse-proxy logs, and any Docker logs worth watching, then install the matching collections (e.g. crowdsecurity/sshd, crowdsecurity/nginx).

Install a Bouncer

$ sudo apt install crowdsec-firewall-bouncer-iptables

Test Safely

Trigger a controlled failed-login test from a machine you control, then confirm a decision was issued:

$ sudo cscli decisions list

Whitelist Trusted Networks

Carefully whitelist your own internal subnets and remote-access IP so you don’t accidentally ban yourself.

Send Alerts

Wire up notifications to Discord, email, or another channel so you actually see what CrowdSec is blocking.

Security & Backup Notes

  • If the reverse proxy hides the real client IP from CrowdSec, every ban will target the proxy itself, configure trusted proxy headers correctly first

Troubleshooting

  • Engine sees logs but blocks nothing, no bouncer is installed, or it’s the wrong type for this traffic
  • Wrong bouncer type, a firewall bouncer won’t help with application-layer web attacks; use the Nginx bouncer for those
  • Reverse proxy hides the actual client IP, configure X-Forwarded-For handling correctly, or bans will hit the proxy
  • Locking yourself out, always whitelist your own management IPs before testing

Lab Finish Line

CrowdSec detects SSH or web events and applies an enforceable decision through a bouncer.

What to Build Next

NEXT STEP

Want this running in your business?

Everything in the Lab is a service we deliver. If this guide describes your problem, skip the DIY weekend — send the brief.

FIVE MINUTES TO WRITE · A WRITTEN PLAN BACK · NO SALES CALL UNLESS YOU WANT ONE