May 06, 2025 · Privacy & Self-Hosting / Intermediate · ~2 MIN READ
How to Set Up CrowdSec for Home Lab Security
Detect suspicious authentication and web activity and enforce blocks through the correct CrowdSec remediation bouncer.
Who This Is For
Intermediate.
Think of it like a neighbourhood watch that actually shares notes. One house spots a suspicious car circling the block, and now the whole street knows to watch for it too.
What You’ll Build
CrowdSec detects SSH or web events and applies an enforceable block through the correct bouncer component.
Prerequisites
- A Linux host with SSH and/or Nginx logs to monitor
Detection vs. Enforcement
CrowdSec’s security engine only detects events from logs. A separate bouncer component is what actually enforces a block, pick the right one for the job: a firewall bouncer for host-level protection, or an Nginx bouncer for web applications.
Install CrowdSec
$ curl -s https://install.crowdsec.net | sudo sh
Configure Log Acquisition
Point CrowdSec at your SSH logs, Nginx/reverse-proxy logs, and any Docker logs worth watching, then install the matching collections (e.g. crowdsecurity/sshd, crowdsecurity/nginx).
Install a Bouncer
$ sudo apt install crowdsec-firewall-bouncer-iptables
Test Safely
Trigger a controlled failed-login test from a machine you control, then confirm a decision was issued:
$ sudo cscli decisions list
Whitelist Trusted Networks
Carefully whitelist your own internal subnets and remote-access IP so you don’t accidentally ban yourself.
Send Alerts
Wire up notifications to Discord, email, or another channel so you actually see what CrowdSec is blocking.
Security & Backup Notes
- If the reverse proxy hides the real client IP from CrowdSec, every ban will target the proxy itself, configure trusted proxy headers correctly first
Troubleshooting
- Engine sees logs but blocks nothing, no bouncer is installed, or it’s the wrong type for this traffic
- Wrong bouncer type, a firewall bouncer won’t help with application-layer web attacks; use the Nginx bouncer for those
- Reverse proxy hides the actual client IP, configure
X-Forwarded-Forhandling correctly, or bans will hit the proxy - Locking yourself out, always whitelist your own management IPs before testing
Lab Finish Line
CrowdSec detects SSH or web events and applies an enforceable decision through a bouncer.