CrowdSec: Behavioral Intrusion Detection for Self-Hosted Infrastructure
Learn how to deploy CrowdSec on your self-hosted server. Covers log acquisition, scenario tuning, Cloudflare bouncer integration, and community threat intelligence for automated IP blocking.

INTRUSION DETECTION
Why Static Firewall Rules Are No Longer Enough
Traditional firewall rules are static. You define what is allowed and what is blocked — and everything else passes through unexamined. This model works well for known threats but fails completely against behavioral attacks: credential stuffing, slow-rate probing, distributed brute force, and vulnerability scanning that stays just below rate-limit thresholds.
CrowdSec takes a different approach. Instead of matching traffic against static rules, it analyzes your server logs in real time and detects attack patterns through behavioral scenarios. When a pattern matches — too many 404s, repeated authentication failures, systematic path probing — CrowdSec automatically bans the offending IP.
What makes CrowdSec uniquely powerful for self-hosters is its community intelligence layer. Every CrowdSec installation shares anonymized attack data with a central hub. When your server detects an attacker, that IP gets flagged for every other CrowdSec user globally. You benefit from the collective defense of thousands of servers without sharing any sensitive data.
CrowdSec vs Traditional IPS
Unlike traditional intrusion prevention systems, CrowdSec separates detection from enforcement. The detection engine analyzes logs and makes decisions. Bouncers — separate components — enforce those decisions at whatever layer makes sense for your architecture: the firewall, the reverse proxy, or the CDN edge.
How CrowdSec Processes and Blocks Threats
CrowdSec reads your service logs, runs them through behavioral scenarios, and pushes ban decisions to bouncers that enforce blocking at the appropriate layer.
From raw log line to edge-level IP block — the complete CrowdSec decision pipeline
Log-Based Detection
CrowdSec reads existing log files — no traffic mirroring or inline proxy required. Works with any service that writes logs.
Behavioral Scenarios
Detection is based on patterns over time, not individual requests. Slow attacks that bypass rate limits are caught by scenario logic.
Decoupled Enforcement
Bouncers enforce bans independently of the detection engine. A Cloudflare bouncer blocks at the edge; a firewall bouncer blocks at the OS level.
Community Intelligence
Confirmed attackers are shared with the CrowdSec Hub. Your installation receives pre-emptive blocks for IPs already flagged by the community.
CrowdSec Deployment Process
From installation to active protection — the complete setup sequence for a self-hosted environment behind Cloudflare Tunnel.
Install CrowdSec on your server. The agent runs as a systemd service and requires access to your service log files.
Configure log acquisition. Tell CrowdSec which log files to watch and which parser to use for each service type.
Install the collections for your services. Collections bundle the parsers and scenarios needed for specific software like Traefik, Nginx, or SSH.
Deploy a bouncer. For Cloudflare Tunnel architectures, the Cloudflare Worker Bouncer enforces bans at the edge using Cloudflare KV storage.
Tune your scenarios. Adjust thresholds and capacities to match your traffic baseline and reduce false positives.
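The tuning step above is easier to reason about with a concrete model of what a behavioral scenario does. The following is an added illustration, not CrowdSec's own engine: a leaky bucket per source IP, where each matching event adds one unit, the bucket drains at a fixed rate (the leakspeed), and the bucket overflowing its capacity is the ban. The event shape ({ ip, status, path, ts }), the sample events and the scenario name are constructed for the example; the capacity and leakspeed values are illustrative, not Hub defaults.

```javascript
// Added example: a leaky-bucket "scenario" in the spirit of CrowdSec's HTTP
// probing detections. Not CrowdSec's code; field names mirror the concepts
// (capacity, leakspeed, filter) but the semantics are this example's own:
// the bucket overflows when its level exceeds `capacity`.
class LeakyBucketScenario {
  constructor({ name, capacity, leakspeedSeconds, filter }) {
    this.name = name;
    this.capacity = capacity;
    this.leakspeed = leakspeedSeconds;
    this.filter = filter;                 // which events this scenario counts
    this.buckets = new Map();             // ip -> { level, lastSeen }
  }

  // Feed one parsed event (ts in milliseconds). Returns a decision or null.
  feed(event) {
    if (!this.filter(event)) return null;
    const bucket = this.buckets.get(event.ip) ?? { level: 0, lastSeen: event.ts };
    // Drain: one unit leaks every `leakspeed` seconds since the previous event.
    const elapsedSeconds = (event.ts - bucket.lastSeen) / 1000;
    bucket.level = Math.max(0, bucket.level - elapsedSeconds / this.leakspeed);
    bucket.level += 1;
    bucket.lastSeen = event.ts;
    this.buckets.set(event.ip, bucket);
    if (bucket.level > this.capacity) {
      this.buckets.delete(event.ip);      // overflow: reset the bucket and alert
      return { scenario: this.name, type: 'ban', ip: event.ip, at: event.ts };
    }
    return null;
  }
}

// Constructed sample events (what a parser would produce from access logs).
const SAMPLE_EVENTS = [
  // 203.0.113.7: a burst of 404s, one per second (fast scanner)
  ...[0, 1, 2, 3, 4].map(s => ({ ip: '203.0.113.7', status: 404, path: `/probe-${s}`, ts: s * 1000 })),
  // 198.51.100.2: a real user following three dead links over two minutes
  ...[0, 60, 120].map(s => ({ ip: '198.51.100.2', status: 404, path: '/old-page', ts: s * 1000 })),
  // 192.0.2.9: one 404 every 5 s for a minute (slow scanner, under most rate limits)
  ...Array.from({ length: 12 }, (_, i) => ({ ip: '192.0.2.9', status: 404, path: `/probe-${i}`, ts: i * 5000 })),
].sort((a, b) => a.ts - b.ts);

// Run a 404-probing scenario with the given tuning over a list of events and
// return the ban decisions it produced.
function runScenario(events, { capacity, leakspeedSeconds }) {
  const scenario = new LeakyBucketScenario({
    name: 'example/http-404-probing',   // constructed name, not a Hub scenario
    capacity,
    leakspeedSeconds,
    filter: e => e.status === 404,
  });
  const decisions = [];
  for (const e of events) {
    const d = scenario.feed(e);
    if (d) decisions.push(d);
  }
  return decisions;
}

// With capacity 4 / leakspeed 10 s both scanners are banned and the real user is
// not; raising capacity to 8 lets both scanners through. That gap is what
// "tune to your baseline" means in practice.
console.log(runScenario(SAMPLE_EVENTS, { capacity: 4, leakspeedSeconds: 10 }));
console.log(runScenario(SAMPLE_EVENTS, { capacity: 8, leakspeedSeconds: 10 }));
```

The slow scanner is the case a plain per-second rate limit misses: one request every five seconds never trips a "N requests per second" rule, but the bucket still fills faster than it drains and overflows on the eighth request. Lower the capacity to catch it sooner, raise it (or the leakspeed) when legitimate traffic with many 404s starts appearing in the decisions.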
ARCHITECTURE
Integrating CrowdSec with Cloudflare Tunnel
The Challenge of Tunnel Architectures
When running behind Cloudflare Tunnel, traditional bouncers — Traefik Plugin Bouncer, Firewall Bouncer — do not work as expected. All traffic arrives from Cloudflare's edge nodes, so firewall-level blocking only affects Cloudflare's own IPs, not the actual attackers. The real client IP is carried in the CF-Connecting-IP header, not the connection source.
The correct architecture for Cloudflare Tunnel environments is the Cloudflare Worker Bouncer. Instead of blocking at your server, it pushes ban decisions to Cloudflare KV storage. A Cloudflare Worker intercepts requests at the edge and blocks banned IPs before they reach your tunnel — the attack never makes it to your origin.
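To make the edge-blocking flow concrete, here is an added illustration of the Worker side of that architecture. It is not the CrowdSec Cloudflare Worker Bouncer's code: the KV key layout (one "ban:<ip>" key per banned address), the FakeKV stand-in, the sample decisions and the decision field names used (value, type, duration, scenario) are assumptions for the example.

```javascript
// Added example: shape of an edge-blocking Worker fed from CrowdSec decisions.
// Not the official bouncer's code; key layout and field names are assumed.

// Stand-in for a Cloudflare KV namespace binding so the logic runs under Node.
// Real KV: get(key) -> Promise<string|null>, put(key, value, { expirationTtl }).
class FakeKV {
  constructor() { this.store = new Map(); }
  async get(key) {
    const entry = this.store.get(key);
    if (!entry) return null;
    if (entry.expiresAt !== null && entry.expiresAt <= Date.now()) {
      this.store.delete(key);             // TTL elapsed: the ban has expired
      return null;
    }
    return entry.value;
  }
  async put(key, value, { expirationTtl } = {}) {
    const expiresAt = expirationTtl ? Date.now() + expirationTtl * 1000 : null;
    this.store.set(key, { value, expiresAt });
  }
}

// Go-style durations ("3h59m", "4h", "30s") as found in decision records.
function goDurationToSeconds(d) {
  const mult = { h: 3600, m: 60, s: 1 };
  let total = 0;
  for (const [, n, unit] of d.matchAll(/(\d+)([hms])/g)) total += Number(n) * mult[unit];
  return total;
}

// Write ban decisions into KV. The TTL mirrors the decision's remaining duration,
// so the ban expires at the edge by itself and persists across Worker restarts
// until then. Returns how many keys were written.
async function syncDecisions(kv, decisions) {
  let written = 0;
  for (const d of decisions) {
    if (d.type !== 'ban') continue;       // only ban decisions are enforced here
    const ttl = goDurationToSeconds(d.duration);
    if (ttl <= 0) continue;
    await kv.put(`ban:${d.value}`, d.scenario ?? 'ban', { expirationTtl: ttl });
    written++;
  }
  return written;
}

// Per-request decision. The real client address is CF-Connecting-IP, which
// Cloudflare sets at the edge; the tunnelled connection's TCP source is not it.
async function decideRequest(headers, kv) {
  const clientIp = headers.get('CF-Connecting-IP');
  if (!clientIp) return { action: 'block', ip: null, reason: 'no client ip' }; // fail closed
  const hit = await kv.get(`ban:${clientIp}`);
  return hit === null
    ? { action: 'allow', ip: clientIp, reason: null }
    : { action: 'block', ip: clientIp, reason: hit };
}

// Worker entry point: in a real Worker this function is exported as `fetch`
// with env.CROWDSEC_DECISIONS (assumed binding name) bound to the KV namespace.
async function handleFetch(request, env) {
  const decision = await decideRequest(request.headers, env.CROWDSEC_DECISIONS);
  if (decision.action === 'block') return new Response('Forbidden', { status: 403 });
  return fetch(request);                  // allowed: forward to the origin via the tunnel
}

// Constructed sample decisions in the shape of LAPI decision records.
const SAMPLE_DECISIONS = [
  { type: 'ban', value: '203.0.113.7', duration: '3h59m', scenario: 'crowdsecurity/http-probing' },
  { type: 'captcha', value: '198.51.100.2', duration: '1h' },
];
```

Two design points worth keeping when you build on this: the Worker fails closed when the client IP header is missing (it should never be missing on traffic that really came through Cloudflare), and the KV TTL is derived from the decision duration rather than being a fixed constant, so an unban or an expiry on the CrowdSec side does not leave a stale block at the edge for longer than the original ban.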
Real IP Extraction
For CrowdSec to make correct ban decisions, it must analyze the real client IP from logs — not Cloudflare's edge IP. This requires a custom parser that extracts the client IP from the CF-Connecting-IP field in your reverse proxy logs. Without this parser, CrowdSec bans Cloudflare's infrastructure instead of the actual attacker.
Log Acquisition for Traefik
Traefik writes access logs in a structured format that CrowdSec can parse with the official Traefik collection. Configure log acquisition to point at your Traefik access log file and specify the Traefik log type. CrowdSec will immediately begin processing existing log entries and continue in real time.
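The real-IP extraction and the Traefik log acquisition described above come together in the following added example, which is illustrative code and not the Hub's Traefik parser (that one is a YAML/grok parser). It assumes Traefik runs with JSON access logs and is configured to keep the CF-Connecting-IP request header, which it then emits under the field name request_Cf-Connecting-Ip; the trusted-proxy addresses and the sample log lines are constructed.

```javascript
// Added example: Traefik JSON access-log lines -> detection events keyed by the
// real client IP. Not CrowdSec's parser. Assumes accesslog.format=json and the
// CF-Connecting-IP header kept, surfacing as "request_Cf-Connecting-Ip".

// The connection-level source (ClientHost) is only the tunnel hop. The header is
// honored only when that hop is one we expect; otherwise a client connecting
// some other way could set the header itself and make us ban any address.
const TRUSTED_PROXIES = new Set(['127.0.0.1', '172.18.0.5']); // constructed: cloudflared addresses

// Parse one line. Returns { ip, status, path, ts } or null for lines to skip.
function parseTraefikLine(line, trustedProxies = TRUSTED_PROXIES) {
  let rec;
  try { rec = JSON.parse(line); } catch { return null; }        // not JSON: skip
  if (typeof rec.ClientHost !== 'string' || typeof rec.DownstreamStatus !== 'number') return null;
  const ts = Date.parse(rec.StartUTC);
  if (Number.isNaN(ts)) return null;                            // no usable timestamp
  const hdr = rec['request_Cf-Connecting-Ip'];
  const headerUsable = typeof hdr === 'string' && hdr !== '' && hdr !== '-';
  const ip = trustedProxies.has(rec.ClientHost) && headerUsable ? hdr : rec.ClientHost;
  return { ip, status: rec.DownstreamStatus, path: rec.RequestPath ?? '', ts };
}

// Parse a whole log chunk (newline-separated), dropping unparseable lines.
function parseTraefikLog(text, trustedProxies = TRUSTED_PROXIES) {
  return text.split('\n')
    .map(l => parseTraefikLine(l, trustedProxies))
    .filter(e => e !== null);
}

// Constructed sample lines in Traefik's JSON access-log shape.
const SAMPLE_LOG = [
  '{"ClientHost":"127.0.0.1","DownstreamStatus":404,"RequestMethod":"GET","RequestPath":"/backup.zip","StartUTC":"2024-05-01T10:00:00.000Z","request_Cf-Connecting-Ip":"203.0.113.7"}',
  '{"ClientHost":"127.0.0.1","DownstreamStatus":200,"RequestMethod":"GET","RequestPath":"/","StartUTC":"2024-05-01T10:00:01.000Z","request_Cf-Connecting-Ip":"198.51.100.2"}',
  // header present, but the connection did not arrive via the tunnel hop: keep ClientHost
  '{"ClientHost":"192.0.2.9","DownstreamStatus":404,"RequestMethod":"GET","RequestPath":"/.env","StartUTC":"2024-05-01T10:00:02.000Z","request_Cf-Connecting-Ip":"10.0.0.1"}',
  'not a json line',
].join('\n');

console.log(parseTraefikLog(SAMPLE_LOG));
```

Without the header lookup every event would carry the tunnel hop's address (127.0.0.1 here), which is exactly the failure the section above warns about: the bans land on your own infrastructure. The trusted-proxy check is the other half of the same concern in the opposite direction.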
REMOTE ACCESS
Protect Your Admin Sessions
A zero-exposure architecture secures your server. A VPN secures you — encrypting your connection when managing infrastructure from untrusted networks, coffee shops, or travel. NordVPN is what we use for this layer.
CrowdSec Defense Layers
A complete CrowdSec deployment covers multiple attack vectors simultaneously. Each layer handles a different class of threat.
- Blocks banned IPs at Cloudflare's edge before reaching origin
- Decisions stored in Cloudflare KV — zero latency enforcement
- Covers all hostnames under your Cloudflare zone simultaneously
- Ban decisions persist across Worker restarts

- HTTP probing detection — catches systematic path and vulnerability scanning
- Brute force detection for login endpoints and admin interfaces
- 400/401/403 flood detection for credential stuffing attempts
- Generic HTTP flood detection tuned to your baseline traffic

- Automatic subscription to CrowdSec's community blocklist
- Pre-emptive blocks for IPs with confirmed malicious history
- Blocklist refreshes on a configurable schedule
- Anonymized data sharing — no sensitive content leaves your server

- Daily hub updates via cron to keep scenarios and parsers current
- Manual unban capability for false positive remediation
- Decision audit log for security incident review
- Metrics endpoint for Grafana integration
CrowdSec's Traefik Plugin Bouncer and Firewall Bouncer are incompatible with Cloudflare Tunnel architectures. Both attempt to block at the server level, but all traffic arrives from Cloudflare's IP range — blocking has no effect on actual attackers. Use only the Cloudflare Worker Bouncer for tunnel-based deployments. Attempting to run incompatible bouncers alongside the Worker Bouncer creates conflicting decision enforcement and should be avoided.
CrowdSec Collections by Service Type
Collections bundle the parsers and scenarios needed for each service. Install the collection for every service whose logs CrowdSec monitors.
Reverse Proxy
Traefik and Nginx collections provide HTTP access log parsing and web attack scenarios. Essential for any internet-facing infrastructure.
SSH
The base Linux collection includes SSH brute force detection. Critical for any server with SSH enabled, even on non-standard ports.
Web Applications
Application-specific collections for WordPress, Nextcloud, and similar platforms detect application-layer attacks that generic HTTP scenarios miss.
Custom Parsers
When your log format is non-standard — custom applications, modified log patterns — a custom parser maps your fields to CrowdSec's internal schema.
CrowdSec Production Checklist
Verify each item before considering your CrowdSec deployment production-ready.