Overview
CrowdSec engine and bouncer running
cscli version reporting 1.7.8 and cscli lapi status confirming the agent authenticates to the loopback Local API, with the crowdsec and firewall-bouncer services active.
CrowdSec engine and bouncer running
cscli metrics and collections
Decisions and firewall bouncer
This is a repackaged open source software product wherein additional charges apply for cloudimg support services.
Overview CrowdSec is a free and open source, collaborative behavioural security engine. It parses logs, detects aggressive and malicious behaviour using a curated library of detection scenarios, and remediates by blocking the offending source IPs. This image delivers CrowdSec fully installed and running as a system service, with detection collections installed and a firewall remediation bouncer already enforcing decisions, so a host intrusion detection and prevention appliance is protecting the box within minutes of launch.
Detection Engine The crowdsec agent installed from the official package repository and run by the bundled systemd service, started on boot and restarted on failure. It tails the system journal and the SSH authentication log, runs the events through the installed parsers and scenarios, and records its verdicts as decisions in the embedded Local API. The Linux and SSH detection collections ship installed, so brute-force and credential-stuffing behaviour against the host is detected out of the box. Add more collections from the hub to cover web servers, proxies, mail servers and dozens of other applications.
Firewall Remediation The firewall bouncer installed and run by its own systemd service polls the Local API for active decisions and enforces them in iptables and ipset, so an attacking IP is dropped at the host firewall the moment a scenario fires. The bouncer authenticates to the engine with a per-instance API key generated on first boot, so no shared secret ships in the image.
Local API And State The embedded Local API is bound to loopback and backed by a local database on a dedicated, independently resizable data disk, holding the machines, bouncers, alerts and decisions. Drive the engine entirely from the command line: list decisions, inspect metrics, add and remove bans, register additional bouncers and browse the detection hub. There is no web interface to secure: the API is private by default.
Ready To Use Connect over SSH and the engine is already running and protecting the host. Read the welcome notes, review the active decisions and metrics, install the collections that match your workloads, point the acquisition at your own log sources and the bans are enforced automatically. The Local API database and engine state live on a dedicated data disk.
cloudimg Support 24/7 technical support by email and chat. Help with log acquisition configuration, collection and scenario selection, parser and whitelist tuning, bouncer deployment, central console enrolment, allowlisting and upgrade planning.
Use Cases Host intrusion detection and prevention for an internet-facing server. SSH brute-force protection that bans attacking IPs at the firewall automatically. A behavioural security layer for a web server, reverse proxy or application host. A building block for a fleet-wide collaborative security posture.
All product and company names are trademarks or registered trademarks of their respective holders. Use of them does not imply any affiliation with or endorsement by them.
Highlights
- CrowdSec, the open source MIT-licensed collaborative behavioural security engine (IDS/IPS), preinstalled and running as a systemd service with the Linux and SSH detection collections installed, no manual setup required
- The firewall remediation bouncer is installed and active, polling the loopback Local API and enforcing bans in iptables and ipset with a per-instance API key generated on first boot, so attacking IPs are dropped at the host firewall automatically
- Drive the engine from the command line to list decisions, inspect metrics, add bans and install hub collections, with the Local API database on a dedicated, independently resizable data disk and 24/7 technical support from cloudimg
Details
Introducing multi-product solutions
You can now purchase comprehensive solutions tailored to use cases and industries.
Features and programs
Financing for AWS Marketplace purchases
Pricing
Free trial
- ...
Dimension | Description | Cost/hour |
|---|---|---|
t3.small Recommended | t3.small | $0.05 |
t2.micro | t2.micro instance type | $0.04 |
t3.micro | t3.micro instance type | $0.04 |
c5a.12xlarge | c5a.12xlarge instance type | $0.24 |
c5a.16xlarge | c5a.16xlarge instance type | $0.24 |
c5a.24xlarge | c5a.24xlarge instance type | $0.24 |
c5a.2xlarge | c5a.2xlarge instance type | $0.24 |
c5a.4xlarge | c5a.4xlarge instance type | $0.24 |
c5a.8xlarge | c5a.8xlarge instance type | $0.24 |
c5a.large | c5a.large instance type | $0.08 |
Vendor refund policy
Refunds available on request.
How can we make this page better?
Legal
Vendor terms and conditions
Content disclaimer
Delivery details
64-bit (x86) Amazon Machine Image (AMI)
Amazon Machine Image (AMI)
An AMI is a virtual image that provides the information required to launch an instance. Amazon EC2 (Elastic Compute Cloud) instances are virtual servers on which you can run your applications and workloads, offering varying combinations of CPU, memory, storage, and networking resources. You can launch as many instances from as many different AMIs as you need.
Version release notes
Initial release of CrowdSec 1.7.8, the open source collaborative behavioural security engine, as a ready-to-use detection and firewall-remediation service with the Linux and SSH collections installed.
Additional details
Usage instructions
Connect via SSH on port 22 as the default login user for your operating system variant (the user guide lists it per variant). This is a headless security-engine service: there is no web interface. Read the welcome notes with: sudo cat /root/crowdsec-info.txt. Confirm the engine and the bouncer are running with: systemctl status crowdsec and systemctl status crowdsec-firewall-bouncer. Check the agent can reach the Local API with: sudo cscli lapi status. The Local API is bound to loopback on port 8080 (health: curl http://127.0.0.1:8080/health ). Operate the engine with cscli: sudo cscli metrics, sudo cscli decisions list, sudo cscli collections list, sudo cscli bouncers list. Install more detection collections from the hub with: sudo cscli collections install crowdsecurity/<name> then sudo systemctl reload crowdsec. Point the log acquisition at your own sources by editing /etc/crowdsec/acquis.yaml. The Local API database and engine state live on a dedicated data disk mounted at /var/lib/crowdsec.
Resources
Vendor resources
Support
Vendor support
cloudimg provides 24/7 technical support for this product by email and live chat. Our engineers help with deployment, configuration, updates, performance tuning and troubleshooting; critical issues receive a one hour average response. Contact support@cloudimg.co.uk .
AWS infrastructure support
AWS Support is a one-on-one, fast-response support channel that is staffed 24x7x365 with experienced and technical support engineers. The service helps customers of all sizes and technical abilities to successfully utilize the products and features provided by Amazon Web Services.