Crowdsec installation sanity check

Brian Yuen

Recommended Posts


I have a few of my containers accessible to the public (plex, overseerr, bitwarden, *arrs, etc) and thought it was time to take security more seriously.  Cloudflare is my registrar and I'm forwarding subdomains to NGINX Proxy Manager on my unRaid (eg., I've been doing some reading about Crowdsec and thought I've give it a shot. The Crowdsec container installation from the unRaid App section went fairly smoothly, although documentation was sourced from multiple places due to my particular setup.  There's a ton of moving parts, but I BELIEVE I have it set up correctly, but wanted to run it past you fine folks to see if I did it correctly. Currently, I have it setup where Cloudflare is the 'bouncer'. I'm able to manually block my IP, so that seems to be working.  The one area that I'm still not quite sure about is the part where Crowdsec analyzes the logs on my machine.


  1. Since all external connections coming in run through NPM, is it safe to say that Crowdsec only needs to analyze NPM logs? Or does it need logs from the other containers as well?
  2. Can Crowdsec analyze symlinks for the logs?
    #Inside /mnt/user/appdata/shared/crowdsec
    ln -s /mnt/user/appdata/NginxProxyManager/logs/proxy-host-6_error.log proxy-host-6_error.log
  3. How can I check if Crowdsec is seeing my logs correctly?


Thank you! I'm still wrapping my head around Crowdsec and would definitely appreciate some guidance.

Link to comment
  • 2 months later...
  • 4 weeks later...

Personally, I'm not comfortable exposing my *arrs to the internet. I instead created a split tunnel vpn using wireguard into my LAN, and am able to access anything behind my firewall as though I am local. If you're concerned about internet security, this is a much safer option. Expose as little attack surface as possible. My router has one port(non-default) exposed for plex, and all the rest of my services are behind the firewall.

Link to comment
  • 2 weeks later...

Crowdsec can be a bit of a struggle to setup correctly


1. access logs are certainly the main source of data for crowdsec, you can also install "collections" for other applications and point those to the relevant logs. This is just additional though and crowdsec will always provide baseline security with just access logs.

2. I'm not sure but you can check yourself with...

3. login to your crowdsec container and run "cscli metrics", at the top under "acquisition metrics" you should see your logs with some statistics


Since you are using cloudflare as your bouncer, are you 100% only cloudflare can reach your endpoints?

Screenshot from 2023-06-16 20-49-10.png

Link to comment

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.