CrowdSec, a self-hosted open-source IDS/IPS security solution that protects servers, services, containers, and applications from malicious traffic, has just rolled out version 1.7.
The headline feature is a new cscli setup command. Instead of requiring manual tweaks, it now auto-detects more services right out of the box. That includes Linux, BSD, and Windows, though for now, the auto-detection only runs during install time for DEB and RPM packages.
Users can also provide their own detection configs during setup, which is handy for custom log paths or non-standard services. Better still, if you’re running things with Ansible or another config manager, the detection can be skipped altogether.
CrowdSec 1.7 also adds usage metrics for better visibility. Log processors now report how many lines are read and parsed per datasource, along with parser stats like parsed, unparsed, or whitelisted events. These numbers are sent to LAPI and can be viewed with cscli machines inspect. In later versions, the team plans to surface them in the console to help flag misconfigurations.
On the container side, CrowdSec’s Docker datasource now supports Swarm when deployed on a manager node. However, there’s a breaking change you should be aware of: starting with 1.7, running CrowdSec in Docker or Podman requires mounting a volume at “/var/lib/crowdsec/data/”. Without it, the container won’t start. Kubernetes users aren’t affected.
For web application firewalls, integration with the OWASP Core Rule Set has been tightened up, and work is ongoing to make those protections smoother. In addition, new expression helpers allow calculating the average and median time between events. This makes it possible to catch extremely slow brute-force attempts that traditional detection rules might miss.
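The interval idea above, as an added Python example (not CrowdSec code and not its expression syntax): a count-in-window rule misses a source that fails a login every 15 minutes, while the average and median gap between its events expose the steady cadence. The thresholds, the "average close to median" steadiness heuristic, and the events themselves are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta
from statistics import mean, median

T0 = datetime(2025, 1, 1)  # constructed base time

def _at(offsets):
    return [T0 + timedelta(seconds=s) for s in offsets]

# Constructed failed-login timestamps per source (documentation IP ranges).
JITTER = [0, 20, -15, 30, -10, 5, 0, -25, 15, 10, -5, 0]
SAMPLE = {
    "203.0.113.10": _at(range(0, 20, 2)),                            # 2 s apart
    "198.51.100.7": _at(i * 900 + j for i, j in enumerate(JITTER)),  # ~15 min apart
    "192.0.2.44": _at([0, 5, 12, 10800, 10806, 90000, 90004, 180000]),  # irregular
}

def gaps(timestamps):
    """Seconds between consecutive events, in time order."""
    ts = sorted(timestamps)
    return [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]

def burst(timestamps, limit=5, window=60):
    """Classic threshold rule: `limit` failures inside `window` seconds."""
    ts = sorted(timestamps)
    return any((ts[i + limit - 1] - ts[i]).total_seconds() <= window
               for i in range(len(ts) - limit + 1))

def slow_and_steady(timestamps, min_events=8, window=60, max_skew=0.2):
    """Many failures, spaced wider than the burst window, at a regular pace.
    Regular pace is approximated (assumption) by average ~= median gap."""
    if len(timestamps) < min_events:
        return False
    g = gaps(timestamps)
    avg, med = mean(g), median(g)
    return med > window and abs(avg - med) / med <= max_skew

def classify(events):
    verdicts = {}
    for ip, ts in events.items():
        if burst(ts):
            verdicts[ip] = "burst"
        elif slow_and_steady(ts):
            verdicts[ip] = "slow"
        else:
            verdicts[ip] = "clean"
    return verdicts

if __name__ == "__main__":
    for ip, verdict in classify(SAMPLE).items():
        print(ip, verdict)
```

The irregular source has as many failures as the threshold requires, but its median gap is seconds while its average gap is hours, so it is not mistaken for a paced attack.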
Lastly, the old cscli dashboard command is gone. Anyone still relying on the Metabase dashboard is encouraged to migrate to CrowdSec’s online console at app.crowdsec.net.
For more information, see the changelog.