How to Stop SSH Brute-Force Attacks on Dedicated Servers (CrowdSec Guide)

Why traditional log-parsers fail against modern brute-force traffic, and how to use CrowdSec’s open-source IPS engine to proactively shield your Linux infrastructure.


The moment you provision a brand-new dedicated server, automated botnets begin scanning your IP address. Within minutes, they will target Port 22, launching brute-force attacks to guess your SSH credentials. For server administrators, securing SSH is the most critical first step in a broader server hardening guide.

What is CrowdSec?

CrowdSec is an open-source, behavioral intrusion prevention system (IPS). Unlike older tools that only look at local log files, CrowdSec combines local behavioral detection with Community Threat Intelligence (CTI).

When a malicious IP attacks a server within the CrowdSec network, its behavior is analyzed. If flagged as a threat, that IP is shared globally. This means your server can block known attackers based on the shared intelligence of the crowd.

CrowdSec vs. Fail2Ban: Why Make the Switch?
| Feature | Fail2Ban | CrowdSec |
| --- | --- | --- |
| Architecture | Python-based local rule engine | Go-based distributed security engine |
| Intelligence | Local server logs only | Local + Global Community Threat Intelligence |
| Multi-Server | Difficult to sync | Built-in Centralized API for server clusters |
| Remediation | Primarily iptables | nftables, iptables, Cloudflare, Nginx, and more |


Prerequisites & Server Preparation

Before installing CrowdSec, ensure your server is up to date and has the necessary baseline packages.

  • A Servers99 Dedicated Server (Ubuntu/Debian)
  • Root or sudo privileges
  • Basic command-line knowledge

Update your system packages and install required dependencies:

```bash
sudo apt update && sudo apt upgrade -y
sudo apt install curl gnupg ufw -y
```

Step 1: Install the CrowdSec Agent

The CrowdSec agent acts as the "brain," parsing your server logs to detect malicious behavior. Always verify installation scripts before running them in production environments.

⚠️ Security Note: While curl | bash is convenient, it is a best practice in production environments to inspect scripts before running them. Always ensure you are pulling from the official install.crowdsec.net domain.

Run the official installation script:

```bash
curl -s https://install.crowdsec.net | sudo bash
sudo apt update
sudo apt install crowdsec -y
```

Verify the core engine is running properly:

```bash
sudo systemctl status crowdsec
```

Step 2: Activate SSH Protection

Install the SSH parser explicitly: in most fresh installations the SSH collection is not enabled by default, so it must be installed before CrowdSec can provide SSH brute-force protection.

```bash
sudo cscli collections install crowdsecurity/sshd
# Restart CrowdSec to ensure the parser state is fully refreshed
sudo systemctl restart crowdsec
```

Step 3: Whitelist Your Admin IP

Prevent locking yourself out of your own server: if you mistype a password, CrowdSec might flag your IP. Depending on your CrowdSec version, IP allowlisting can be done via the CLI or via YAML configuration files.

Method A: Modern CLI (CrowdSec v1.6+)

```bash
sudo cscli allowlists create my_allowlist --description "Admin PC IP"
sudo cscli allowlists add my_allowlist YOUR_LOCAL_IP_ADDRESS --comment "Admin PC"
```

Method B: YAML Configuration (Universal Fallback)

Place a new YAML file under /etc/crowdsec/parsers/s02-enrich/ (or the appropriate local config directory for your OS):

```bash
sudo nano /etc/crowdsec/parsers/s02-enrich/my_whitelist.yaml
```

Add the following configuration:

```yaml
name: crowdsecurity/my_whitelist
description: "Whitelist for Admin IP"
whitelist:
  reason: "Admin PC"
  ip:
    - "YOUR_LOCAL_IP_ADDRESS"
```

Restart CrowdSec: sudo systemctl restart crowdsec

Step 4: Install the Firewall Bouncer

Enforce bans at the network level: CrowdSec detects the threats, but it needs a "Bouncer" to enforce the bans. Choose one of the following based on your firewall:

Option A: For nftables (Modern standard for Ubuntu/Debian)

```bash
sudo apt install crowdsec-firewall-bouncer-nftables -y
```

Option B: For iptables/UFW (Standard on legacy setups)

```bash
sudo apt install crowdsec-firewall-bouncer-iptables -y
```

Verify that your bouncer is registered and active:

```bash
sudo cscli bouncers list
```

Step 5: Monitoring Blocked Attackers & Verification

To ensure your setup is production-ready, use these commands to verify your server's defense status:

1. View Active Bans (Decisions)

See exactly who is blocked, their origin country, and the ban duration.

```bash
sudo cscli decisions list
```

Expected Output:

```text
+--------+----------+-------------------+----------------------+--------+---------+----+--------+--------------------+----------+
| ID     | Source   | Scope:Value       | Reason               | Action | Country | AS | Events | expiration         | Alert ID |
+--------+----------+-------------------+----------------------+--------+---------+----+--------+--------------------+----------+
| 123456 | crowdsec | Ip:1.2.3.4        | crowdsecurity/ssh-bf | ban    | US      |    | 6      | 3h59m59.123456789s | 42       |
+--------+----------+-------------------+----------------------+--------+---------+----+--------+--------------------+----------+
```

2. Check System Metrics

Verify that CrowdSec is actively reading your log files (look for parsed lines in the SSH logs).

```bash
sudo cscli metrics
```

Enterprise-Grade Security Hardening Tips

CrowdSec is powerful, but true dedicated server security requires a layered approach. We highly recommend these additional SSH hardening steps in your /etc/ssh/sshd_config file:

  • Disable Password Authentication: Rely strictly on SSH Keys. (PasswordAuthentication no)
  • Disable Root Login: Prevent attackers from brute-forcing the default superuser. (PermitRootLogin no)
  • Limit Authentication Attempts: Drop the connection after a few failed attempts. (MaxAuthTries 3)
  • Change the Default SSH Port: Moving away from Port 22 drastically reduces automated bot log noise.

Always run sudo systemctl restart ssh (on Ubuntu/Debian) after making configuration changes.
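To check that a server's sshd_config really carries these settings, here is an added shell audit script (example code written for this guide, not CrowdSec's or Servers99's own tooling); it takes the config path as its argument and assumes sshd's first-occurrence-wins rule, ignoring Match blocks.

```shell
#!/bin/sh
# Added example: audit an sshd_config file for the hardening directives listed above.
# Prints one line per finding and returns the number of findings (0 = hardened).
# Assumption: sshd honours the FIRST occurrence of a directive, so that is what we
# read; Match blocks are not modelled, so confirm the live config with `sudo sshd -T`.

# Print the effective value of directive $2 from config file $1, ignoring comments.
sshd_value() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ { next }
        tolower($1) == key { print $2; exit }
    ' "$1" | tr 'A-Z' 'a-z'
}

# Audit one file. Findings: MISSING (directive absent), WEAK (wrong value), NOTE (default port).
audit_sshd_config() {
    cfg="$1"; findings=0
    for rule in \
        "PasswordAuthentication|no|rely on SSH keys only" \
        "PermitRootLogin|no|stop brute force against the default superuser" \
        "MaxAuthTries|3|drop the connection after a few failed attempts"
    do
        key=${rule%%|*}; rest=${rule#*|}; want=${rest%%|*}; why=${rest#*|}
        got=$(sshd_value "$cfg" "$key")
        if [ -z "$got" ]; then
            echo "MISSING $key (want $want): $why"; findings=$((findings + 1))
        elif [ "$key" = MaxAuthTries ]; then
            # numeric directive: anything above the recommended 3 is weak
            [ "$got" -le "$want" ] 2>/dev/null ||
                { echo "WEAK $key=$got (want <= $want): $why"; findings=$((findings + 1)); }
        elif [ "$got" != "$want" ]; then
            echo "WEAK $key=$got (want $want): $why"; findings=$((findings + 1))
        fi
    done
    # Port: absent or 22 means the default, which attracts the most automated noise.
    port=$(sshd_value "$cfg" Port)
    if [ -z "$port" ] || [ "$port" = 22 ]; then
        echo "NOTE Port is ${port:-22 (default)}: moving off 22 reduces bot log noise"
        findings=$((findings + 1))
    fi
    return "$findings"
}

# Usage: sh audit_sshd.sh /etc/ssh/sshd_config
if [ $# -gt 0 ]; then
    audit_sshd_config "$1"
fi
```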

Common Errors & Troubleshooting

1. Error: Bouncer is not connecting or missing from cscli bouncers list

  • Fix: Ensure the bouncer service is running: sudo systemctl status crowdsec-firewall-bouncer. If it failed to start, check the API key in /etc/crowdsec/bouncers/crowdsec-firewall-bouncer.yaml matches an API key generated by cscli bouncers add.

2. Error: Decisions are not appearing (No bans happening)

  • Fix: Check cscli metrics. If parsed lines for sshd are zero, CrowdSec is not reading your auth logs properly. Ensure the crowdsecurity/sshd collection is installed and restart the agent.

3. To remove a ban on a specific IP:

  • sudo cscli decisions delete --ip 1.2.3.4

Build Your Custom Shield on Powerful Hardware

High-performance security tools like CrowdSec require underlying bare-metal infrastructure that refuses to bottleneck when malicious traffic spikes.

Servers99 dedicated servers are engineered to handle intense network pressure, providing enterprise-grade AMD EPYC™ and Intel® Xeon® hardware, massive 100Gbps unmetered uplinks, and standard 250Gbps built-in DDoS protection across more than 250 global locations.

Whether you are deploying intensive game nodes, managing complex database clusters, or configuring advanced kernel-level packet filters like XDP and eBPF, our bare-metal architecture gives you absolute root control over your entire network stack.



FAQ

Yes, for modern infrastructure, CrowdSec is generally considered superior. While Fail2Ban relies heavily on a Python-based local rule engine and only blocks based on your server's local logs, CrowdSec uses a lightweight Go architecture and utilizes Global Community Threat Intelligence to block known hackers before they attack you.

Yes. Once the CrowdSec agent and a firewall bouncer are installed, and the SSH collection is active, it will automatically parse your authentication logs, detect brute-force behavior, and block the offending IP address at the firewall level.

Yes, the core CrowdSec engine, the Community Threat Intelligence blocklist, and the bouncers are completely free and open-source for server administrators to use on their dedicated servers and VPS instances.