{"id":11363,"date":"2026-07-06T09:01:06","date_gmt":"2026-07-06T09:01:06","guid":{"rendered":"https:\/\/cheapwindowsvps.com\/blog\/a-comprehensive-guide-to-installing-and-using-crowdsec-on-windows-for-effective-threat-blocking\/"},"modified":"2026-07-06T09:01:06","modified_gmt":"2026-07-06T09:01:06","slug":"a-comprehensive-guide-to-installing-and-using-crowdsec-on-windows-for-effective-threat-blocking","status":"publish","type":"post","link":"http:\/\/cheapwindowsvps.com\/blog\/a-comprehensive-guide-to-installing-and-using-crowdsec-on-windows-for-effective-threat-blocking\/","title":{"rendered":"A Comprehensive Guide to Installing and Using CrowdSec on Windows for Effective Threat Blocking"},"content":{"rendered":"<p>CrowdSec is an open-source security engine designed to analyze server logs and detect suspicious activity such as password brute-forcing and port scanning. Originally developed for Linux systems, it is now available for Windows, providing effective protection against threats like RDP and SMB brute-force attacks.<\/p>\n<h3>Installing CrowdSec Security Engine on Windows<\/h3>\n<p>To set up CrowdSec on Windows, follow these prerequisites:<\/p>\n<ol>\n<li>\n<p><strong>Install .NET 6.0 Desktop Runtime<\/strong>: Utilize the WinGet package manager for the installation:<\/p>\n<pre><code class=\"language-bash\">winget install Microsoft.DotNet.DesktopRuntime.6<\/code><\/pre>\n<\/li>\n<li>\n<p><strong>Ensure TCP port 8080 is free<\/strong>: Verify that this port is not used by other applications.<\/p>\n<\/li>\n<li>\n<p><strong>Enable Windows Logon Audit Policy<\/strong>: Open <code>secpol.msc<\/code>, go to Advanced Audit Policy Configuration -&gt; Audit Policies -&gt; Logon\/Logoff. Check the <strong>Audit Logon<\/strong> policy for <strong>Failure<\/strong>.<\/p>\n<\/li>\n<li>\n<p><strong>Configuration file adjustments<\/strong>: Modify the default configuration to use <code>127.0.0.1<\/code> instead of <code>localhost<\/code> to prevent IPv6 issues during local API interactions.<\/p>\n<\/li>\n<\/ol>\n<p>Next, you can install CrowdSec:<\/p>\n<pre><code class=\"language-bash\">winget install -e --id CrowdSecurity.CrowdSec<\/code><\/pre>\n<p>Then install the <strong>crowdsec-firewall-bouncer<\/strong> to manage automatic blocking:<\/p>\n<pre><code class=\"language-bash\">winget install -e --id CrowdSecurity.CrowdSecWindowsFirewallBouncer<\/code><\/pre>\n<p>After installations, start the services:<\/p>\n<pre><code class=\"language-bash\">Get-Service Crowdsec, cs-windows-firewall-bouncer | Start-Service -Verbose<\/code><\/pre>\n<h3>Configuring CrowdSec<\/h3>\n<p>Check that the firewall bouncer is registered:<\/p>\n<pre><code class=\"language-bash\">cscli bouncers list<\/code><\/pre>\n<p>Next, ensure the Windows collection is installed, which includes valuable scenarios for defending against attacks:<\/p>\n<pre><code class=\"language-bash\">cscli collections install crowdsecurity\/windowscscli scenarios install crowdsecurity\/windows-bf<\/code><\/pre>\n<h3>Using CrowdSec for Attack Prevention<\/h3>\n<p>Once installed, CrowdSec will automatically monitor defined security logs for failed log-in events. You can simulate failed login attempts to observe how the system reacts:<\/p>\n<pre><code class=\"language-bash\">cscli decisions list<\/code><\/pre>\n<p>To check alerts or list all blocked IP addresses:<\/p>\n<pre><code class=\"language-bash\">cscli alerts list<\/code><\/pre>\n<p>To manually manage IP addresses, you can add or remove entries from the blocklist:<\/p>\n<pre><code class=\"language-bash\">cscli decisions delete --ip 192.168.123.4cscli decisions add --ip 192.168.123.4 --reason &quot;manually BAN IP&quot;<\/code><\/pre>\n<p>For real-time logging updates, use PowerShell:<\/p>\n<pre><code class=\"language-bash\">Get-Content C:ProgramDataCrowdSeclogcrowdsec.log -Wait -Tail 30<\/code><\/pre>\n<h3>Customizing Detection Settings<\/h3>\n<p>Adjust the detection threshold and conditions by editing the scenario file:<\/p>\n<ol>\n<li>\n<p><strong>Modify brute force detection thresholds<\/strong> in <code>C:ProgramDataCrowdSecconfigscenarioswindows-bf.yaml<\/code>:<\/p>\n<pre><code class=\"language-yaml\">capacity: 5leakspeed: 10s<\/code><\/pre>\n<\/li>\n<li>\n<p><strong>Specify IP blacklisting duration<\/strong> in <code>C:ProgramDataCrowdSecconfigprofiles.yaml<\/code>:<\/p>\n<pre><code class=\"language-yaml\">Duration: 4h<\/code><\/pre>\n<\/li>\n<\/ol>\n<h3>Whitelisting Trusted IPs<\/h3>\n<p>To exempt certain IP addresses from being blocked by CrowdSec, create a <code>whitelists.yaml<\/code> file and add the relevant configurations:<\/p>\n<pre><code class=\"language-yaml\">name: crowdsecurity\/whitelistsdescription: &quot;Whitelist my office IPs&quot;whitelist:  reason: &quot;CORP trusted IP addresses&quot;  ip:  - &quot;192.168.123.1&quot;  cidr:  - &quot;192.168.15.0\/24&quot;<\/code><\/pre>\n<h3>Conclusion<\/h3>\n<p>CrowdSec&#8217;s capabilities extend beyond brute force detection, offering features to protect against port scans and manage web server logs. It also provides integration with various notification methods like email and Slack for alerting purposes. For advanced network protection, you can register for the CrowdSec Cloud Console to gain insights and manage global block lists effectively.<\/p>\n<p>For further details, refer to the official CrowdSec documentation at <a target=\"_blank\" rel=\"nofollow noopener\" href=\"https:\/\/app.crowdsec.net\/\">app.crowdsec.net<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>CrowdSec is an open-source security engine designed to analyze server logs and detect suspicious activity such as password brute-forcing and port scanning. Originally developed for Linux systems, it\u2026<\/p>\n","protected":false},"author":0,"featured_media":11364,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[99,121],"tags":[],"class_list":["post-11363","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-windows-11","category-windows-server-2025"],"_links":{"self":[{"href":"http:\/\/cheapwindowsvps.com\/blog\/wp-json\/wp\/v2\/posts\/11363","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/cheapwindowsvps.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/cheapwindowsvps.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"http:\/\/cheapwindowsvps.com\/blog\/wp-json\/wp\/v2\/comments?post=11363"}],"version-history":[{"count":0,"href":"http:\/\/cheapwindowsvps.com\/blog\/wp-json\/wp\/v2\/posts\/11363\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"http:\/\/cheapwindowsvps.com\/blog\/wp-json\/wp\/v2\/media\/11364"}],"wp:attachment":[{"href":"http:\/\/cheapwindowsvps.com\/blog\/wp-json\/wp\/v2\/media?parent=11363"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/cheapwindowsvps.com\/blog\/wp-json\/wp\/v2\/categories?post=11363"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/cheapwindowsvps.com\/blog\/wp-json\/wp\/v2\/tags?post=11363"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}