Windows OS Hub
July 3, 2026

How to Install and Configure CrowdSec to Secure Windows Servers

CrowdSec is an open-source security engine written in Go. It is often referred to as a modern alternative to Fail2Ban. CrowdSec can analyze server logs, running services, and web applications to detect suspicious activity, such as password brute-forcing and port scanning. It can automatically block suspicious IP addresses in the firewall. Although CrowdSec was originally developed for a Linux environment, it is now available for Windows. Out of the box, CrowdSec Security Engine for Windows can detect and block brute-force attacks via SMB and RDP. With additional configuration, it can be used to block network port scanning and attacks against SQL Server, Exchange, and IIS web apps.

In this article, we will look at a basic step-by-step CrowdSec deployment scenario on a Windows Server 2025 standalone host, where all components (log collector, API server, and firewall bouncer) are run on a single local machine. Then, we will demonstrate how to use CrowdSec to detect and protect against RDP password brute force attacks.

Contents:
  • How to Install CrowdSec Security Engine on Windows
  • Using CrowdSec to Detect and Block Brute Force Attack Attempts on Windows

How to Install CrowdSec Security Engine on Windows

These are the prerequisites for installing CrowdSec on Windows:

  • Install the .NET 6.0 Desktop Runtime: winget install Microsoft.DotNet.DesktopRuntime.6 
    In this post, we will use the WinGet package manager to install additional software on Windows. If WinGet is not installed on a machine, the specified packages can be downloaded manually from the Microsoft website or the CrowdSec GitHub repository.
  • TCP port 8080 is the default port used by the CrowdSec Local API (LAPI). Make sure this port is not already in use by another service (the command prints nothing if the port is free): Get-NetTCPConnection -LocalPort 8080 -State Listen -ErrorAction SilentlyContinue | ForEach-Object { Get-Process -Id $_.OwningProcess }
  • If you want CrowdSec to block IP addresses from which brute-force attempts against accounts are detected, including RDP logons, you need to enable failure auditing of logon events, which is disabled by default on a standalone server. Open secpol.msc and navigate to Advanced Audit Policy Configuration -> System Audit Policies -> Logon/Logoff. Open the Audit Logon policy and check the Failure option. From now on, every failed remote authentication attempt is recorded in the Security log in Event Viewer as event ID 4625 (An account failed to log on), including the source IP address that CrowdSec needs in order to issue a ban. On a domain-joined server, set the same policy through a GPO, because the next Group Policy refresh overwrites a locally configured advanced audit policy.
  • The localhost address is used by default in the CrowdSec configuration files, and on Windows it may resolve to the IPv6 address [::1] (by default, IPv6 has a higher priority than IPv4). This can break communication between the local LAPI, the cscli tool, and bouncers. If that happens, replace “localhost” with 127.0.0.1 in the YAML configuration files.
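The following script is an added example (it is not part of the original article or of the CrowdSec project) that performs the pre-flight checks from the list above from an elevated PowerShell console: it reports what is listening on the LAPI port, enables failure auditing for the Logon subcategory with auditpol (the command-line equivalent of the secpol.msc setting, addressed by its locale-independent GUID), and shows the last failed logons so you can confirm that event 4625 carries the source address. The port number and the number of events displayed are assumptions you can change.

```powershell
# Added example: pre-flight checks before installing CrowdSec on a standalone Windows Server.
# Run in an elevated PowerShell session. Not CrowdSec project code.

# 1. Is anything already listening on the LAPI default port (8080 is an assumption; change it if you move LAPI)?
$lapiPort = 8080
$listeners = Get-NetTCPConnection -LocalPort $lapiPort -State Listen -ErrorAction SilentlyContinue
if ($listeners) {
    foreach ($c in $listeners) {
        $proc = Get-Process -Id $c.OwningProcess -ErrorAction SilentlyContinue
        Write-Warning ("Port {0} is already used by PID {1} ({2}); move LAPI to another port in config.yaml" -f
            $lapiPort, $c.OwningProcess, $proc.ProcessName)
    }
} else {
    Write-Host "Port $lapiPort is free"
}

# 2. Enable failure auditing for the 'Logon' subcategory (Advanced Audit Policy -> Logon/Logoff -> Audit Logon).
#    The GUID identifies the subcategory regardless of the OS display language.
$logonSubcategory = '{0CCE9215-69AE-11D9-BED3-505054503030}'
auditpol /set /subcategory:"$logonSubcategory" /failure:enable | Out-Null
if ($LASTEXITCODE -ne 0) { throw 'auditpol failed: is the console elevated?' }
# Verify: the output line for Logon must contain 'Failure'
auditpol /get /subcategory:"$logonSubcategory"

# 3. Show the most recent failed logons. Property index 5 is TargetUserName and index 19 is IpAddress
#    in the 4625 event layout; an empty IpAddress means CrowdSec has nothing to ban.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625 } -MaxEvents 5 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated,
        @{ n = 'User';     e = { $_.Properties[5].Value } },
        @{ n = 'SourceIP'; e = { $_.Properties[19].Value } },
        @{ n = 'LogonType'; e = { $_.Properties[10].Value } }
```

Note that the audit policy must be in place before you start testing: CrowdSec can only act on events that were actually written to the Security log, and the firewall bouncer needs a source IP address in those events. A 4625 event with an empty or "-" IpAddress field (for example, a local console logon) will never produce a ban.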

You can now install the CrowdSec Security Engine, which includes the agent (log parser) and the server-side Local API with its database:

winget install -e --id CrowdSecurity.CrowdSec

You can download the CrowdSec MSI installer manually here https://github.com/crowdsecurity/crowdsec/releases

Next, install the crowdsec-firewall-bouncer component (https://github.com/crowdsecurity/cs-windows-firewall-bouncer/releases).

CrowdSec itself only detects attacks but does not block them. The Windows Firewall Bouncer is used to automatically block attackers’ addresses. It will retrieve IP addresses to block from the local CrowdSec API and then add them to the Windows Firewall rules.

winget install -e --id CrowdSecurity.CrowdSecWindowsFirewallBouncer

After installation, check and start the two services:

Get-Service crowdsec, cs-windows-firewall-bouncer | Start-Service -Verbose

Restart the PowerShell console and check that firewall-bouncer has been added and registered successfully in the list of CrowdSec bouncers.

cscli bouncers list

When installing CrowdSec on Windows, the installer checks which services are present on the host and enables the corresponding software bundles (collections) for them. In CrowdSec, a collection is a set of components for securing and protecting a specific service. It includes parsers and attack detection scenarios that contain the detection logic.

List installed collections:

cscli collections list


The list displays the name of each collection, its status, and the location of its YAML configuration file. The crowdsecurity/windows collection, for example, contains a basic IDS analysis package for Windows. This collection can also be used to detect and block brute-force attacks via RDP and SMB.

If this collection is missing, install it:

cscli collections install crowdsecurity/windows

Then, list the installed attack detection scenarios:

cscli scenarios list

Verify that the crowdsecurity/windows-bf password brute force detection scenario is present and enabled in the lists. If you need to install this scenario, run the following command:

cscli scenarios install crowdsecurity/windows-bf


You need to restart the agent service after adding or removing collections/scenarios or changing CrowdSec settings via configuration files:

Restart-Service crowdsec

Use the following command to check the current status of the CrowdSec agent:

cscli metrics
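The script below is an added example (not part of the original article and not CrowdSec project code) that turns the manual checks of this section into a single post-install health check: both Windows services running and set to start automatically, the agent able to reach LAPI, the firewall bouncer registered, and the windows-bf scenario installed. It relies on the -o json output option of cscli and assumes that the registered bouncer name contains the string "windows-firewall-bouncer"; adjust the pattern to whatever cscli bouncers list shows on your host.

```powershell
# Added example: post-install health check for a single-host CrowdSec deployment on Windows.
# Run in a NEW elevated PowerShell console (so that cscli is in PATH). Not CrowdSec project code.
$problems = @()

# 1. Both Windows services must be running and survive a reboot
foreach ($svcName in 'crowdsec', 'cs-windows-firewall-bouncer') {
    $svc = Get-Service -Name $svcName -ErrorAction SilentlyContinue
    if (-not $svc) { $problems += "service $svcName is not installed"; continue }
    if ($svc.Status    -ne 'Running')   { $problems += "service $svcName is $($svc.Status)" }
    if ($svc.StartType -ne 'Automatic') { $problems += "service $svcName start type is $($svc.StartType)" }
}

# 2. The agent must reach LAPI. This is the check that fails when 'localhost' resolves to ::1
#    while LAPI listens on 127.0.0.1 only.
cscli lapi status 2>&1 | Out-Null
if ($LASTEXITCODE -ne 0) {
    $problems += "cscli lapi status failed (try replacing 'localhost' with 127.0.0.1 in config.yaml and local_api_credentials.yaml)"
}

# 3. The firewall bouncer must be registered with LAPI and the brute-force scenario installed.
#    String matching on the JSON output keeps this independent of the exact field names.
$bouncers  = (cscli bouncers  list -o json 2>&1) -join ''
$scenarios = (cscli scenarios list -o json 2>&1) -join ''
if ($bouncers  -notmatch 'windows-firewall-bouncer')  { $problems += 'firewall bouncer is not registered with LAPI (see cscli bouncers list)' }
if ($scenarios -notmatch 'crowdsecurity/windows-bf') { $problems += 'scenario crowdsecurity/windows-bf is not installed' }

# 4. Report
if ($problems) {
    $problems | ForEach-Object { Write-Warning $_ }
    exit 1
}
Write-Host 'CrowdSec agent, LAPI and firewall bouncer look healthy'
```

A bouncer that is installed but not listed by cscli bouncers list has no API key and silently pulls nothing, so detections would be logged but never enforced; that is the failure this check is meant to catch.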

Using CrowdSec to Detect and Block Brute Force Attack Attempts on Windows

With the default installation of the CrowdSec engine on Windows, password brute-force detection scenarios are already active and rely on audit events in the Security log. Check the config file C:\ProgramData\CrowdSec\config\acquis.yaml to see the current detection settings.

As you can see here, the Windows event log acquisition is active. It monitors the Security event log for failed authentication events (event IDs 4625 and 4623).

A separate article on this site shows how to use built-in tools and a PowerShell script to protect an RDP host against brute-force attacks.

Try to connect to this host via RDP from another computer several times, entering the wrong account credentials each time. The IP address of the remote computer will be blocked in the firewall after several failed authentication attempts.

List the anomalies detected and the decisions made based on log parsing (active bans):

cscli decisions list

In this example, the client IP address was blocked for 4 hours, based on the attack patterns defined in the crowdsecurity/windows-bf scenario.


The ban history can be displayed with the command:

cscli alerts list
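The following is an added example (not from the original article or the CrowdSec project) of a repeatable test for the detection chain. Instead of typing wrong RDP passwords by hand, the first part generates failed network logons from a separate test client with net use against the IPC$ share: each failed SMB session setup is logged on the server as event 4625 with logon type 3, which is exactly what the acquisition above feeds to the windows-bf scenario. The second part, run on the server, waits for the decision and confirms that the bouncer really put the client address into a Windows Firewall rule. The server and client addresses are assumed lab values.

```powershell
# Added example: end-to-end test of the windows-bf detection chain. Not CrowdSec project code.
# Assumed lab addresses; change them to match your environment.
$Server   = '192.168.123.10'   # protected Windows Server running CrowdSec
$ClientIp = '192.168.123.4'    # address of the test client as the server sees it

# ---- Part 1: run on the TEST CLIENT, never on the server itself (you would ban your own address) ----
1..6 | ForEach-Object {
    # A non-existent user guarantees a failure without locking out a real account.
    $out = cmd /c "net use \\$Server\IPC`$ /user:nosuchuser WrongPass$_ 2>&1"
    Write-Host "attempt $_ : $($out -join ' ')"
    Start-Sleep -Seconds 1      # well inside the 10 s leakspeed, so the bucket fills up
}

# ---- Part 2: run on the SERVER ----
$deadline = (Get-Date).AddSeconds(60)
do {
    $decision = cscli decisions list --ip $ClientIp -o json 2>&1 | Out-String
    if ($decision -match [regex]::Escape($ClientIp)) { break }
    Start-Sleep -Seconds 5
} while ((Get-Date) -lt $deadline)

if ($decision -match [regex]::Escape($ClientIp)) {
    Write-Host "LAPI decision is active for $ClientIp"
    # The bouncer materializes decisions as firewall rules named crowdsec-blocklist<ID>;
    # check that the address is really inside one of them (entries may carry a /32 suffix).
    $hit = Get-NetFirewallRule -DisplayName 'crowdsec-blocklist*' -ErrorAction SilentlyContinue |
        Get-NetFirewallAddressFilter |
        Where-Object { $_.RemoteAddress -like "$ClientIp*" }
    if ($hit) { Write-Host "Windows Firewall rule blocks $ClientIp" }
    else      { Write-Warning 'Decision exists but no firewall rule contains the address: check the cs-windows-firewall-bouncer service' }
} else {
    Write-Warning "No decision for $ClientIp within 60 s: check crowdsec.log and that the audit policy writes 4625 events"
}
```

Run the client part from a disposable test machine: the ban is a real 4-hour decision that also blocks RDP from that client, so either whitelist your admin workstation first (see below) or remove the test decision afterwards with cscli decisions delete --ip. Separating the LAPI decision check from the firewall-rule check matters because the two can disagree: the engine may have decided to ban while the bouncer service is stopped or has lost its API key, in which case nothing is actually blocked.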

The CrowdSec Windows Firewall Bouncer service creates a firewall rule called crowdsec-blocklistID that blocks access for the client IP address from which an attack is suspected.


The IP address of an attacker will be automatically removed from the firewall blocklist rule after the ban time expires (4 hours by default). Or you can unblock the specific IP address manually.

cscli decisions delete --ip 192.168.123.4

To reset all active bans:

cscli decisions delete --all

To block a specific IP address in CrowdSec, use the following command:

cscli decisions add --ip 192.168.123.4 --reason "manually BAN IP"


To view the CrowdSec logs in real time, run the following PowerShell command:

Get-Content C:\ProgramData\CrowdSec\log\crowdsec.log -Wait -Tail 30

The settings for detecting brute force attempts and the trigger conditions (number of unsuccessful logon attempts) are configured in the scenario file. In this case, it is C:\ProgramData\CrowdSec\config\scenarios\windows-bf.yaml

The scenario is a leaky bucket: each failed logon from a source address is poured into that address’s bucket, the bucket leaks one event every leakspeed interval, and when it holds more than capacity events it overflows and the ban decision is created. Here, you can change some detection settings. For example:

  • capacity: 5 sets how many failed logons from one source the bucket can hold. The next failed attempt that arrives while the bucket is full overflows it and triggers the scenario.
  • leakspeed: 10s sets how quickly the bucket forgets failures: one unsuccessful attempt is dropped every 10 seconds, so attempts spaced further apart than this never accumulate up to the threshold.

The time for which an IP address should be blacklisted in the firewall is specified in the file C:\ProgramData\CrowdSec\config\profiles.yaml, in the decisions section of the default profile:

duration: 4h

After making changes to the configuration files, remember to restart the CrowdSec service.
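To see what the two scenario parameters actually do before editing windows-bf.yaml, here is an added example (not part of the original article and not CrowdSec’s own implementation) that models the leaky bucket in PowerShell and replays two constructed attack patterns through it: a burst of failures one second apart, and a slow attacker that waits 15 seconds between attempts. The model is simplified: it leaks whole events based on the time elapsed since the previous event, whereas the real engine runs a timer, but the capacity and leakspeed semantics are the same.

```powershell
# Added example: simplified model of the leaky bucket used by crowdsecurity/windows-bf.
# Not CrowdSec code. Assumptions: one failed logon = one event poured into the bucket;
# the bucket leaks one event per leakspeed interval; it overflows when it holds more than
# 'capacity' events, which is when the scenario fires.
function Test-LeakyBucket {
    param(
        [Parameter(Mandatory)][datetime[]]$EventTimes,                 # failed logons from ONE source IP
        [int]$Capacity = 5,                                            # windows-bf default
        [timespan]$LeakSpeed = [timespan]::FromSeconds(10)             # windows-bf default
    )
    $held = 0
    $last = $null
    foreach ($t in ($EventTimes | Sort-Object)) {
        if ($null -ne $last) {
            # Drain one event per full leakspeed interval since the previous event, never below empty.
            $leaked = [math]::Floor(($t - $last).TotalSeconds / $LeakSpeed.TotalSeconds)
            $held = [math]::Max(0, $held - $leaked)
        }
        $held++
        $last = $t
        if ($held -gt $Capacity) {
            return [pscustomobject]@{ Overflow = $true; At = $t; EventsHeld = $held }
        }
    }
    return [pscustomobject]@{ Overflow = $false; At = $null; EventsHeld = $held }
}

# Constructed sample data (not real logs): six failures from the same address in two rhythms.
$t0    = Get-Date '2026-07-03 10:00:00'
$burst = 0..5 | ForEach-Object { $t0.AddSeconds($_) }        # one failure per second
$slow  = 0..5 | ForEach-Object { $t0.AddSeconds($_ * 15) }   # one failure every 15 seconds

# Defaults: the burst overflows on its sixth event; the slow pattern leaks an event between
# every two attempts and never exceeds the capacity.
Test-LeakyBucket -EventTimes $burst
Test-LeakyBucket -EventTimes $slow

# Tuning: a longer leakspeed makes the bucket remember failures for longer and catches the slow attacker,
# at the price of more false positives from users who mistype a password a few times over a minute.
Test-LeakyBucket -EventTimes $slow -LeakSpeed ([timespan]::FromSeconds(60))
```

The practical lesson is that capacity alone does not define the detection window: an attacker who paces attempts slower than one per leakspeed stays below the threshold indefinitely, so a low-and-slow password spray against RDP is only caught by raising leakspeed (or lowering capacity), and any such change should be checked against the whitelist of administrator addresses described below.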

To whitelist specific IP addresses or networks that will never be blocked by CrowdSec rules, create a whitelists.yaml file and add the following configuration to it:

notepad "C:\ProgramData\CrowdSec\config\parsers\s02-enrich\whitelists.yaml"

name: crowdsecurity/whitelists
description: "Whitelist my office IPs"
whitelist:
  reason: "CORP trusted IP addresses"
  ip:
    - "192.168.123.1"      # specific IP address
  cidr:
    - "192.168.15.0/24"    # network

Restart the service:

Restart-Service crowdsec

Check that the whitelists module is enabled:

cscli parsers list


With the crowdsecurity/geoip-enrich parser, you can block or allow access to a protected host only from specific countries or locations (free registration and a MaxMind GeoIP database key are required). 

You can configure CrowdSec to send notifications about rule triggers via email, Slack, Splunk, or HTTP (can be used to send notifications to a messenger; for example, you can send a message to Telegram via HTTP API). To achieve this, enable the necessary notification methods in the C:\ProgramData\CrowdSec\config\profiles.yaml file and configure the connection parameters for the services in their respective YAML files located in the directory C:\ProgramData\CrowdSec\config\notification.

In addition to brute-force detection scenarios, the default crowdsecurity/windows collection includes the crowdsecurity/iptables-scan-multi_ports scenario that can detect and prevent port scans of the host (this requires enabling the Windows Firewall text log file, pfirewall.log, which CrowdSec then parses to analyze network activity).

The crowdsecurity/iis-logs and crowdsecurity/http-logs collections can be used to analyze IIS web server logs and block suspicious activity. 

Previously, we demonstrated how to use the IPBan solution to protect the IIS web server in Windows against DDoS and brute-force attacks.

The community edition of the CrowdSec engine offers free access to the CrowdSec Cloud Console, which is a public web interface. In order to use it, you must register on the https://app.crowdsec.net/ website. Then, you can connect your agent to receive global statistics, use global block lists, and manage blocking through the web interface.

CrowdSec can thus serve as a simple IPS/IDS solution for a single Windows host or for a group of servers, with centralized log processing and blacklist management across multiple machines.

@2014 - 2026 - Windows OS Hub. All about operating systems for sysadmins