CrowdSec Integration

Pipe the ipinsights.io blocklist into your local CrowdSec LAPI so every bouncer you have deployed picks it up automatically.

Overview

CrowdSec turns collaborative threat intelligence into local enforcement through its Local API (LAPI) and bouncers. Feeding the ipinsights.io list directly into the LAPI means every bouncer — firewall, NGINX, Cloudflare, Traefik, AWS WAF — automatically inherits the same blocking decisions, with no per-tool configuration.

The recommended approach is a small systemd timer that pulls https://ipinsights.io/downloads/blocklist.txt every hour and re-imports it into CrowdSec with a fixed decision origin tag — so the entries can be cleanly removed and replaced on each refresh.

Prerequisites

  • CrowdSec 1.5+ running locally with at least one bouncer attached
  • curl available on the host
  • Outbound HTTPS to https://ipinsights.io

Step 1 — Create the Sync Script

Create /usr/local/bin/ipinsights-crowdsec-sync.sh:

    #!/usr/bin/env bash
    # ipinsights-crowdsec-sync.sh — refresh the IP Insights blocklist inside CrowdSec
    set -euo pipefail

    FEED_URL="https://ipinsights.io/downloads/blocklist.txt"
    ORIGIN="ipinsights"
    DURATION="6h"   # decisions auto-expire if the next sync fails
    REASON="ipinsights-blocklist"

    TMP=$(mktemp)
    trap 'rm -f "$TMP"' EXIT

    # Fetch and sanity check
    curl -fsSL --max-time 30 "$FEED_URL" -o "$TMP"
    COUNT=$(grep -cE '^[0-9]+\.' "$TMP" || true)
    if [ "$COUNT" -lt 100 ]; then
      echo "ipinsights-sync: refusing to import — only $COUNT entries (likely a fetch error)" >&2
      exit 1
    fi

    # Drop any previous IP Insights decisions, then re-import the fresh list
    cscli decisions delete --origin "$ORIGIN" >/dev/null || true
    cscli decisions import \
      -i "$TMP" \
      --format values \
      --origin "$ORIGIN" \
      --reason "$REASON" \
      --duration "$DURATION" \
      --type ban

    logger -t ipinsights-sync "imported $COUNT decisions from $FEED_URL"

If you drafted the script under /tmp, install it into place owned by root and executable:

    sudo install -m 0755 -o root -g root /tmp/ipinsights-crowdsec-sync.sh /usr/local/bin/ipinsights-crowdsec-sync.sh
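
The sanity check in the sync script only counts lines that begin with digits, and the downloaded file is then imported unchanged. The following is an added example, not part of the ipinsights.io script: a filter_feed function (hypothetical name) that keeps only well-formed, publicly routable IPv4 addresses and drops anything on a local never-ban file, assuming the feed carries one IPv4 address per line with optional # comments.

```bash
#!/usr/bin/env bash
# Added example, not part of the ipinsights.io script.
# Assumption: the feed is one IPv4 address per line, with optional '#' comments.
# filter_feed and the never-ban file are hypothetical names for this illustration.
set -eu

# filter_feed FEED_FILE [NEVER_BAN_FILE]   ("-" reads the feed from stdin)
# stdout: unique, well-formed, publicly routable addresses not on the never-ban list
# stderr: number of rejected lines, so a malformed or tampered feed shows in the journal
filter_feed() {
  awk -v nb="${2:-/dev/null}" '
    BEGIN { while ((getline line < nb) > 0) keep[line] = 1 }
    { sub(/\r$/, "") }                      # tolerate CRLF line endings
    /^[ \t]*#/ || /^[ \t]*$/ { next }       # skip comments and blank lines
    {
      ok = ($0 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/)
      if (ok) {
        split($0, o, ".")
        for (i = 1; i <= 4; i++)            # octet range; no ambiguous leading zeros
          if (o[i] > 255 || o[i] ~ /^0[0-9]/) ok = 0
      }
      # never ban unspecified, private, loopback, link-local, CGNAT or multicast space
      if (ok && (o[1] == 0 || o[1] == 10 || o[1] == 127 || o[1] >= 224 ||
                 (o[1] == 172 && o[2] >= 16 && o[2] <= 31) ||
                 (o[1] == 192 && o[2] == 168) || (o[1] == 169 && o[2] == 254) ||
                 (o[1] == 100 && o[2] >= 64 && o[2] <= 127))) ok = 0
      if (ok && ($0 in keep)) ok = 0        # e.g. your own management address
      if (!ok) rejected++
      else if (!seen[$0]++) print
    }
    END { printf "filter_feed: rejected %d line(s)\n", rejected > "/dev/stderr" }
  ' "$1"
}

# Constructed sample input (documentation and reserved ranges, not real indicators)
filter_feed - <<'EOF'
# sample feed
203.0.113.7
10.0.0.5
0.0.0.0/0
<html>502 Bad Gateway</html>
EOF
```

In the sync script this would sit between the curl fetch and the COUNT check, writing the filtered list to a second temporary file that is then counted and passed to cscli decisions import -i.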

Step 2 — Schedule the Sync

Install the systemd service unit at /etc/systemd/system/ipinsights-sync.service:

    [Unit]
    Description=Sync IP Insights blocklist into CrowdSec
    After=crowdsec.service
    Requires=crowdsec.service

    [Service]
    Type=oneshot
    ExecStart=/usr/local/bin/ipinsights-crowdsec-sync.sh

And the timer at /etc/systemd/system/ipinsights-sync.timer:

    [Unit]
    Description=Hourly IP Insights blocklist sync

    [Timer]
    OnBootSec=2min
    OnUnitActiveSec=1h
    Unit=ipinsights-sync.service

    [Install]
    WantedBy=timers.target

Then reload systemd, enable the timer, and run the service once:

    sudo systemctl daemon-reload
    sudo systemctl enable --now ipinsights-sync.timer
    sudo systemctl start ipinsights-sync.service   # trigger first sync now

Step 3 — Verify

    cscli decisions list --origin ipinsights --limit 5
    cscli metrics | grep -i decisions

Any bouncer attached to this LAPI will now apply the decisions on its next poll (usually within 10 seconds). To remove the feed: sudo cscli decisions delete --origin ipinsights and disable the timer.

Troubleshooting

  • Decisions not appearing — run journalctl -u ipinsights-sync.service for the most recent script output.
  • Bouncer not applying decisions — confirm the bouncer is attached to the same LAPI: cscli bouncers list.
  • Conflicting decisions — the --origin tag isolates IP Insights decisions from CrowdSec community / scenario-based ones; you can safely run both.

API Key: Not required for this integration — the public blocklist is open. Grab one from your profile page if you want to enrich CrowdSec scenarios via the lookup API as well.

Request Higher API Limit

Running a high-volume CrowdSec deployment? If the default rate limit isn't enough for your environment, submit a request below and we'll review it.
