Install, configure, operate, and debug CrowdSec — straight from your terminal, with Claude doing the heavy lifting.
This is an Agent Skill that turns Claude Code into a
hands-on CrowdSec operator. Ask it to stand up an engine, wire a bouncer, enable
the WAF, or figure out why nothing's getting blocked — it knows the cscli
commands, the config layout, the failure modes, and the safe way through each of
them across bare-metal/systemd, Docker, and Kubernetes/Helm.
| Area | Covered |
|---|---|
| Install | bare-metal/systemd · Docker · Kubernetes/Helm · Console enrollment |
| Bouncers | firewall (iptables/nftables/ipset) · nginx · traefik · caddy · apache · and more |
| WAF / AppSec | deploy · configure · troubleshoot the AppSec component |
| Hub | install collections/parsers/scenarios · update · debug |
| Configure | acquisition · profiles & ban durations · notifications · allowlists |
| Operate | health checks & smoke tests · upgrades & rollback · multi-server / remote LAPI / mTLS |
| Debug | logs not parsing · no alerts firing · bouncer not blocking · specific errors |
| Migrate | fail2ban → CrowdSec |
The skill loads automatically once installed — no flags, no setup. Just talk to Claude about CrowdSec.
From the CrowdSec marketplace (available now):
/plugin marketplace add crowdsecurity/crowdsec-skill
/plugin install crowdsec@crowdsecurity
Update later with:
/plugin marketplace update crowdsecurity
From the Anthropic community marketplace (once published):
/plugin install crowdsec@claude-community
On Claude.ai (web): download crowdsec-skill-vX.Y.Z.zip from the
latest release
and upload it in the web skill uploader. (Use that asset — its SKILL.md sits
at the archive root, which the uploader requires.)
Once installed, Claude picks the skill up whenever your prompt involves CrowdSec:
- "Install CrowdSec on this server and set up the nginx bouncer."
- "Deploy CrowdSec in my Kubernetes cluster and enroll it in the Console."
- "Enable the WAF / AppSec on my server."
- "CrowdSec doesn't detect attacks on my nginx server, why?"
- "There's a decision for this IP but it's not being blocked."
- "Migrate my fail2ban jails to CrowdSec."
This is an operational skill. It deploys, configures, and debugs CrowdSec — it does not author detection content. Writing a parser, scenario, or WAF (AppSec) rule is out of scope.
For authoring, head to the CrowdSec Hub and the detection-engineering docs.
crowdsec-skill/
├── .claude-plugin/ # marketplace + plugin manifests
├── crowdsec/
│ ├── SKILL.md # skill entry point (auto-loaded by Claude Code)
│ ├── references/ # ~25 topic-specific reference docs
│ │ ├── install/ # bare-metal · docker · kubernetes · console
│ │ ├── configure/ # acquisition · hub · profiles · notifications · allowlists · bouncers
│ │ ├── appsec/ # WAF overview · deploy · configure · troubleshoot
│ │ ├── operate/ # health-check · upgrades · multi-server
│ │ ├── debug/ # triage · parsing · no-alerts · bouncer-not-blocking · common-errors
│ │ └── migrate/ # from-fail2ban
│ └── scripts/
│ └── diagnose.sh # first-look triage; wraps `cscli support dump`
├── CHANGELOG.md
└── LICENSE
diagnose.sh is the go-to first move for any "it's broken" prompt — it collects
a support dump (auto-detecting systemd / Docker / Kubernetes) and a curated
report Claude can read.
Issues and PRs welcome. Improvements to the reference docs, new environment
coverage, and sharper debug playbooks are especially appreciated. Run
claude plugin validate . before opening a PR.
- CrowdSec: https://www.crowdsec.net
- Documentation: https://docs.crowdsec.net
- Hub: https://hub.crowdsec.net
- Console: https://app.crowdsec.net
MIT — see LICENSE.