
How to Block Malicious IPs in Wiredoor Using CrowdSec Firewall Bouncer

Daniel Mesa

If you’re using Wiredoor to expose private services securely, you might already have enabled CrowdSec inside your Docker setup to detect suspicious activity (like failed login attempts or abuse).

But detection is just the first step.

To actively block attackers, you can install the CrowdSec Firewall Bouncer on your host machine. This lets decisions made by CrowdSec (inside Docker) be applied directly at your system's firewall level, automatically banning bad IPs.

For a deeper look into Docker + CrowdSec integration, check out this official CrowdSec blog post.

What You’ll Get

By the end of this guide, your Wiredoor setup will:

  • Detect malicious behavior using CrowdSec (already included in the docker-setup)
  • Apply real-time bans at the host firewall level
  • Be protected automatically without manual IP blocking
  • Optionally monitor your CrowdSec using Grafana and Prometheus (already included in the docker-setup)

Configuration Steps

Follow these steps to connect the CrowdSec container with a firewall bouncer running on your host system.

Clone or Update the Wiredoor Docker Setup

First, download the official Wiredoor Docker setup, which includes pre-configured services like Wiredoor, CrowdSec, Grafana, and Prometheus:

git clone https://github.com/wiredoor/docker-setup wiredoor
cd wiredoor
cp .env.example .env

Edit the .env file to configure variables such as exposed ports, domain names, VPN_IP, or Wiredoor/Grafana credentials.

Start Wiredoor and CrowdSec Services

The provided docker-compose.yml includes:

  • Wiredoor for secure service exposure
  • CrowdSec for intrusion detection
  • Grafana and Prometheus for monitoring (optional)

Start the essential services:

docker compose up -d wiredoor crowdsec grafana prometheus
💡 You can remove or comment out services you don’t need directly in docker-compose.yml.

Grafana credentials (e.g., admin/admin) can be changed in the .env file.

Check CrowdSec Is Running

Verify that CrowdSec is collecting logs and working as expected:

docker compose exec crowdsec cscli metrics

You should see a summary of decisions, alerts, and active bouncers (we’ll set one up next).

At this point, CrowdSec is fully configured and actively monitoring logs from Wiredoor and NGINX inside Docker. It can detect malicious behaviors like port scans, brute-force attacks, or abuse from suspicious IPs.

But detection alone isn’t enough! We want to block those IPs automatically.

To do that, we’ll install and configure the CrowdSec Firewall Bouncer on your host machine. This bouncer connects to the CrowdSec API (exposed from the Docker container at 127.0.0.1:8080) and applies ban decisions directly at the system firewall level using iptables, nftables, or firewalld.

Install the CrowdSec Firewall Bouncer on the Host

Install the firewall bouncer directly on your host (not inside Docker):

# Add the official CrowdSec repository to access the latest packages
curl -s https://install.crowdsec.net | sudo sh
# Install the iptables bouncer
sudo apt install crowdsec-firewall-bouncer-iptables
💡 If you use a different firewall backend like nftables or firewalld, install the matching bouncer package instead. Refer to the official docs for options.

Generate an API Key from Inside the CrowdSec Container

The firewall bouncer requires an API key to communicate with CrowdSec.

Generate it from the crowdsec container:

docker compose exec crowdsec cscli bouncers add firewall-bouncer

The output will look like this:

API key for 'firewall-bouncer':

***********************************
xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
***********************************

You’ll use this key to authenticate the firewall bouncer with the CrowdSec API.

Configure the Bouncer on the Host

Edit the bouncer configuration file on your host:

sudo nano /etc/crowdsec/bouncers/cs-firewall-bouncer.yaml

Replace its contents with:

mode: iptables
api_url: http://127.0.0.1:8080
api_key: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
iptables_chains:
  - INPUT
  - DOCKER-USER

This tells the bouncer to connect to the CrowdSec API running inside Docker, exposed to the host on port 8080.

Make sure port 8080 is indeed exposed in your docker-compose.yml file:

crowdsec:
  ports:
    - "127.0.0.1:8080:8080"

Start and Enable the Bouncer Service

Start the service and enable it at boot:

sudo systemctl enable --now crowdsec-firewall-bouncer

Confirm that it’s running:

sudo systemctl status crowdsec-firewall-bouncer

Check that IPs are being blocked

Once CrowdSec detects suspicious traffic, the firewall bouncer will start blocking IPs.

You can see the active decisions from within the container:

docker compose exec crowdsec cscli decisions list

You can check whether the decisions have actually been applied on the host by inspecting the ipset lists the bouncer maintains:

# See the lists
sudo ipset -L | grep crowdsec
# Show blocked IPs from the default blacklist
sudo ipset -L crowdsec-blacklists-1
# You can also check the iptables rules
sudo iptables -L -n
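The two manual steps above (editing cs-firewall-bouncer.yaml, then eyeballing ipset output) are easy to get subtly wrong: a forgotten placeholder key, an api_url that does not match where port 8080 is actually published, or a missing DOCKER-USER chain (Docker-published ports are routed through FORWARD and DOCKER-USER, so a rule in INPUT alone never sees them). The script below is an added example written for this post; it is not part of the Wiredoor docker-setup or of CrowdSec, and it only wraps commands the post already uses. It assumes the config path /etc/crowdsec/bouncers/cs-firewall-bouncer.yaml, that you run it from the docker-setup checkout, and that the bouncer's ipset is named crowdsec-blacklists-1 as shown above. The end-to-end check adds a two-minute decision for a documentation-only address (192.0.2.10, TEST-NET-1), waits for the bouncer's poll interval, confirms the address landed in the ipset, and removes the decision again.

```shell
#!/bin/sh
# Added verification helper for the post's setup (not part of the Wiredoor
# docker-setup or of CrowdSec). Assumptions: the bouncer config path below,
# the docker-setup checkout as the current directory, and the ipset name
# crowdsec-blacklists-1 shown in the post.

BOUNCER_CONF="${BOUNCER_CONF:-/etc/crowdsec/bouncers/cs-firewall-bouncer.yaml}"
TEST_IP="192.0.2.10"              # TEST-NET-1 documentation address, never routed
IPSET_NAME="crowdsec-blacklists-1"

# Reads "key: value" from a flat YAML file and trims surrounding whitespace.
yaml_value() {
    sed -n "s/^$2:[[:space:]]*//p" "$1" | tr -d '[:space:]'
}

# Returns 0 when the bouncer config is sane: a supported mode, an api_url on
# loopback (the LAPI port is published on 127.0.0.1 only), an api_key that is
# not the xxxxxxxx placeholder from the post, and the DOCKER-USER chain, which
# is where Docker-published ports are filtered (they never traverse INPUT).
validate_bouncer_config() {
    conf="$1"
    status=0
    [ -r "$conf" ] || { echo "cannot read $conf" >&2; return 1; }

    case "$(yaml_value "$conf" mode)" in
        iptables|nftables) ;;
        *) echo "mode should be iptables or nftables" >&2; status=1 ;;
    esac

    case "$(yaml_value "$conf" api_url)" in
        http://127.0.0.1:*|http://localhost:*) ;;
        *) echo "api_url should point at the loopback-published LAPI" >&2; status=1 ;;
    esac

    key=$(yaml_value "$conf" api_key)
    case "$key" in
        ""|xxxxxxxx*) echo "api_key is empty or still the placeholder" >&2; status=1 ;;
    esac

    grep -q '^[[:space:]]*-[[:space:]]*DOCKER-USER[[:space:]]*$' "$conf" \
        || { echo "iptables_chains lacks DOCKER-USER" >&2; status=1; }

    return $status
}

# Confirms the LAPI is reachable on loopback and not on every interface
# (needs iproute2's ss; run on the host, not in the container).
check_lapi_binding() {
    ss -ltn | grep -q '127\.0\.0\.1:8080 ' \
        || { echo "nothing listening on 127.0.0.1:8080" >&2; return 1; }
    if ss -ltn | grep -qE '(0\.0\.0\.0|\*|\[::\]):8080 '; then
        echo "port 8080 is published on all interfaces; bind it to 127.0.0.1" >&2
        return 1
    fi
}

# End-to-end check: add a short manual decision for the documentation IP, wait
# past the bouncer's poll interval (10s by default), and confirm the IP landed
# in the ipset. The decision is removed afterwards either way.
end_to_end_ban_test() {
    docker compose exec crowdsec cscli decisions add --ip "$TEST_IP" \
        --duration 2m --reason "firewall bouncer smoke test" >/dev/null
    sleep 15
    if sudo ipset test "$IPSET_NAME" "$TEST_IP" 2>/dev/null; then
        result=0; echo "ban reached the host firewall: $TEST_IP is in $IPSET_NAME"
    else
        result=1; echo "ban did NOT reach the host firewall" >&2
    fi
    docker compose exec crowdsec cscli decisions delete --ip "$TEST_IP" >/dev/null
    return $result
}

main() {
    validate_bouncer_config "$BOUNCER_CONF" || exit 1
    check_lapi_binding || exit 1
    end_to_end_ban_test
}

# Run the live checks only when asked, so the functions can be sourced or
# tested without touching docker, ss or ipset.
if [ "${1:-}" = "run" ]; then
    main
fi
```

Run it from the docker-setup directory as `sh check-bouncer.sh run`. The config validation is deliberately strict about the loopback api_url: if you ever change the compose port mapping to `8080:8080`, the LAPI (and its bouncer API key) becomes reachable from every interface, which is exactly what the `127.0.0.1:` prefix in the post's docker-compose.yml prevents.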

With this setup:

  • Wiredoor exposes services securely over WireGuard and NGINX.
  • CrowdSec monitors traffic, detects malicious IPs, and logs suspicious behavior.
  • The host firewall bouncer reacts automatically and blocks those IPs at the system level.

Bonus: Visualize CrowdSec metrics with Grafana

Your setup includes Prometheus and Grafana, so you can also monitor CrowdSec activity visually using the official dashboards from the crowdsecurity repository.

You can expose Grafana through Wiredoor:

  1. Log in to your Wiredoor Dashboard.
  2. Go to Nodes and view the details of the Wiredoor_Local node.
  3. Add an HTTP Service.
  4. Expose your Grafana container using the service name from the docker-compose.yml in your docker-setup.

[Image: Exposing Grafana container through Wiredoor_Local Node]

  5. Visit your public domain to access Grafana and start visualizing CrowdSec metrics!

Wrapping Up

You’re now actively blocking malicious IPs at the firewall level, using a modern and open-source stack.

Wiredoor combined with CrowdSec gives you:

  • Secure remote access to internal services via WireGuard and NGINX.
  • Automated intrusion detection and response using log analysis.
  • Real-time visualization of security events with Prometheus and Grafana.
  • Scalable protection without relying on third-party cloud vendors.

If you found this guide helpful or have questions, feel free to open a GitHub issue or start a discussion in the community.

Stay safe, and happy hosting!