CrowdSec ships with free, community-maintained blocklists that can block roughly 15,000 known malicious IPs from ever reaching your services. If you upgrade to the paid premium tier, that number can jump past 100,000 IPs, depending on which premium blocklists you enable.

But here’s the thing: Nowadays, plenty of high-quality threat intel data is already available at no cost. Think about AbuseIPDB, Spamhaus, Shodan, and others. So, why isn’t there a native, free way to pull in that external threat intel and feed it into CrowdSec as malicious IP data?

Guess what. There is. And in this post, we will set it up.

It's called crowdsec-blocklist-import and provides the following enhancements:


CrowdSec FreeCrowdSec PremiumCrowdSec Free + New Tool
Community Intel (CAPI)~15k IPs25k-100k+ IPs*~15k IPs
Premium Blocklists 120k+ IPs
Tor Exit Nodes
Scanner Blocking
All Your Bouncers
Monthly Cost$0$29+$0
*Premium IPs vary based on enabled blocklists and scenarios; lists refresh every 5 minutes.
GitHub - wolffcatskyy/crowdsec-blocklist-import: 10-20x more blocks for your CrowdSec bouncers — 120k+ IPs from 36 free threat feeds
10-20x more blocks for your CrowdSec bouncers — 120k+ IPs from 36 free threat feeds - wolffcatskyy/crowdsec-blocklist-import

Setting up Crowdsec-Blocklist-Import

First of all, you need to add a new machine account to your currently running CrowdSec instance to enable communication with CrowdSec's LAPI endpoints.

To do so, run the following command against your containerized CrowdSec instance:

docker exec -it crowdsec cscli machines add blocklist-importer -f crowdsec-blocklist-import --password secretpass 
🚨
Please choose a strong secret passphrase and reflect it below!

Then, add the following service to your existing CrowdSec compose file and reflect your chosen secret in the envs:

  crowdsec-blocklist-import:
    image: ghcr.io/wolffcatskyy/crowdsec-blocklist-import:3.3.2
    container_name: crowdsec-blocklist-import
    restart: "no"
    expose:
      - 9102 # optional prometheus metrics http endpoint
    depends_on:
      - crowdsec
    environment:
      - CROWDSEC_LAPI_URL=http://crowdsec:8080
      - CROWDSEC_MACHINE_ID=blocklist-importer
      - CROWDSEC_MACHINE_PASSWORD=secretpass
      - MODE=lapi
      - DECISION_DURATION=24h
      - TZ=Europe/Berlin
      - TELEMETRY_ENABLED=false
      - METRICS_ENABLED=false
💡
You can also keep this new service separate from your existing CrowdSec compose file. If so, just make sure that the containers live in the same docker network. Our new tool must be able to access TCP/8080 of the CrowdSec container (LAPI).

May be done via port mapping or other means, if you run CrowdSec on baremetal.

Finally, start the service for the first time:

docker compose up -f /path/to/crowdsec/compose -d crowdsec-blocklist-import

First, the container will verify the connection to the CrowdSec LAPI endpoint. Then, it will proceed downloading threat intel data from various sources. Finally, the collected IP addresses are imported into CrowdSec as decisions.

The container will display the following stdout:

crowdsec-blocklist-import  | [2026-02-03 15:10:48] [INFO] Auto-detected LAPI mode (http://crowdsec:8080)
crowdsec-blocklist-import  | [2026-02-03 15:10:48] [INFO] Fetching blocklist sources (28 built-in)...
crowdsec-blocklist-import  | [2026-02-03 15:10:53] [INFO] Sources: 24 successful, 4 unavailable, 0 disabled
crowdsec-blocklist-import  | [2026-02-03 15:10:53] [INFO] --- Source Statistics ---
crowdsec-blocklist-import  | [2026-02-03 15:10:53] [INFO] Source                         IPs
crowdsec-blocklist-import  | [2026-02-03 15:10:54] [INFO] ------------------------------ --------
crowdsec-blocklist-import  | [2026-02-03 15:10:54] [INFO] IPsum                          18971
crowdsec-blocklist-import  | [2026-02-03 15:10:54] [INFO] Spamhaus DROP                  1476
crowdsec-blocklist-import  | [2026-02-03 15:10:54] [INFO] Spamhaus EDROP                 0
crowdsec-blocklist-import  | [2026-02-03 15:10:54] [INFO] Blocklist.de all               26992
crowdsec-blocklist-import  | [2026-02-03 15:10:54] [INFO] Blocklist.de SSH               6565
crowdsec-blocklist-import  | [2026-02-03 15:10:54] [INFO] Blocklist.de Apache            10136
crowdsec-blocklist-import  | [2026-02-03 15:10:54] [INFO] Blocklist.de mail              14444
crowdsec-blocklist-import  | [2026-02-03 15:10:54] [INFO] Firehol level1                 4494
crowdsec-blocklist-import  | [2026-02-03 15:10:54] [INFO] Firehol level2                 19284
crowdsec-blocklist-import  | [2026-02-03 15:10:54] [INFO] Feodo Tracker                  5
crowdsec-blocklist-import  | [2026-02-03 15:10:54] [INFO] SSL Blacklist                  0
crowdsec-blocklist-import  | [2026-02-03 15:10:54] [INFO] URLhaus                        9854
crowdsec-blocklist-import  | [2026-02-03 15:10:54] [INFO] Emerging Threats               546
crowdsec-blocklist-import  | [2026-02-03 15:10:54] [INFO] Binary Defense                 1271
crowdsec-blocklist-import  | [2026-02-03 15:10:54] [INFO] Bruteforce Blocker             546
crowdsec-blocklist-import  | [2026-02-03 15:10:54] [INFO] DShield                        20
crowdsec-blocklist-import  | [2026-02-03 15:10:54] [INFO] CI Army                        15000
crowdsec-blocklist-import  | [2026-02-03 15:10:54] [INFO] Darklist                       1
crowdsec-blocklist-import  | [2026-02-03 15:10:54] [INFO] Talos                          113
crowdsec-blocklist-import  | [2026-02-03 15:10:54] [INFO] Charles Haley                  0
crowdsec-blocklist-import  | [2026-02-03 15:10:54] [INFO] Botvrij                        4
crowdsec-blocklist-import  | [2026-02-03 15:10:54] [INFO] myip.ms                        0
crowdsec-blocklist-import  | [2026-02-03 15:10:54] [INFO] GreenSnow                      4317
crowdsec-blocklist-import  | [2026-02-03 15:10:54] [INFO] StopForumSpam                  53
crowdsec-blocklist-import  | [2026-02-03 15:10:54] [INFO] Tor exit nodes                 1337
crowdsec-blocklist-import  | [2026-02-03 15:10:54] [INFO] Tor (dan.me.uk)                2364
crowdsec-blocklist-import  | [2026-02-03 15:10:54] [INFO] Shodan scanners                43
crowdsec-blocklist-import  | [2026-02-03 15:10:54] [INFO] Censys                         4
crowdsec-blocklist-import  | [2026-02-03 15:10:54] [INFO] ------------------------------ --------
crowdsec-blocklist-import  | [2026-02-03 15:10:54] [INFO] TOTAL (before dedup)           137840
crowdsec-blocklist-import  | [2026-02-03 15:10:54] [INFO] ------------------------
crowdsec-blocklist-import  | [2026-02-03 15:10:54] [INFO] Combining and deduplicating...
crowdsec-blocklist-import  | [2026-02-03 15:10:56] [INFO] Checking existing CrowdSec decisions via LAPI...
crowdsec-blocklist-import  | [2026-02-03 15:10:56] [INFO] Importing 56140 new IPs via LAPI...
crowdsec-blocklist-import  | [2026-02-03 15:11:05] [INFO] Import complete: 56140 IPs added (total coverage: 56140 IPs)

Now, your CrowdSec instance runs in an enhanced mode and blocks +56K additional IP addresses.

Setting up Regular Updates

The crowdsec-blocklist-import container is meant to be run once in a while to fetch the latest threat intel data and update your block lists.

As default, newly added decisions endure for 24h. If you have not adjusted this value via the environment variable DECISION_DURATION, it makes sense to run the container once a day.

For example, via a cronjob:

0 0 * * * docker compose -f /path/to/crowdsec/compose/docker-compose.yml up --abort-on-container-exit crowdsec-blocklist-import
💡
This will run the crowdsec-blocklist-import container every midnight.

Excluding Threat Intel Data

In case you are not interested in specific threat intel data, you may exclude them from being imported into your CrowdSec instance.

This can be done via the environment variable ENABLE_<SOURCE>. The default value is set to true for each currently available threat intel source. So just disable those you do not want by defining false.

Here an example:

  crowdsec-blocklist-import:
    image: ghcr.io/wolffcatskyy/crowdsec-blocklist-import:2.1.0
    container_name: crowdsec-blocklist-import
    restart: "no"
    depends_on:
      - crowdsec
    environment:
      - CROWDSEC_LAPI_URL=http://crowdsec:8080
      - CROWDSEC_MACHINE_ID=blocklist-importer
      - CROWDSEC_MACHINE_PASSWORD=secretpass
      - MODE=lapi
      - DECISION_DURATION=24h
      - TZ=Europe/Berlin
      - TELEMETRY_ENABLED=false
      # disable specific threat intel sources
      - ENABLE_VXVAULT=false
      - ENABLE_TOR_EXIT_NODES=false

Validating Results

After enhancing CrowdSec, you can verify the newly added decisions via:

# Count imported decisions
docker exec crowdsec cscli decisions list | grep external_blocklist | wc -l

# List recent decisions
docker exec crowdsec cscli decisions list -l 20

# Remove all imported decisions (if needed)
docker exec crowdsec cscli decisions delete --all --reason external_blocklist
🚨
If you use an nftables crowdsec bouncer on your server, please be aware that it uses the forward chain to apply IP bans. So in case it's a gateway server like a reverse proxy, crowdsec bouncer basically prevents your server to connect to banned IPs as well.

This may brick connections, that typically should work. For example a Gitea container trying to reach out to GitHub IP ranges.

See https://github.com/wolffcatskyy/crowdsec-blocklist-import/issues/38

Cheers!

LRVT
Hey!If you enjoy my online content, please feel free to buy me a coffee or slice of pizza. Many thanks!
Sponsoring
I firmly believe in the importance of open access to knowledge and resources. That’s why all my blog content and online resources are freely available to everyone, fostering a space for learning and knowledge sharing without barriers. While this blog is not restricted by a paywall, I sincerely appreciate

May check out my other blog posts regarding CrowdSec:

Configuring CrowdSec with Traefik
Utilizing CrowdSec and its Cyber Threat Intelligence (CTI) to ban malicious threat actors probing our exposed HTTP services in a collaborative manner.
Grafana Dashboard for CrowdSec Cyber Threat Intelligence Insights
Building a Dockerized Grafana Dashboard for CrowdSec Cyber Threat Intelligence (TI) Insights using VictoriaMetrics