CrowdSec ships with free, community-maintained blocklists that can block roughly 15,000 known malicious IPs from ever reaching your services. If you upgrade to the paid premium tier, that number can jump past 100,000 IPs, depending on which premium blocklists you enable.
But here’s the thing: Nowadays, plenty of high-quality threat intel data is already available at no cost. Think about AbuseIPDB, Spamhaus, Shodan, and others. So, why isn’t there a native, free way to pull in that external threat intel and feed it into CrowdSec as malicious IP data?
Guess what. There is. And in this post, we will set it up.
It's called crowdsec-blocklist-import and provides the following enhancements:
| CrowdSec Free | CrowdSec Premium | CrowdSec Free + New Tool | |
|---|---|---|---|
| Community Intel (CAPI) | ~15k IPs | 25k-100k+ IPs* | ~15k IPs |
| Premium Blocklists | ❌ | ✅ | ✅ 120k+ IPs |
| Tor Exit Nodes | ❌ | ✅ | ✅ |
| Scanner Blocking | ❌ | ✅ | ✅ |
| All Your Bouncers | ✅ | ✅ | ✅ |
| Monthly Cost | $0 | $29+ | $0 |
Setting up Crowdsec-Blocklist-Import
First of all, you need to add a new machine account to your currently running CrowdSec instance to enable communication with CrowdSec's LAPI endpoints.
To do so, run the following command against your containerized CrowdSec instance:
docker exec -it crowdsec cscli machines add blocklist-importer -f crowdsec-blocklist-import --password secretpass Then, add the following service to your existing CrowdSec compose file and reflect your chosen secret in the envs:
crowdsec-blocklist-import:
image: ghcr.io/wolffcatskyy/crowdsec-blocklist-import:3.3.2
container_name: crowdsec-blocklist-import
restart: "no"
expose:
- 9102 # optional prometheus metrics http endpoint
depends_on:
- crowdsec
environment:
- CROWDSEC_LAPI_URL=http://crowdsec:8080
- CROWDSEC_MACHINE_ID=blocklist-importer
- CROWDSEC_MACHINE_PASSWORD=secretpass
- MODE=lapi
- DECISION_DURATION=24h
- TZ=Europe/Berlin
- TELEMETRY_ENABLED=false
- METRICS_ENABLED=falseMay be done via port mapping or other means, if you run CrowdSec on baremetal.
Finally, start the service for the first time:
docker compose up -f /path/to/crowdsec/compose -d crowdsec-blocklist-importFirst, the container will verify the connection to the CrowdSec LAPI endpoint. Then, it will proceed downloading threat intel data from various sources. Finally, the collected IP addresses are imported into CrowdSec as decisions.
The container will display the following stdout:
crowdsec-blocklist-import | [2026-02-03 15:10:48] [INFO] Auto-detected LAPI mode (http://crowdsec:8080)
crowdsec-blocklist-import | [2026-02-03 15:10:48] [INFO] Fetching blocklist sources (28 built-in)...
crowdsec-blocklist-import | [2026-02-03 15:10:53] [INFO] Sources: 24 successful, 4 unavailable, 0 disabled
crowdsec-blocklist-import | [2026-02-03 15:10:53] [INFO] --- Source Statistics ---
crowdsec-blocklist-import | [2026-02-03 15:10:53] [INFO] Source IPs
crowdsec-blocklist-import | [2026-02-03 15:10:54] [INFO] ------------------------------ --------
crowdsec-blocklist-import | [2026-02-03 15:10:54] [INFO] IPsum 18971
crowdsec-blocklist-import | [2026-02-03 15:10:54] [INFO] Spamhaus DROP 1476
crowdsec-blocklist-import | [2026-02-03 15:10:54] [INFO] Spamhaus EDROP 0
crowdsec-blocklist-import | [2026-02-03 15:10:54] [INFO] Blocklist.de all 26992
crowdsec-blocklist-import | [2026-02-03 15:10:54] [INFO] Blocklist.de SSH 6565
crowdsec-blocklist-import | [2026-02-03 15:10:54] [INFO] Blocklist.de Apache 10136
crowdsec-blocklist-import | [2026-02-03 15:10:54] [INFO] Blocklist.de mail 14444
crowdsec-blocklist-import | [2026-02-03 15:10:54] [INFO] Firehol level1 4494
crowdsec-blocklist-import | [2026-02-03 15:10:54] [INFO] Firehol level2 19284
crowdsec-blocklist-import | [2026-02-03 15:10:54] [INFO] Feodo Tracker 5
crowdsec-blocklist-import | [2026-02-03 15:10:54] [INFO] SSL Blacklist 0
crowdsec-blocklist-import | [2026-02-03 15:10:54] [INFO] URLhaus 9854
crowdsec-blocklist-import | [2026-02-03 15:10:54] [INFO] Emerging Threats 546
crowdsec-blocklist-import | [2026-02-03 15:10:54] [INFO] Binary Defense 1271
crowdsec-blocklist-import | [2026-02-03 15:10:54] [INFO] Bruteforce Blocker 546
crowdsec-blocklist-import | [2026-02-03 15:10:54] [INFO] DShield 20
crowdsec-blocklist-import | [2026-02-03 15:10:54] [INFO] CI Army 15000
crowdsec-blocklist-import | [2026-02-03 15:10:54] [INFO] Darklist 1
crowdsec-blocklist-import | [2026-02-03 15:10:54] [INFO] Talos 113
crowdsec-blocklist-import | [2026-02-03 15:10:54] [INFO] Charles Haley 0
crowdsec-blocklist-import | [2026-02-03 15:10:54] [INFO] Botvrij 4
crowdsec-blocklist-import | [2026-02-03 15:10:54] [INFO] myip.ms 0
crowdsec-blocklist-import | [2026-02-03 15:10:54] [INFO] GreenSnow 4317
crowdsec-blocklist-import | [2026-02-03 15:10:54] [INFO] StopForumSpam 53
crowdsec-blocklist-import | [2026-02-03 15:10:54] [INFO] Tor exit nodes 1337
crowdsec-blocklist-import | [2026-02-03 15:10:54] [INFO] Tor (dan.me.uk) 2364
crowdsec-blocklist-import | [2026-02-03 15:10:54] [INFO] Shodan scanners 43
crowdsec-blocklist-import | [2026-02-03 15:10:54] [INFO] Censys 4
crowdsec-blocklist-import | [2026-02-03 15:10:54] [INFO] ------------------------------ --------
crowdsec-blocklist-import | [2026-02-03 15:10:54] [INFO] TOTAL (before dedup) 137840
crowdsec-blocklist-import | [2026-02-03 15:10:54] [INFO] ------------------------
crowdsec-blocklist-import | [2026-02-03 15:10:54] [INFO] Combining and deduplicating...
crowdsec-blocklist-import | [2026-02-03 15:10:56] [INFO] Checking existing CrowdSec decisions via LAPI...
crowdsec-blocklist-import | [2026-02-03 15:10:56] [INFO] Importing 56140 new IPs via LAPI...
crowdsec-blocklist-import | [2026-02-03 15:11:05] [INFO] Import complete: 56140 IPs added (total coverage: 56140 IPs)Now, your CrowdSec instance runs in an enhanced mode and blocks +56K additional IP addresses.
Setting up Regular Updates
The crowdsec-blocklist-import container is meant to be run once in a while to fetch the latest threat intel data and update your block lists.
As default, newly added decisions endure for 24h. If you have not adjusted this value via the environment variable DECISION_DURATION, it makes sense to run the container once a day.
For example, via a cronjob:
0 0 * * * docker compose -f /path/to/crowdsec/compose/docker-compose.yml up --abort-on-container-exit crowdsec-blocklist-importcrowdsec-blocklist-import container every midnight.Excluding Threat Intel Data
In case you are not interested in specific threat intel data, you may exclude them from being imported into your CrowdSec instance.
This can be done via the environment variable ENABLE_<SOURCE>. The default value is set to true for each currently available threat intel source. So just disable those you do not want by defining false.
Here an example:
crowdsec-blocklist-import:
image: ghcr.io/wolffcatskyy/crowdsec-blocklist-import:2.1.0
container_name: crowdsec-blocklist-import
restart: "no"
depends_on:
- crowdsec
environment:
- CROWDSEC_LAPI_URL=http://crowdsec:8080
- CROWDSEC_MACHINE_ID=blocklist-importer
- CROWDSEC_MACHINE_PASSWORD=secretpass
- MODE=lapi
- DECISION_DURATION=24h
- TZ=Europe/Berlin
- TELEMETRY_ENABLED=false
# disable specific threat intel sources
- ENABLE_VXVAULT=false
- ENABLE_TOR_EXIT_NODES=falseValidating Results
After enhancing CrowdSec, you can verify the newly added decisions via:
# Count imported decisions
docker exec crowdsec cscli decisions list | grep external_blocklist | wc -l
# List recent decisions
docker exec crowdsec cscli decisions list -l 20
# Remove all imported decisions (if needed)
docker exec crowdsec cscli decisions delete --all --reason external_blocklistforward chain to apply IP bans. So in case it's a gateway server like a reverse proxy, crowdsec bouncer basically prevents your server to connect to banned IPs as well.This may brick connections, that typically should work. For example a Gitea container trying to reach out to GitHub IP ranges.
See https://github.com/wolffcatskyy/crowdsec-blocklist-import/issues/38
Cheers!

May check out my other blog posts regarding CrowdSec:




Discussion