DEV Community

Defensia

fail2ban vs CrowdSec vs Defensia: an honest comparison

I've been running all three on production servers. Not in a lab — on real VPS and bare metal boxes handling actual traffic. Here's what I learned about when each one makes sense, and when it doesn't.

The short version

| | fail2ban | CrowdSec | Defensia |
|---|---|---|---|
| What it does | Bans IPs that match log patterns | Same + shares threat intel with community | Same + real-time dashboard + WAF + bot management |
| Install | apt install fail2ban | Install agent + bouncer + enroll | `curl \` |
| Config | Edit regex jail files | Write YAML scenarios | Zero config (detects everything automatically) |
| Dashboard | None (CLI only) | Console (free limited, paid $29+/engine/mo) | Included (free tier, Pro at $9.90/server) |
| WAF | No | Partial (AppSec component) | Yes (15 OWASP types from access logs) |
| Bot management | No | No | Yes (70+ fingerprints) |
| Docker aware | No | Via acquisitions | Yes (auto-detects containers, reads their logs) |
| Kubernetes | No | Via Helm chart | Via Helm chart (DaemonSet) |
| Crowd intelligence | No | Yes (core feature) | Yes (shared threat DB + external feeds) |
| Price | Free | Free CLI / $29+/engine/mo console | Free (1 server) / $9.90/server/mo Pro |
| Language | Python | Go | Go |
| Age | 2004 (20+ years) | 2020 | 2026 |

Now the details.

fail2ban: the reliable veteran

fail2ban has been around since 2004. It does one thing: watch log files, match patterns, ban IPs via iptables. Twenty years later, it's still the default on most Linux servers.

What's good

It just works. apt install fail2ban and you have SSH protection out of the box. The default config catches failed SSH logins and bans after 5 failures. For many servers, that's enough.

Zero overhead. fail2ban uses almost no CPU or RAM. It's a Python script that tails log files. On a $5 VPS where every megabyte counts, this matters.

Battle-tested. Twenty years of production use. Every edge case has been hit, reported, and fixed. The regex patterns for SSH, Apache, Nginx, Postfix, Dovecot — they all work.

No network dependency. fail2ban works completely offline. No cloud, no API, no account, no telemetry. It reads local logs and writes local iptables rules. Period.

What's not good

Configuration is painful. Want to protect more than SSH? You need to write "jails" — regex patterns that match log lines. Here's what a jail looks like:

```ini
[nginx-botsearch]
enabled  = true
port     = http,https
filter   = nginx-botsearch
logpath  = /var/log/nginx/access.log
maxretry = 2
```

And the filter file:

```ini
[Definition]
failregex = ^<HOST> - .* "(GET|POST|HEAD).*HTTP.*" 404
```

This is fine for one pattern. But if you want to detect SQL injection, XSS, path traversal, RCE, env probing, config probing, scanner tools, and web shells — you're writing dozens of regex files and testing each one.
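The quickest way to find out whether a jail like the one above does what you expect is to run its regex over real lines before enabling it (fail2ban ships `fail2ban-regex` for exactly this). The following is an added example, not fail2ban's code: it expands the `<HOST>` placeholder the way fail2ban does (simplified to `\S+`), runs the filter above over constructed nginx lines, and applies the jail's `maxretry` with fail2ban's default `findtime` of 10 minutes to show which host would actually be banned.

```python
import re
from datetime import datetime

# Jail settings from the nginx-botsearch jail above (findtime = fail2ban's default 10 min).
MAXRETRY = 2
FINDTIME = 600  # seconds

# The failregex from the filter file above. fail2ban swaps <HOST> for a named
# group before compiling; \S+ is a simplification of its real host pattern.
FAILREGEX = r'^<HOST> - .* "(GET|POST|HEAD).*HTTP.*" 404'
HOST_GROUP = r"(?P<host>\S+)"
TIME_RE = re.compile(r"\[(\d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2}) [+-]\d{4}\]")

def compile_failregex(pattern):
    """Expand fail2ban's <HOST> placeholder and compile the result."""
    return re.compile(pattern.replace("<HOST>", HOST_GROUP))

def parse_time(line):
    """Pull $time_local out of an nginx combined-format line."""
    m = TIME_RE.search(line)
    if m is None:
        raise ValueError("no nginx timestamp in line: %r" % line)
    return datetime.strptime(m.group(1), "%d/%b/%Y:%H:%M:%S")

def banned_hosts(lines, pattern=FAILREGEX, maxretry=MAXRETRY, findtime=FINDTIME):
    """Hosts with maxretry matches inside one findtime window: what the jail bans."""
    rx = compile_failregex(pattern)
    recent = {}   # host -> match timestamps still inside the window
    banned = set()
    for line in lines:
        m = rx.search(line)
        if m is None:
            continue  # not a failure line for this filter
        host, ts = m.group("host"), parse_time(line)
        window = [t for t in recent.get(host, []) if (ts - t).total_seconds() <= findtime]
        window.append(ts)
        recent[host] = window
        if len(window) >= maxretry:
            banned.add(host)
    return banned

# Constructed nginx access-log lines (not real traffic): a scanner probing two
# missing paths seconds apart, and a browser with two 404s half an hour apart.
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Mar/2026:10:00:01 +0000] "GET /wp-login.php HTTP/1.1" 404 153 "-" "curl/8.0"',
    '203.0.113.7 - - [01/Mar/2026:10:00:03 +0000] "GET /.env HTTP/1.1" 404 153 "-" "curl/8.0"',
    '198.51.100.9 - - [01/Mar/2026:10:01:00 +0000] "GET /index.html HTTP/1.1" 200 612 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [01/Mar/2026:10:02:00 +0000] "GET /favicon.ico HTTP/1.1" 404 153 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [01/Mar/2026:10:30:00 +0000] "GET /robots.txt HTTP/1.1" 404 153 "-" "Mozilla/5.0"',
]
```

With the jail's settings only the scanner is banned; widen `findtime` to an hour and the ordinary browser's two stray 404s get it banned as well, which is the tuning problem every extra jail brings with it.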

No visibility. fail2ban has no dashboard, no web UI, no charts, no timeline. Want to know how many attacks you got today? fail2ban-client status sshd gives you a count. That's it. Want to see trends over time, or which countries are attacking you, or which attack types are most common? You can't. Not without piping logs through ELK or Grafana yourself.

No WAF. fail2ban reads logs and matches patterns. It doesn't understand HTTP semantics, OWASP attack types, or bot fingerprints. It's a log parser with ban capabilities, not a security tool.

Single-server scope. A ban on Server A doesn't protect Server B. Each server is an island.

When to use fail2ban

  • You have 1-2 servers and only need SSH protection
  • You want zero network dependency
  • You're comfortable writing and maintaining regex jails
  • You don't need visibility into what's happening

CrowdSec: the community approach

CrowdSec launched in 2020 as a "modern fail2ban" with one key innovation: crowd intelligence. When your server detects an attacker, it shares the IP with the CrowdSec network. In return, you get a blocklist of IPs flagged by other users worldwide.

What's good

Crowd intelligence is powerful. This is CrowdSec's killer feature. If an IP attacks a server in Germany, your server in Singapore gets the warning before the attack reaches you. With enough participants, this creates a global early-warning network.

Better detection model. Instead of fail2ban's flat regex, CrowdSec uses YAML "scenarios" that can express behavior over time: "5 failed logins in 2 minutes" rather than just "line matches pattern." This reduces false positives.

Bouncer architecture. CrowdSec separates detection (the agent) from remediation (bouncers). You can detect on one server and enforce on another — useful for multi-server setups.

Active development. Go-based, well-maintained, growing community. The team ships regularly and the docs are solid.

What's not good

Complex setup. Install the agent, install a bouncer (separate binary), configure parsers, enroll in the console, configure scenarios. The docs are good, but the surface area is large. Here's a taste:

```bash
# Install agent
curl -s https://install.crowdsec.net | bash

# Install firewall bouncer
apt install crowdsec-firewall-bouncer-iptables

# Enroll in console
cscli console enroll <your-key>

# Install a collection for nginx
cscli collections install crowdsecurity/nginx

# Acquire the log file (a heredoc, because a plain echo would write the \n escapes literally)
cat > /etc/crowdsec/acquis.d/nginx.yaml <<'EOF'
source: file
filenames:
  - /var/log/nginx/access.log
labels:
  type: nginx
EOF

# Restart
systemctl restart crowdsec
```

Compare to fail2ban's apt install fail2ban or Defensia's single curl command. CrowdSec requires understanding agents, bouncers, parsers, scenarios, collections, and the console.

The console is expensive. The CLI is free. But the dashboard (CrowdSec Console) starts at $29/engine/month for the SaaS tier. Enterprise features like local synchronization start at $18,000/month. For a developer with 3 servers, that's $87/month just for the dashboard — compared to $0 for fail2ban or $29.70 for Defensia Pro.

AppSec (WAF) is an add-on. CrowdSec's WAF component exists but it's a separate module, not integrated into the core detection flow. It requires additional configuration and only covers specific scenarios.

Privacy trade-off. Crowd intelligence requires sharing your server's attack data with CrowdSec's cloud. The data is anonymized, but some organizations can't or won't share security telemetry with a third party.

When to use CrowdSec

  • You manage 10+ servers and want proactive threat intel
  • You're comfortable with complex multi-component setup
  • Crowd blocklists are worth more to you than a dashboard
  • You don't mind sharing attack data with a third party
  • Budget allows $29+/engine/month for the console

Defensia: the dashboard-first approach

Full disclosure: I built Defensia. So take this section with that context. I'll try to be as honest about the limitations as I was with the other two.

What's good

Zero configuration. Install with one command and the agent auto-detects everything: SSH auth logs, Nginx/Apache access logs, Docker containers, vhosts, log paths. No jails to write, no scenarios to configure, no parsers to install.

```bash
curl -fsSL https://defensia.cloud/install.sh | sudo bash -s -- --token <YOUR_TOKEN>
```

Real-time dashboard included. Every event, ban, and metric shows up in a web dashboard immediately. Filter by server, attack type, country, IP. See trends over time. Export to CSV. No Grafana setup, no ELK stack. This is the #1 thing fail2ban and CrowdSec (free tier) don't give you.

Built-in WAF. The agent parses access logs and detects 15 OWASP attack types — SQL injection, XSS, SSRF, RCE, path traversal, env probing, config probing, web shells, scanner tools, and more. Each detection adds to a per-IP score that decays over time. High-score IPs get banned automatically.
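The time-aware detection described under CrowdSec ("5 failed logins in 2 minutes" rather than a flat line match) and the decaying per-IP score described here are both leaky buckets: events fill the bucket, elapsed time drains it, and a ban fires when it overflows. The following is an added example, not code from CrowdSec or Defensia; `capacity` and `leakspeed` are assumed parameter names borrowed from CrowdSec's vocabulary, and the values and event streams are constructed.

```python
from dataclasses import dataclass

# Assumed scenario parameters, borrowing CrowdSec's vocabulary: the bucket
# holds `capacity` events and leaks one every `leakspeed` seconds, so a full
# bucket drains in 5 * 24 s = 2 minutes. A decaying per-IP score with a ban
# threshold behaves the same way.
CAPACITY = 5
LEAKSPEED = 24.0

@dataclass
class LeakyBucket:
    capacity: int
    leakspeed: float
    level: float = 0.0   # events currently in the bucket (fractional after leaking)
    last: float = 0.0    # timestamp of the previous event

    def add(self, ts):
        """Pour one event in at time ts; return True if the bucket overflows."""
        # Drain whatever leaked out since the last event, never below empty.
        self.level = max(0.0, self.level - (ts - self.last) / self.leakspeed)
        self.last = ts
        self.level += 1
        if self.level > self.capacity:
            self.level = 0.0  # start afresh after an overflow
            return True
        return False

def overflowing_ips(events, capacity=CAPACITY, leakspeed=LEAKSPEED):
    """events: (timestamp_seconds, source_ip, failed) tuples in time order.
    Returns {ip: first_overflow_timestamp} for IPs whose bucket overflowed."""
    buckets, tripped = {}, {}
    for ts, ip, failed in events:
        if not failed:
            continue  # successful logins do not fill the bucket
        bucket = buckets.setdefault(ip, LeakyBucket(capacity, leakspeed))
        if bucket.add(ts) and ip not in tripped:
            tripped[ip] = ts
    return tripped

# Constructed SSH auth events (not real traffic): (seconds, ip, failed).
BURST = [(t, "203.0.113.7", True) for t in range(0, 12, 2)]       # 6 failures in 10 s
TRICKLE = [(t, "198.51.100.9", True) for t in range(0, 600, 60)]  # 10 failures, one a minute
```

A flat "5 failures in 10 minutes" counter would ban the trickling host too (10 failures inside 540 s); the bucket never fills for it because it leaks faster than that host fails, which is the false-positive reduction the CrowdSec section refers to.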

Bot management. 70+ bot fingerprints with per-server policies: allow, log, or block. Blocked bots are rejected at the web server level (nginx/Apache config), so your app never sees the request.

Docker and Kubernetes native. Auto-detects Docker containers, reads their logs via bind mounts, and reports container inventory to the dashboard. Helm chart for K8s DaemonSet deployment.

What's not good

Smaller crowd network. Defensia shares threat data across all organizations through a shared threat intelligence database. When an IP is flagged by one customer, it gets a threat score — and IPs scoring above 70 are pushed to all agents via the sync feed, alongside external threat feeds (Spamhaus DROP, Feodo Tracker, CINS Army). Bans also propagate across all servers within the same organization. However, CrowdSec's crowd network is significantly larger (millions of users contributing), so their blocklist coverage is broader today.

Requires a cloud account. The agent connects to defensia.cloud for the dashboard and management. fail2ban works fully offline; Defensia doesn't. If you can't send data to a third-party cloud, Defensia isn't for you.

Younger project. fail2ban has 20 years of battle-testing. CrowdSec has 6 years and a funded team. Defensia launched in 2026. The agent is open source (MIT) and has been running on production servers for months, but the track record is shorter.

Smaller community. fail2ban has millions of installs. CrowdSec has a growing community with shared scenarios and collections. Defensia is a project with a growing user base but no community-contributed detection rules yet.

When to use Defensia

  • You want visibility into what's attacking your servers without setting up monitoring infrastructure
  • You need WAF protection from access logs without configuring rules
  • You manage Docker hosts and want container-aware security
  • You want something that works out of the box with zero configuration
  • Budget: free for 1 server, $9.90/server for Pro

The real comparison: what matters to you?

"I just need SSH protection and nothing else"

Use fail2ban. It's free, it works, it's been doing this for 20 years. Don't overthink it.

"I manage 10+ servers and want proactive threat intel"

CrowdSec or Defensia. Both share threat data across users. CrowdSec has a much larger crowd network today. Defensia combines crowd intel with a dashboard, WAF, and external feeds (Spamhaus, Feodo, CINS) in one package.

"I want to see what's happening on my servers in real time"

Use Defensia. Neither fail2ban nor CrowdSec (free tier) gives you a dashboard. Defensia's entire value proposition is making server security visible without infrastructure overhead.

"I need WAF + SSH + bots in one tool"

Use Defensia. fail2ban doesn't do WAF. CrowdSec's WAF is a separate module. Defensia detects 15 OWASP attack types, manages 70+ bot fingerprints, and handles SSH brute force — all from one agent.

"I can't send data to any cloud"

Use fail2ban. It's the only one that works fully offline with zero network dependency.

Can I run more than one?

Yes. fail2ban + CrowdSec is a common combination (fail2ban for local bans, CrowdSec for crowd intelligence). Defensia + CrowdSec could also work (Defensia for dashboard + WAF, CrowdSec for crowd blocklists). There's no conflict as long as you don't have both trying to manage the same iptables chains.

Bottom line

There's no single "best" tool. fail2ban is the reliable baseline. CrowdSec has the largest crowd network. Defensia combines crowd intel, WAF, bot management, and a dashboard in one package.

Pick based on what you actually need, not what has the most features on paper.

Links:

If you want to see real attack data before choosing a tool, I wrote about analyzing 250,000 attacks on production servers.