The CrowdSec Hub is the open-source catalog of detection logic. Bastion ships a UI for it inside the Plesk panel, but the underlying machinery is cscli.
Hub layout
| Type | Purpose | Example |
|---|---|---|
| collections | Bundles of parsers + scenarios | crowdsecurity/nginx |
| parsers | Turn raw logs into structured events | crowdsecurity/nginx-logs |
| scenarios | Bucket rules that emit decisions | crowdsecurity/http-bf-wordpress_bf |
| postoverflows | Whitelist / mutate decisions | crowdsecurity/cdn-whitelist |
| appsec-configs | WAF engine entrypoints | crowdsecurity/virtual-patching |
| appsec-rules | Individual WAF rules and CVE patches | crowdsecurity/vpatch-CVE-2024-3400 |
Browse from the panel
Extension → Hub lists every item with installed/available status. Filter by type and search by name. Each row exposes a one-click Install that calls hub-install.sh:
```bash
# Behind the UI:
sudo cscli collections install crowdsecurity/nginx
sudo systemctl reload crowdsec
```
Removal goes through hub-remove.sh. Updates of the index (cscli hub update) run daily via the crowdsec-hubupdate.timer systemd unit, with an on-demand Update now button in the Settings panel.
CVE virtual-patches
AppSec rules tagged vpatch-* block exploitation attempts at L7 without waiting for a vendor patch. Active rules visible in the Hub include WordPress upload abuse, Symfony Profiler exposure, .git/config leak, Plesk panel brute-force, and 50+ CVE patches refreshed daily.
Recommended starter set
For a generic Plesk host, install:
- crowdsecurity/nginx, base parsing + brute-force detection.
- crowdsecurity/base-http-scenarios, generic HTTP misbehavior.
- crowdsecurity/virtual-patching, CVE shield for popular apps.
- crowdsecurity/cdn-whitelist, postoverflow for Cloudflare/Akamai IPs.
Install each one from the Hub tab in two clicks.
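The same starter set as a command-line dry run, tied to the one-click Install path described under "Browse from the panel": an added example, not Bastion's hub-install.sh, showing how a wrapper that runs cscli with sudo can allowlist the item type and name before building the command. The function names are hypothetical; the item types follow the Hub layout table, and crowdsecurity/base-http-scenarios is treated as a collection.

```shell
#!/bin/sh
# Added example: NOT Bastion's hub-install.sh. Function names are hypothetical.

# Accept only the six Hub item types listed in the Hub layout table.
valid_type() {
  case "$1" in
    collections|parsers|scenarios|postoverflows|appsec-configs|appsec-rules) return 0 ;;
    *) return 1 ;;
  esac
}

# Accept only "author/item" built from a conservative character allowlist.
valid_name() {
  case "$1" in
    *[!A-Za-z0-9_./-]*) return 1 ;;  # whitespace, quotes, ';', '$', newlines, ...
    */*/*)              return 1 ;;  # more than one slash
    [-.]*|*/[-.]*)      return 1 ;;  # leading '-' (option smuggling) or '.' (../)
    ?*/?*)              return 0 ;;  # non-empty author and item
    *)                  return 1 ;;
  esac
}

# Print the cscli command for one item, or fail without printing a command.
hub_cmd() {
  valid_type "$1" || { echo "rejected type: $1" >&2; return 1; }
  valid_name "$2" || { echo "rejected name: $2" >&2; return 1; }
  printf 'cscli %s install %s\n' "$1" "$2"
}

# Starter set from this page as type:name pairs.
# base-http-scenarios is assumed to be a collection (the page does not state its type).
starter_plan() {
  while IFS=: read -r type name; do
    hub_cmd "$type" "$name" || return 1
  done <<'EOF'
collections:crowdsecurity/nginx
collections:crowdsecurity/base-http-scenarios
appsec-configs:crowdsecurity/virtual-patching
postoverflows:crowdsecurity/cdn-whitelist
EOF
  echo 'systemctl reload crowdsec'   # a single reload after all installs
}

starter_plan   # dry run: only prints the commands, nothing is installed
```

Review the printed plan, then run each line with sudo to apply it.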