Controls
Plesk CrowdSec extension features for hosters.
The extension works like a CrowdSec plugin for Plesk operators, scoped around the tasks a hosting team repeats: connect LAPI, choose where decisions apply, review events, and keep exceptions narrow.
- 8
- operator controls
- 3
- captcha providers
- 1-click
- Plesk install
policy surface
Every feature maps to an operator decision.
- LAPI
- connected
- AppSec
- active
- Overrides
- expiring
Signal
CrowdSec LAPI
Community decisions plus local scenarios.
Enforcement
ban / captcha / throttle
Action is visible before it reaches support.
Override
domain + source + reason
False positives stay narrow and auditable.
01
Connect LAPI
Validate endpoint, key, and decision sync before enforcement.
02
Choose scope
Apply server defaults, then keep customer exceptions domain-specific.
03
Review evidence
Read source, ASN, target, scenario, decision, expiry, and note.
04
Expire exceptions
Use time-bound allow rules instead of permanent server bypasses.
Metrics
Operate the engine, not the daemon.
Read what CrowdSec sees right now: decisions live, scenarios firing, blocklists in sync.
No SSH, no journalctl, the operator surface is the panel itself.
Bastion Security · Metrics Source: cscli metrics · cached 60s
- Decisions 24h
- 1 818
- Bouncers
- 4 / 4
- LAPI req/min
- 142
- Hub items
- 37
active bans
all healthy
p95 38 ms
installed
Top scenarios (24h)
5 of 11 · 711 hits total
Hub
CrowdSec Hub in your panel.
Browse, install, and version scenarios, parsers, and collections without touching the host.
Updates stay audit-friendly: who added what, when, and against which engine.
Bastion Security · Hub 37 / 312 installed · last sync 4 min ago
Catalog · Collections
48 itemsTargets
Who is targeted, not just who attacks.
Pivot decisions by hostname, subscription, or owner, the side of the request that pays.
Tells support which customer is impacted before the ticket reaches them.
Bastion Security · Targets Source: cscli alerts + maillog · last 24h · cached 5 min
Most attacked domains (24h)
12 hosts · 1 065 events
CTI
Local intel on every flagged IP.
Source ASN, country, scenarios triggered, and community reputation surface inline with the decision.
Evidence stays next to the action, so allow-listing is a judgement call, not a guess.
Bastion Security · CTI Lookup
203.0.113.42
IN · BHARTI AIRTEL · AS135629
Activity
- CrowdSec alerts
- 14
- CrowdSec events
- 287
- Mail log hits
- 42
- First seen
- 2026-05-12 14:08
- Last seen
- 2026-05-20 09:41
- Active decisions
- 2 (ban, captcha)
Targeted domains
- wp.example.com
- mail.example.com
- admin.example.com
Scenarios (3)
- crowdsecurity/http-bf-wordpress_bf_xmlrpc
- crowdsecurity/postfix-spam
- crowdsecurity/http-probing
Feature set
Small surface area, specific security jobs.
- CrowdSec decisions in Plesk
- Read LAPI decisions in the extension and apply blocks without asking every technician to SSH into the node.
- AppSec L7 enforcement
- Apply AppSec scenarios for scanner paths, exploit probes, and noisy HTTP clients before they tie up web workers.
- CTI lookup with ASN + geo
- Inspect any flagged IP with reputation, ASN, country and behaviour signals pulled from CrowdSec Threat Intelligence.
- Live attack map
- Real-time globe of inbound arcs sourced from local events, useful to watch a scan unfold and to brief stakeholders.
- CrowdSec Hub manager
- Install, remove and update collections, parsers, scenarios and AppSec rules directly from Plesk, no shell required.
- Captcha branding and providers
- Choose between hCaptcha, reCAPTCHA or Cloudflare Turnstile, then preview a custom logo and palette before deployment.
- Per-domain allow lists
- Resolve false positives with narrow exceptions: source, domain, and reason stay together in the panel.
- Auto-recompile on nginx upgrade
- APT hooks recompile the auth_request module against the new nginx ABI and roll back automatically if the build fails.