Add CrowdSec Blocklist Import to Monitoring #701

Open
wolffcatskyy wants to merge 1 commit into awesome-foss:master from wolffcatskyy:add-crowdsec-blocklist-import

@wolffcatskyy

  • Your additions are Free software
  • Software you are submitting is not your own, unless you have a healthy ecosystem with a few contributors (which aren't your sock puppet accounts).
  • Submit one item per pull request. This eases reviewing and speeds up inclusion.
  • Format your submission as follows, where Demo and Clients are optional.
    Do not add a duplicate Source code link if it is the same as the main link.
    Keep the short description under 80 characters and use sentence case
    for it, even if the project's webpage or readme uses another capitalisation.
    Demo links should only be used for interactive demos, i.e. not video demonstrations.
    - [Name](http://homepage/) - Short description, under 250 characters, sentence case. ([Demo](http://url.to/demo), [Source Code](http://url.of/source/code), [Clients](https://url.to/list/of/related/clients-or-apps)) `License` `Language`
  • Additions are inserted preserving alphabetical order.
  • Additions are not already listed at awesome-selfhosted
  • The Language tag is the main server-side requirement for the software. Don't include frameworks or specific dialects.
  • You have searched the repository for any relevant issues or PRs, including closed ones.
  • Any category you are creating has the minimum requirement of 3 items.
  • Any software project you are adding to the list is actively maintained.
  • The pull request title is informative, unlike "Update README.md".
    Suggested titles: "Add aaa to bbb" for adding software aaa to section bbb,
    "Remove aaa from bbb" for removing, "Fix license for aaa", etc.

  • Why is it awesome?

CrowdSec Blocklist Import aggregates 36+ free threat intelligence feeds (AbuseIPDB, Spamhaus, Blocklist.de, Tor exit nodes, etc.) into CrowdSec, adding 120k+ IP decisions beyond CrowdSec's built-in community blocklist. It runs as a lightweight Docker container with configurable update intervals, supports custom blocklist URLs, and integrates directly with CrowdSec's Local API. For anyone running CrowdSec, it significantly increases threat coverage at zero cost.

  • Have you used it? For how long?

Yes, I have been using it since January 2025 (over a year). It runs 24/7 on my homelab as a Docker container alongside CrowdSec.

  • Is this in a personal or professional setup?

Personal homelab, but it protects production services exposed to the internet (reverse proxy, media servers, web applications).

  • How many devices/users/services/... do you manage with it?

It feeds threat intelligence to CrowdSec which protects 15+ Docker containers behind a Caddy reverse proxy, a UniFi firewall, and several web-facing services across a multi-host network.

  • Biggest pros/cons compared to other solutions?

Pros: Dead simple setup (single Docker container, one env file), aggregates many free feeds that would otherwise require individual integration, updates automatically, supports custom blocklist URLs for organization-specific feeds. Cons: Requires an existing CrowdSec installation (it's a companion tool, not standalone), and large blocklists can briefly spike CPU during import cycles.

  • Any other comments about your use case, things you've found excellent, limitations you've encountered... ?

The project has an active community (180+ GitHub stars, external contributors submitting PRs for features like API key file support, Grafana dashboards, and additional blocklist sources). The maintainer is responsive and ships regular releases. It fills a real gap in CrowdSec's ecosystem by making threat feed aggregation turnkey.

@wolffcatskyy
Author

Friendly ping — let me know if anything needs changing. Thanks!

Collaborator

@Technetium1 Technetium1 left a comment

This needs to mature, give it a couple of months at least wolffcatskyy/crowdsec-blocklist-import@54bb19d
