CrowdSec

CrowdSec analyzes your server logs, detects attack patterns, and shares threat intelligence with the community. Basically fail2ban on steroids with a global blocklist that everyone contributes to. MIT license, Go. It reads your logs (Nginx, SSH, WordPress, anything), detects attack patterns using community-written scenarios, and takes action: blocking IPs via your firewall, Cloudflare, AWS Security Groups, or a dozen other bouncers. The crowd-sourced threat intelligence means an IP that attacks someone else gets flagged before it hits you.

Free tier: the Security Engine (detection + local decisions) is fully free. The community blocklist (crowd-sourced IP reputation) is free. Self-host everything. Paid: CrowdSec Console premium starts around $20/mo per server for advanced dashboards, custom blocklists, and priority threat feeds. Enterprise pricing is custom.

Solo: install the free tier on your VPS, block 90% of automated attacks for $0. Small teams (2-10): free tier covers most needs. Pay $20/server/month when you want centralized dashboards across multiple servers. Large teams: enterprise plan for fleet management and custom threat feeds.

The catch: CrowdSec depends on accurate log parsing. If your app logs in a non-standard format, you'll write custom parsers. And the community blocklist, while useful, can produce false positives. A shared hosting IP getting flagged because of one bad tenant affects everyone on that IP.