Component inclusion: crowdsec-blocklist-import (threat intelligence feed aggregator)

[wolffcatskyy]

Hello,

I would like to request inclusion of crowdsec-blocklist-import on the CrowdSec Hub.

Repository Info

• Source repository: https://github.com/wolffcatskyy/crowdsec-blocklist-import
• License: MIT
• Current status: Stable (active community, 200+ GitHub stars, regular contributions from multiple developers)
• Language: Python (Docker image available)
• Latest release: v3.6.0

What It Does

crowdsec-blocklist-import aggregates 21+ public threat intelligence blocklists and imports them as CrowdSec decisions via the Local API. This supplements CAPI community blocklists with additional threat feeds, typically adding 120,000+ unique malicious IPs to your CrowdSec instance from sources like:

• Spamhaus DROP/EDROP
• Emerging Threats compromised IPs
• Blocklist.de (SSH, mail, Apache, FTP abuse)
• CINS Army
• Tor exit nodes
• Dshield top attackers
• And 15+ additional feeds

It acts as a decision feeder — importing external threat intelligence into CrowdSec so that all connected remediation components (bouncers) automatically benefit from the additional coverage.

Category Note

This doesn't fit the traditional "remediation component" category since it feeds decisions into CrowdSec rather than acting on them. It's more of an enrichment/integration tool. I'm happy to have the CrowdSec team categorize it appropriately, or if the Hub doesn't have a suitable category, I understand.

Documentation

• README: https://github.com/wolffcatskyy/crowdsec-blocklist-import/blob/main/README.md
• Docker Hub: Pre-built images available
• GHCR: ghcr.io/wolffcatskyy/crowdsec-blocklist-import
• Covers installation (Docker, standalone), configuration, all supported blocklists, and troubleshooting

Tests

• Unit tests and integration tests
• CI pipeline with flake8 linting and pytest: https://github.com/wolffcatskyy/crowdsec-blocklist-import/blob/main/.github/workflows/ci.yml

Features

• 21+ built-in threat feeds with individual enable/disable controls
• Custom blocklist support — add any URL-based IP blocklist
• Dry-run mode — preview what would be imported without making changes
• Deduplication — avoids duplicate decisions across overlapping feeds
• Allowlist support — exclude specific IPs/ranges from import
• Prometheus metrics — track import counts, errors, and feed health
• Webhook notifications — Slack, Discord, or custom webhook alerts on import runs
• Daemon mode — runs continuously with configurable refresh intervals
• Docker deployment — single container alongside CrowdSec
• Grafana dashboard — community-contributed dashboard for monitoring imports
• api_key_file support — secure credential management for container environments

Short Description

Import 21+ public threat intelligence blocklists into CrowdSec as decisions, adding 120k+ malicious IPs from Spamhaus, Emerging Threats, Blocklist.de, and more

Social Preview Image

Set on the repository.

Releases

Yes — v3.6.0 (latest), with 15+ prior releases and active development.

[wolffcatskyy]

Friendly ping — this has been getting good community traction (active contributors, NixOS packaging in progress). Let me know if there's anything needed for inclusion.

---

🤖 This response was generated by Claude AI assisting the maintainer.