I want to create a CSF cluster so that every IP blockade on each server will become an IP blockade on all servers. I heave read the documentation on this and I've seen the configuration examples for the CLUSTER_SENDTO and CLUSTER_RECVFROM settings. What I don't understand is how unmanageable things become if you have allot of servers and want to add a new one. Do you really need to change the configuration on all servers and add the new IP to the sendto and recvfrom settings? Can this be done in an easier way?
Adding servers to CSF cluster
- Thread starter Freddy
- Start date
I thought so, but I read that the master server does not forward new blockades if another node sends them to avoid loops. So you would need to manually enter all IP's on the master server because that is the only way to send them to other nodes. Is this true?
Richard G
Verified User
Yes. You can also use a file for it.
So if you use a master, you don't need to change the receive_from on all servers, because that will only require the master ip.
And in the master, you can change both the textfiles on server changes and restart csf/lfd and you're done. So not a lot of work, only the first time setup.
same for the receive from ofcourse.
So if you use a master, you don't need to change the receive_from on all servers, because that will only require the master ip.
And in the master, you can change both the textfiles on server changes and restart csf/lfd and you're done. So not a lot of work, only the first time setup.
But will the master forward all blocks that it receives from the other nodes? If I have 5 nodes from which node 1 is the master, and node 5 sends a new IP block to the master, will the master automatically forward it to nodes 2,3 and 4?
zEitEr
Super Moderator
No, it won't.
CLUSTER_MASTER in terms of CSF/LFD is a server which is allowed to send configs changes only, see:The option CLUSTER_MASTER is the IP address of the master node in the cluster
allowed to send CLUSTER_CONFIG changes to servers listed in the local
CLUSTER_SENDTO list. Only cluster members that have CLUSTER_MASTER set to this
IP address will accept CLUSTER_CONFIG changes.
Thus you will need to list all nodes' IPs in
CLUSTER_SENDTO and CLUSTER_RECVFROM. But you can use CLUSTER_MASTER to publish updated config file across slaves.Directadmin supports CSF/LFD natively, but if you want to use CLUSTER mode in CSF/LFD you might use this set of scripts: https://github.com/poralix/directadmin-bfm-csf the version 0.1.7 introduced a support of Cluster mode of CSF/LFD.
Thanks. This was the answer I was looking for. Since you seem to know more about it I have one more question. I can use a file to provide an IP list to CLUSTER_SENDTO, but what if that file contains the IP of the node itself? Does it hurt? In other words: Can I use one global file with all IP's for all nodes or do I need to create an IP list per node? My goal is to push the file to all servers and never change the csf.conf itself, only restarting csf to allow the new list to be read.
zEitEr
Super Moderator
The IP will be blocked in the firewall on that server too. Let's say you have two nodes:
A: 1.2.3.4
B: 4.3.2.1
The both IPs should be listed either in
CLUSTER_SENDTO/CLUSTER_RECVFROM or in /etc/csf/cluster_recvfrom.txt /etc/csf/cluster_sendto.txtThis way an offending IP will be blocked on the both cluster members.
If the server A: 1.2.3.4 finds an attacking IP 2.2.2.2 and triggers a cluster block:
Code:
csf --cdeny 2.2.2.2The IP will be blocked on servers only listed in
CLUSTER_SENDTO,And if the local IP is not specified, the attacking IP won't be block locally, but only on other members.
I hope I'm clear)
From readme:
In the configuration there are two comma separated lists of IP addresses:
CLUSTER_SENDTO = ""
CLUSTER_RECVFROM = ""
Note: Do not use spaces in these lists
If you want all members of the lfd cluster to send block notifications to each
other then both settings should be them same. You also need to enable
CLUSTER_BLOCK (enabled by default) for lfd to automatically send blocks to all
members in CLUSTER_SENDTO.
However, you can also set up a cluster such that some members only provide
notifications to others and do not accept blocks from others. For example, you
may have a cluster of servers that includes one that hosts a support desk that
you do not want to block clients from accessing. In such an example you might
want to exclude the support desk server from the CLUSTER_SENDTO list, but
include it in the CLUSTER_RECVFROM list.
Yes you can. And you would rather do it
I was in the assumption that temporary IP bans which are added through the web-interface of CSF are automatically synced across all nodes, but this doesn't seem to be working. I need to specifically call the csf -ctd to add the IP to all nodes. Is this really the only way?