Adding servers to CSF cluster

Freddy

I want to create a CSF cluster so that every IP blockade on each server will become an IP blockade on all servers. I have read the documentation on this and I've seen the configuration examples for the CLUSTER_SENDTO and CLUSTER_RECVFROM settings. What I don't understand is how unmanageable things become if you have a lot of servers and want to add a new one. Do you really need to change the configuration on all servers and add the new IP to the sendto and recvfrom settings? Can this be done in an easier way?
 
You can use one separate server so all servers will send to it and receive from it.
I thought so, but I read that the master server does not forward new blockades if another node sends them, to avoid loops. So you would need to manually enter all IPs on the master server because that is the only way to send them to other nodes. Is this true?
 
Yes. You can also use a file for it.
Alternatively, it can be set to the full path of a file that will read in one IP per line, e.g.: "/etc/csf/cluster_sendto.txt"
Same for the receive from, of course.

So if you use a master, you don't need to change the receive_from on all servers, because that will only require the master ip.
And in the master, you can change both the text files on server changes and restart csf/lfd and you're done. So not a lot of work, only the first time setup.
 
But will the master forward all blocks that it receives from the other nodes? If I have 5 nodes from which node 1 is the master, and node 5 sends a new IP block to the master, will the master automatically forward it to nodes 2,3 and 4?
 
But will the master forward all blocks that it receives from the other nodes?

No, it won't. CLUSTER_MASTER in terms of CSF/LFD is a server which is allowed to send config changes only, see:

The option CLUSTER_MASTER is the IP address of the master node in the cluster
allowed to send CLUSTER_CONFIG changes to servers listed in the local
CLUSTER_SENDTO list. Only cluster members that have CLUSTER_MASTER set to this
IP address will accept CLUSTER_CONFIG changes.


Thus you will need to list all nodes' IPs in CLUSTER_SENDTO and CLUSTER_RECVFROM. But you can use CLUSTER_MASTER to publish updated config file across slaves.

Directadmin supports CSF/LFD natively, but if you want to use CLUSTER mode in CSF/LFD you might use this set of scripts: https://github.com/poralix/directadmin-bfm-csf . Version 0.1.7 introduced support for the Cluster mode of CSF/LFD.
 
Thanks. This was the answer I was looking for. Since you seem to know more about it I have one more question. I can use a file to provide an IP list to CLUSTER_SENDTO, but what if that file contains the IP of the node itself? Does it hurt? In other words: Can I use one global file with all IPs for all nodes or do I need to create an IP list per node? My goal is to push the file to all servers and never change the csf.conf itself, only restarting csf to allow the new list to be read.
 
but what if that file contains the IP of the node itself?

The IP will be blocked in the firewall on that server too. Let's say you have two nodes:

A: 1.2.3.4
B: 4.3.2.1

Both IPs should be listed either in CLUSTER_SENDTO/CLUSTER_RECVFROM or in /etc/csf/cluster_recvfrom.txt and /etc/csf/cluster_sendto.txt.

This way an offending IP will be blocked on both cluster members.

If the server A: 1.2.3.4 finds an attacking IP 2.2.2.2 and triggers a cluster block:

Code:
csf --cdeny 2.2.2.2

The IP will be blocked only on the servers listed in CLUSTER_SENDTO,

and if the local IP is not specified, the attacking IP won't be blocked locally, but only on other members.

I hope I'm clear)

From readme:

In the configuration there are two comma separated lists of IP addresses:

CLUSTER_SENDTO = ""
CLUSTER_RECVFROM = ""

Note: Do not use spaces in these lists

If you want all members of the lfd cluster to send block notifications to each
other then both settings should be the same. You also need to enable
CLUSTER_BLOCK (enabled by default) for lfd to automatically send blocks to all
members in CLUSTER_SENDTO.

However, you can also set up a cluster such that some members only provide
notifications to others and do not accept blocks from others. For example, you
may have a cluster of servers that includes one that hosts a support desk that
you do not want to block clients from accessing. In such an example you might
want to exclude the support desk server from the CLUSTER_SENDTO list, but
include it in the CLUSTER_RECVFROM list.

Can I use one global file with all IPs for all nodes?

Yes you can. And you would rather do it.
 
I was under the assumption that temporary IP bans which are added through the web interface of CSF are automatically synced across all nodes, but this doesn't seem to be working. I need to specifically call csf -ctd to add the IP to all nodes. Is this really the only way?
 
will the master automatically forward it to nodes 2,3 and 4?
Yes. But I was talking about master in terms of "the main server to which all reports are sent and which reports to all others", since you wanted to use a server as master server for the reports and used the term master yourself.
Of course not the cluster_master, because that is only about configs, as @zEitEr correctly wrote and as is mentioned in the config also.
Just to have this clear for anybody reading this.

Can I use one global file with all IPs for all nodes or do I need to create an IP list per node?
That depends on what you want to do. If you want to use 1 "master" which receives from all nodes and sends to all nodes, then at this "master" you need the IPs for -all- nodes, both in the CLUSTER_RECVFROM and CLUSTER_SENDTO files.

All other servers only need to have 1 IP address in each file: the IP address of the "master" you want to use in the CLUSTER_RECVFROM file, and the same master's IP address to send reports to in the CLUSTER_SENDTO file.
Again... not the cluster_master setting, of course.

I need to specifically call csf -ctd to add the IP to all nodes. Is this really the only way?
It can be done via the console, or automatically on brute forcing by using a script in the custom scripts directory.
I don't know if something like that can also be done via some post script when using the plugin, maybe @zEitEr knows.
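Added example (not from this thread, the CSF project or DirectAdmin) of the "master" layout described in the post above: one POSIX sh function that writes a node's cluster_sendto.txt and cluster_recvfrom.txt from a single global node list, so the only per-node difference is the node's own IP. The file paths, the node-list format and the sample addresses are assumptions; csf.conf on every node is assumed to point CLUSTER_SENDTO and CLUSTER_RECVFROM at the two generated files.

```shell
#!/bin/sh
# Builds the per-node cluster list files for the "master" layout above:
#   master node -> every node from the global list (itself included, so
#                  cluster commands issued on the master also apply locally)
#   other node  -> only the master
# Assumes csf.conf on every node has (assumed paths):
#   CLUSTER_SENDTO   = "/etc/csf/cluster_sendto.txt"
#   CLUSTER_RECVFROM = "/etc/csf/cluster_recvfrom.txt"
# The global list is one IPv4 per line; '#' starts a comment.

# gen_cluster_lists MASTER_IP LOCAL_IP NODES_FILE OUTDIR
gen_cluster_lists() {
    master="$1" local_ip="$2" nodes="$3" outdir="$4"
    if [ "$local_ip" = "$master" ]; then
        # strip comments and whitespace, drop empty lines, dedupe
        members=$(sed 's/#.*//; s/[[:space:]]//g' "$nodes" | grep -v '^$' | sort -u)
    else
        members="$master"
    fi
    # Refuse anything that is not a dotted quad: a hostname or a typo would
    # leave lfd talking to nobody, or to the wrong host, without a clear error.
    for m in $members; do
        printf '%s' "$m" | grep -Eq '^[0-9]{1,3}(\.[0-9]{1,3}){3}$' || {
            echo "gen_cluster_lists: bad entry '$m' in $nodes" >&2
            return 1
        }
    done
    mkdir -p "$outdir"
    for f in cluster_sendto.txt cluster_recvfrom.txt; do
        printf '%s\n' $members > "$outdir/$f"   # unquoted on purpose: one entry per line
        chmod 600 "$outdir/$f"                   # lfd runs as root; nobody else needs to read it
    done
}

# Typical use on a node, LOCAL_IP being that node's own address, e.g.
#   gen_cluster_lists 10.0.0.1 10.0.0.3 /etc/csf/cluster_nodes.txt /etc/csf && csf -ra
# csf -ra restarts csf and lfd so the new lists are read.
if [ $# -eq 4 ]; then
    gen_cluster_lists "$@"
fi
```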
 
I need to specifically call csf -ctd to add the IP to all nodes. Is this really the only way?

You might use scripts/custom/all_pre.sh under directadmin. The CSF plugin defines the following variables:

Bash:
ip=21.21.21.21
action=qallow
command=/CMD_PLUGINS_ADMIN/csf/index.raw

  • ip= - IP address used in the action from CSF interface/plugin in DA
  • action= - action from CSF interface/plugin in DA, where qallow - quick allow, qdeny - quick deny, etc.
  • command=/CMD_PLUGINS_ADMIN/csf/index.raw - the core identifier what we deal with CSF plugin

You can use the mentioned hook in DirectAdmin with any programming language: bash, perl, PHP, etc., and trigger a custom action with the CLUSTER flags of CSF.

The all_pre.sh script is at risk of being deprecated, but while it's still in the game, you are welcome to use it.

If you don't have programming skills, you might ask somebody here to help you. I'm available for this job under commercial terms.
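Added example of the all_pre.sh idea from the post above, written here as an illustration; it is not the DirectAdmin CSF plugin's own code. It assumes DirectAdmin exports the request fields the post names (ip=, action=, command=) as environment variables, maps the plugin's quick deny/allow to the matching cluster-wide csf command, and treats the form field as untrusted input; the csf path is an assumption.

```shell
#!/bin/sh
# Hypothetical /usr/local/directadmin/scripts/custom/all_pre.sh fragment.
# Assumes DirectAdmin exports ip=, action= and command= (as in the post above).
CSF_BIN="${CSF_BIN:-/usr/sbin/csf}"              # assumed location of csf
CSF_PLUGIN_CMD="/CMD_PLUGINS_ADMIN/csf/index.raw"

# Log to syslog when logger is available; never fail the hook because of logging.
log_hook() { type logger >/dev/null 2>&1 && logger -t csf-cluster-hook "$*" || :; }

# cluster_cmd_for ACTION IP: print the csf arguments that make the plugin's
# quick action cluster-wide, or return 1 when there is no such mapping.
cluster_cmd_for() {
    act="$1" addr="$2"
    # Only a plain dotted quad is ever handed to csf: the field comes from a web form.
    printf '%s' "$addr" | grep -Eq '^[0-9]{1,3}(\.[0-9]{1,3}){3}$' || return 1
    case "$act" in
        qdeny)  echo "-cd $addr" ;;   # csf -cd: deny on every CLUSTER_SENDTO member
        qallow) echo "-ca $addr" ;;   # csf -ca: allow on every CLUSTER_SENDTO member
        *)      return 1 ;;           # any other plugin action is left alone
    esac
}

handle_hook() {
    # Ignore every DirectAdmin request that is not a CSF plugin action.
    [ "${command:-}" = "$CSF_PLUGIN_CMD" ] || return 0
    args=$(cluster_cmd_for "${action:-}" "${ip:-}") || return 0
    log_hook "action=$action ip=$ip -> csf $args"
    # $args is unquoted on purpose: it is the two tokens built above.
    "$CSF_BIN" $args >/dev/null 2>&1 || log_hook "csf $args failed"
    return 0
}

handle_hook
# The script ends with status 0 on purpose: a non-zero exit from all_pre.sh
# makes DirectAdmin abort the original request.
```

The plugin still applies its own local csf -d/-a; the extra -cd/-ca only pushes the same change to the cluster members, so the local duplicate is harmless.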
 