CLUSTER_* options in /etc/csf/csf.conf allow the configuration of an LFD cluster environment where a group of servers can share blocks and configuration option changes.
In the configuration there are two comma separated lists of IP addresses:

CLUSTER_SENDTO = ""
CLUSTER_RECVFROM = ""
If you want all members of the LFD cluster to send block notifications to each other then both settings should be the same. You also need to enable CLUSTER_BLOCK (enabled by default) for LFD to automatically send blocks to all
However, you can also set up a cluster such that some members only provide notifications to others and do not accept blocks from others. For example, you may have a cluster of servers that includes one that hosts a support desk that you do not want to block clients from accessing. In such an example you might want to exclude the support desk server from the CLUSTER_SENDTO list, but include it in the
CLUSTER_MASTER is the IP address of the master node in the cluster allowed to send CLUSTER_CONFIG changes to servers listed in the local CLUSTER_SENDTO list. Only cluster members that have CLUSTER_MASTER set to this IP address will accept
There is another option, CLUSTER_NAT, that should be used if the IP address of the server does not appear in ifconfig, for example if it is a NAT configuration. If this is the case, add the IP address of the server that this configuration is on and used in
CLUSTER_LOCALADDR can be set if you do not want to use the server's main IP, i.e. the first one listed via 0.0.0.0.
CLUSTER_PORT must be set to the same port on all servers. The port should NOT be opened in TCP_OUT as CSF will automatically add appropriate inbound and outbound rules to allow communication between cluster members.
CLUSTER_KEY is a secret key used to encrypt cluster communications using the Blowfish algorithm. It should be between 8 and 56 ASCII characters long (longer is better) and must be the same on all members of the cluster.
When blocks are sent around the cluster they maintain their original parameters, e.g. permanent/temporary, direction (in/out), ports, etc. All blocks are traded except for
The cluster uses 10 second timeouts in its communications; if the timeout is reached then that cluster member's notification will be lost.
You must restart CSF and then LFD after making any
csf --help for the list of new CLI commands. Additional options will automatically become available in the UI once CLUSTER_SENDTO has been
Only cluster members listed in CLUSTER_RECVFROM can send out requests to those members listed in
Only the server listed in CLUSTER_MASTER will be accepted as the source of CLUSTER_CONFIG configuration option requests, such as:

--cconfig, --cfile, --crestart
The CLI options --cfile and --cfiler allow you to synchronise csf configuration files throughout a cluster from the
There is currently only provision for permanent simple IP denies and allows from the CLI (i.e. not Allow/Deny Filters).
The cluster PING sends a ping to each CLUSTER_SENDTO member, which will report the request in their respective lfd.log files. This is intended as a test to confirm that cluster communications are functioning.
The options that change configuration options in /etc/csf/csf.conf on cluster members should be used with caution to ensure that member specific options are not overwritten. The intention of the two options is that --cconfig be used if multiple changes are required and the final request be a --cconfigr, which restarts CSF and LFD so that the requested changes take effect immediately.
The clustering option is undoubtedly powerful in allowing servers to preemptively block access attempts as one server is hit before the attack can spread to other members of the cluster. This communication, however, does introduce a security risk. Since communications are made over the network, they are open to interception. Also, there is nothing to stop any local user from accessing the network port and sending data to it, though it will be discarded unless properly encrypted.
There are security measures implemented to help mitigate attacks:

1. CLUSTER_CONFIG set to 0 prevents the processing of configuration option requests.
2. Only the server listed in CLUSTER_MASTER will be accepted as the source of CLUSTER_CONFIG configuration option requests.
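As an added check (example code written for this page, not part of CSF itself), the following Python lints the CLUSTER_* settings of a csf.conf fragment against the rules given above for CLUSTER_KEY, CLUSTER_PORT, CLUSTER_CONFIG and CLUSTER_MASTER. The sample fragment is constructed, uses documentation addresses, and gives the third host the support desk role from the earlier example; the requirement that the master appear in CLUSTER_RECVFROM is an inference from the rule that only CLUSTER_RECVFROM members may send requests.

```python
import re

# Constructed sample csf.conf fragment (documentation addresses). 203.0.113.30 is the
# support-desk host from the text: it receives blocks but is not in CLUSTER_SENDTO.
# CLUSTER_KEY is deliberately too short so that the lint below flags it.
SAMPLE_CONF = """
CLUSTER_SENDTO = "203.0.113.10,203.0.113.20"
CLUSTER_RECVFROM = "203.0.113.10,203.0.113.20,203.0.113.30"
CLUSTER_MASTER = "203.0.113.10"
CLUSTER_CONFIG = "1"
CLUSTER_PORT = "7777"
CLUSTER_KEY = "short"
"""

def parse_conf(text):
    """Parse csf.conf-style KEY = "value" lines into a dict."""
    return {m.group(1): m.group(2)
            for m in re.finditer(r'^\s*([A-Z0-9_]+)\s*=\s*"([^"]*)"', text, re.M)}

def iplist(conf, key):
    """Split a comma separated IP list option into a list of addresses."""
    return [ip.strip() for ip in conf.get(key, "").split(",") if ip.strip()]

def lint_cluster(conf):
    """Return the problems found; an empty list means the fragment is consistent."""
    problems = []
    recvfrom = iplist(conf, "CLUSTER_RECVFROM")
    clustered = bool(iplist(conf, "CLUSTER_SENDTO") or recvfrom)
    key = conf.get("CLUSTER_KEY", "")
    master = conf.get("CLUSTER_MASTER", "")
    if clustered and not key:
        problems.append("CLUSTER_KEY is empty although cluster lists are set")
    elif key and not (8 <= len(key) <= 56 and key.isascii()):
        problems.append("CLUSTER_KEY must be 8-56 ASCII characters")
    if clustered and not conf.get("CLUSTER_PORT", "").isdigit():
        problems.append("CLUSTER_PORT must be a numeric port, identical on all members")
    if conf.get("CLUSTER_CONFIG") == "1":
        if not master:
            problems.append("CLUSTER_CONFIG is enabled but no CLUSTER_MASTER is named")
        elif master not in recvfrom:
            # Assumption: a member only acts on requests from CLUSTER_RECVFROM hosts,
            # so a master missing from that list cannot push configuration changes.
            problems.append("CLUSTER_MASTER is not in CLUSTER_RECVFROM")
    return problems

if __name__ == "__main__":
    for p in lint_cluster(parse_conf(SAMPLE_CONF)):
        print("WARN:", p)
```

Run it against each member's /etc/csf/csf.conf before restarting CSF and LFD; a member whose CLUSTER_CONFIG is 1 without a reachable master is the case worth catching.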
Should the configured secret key (passphrase) be compromised or guessed or a flaw found in the encryption modules or their implementation in CSF, a malicious connection could reconfigure the CSF firewall and then leverage a local or remote root escalation. This should be considered if you decide to use this option.
THERE ARE NO GUARANTEES OR WARRANTIES PROVIDED THAT THIS FACILITY IS SECURE AND ANY DAMAGE ARISING FROM THE EXPLOITATION OF THIS OPTION IS ENTIRELY AT YOUR OWN RISK.