CSF Cluster - Master-Slave setup

1 post Page 1 of 1
sl0m0
Junior Member
Posts: 8
Joined: 06 Nov 2018, 10:30


I have set up the following which someone may find useful:

2 x CSF Master in HA with 1 virtual IP - the master config has ALL slave server IP addresses and cluster key
100 CSF slave servers with ONLY the master IP in the cluster settings + cluster key
A Master script which runs as a daemon and monitors the LFD log to rebroadcast only APPROVED commands to all slaves.

The advantage is that you can control what gets broadcast to the csf cluster - in this example, any form of ALLOW is not rebroadcast. Only DENY, TEMPDENY, REMOVE ALLOW and REMOVE DENY are broadcast, any other cluster commands from slaves are ignored.

I have included the master script below with exceptions commented.
```bash
#!/bin/bash
#######################################################
# Master rebroadcast script and lfd log watcher
# Created in November 2018 by sl0m0 (eb) at Hetzner SA
# GPL Licence
#######################################################
#
#       -cp, --cping
#              PING all members in an lfd Cluster
#
#       -cg, --cgrep ip
#              Requests the --grep output for IP from each  member  in  an  lfd
#              Cluster
#
#       -cd, --cdeny ip [comment]
#              Deny an IP in a Cluster and add to each remote /etc/csf/csf.deny
#
#       -ctd, --ctempdeny ip ttl [-p port] [-d direction] [comment]
#              Add an IP in a Cluster to the temp IP ban list (default:in)
#
#       -cr, --crm ip
#              Unblock  an  IP  in  a  Cluster  and  remove  from  each  remote
#              /etc/csf/csf.deny and temporary list
#
#       -ca, --callow ip [comment]
#              Allow   an   IP   in   a   Cluster   and   add  to  each  remote
#              /etc/csf/csf.allow
#
#       -cta, --ctempallow ip ttl [-p port] [-d direction] [comment]
#              Add an IP in a Cluster to the temp IP allow list (default:in)
#
#       -car, --carm ip
#              Remove allowed IP in a  Cluster  and  remove  from  each  remote
#              /etc/csf/csf.allow and temporary list

##### VARIABLES ####################
TS=$(date +%F" "%T)

## LOG
LOG=/var/log/csf_master.log

## LOCKING
LOCKFILE=/var/lock/lfdtriggers.lock

## LOG START
echo "$TS -- Starting $0..." >> "$LOG"

## EXTRACTER - only lfd lines carrying a cluster message are considered
string="Cluster member"

## ACTIONS - ALLOW/TEMPALLOW are deliberately left disabled (never rebroadcast)
#ALLOW="said, ALLOW"
#TALLOW="said, TEMPALLOW"
RALLOW="said, REMOVE ALLOW"
DENY="said, DENY"
TDENY="said, TEMPDENY"
RDENY="said, REMOVE DENY"
####################################
## START ##
(
# single instance only: give up immediately if another copy holds the lock
flock -n 9 || exit 1
sleep 1

# log what is about to be rebroadcast, with a timestamp
dologact() {
  TS=$(date +%F" "%T)
  ACTION="$1"
  IP="$2"
  REASON="$3"
  echo -e "${TS} -- Sending ${ACTION} to cluster for IP ${IP} [${REASON}]" >> "$LOG"
}

# follow lfd.log from its current end (tail -n 0) and survive log rotation (-F)
tail -n 0 -F /var/log/lfd.log | \
while read -r LINE
do
 TS=$(date +%F" "%T)
 # test the grep result directly; a separate assignment would clobber $?
 if echo "$LINE" | grep -q "$string"
 then
   if echo "$LINE" | grep -q "$DENY"
   then
     IP=$(echo "$LINE" |awk '{print $13}' |sed 's/,//')
     REASON=$(echo "$LINE" |awk -F'Reason:' '{print $2}' |awk -F' - ' '{print $1}' |sed 's/\[//g' |sed 's/\]//g')
     ACTION="DENY"
     dologact "$ACTION" "$IP" "$REASON"
     # redirect stdout to the log first, then stderr to the same place
     csf -cd "$IP" "$REASON" >>"$LOG" 2>&1
   fi
   if echo "$LINE" | grep -q "$TDENY"
   then
     IP=$(echo "$LINE" |awk '{print $13}' |sed 's/,//')
     REASON=$(echo "$LINE" |awk -F'Reason:' '{print $2}' |awk -F' - ' '{print $1}' |sed 's/\[//g' |sed 's/\]//g')
     ACTION="TEMP_DENY"
     dologact "$ACTION" "$IP" "$REASON"
     # -ctd takes "ip ttl [comment]" (see usage above); supply a ttl here if csf requires one
     csf -ctd "$IP" "$REASON" >>"$LOG" 2>&1
   fi
   if echo "$LINE" | grep -q "$RDENY"
   then
     # "REMOVE DENY" is two words, so the IP is one field further along
     IP=$(echo "$LINE" |awk '{print $14}' |sed 's/,//')
     REASON="Removing..."
     ACTION="REMOVE_DENY"
     dologact "$ACTION" "$IP" "$REASON"
     csf -cr "$IP" >>"$LOG" 2>&1
   fi
########### CLOSED CLUSTER ALLOW ABILITY ####################
#   if echo "$LINE" | grep -q "$ALLOW"
#   then
#     IP=$(echo "$LINE" |awk '{print $13}' |sed 's/,//')
#     REASON=$(echo "$LINE" |awk -F'Reason:' '{print $2}' |awk -F' - ' '{print $1}' |sed 's/\[//g' |sed 's/\]//g')
#     ACTION="ALLOW"
#     dologact "$ACTION" "$IP" "$REASON"
#     csf -ca "$IP" >>"$LOG" 2>&1
#   fi
#   if echo "$LINE" | grep -q "$TALLOW"
#   then
#     IP=$(echo "$LINE" |awk '{print $13}' |sed 's/,//')
#     REASON=$(echo "$LINE" |awk -F'Reason:' '{print $2}' |awk -F' - ' '{print $1}' |sed 's/\[//g' |sed 's/\]//g')
#     ACTION="TEMP_ALLOW"
#     dologact "$ACTION" "$IP" "$REASON"
#     csf -cta "$IP" >>"$LOG" 2>&1
#   fi
#############################################################
   if echo "$LINE" | grep -q "$RALLOW"
   then
     IP=$(echo "$LINE" |awk '{print $14}' |sed 's/,//')
     REASON="Allowing..."
     ACTION="REMOVE_ALLOW"
     dologact "$ACTION" "$IP" "$REASON"
     csf -car "$IP" >>"$LOG" 2>&1
   fi
 fi
done
#######################################
TS=$(date +%F" "%T)
echo "$TS -- Stopping $0..." >> "$LOG"
################
) 9>"$LOCKFILE"
##########
##########
## END ###
```
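The allow-list idea behind the master script (only DENY, TEMPDENY, REMOVE DENY and REMOVE ALLOW are rebroadcast; every ALLOW-type cluster message is dropped) can be checked offline. The following Python is an added example written for this page; it is not the poster's script nor part of csf/lfd. It assumes a log line shape of "Cluster member <ip> (<country/host>) said, <ACTION> <ip>, Reason:[...] - ..." (the shape the script's grep/awk patterns imply; the sample lines below are constructed and should be checked against a real lfd.log), and it adds two checks the shell version lacks: the extracted address must parse as an IP before it is handed to csf, and the command is built as an argv list so it can be run without a shell. The TEMPDENY ttl is a labelled default, since the page does not show where lfd logs it.

```python
import ipaddress
import re

# Assumed lfd cluster message format (constructed from the patterns the
# forum script greps for; verify against your own /var/log/lfd.log).
CLUSTER_RE = re.compile(
    r"Cluster member (?P<member>\S+) \((?P<where>[^)]*)\) said, "
    r"(?P<action>ALLOW|TEMPALLOW|DENY|TEMPDENY|REMOVE ALLOW|REMOVE DENY) "
    r"(?P<ip>[0-9a-fA-F.:]+),?(?P<rest>.*)$"
)

# Allow-list of cluster actions the master will rebroadcast, mapped to the
# csf flag from the usage excerpt. ALLOW and TEMPALLOW are intentionally absent.
APPROVED = {
    "DENY": "-cd",
    "TEMPDENY": "-ctd",
    "REMOVE DENY": "-cr",
    "REMOVE ALLOW": "-car",
}

# Constructed sample lines (not real log data).
SAMPLE_LOG = [
    "Nov  6 10:31:02 master lfd[2211]: Cluster member 10.0.0.5 (ZA/South Africa/slave01) said, "
    "DENY 203.0.113.7, Reason:[(sshd) Failed SSH login from 203.0.113.7: 5 in the last 3600 secs] - Blocked in csf",
    "Nov  6 10:32:10 master lfd[2211]: Cluster member 10.0.0.6 (ZA/South Africa/slave02) said, "
    "ALLOW 198.51.100.9, Reason:[manual]",
    "Nov  6 10:33:20 master lfd[2211]: Cluster member 10.0.0.9 (ZA/South Africa/slave05) said, "
    "TEMPDENY 192.0.2.44, Reason:[(ftpd) Failed FTP login from 192.0.2.44: 10 in the last 3600 secs] - Blocked in csf",
    "Nov  6 10:33:45 master lfd[2211]: Cluster member 10.0.0.7 (ZA/South Africa/slave03) said, "
    "REMOVE DENY 203.0.113.7",
    "Nov  6 10:34:00 master lfd[2211]: Cluster member 10.0.0.8 (ZA/South Africa/slave04) said, "
    "DENY 999.1.1.1, Reason:[bogus address]",
    "Nov  6 10:35:00 master lfd[2211]: lfd started",
]


def extract_reason(rest):
    """Mirror the script: text after 'Reason:' up to ' - ', brackets stripped."""
    if "Reason:" not in rest:
        return ""
    reason = rest.split("Reason:", 1)[1].split(" - ", 1)[0]
    return reason.replace("[", "").replace("]", "").strip()


def parse_cluster_line(line):
    """Return a dict for a cluster message with a valid IP, else None."""
    m = CLUSTER_RE.search(line)
    if not m:
        return None
    try:
        # Reject anything that is not a syntactically valid IPv4/IPv6 address
        # before it can reach a csf command line.
        ip = str(ipaddress.ip_address(m.group("ip")))
    except ValueError:
        return None
    return {
        "member": m.group("member"),
        "action": m.group("action"),
        "ip": ip,
        "reason": extract_reason(m.group("rest")),
    }


def build_command(event, temp_ttl=3600):
    """argv for csf if the action is approved, else None (dropped). temp_ttl is
    an assumed default because the page does not show where lfd logs the ttl."""
    flag = APPROVED.get(event["action"])
    if flag is None:
        return None
    cmd = ["csf", flag, event["ip"]]
    if event["action"] == "TEMPDENY":
        cmd.append(str(temp_ttl))
    if event["action"] in ("DENY", "TEMPDENY") and event["reason"]:
        cmd.append(event["reason"])
    return cmd


def filter_log(lines, temp_ttl=3600):
    """Turn raw lfd lines into the list of csf commands the master would send."""
    commands = []
    for line in lines:
        event = parse_cluster_line(line)
        if event is None:
            continue
        cmd = build_command(event, temp_ttl)
        if cmd is not None:
            commands.append(cmd)
    return commands


if __name__ == "__main__":
    # Dry run over the constructed sample: prints three commands, never an ALLOW.
    for cmd in filter_log(SAMPLE_LOG):
        print(" ".join(cmd))
```

To wire this up for real you would read `tail -n 0 -F /var/log/lfd.log` from stdin and hand each list to `subprocess.run(cmd)`; because the argv list never goes through a shell, a crafted reason string in a slave's log message cannot become extra shell syntax on the master.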