Multi server stopped working

klasje

Hello,

I set up multi server last week between 2 DirectAdmin instances.
This worked fine that same day.

Now when I try to test the directadmin multi servers, I get following errors in both directions on the server:

server.domain.com : : Timeout while trying to connect to 94.120.0.73
Unable to connect to secure socket
Some I/O error occurred. The OpenSSL error queue may contain more information on the error. If the error queue is empty (i.e. ERR_get_error() returns 0), ret can be used to find out more about the error: If ret == 0, an EOF was observed that violates the protocol. If ret == -1, the underlying BIO reported an I/O error (for socket I/O on Unix systems, consult errno for details).
openssl error queue:
empty error queue. ret=-1
errno: Bad file descriptor


I didn't change any firewall config since last week.
I tried deleting the link and setting it up again, but I keep getting the same error.

I can connect to both servers properly using the domain name, using ssl on port 2222.
 
The only thing I can think of here is that it's being blocked by the firewall or 2FA / MFA. I had something similar a little while back, and the problem was the fact I had enabled 2FA / MFA on the admin account I created solely for multiserver. I don't use IPv4 anymore and now do multiserver with IPv6 addresses. A couple of things to consider checking:

Try with an IPv6 address (if available)

Make sure the SSL box is ticked, and the TLS certificate is valid on destination server or it could fail.

Does NOT work if you are using an account with 2FA / MFA enabled. I use a separate admin account from the one I admin the server with on each server.

Also, maybe try adding a firewall exception in csf?

Bash:
# nano /etc/csf/csf.allow

tcp|in|d=2222|s=<IP> # use this for each source IP on the destination server
tcp|out|d=2222|d=<IP> # use this for each destination IP on the source server

# csf -r
 
For future issues, someone reading here might put it in the ignore list.
Please ensure you put it in the "allow IP" list, because ignore IP only works with bruteforce protection (scan logs and blocked).

For example, some filters like CT_LIMIT, SYN_FLOOD and PORTFLOOD still trigger the block even for IPs in the ignore list.
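As an added example (not code from this thread, from csf or from DirectAdmin), the Python below parses csf.allow lines in the two forms used in the posts above (a bare IP/CIDR, and the advanced `proto|in/out|d=port|s=ip` / `d=ip` form) and checks whether a peer server is covered for port 2222 in both directions. It also reports when an IP appears only in csf.ignore, which, as pointed out above, does not protect it from the connection-limit filters. The file contents and IPs are constructed samples from documentation ranges, not a real server's configuration.

```python
"""Check whether a DirectAdmin multi-server peer is really covered by csf.allow.

Added example; not code from the forum thread, csf or DirectAdmin. Parses the
two csf.allow line forms (bare IP/CIDR, and proto|in/out|d=port|s=ip or d=ip)
and decides whether a connection in a given direction to a given port with a
given remote peer matches. Sample file contents are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Union

# Constructed sample of /etc/csf/csf.allow (documentation IP ranges only).
SAMPLE_CSF_ALLOW = """\
# Office range, full bypass
203.0.113.0/24
tcp|in|d=2222|s=198.51.100.10    # peer DA server, rule on the destination side
tcp|out|d=2222|d=198.51.100.10   # peer DA server, rule on the source side
tcp|in|d=2222|s=2001:db8::10     # IPv6 peer, inbound rule only
"""

# Constructed sample of /etc/csf/csf.ignore: skips lfd blocking only, so an
# IP that is listed here alone can still hit CT_LIMIT / PORTFLOOD style limits.
SAMPLE_CSF_IGNORE = """\
192.0.2.5   # monitoring box
"""

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


@dataclass
class AllowRule:
    proto: Optional[str]       # "tcp"/"udp"; None for a bare-IP rule (any traffic)
    direction: Optional[str]   # "in"/"out"; None for a bare-IP rule
    port: Optional[int]        # destination port; None for any port
    ip_side: str               # which address the IP field names: "s" or "d"
    network: Network


def parse_csf_allow(text):
    """Parse csf.allow text into AllowRule objects; comments and blank lines are skipped."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if "|" not in line:
            # Bare IP or CIDR: csf allows all traffic for it in both directions.
            rules.append(AllowRule(None, None, None, "s",
                                   ipaddress.ip_network(line, strict=False)))
            continue
        fields = line.split("|")
        if len(fields) != 4:
            raise ValueError(f"malformed csf.allow rule: {raw!r}")
        proto, direction, port_spec, ip_spec = (f.strip() for f in fields)
        if direction not in ("in", "out"):
            raise ValueError(f"bad direction in rule: {raw!r}")
        port_side, _, port_value = port_spec.partition("=")
        ip_side, _, ip_value = ip_spec.partition("=")
        if port_side != "d" or ip_side not in ("s", "d"):
            # Only destination-port rules are modelled here (csf also accepts s=<port>).
            raise ValueError(f"unsupported port/ip spec in rule: {raw!r}")
        rules.append(AllowRule(proto, direction, int(port_value), ip_side,
                               ipaddress.ip_network(ip_value, strict=False)))
    return rules


def is_allowed(rules, direction, port, peer_ip, proto="tcp"):
    """True if a connection in `direction` to destination `port` with remote
    `peer_ip` matches a rule. Inbound, the remote peer is the source (s=);
    outbound, it is the destination (d=). A rule naming the other side refers
    to a local address and therefore does not cover the peer."""
    peer = ipaddress.ip_address(peer_ip)
    remote_side = "s" if direction == "in" else "d"
    for rule in rules:
        if rule.proto is None:
            if peer in rule.network:
                return True
            continue
        if (rule.proto == proto and rule.direction == direction
                and rule.port == port and rule.ip_side == remote_side
                and peer in rule.network):
            return True
    return False


def classify_peer(allow_text, ignore_text, peer_ip, port=2222):
    """'allow' if both directions of `port` pass, 'partial' if only one does,
    'ignore-only' if the IP is listed only in csf.ignore, else 'missing'."""
    rules = parse_csf_allow(allow_text)
    inbound = is_allowed(rules, "in", port, peer_ip)
    outbound = is_allowed(rules, "out", port, peer_ip)
    if inbound and outbound:
        return "allow"
    if inbound or outbound:
        return "partial"
    peer = ipaddress.ip_address(peer_ip)
    ignored = [ipaddress.ip_network(l.split("#", 1)[0].strip(), strict=False)
               for l in ignore_text.splitlines() if l.split("#", 1)[0].strip()]
    return "ignore-only" if any(peer in net for net in ignored) else "missing"


if __name__ == "__main__":
    for ip in ("198.51.100.10", "2001:db8::10", "192.0.2.5", "198.51.100.99"):
        print(ip, classify_peer(SAMPLE_CSF_ALLOW, SAMPLE_CSF_IGNORE, ip))
```

Run it against the real files (`open("/etc/csf/csf.allow").read()`) on each server in the pair; since DirectAdmin's multi-server test connects in both directions, each server needs both the `in` and the `out` rule for its peer, which is what the `partial` result flags.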
 
I always use this setting in the csf.conf file:
IGNORE_ALLOW = "1"

Then I put only very trusted IPs in csf.allow, so they can bypass the firewall and bruteforce protection.
And trusted (but a bit less trusted) ones, like monitoring tools, go only in the csf.ignore file.

But everybody makes his/her own choice, of course.

enabled 2FA / MFA on the admin account I created solely for multiserver.
Maybe not known to some, but for a Multi-server setup one can use *any* username (even a non-existing one) and *any* password one would like.
This could be an addition to security. This way also you can keep your 2FA for admin, as the admin account is not used for the multi-server.
 
Or (what I do) to allow both 2FA/MFA and password-only for multi server, create a Login key and bind it to the server IPs of the server that will use the login key.
This also allows blocking everything except the API calls multi server needs to make. (And thus by extension gives the other server a different password for the same admin user, with API restrictions.)

EDIT:
It only needs:
  1. CMD_API_LOGIN_TEST
  2. CMD_API_DNS_ADMIN
  3. CMD_API_USER_EXISTS
Everything else can be blocked.
 
1) It was indeed csf that was causing the issues.
I put both servers in their allow ip list.

2) I enabled zone transfer, but when checking DNS administration I do not see the DNS records from the other server?
Should I do something additional or is this always something hidden in the background?

3) Having a limited access user seems indeed a lot safer.
How can I make a dedicated admin with only these limited rights and only the list of allowed ip's?
CMD_API_LOGIN_TEST
CMD_API_DNS_ADMIN
CMD_API_USER_EXISTS

I don't seem to find the login key option in the DirectAdmin admin panel?
 
2.) No you normally should see them in DNS administration with both NO NO (data and mail). I don't know how this looks in Evo, never looked at it in Evo because I still use Enhanced.
 
And to add a bit more info for login keys:
They are not their own user; they belong to the user of the login key.

Login keys allow you to create an (extra) different password for a user, which can be restricted by IP and by the API endpoints it can use.

And if you use a login key I would recommend not setting an expiry date, so that the key does not expire on its own. (It can still be deleted by hand.)
 
2.) No you normally should see them in DNS administration with both NO NO (data and mail). I don't know how this looks in Evo, never looked at it in Evo because I still use Enhanced.
Here you go. I've got a small private DNS cluster I use DA for, and it would look something like this in evo: (Minus my own colour scheme and fonts)

[screenshot: DNS Administration page in Evo]
 