DirectAdmin: changing IP – IP FailOver

One of my servers is located in an OVH datacenter. Recently the mailbox of one of my clients got hacked by a spammer and started sending a huge amount of spam. The server of course got blacklisted. After blocking some spamming networks and changing the mailbox passwords, I started removing the server from various blacklists. The only problem I had was with Google. I sent them a couple of removal requests but didn't succeed…

After a week I came up with a different approach. OVH offers a service called IP FailOver. Its main purpose is to give you an IP address that you can switch between your main server and a backup server when the main one is down. You just have to assign your IP FailOver address to an alias of your network interface. It's quite simple in the RHEL 6 OS family:

cd /etc/sysconfig/network-scripts/
cp ifcfg-eth0 ifcfg-eth0:0

Then just edit the new file:

DEVICE="eth0:0"
BOOTPROTO="static"
IPADDR=IP.FAILOVER.ADDR
NETMASK=255.255.255.255
ONBOOT=yes
BROADCAST=IP.FAILOVER.ADDR

Now just run ifup eth0:0 and check that your new address responds to ping, and we're good to go further.

Now that we have our new IP address up and running, we have to change it in DirectAdmin. Instructions can be found on DirectAdmin's help website. In short: you first have to extend your license. You can do this by clicking on “Licensing / Updates” as the admin user in your Admin Tools section and selecting “Update license”. Then write an e-mail to DirectAdmin support with a request to change your IP to the IP FailOver address. After you get a positive response, just run:

cd /usr/local/directadmin/scripts  
./getLicense.sh clientID license
service directadmin restart
./ipswap.sh old-ip new-ip

Now you just have to restart all services, and they will start responding on the new IP address.

There is only one problem with this setup… services still send their outgoing traffic from the old address, so many servers will still see you as the old IP address. This means that you might have a problem downloading the new license, because DirectAdmin requires a connection from the IP that the license is registered to. There is a solution to this as well. We have to send all our outgoing traffic from the IP FailOver address, and this can be done with iptables:

iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to-source new-ip-addr

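Now everything should work as planned. There might be just one problem left to solve: when you're using OVH's FTP Backup service, it requires your server to connect from the old IP address. Again iptables will be helpful. The exception has to be inserted at the top of the chain (-I, not -A), because iptables stops at the first matching SNAT rule and an appended rule would sit behind the catch-all rule above and never match:

iptables -t nat -I POSTROUTING 1 -o eth0 -d backup-server-ip-addr -j SNAT --to-source old-ip-addr

Rules added this way exist only in the running kernel, so save them to the persistent ruleset or they will be lost on reboot.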
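iptables applies the first SNAT rule that matches a packet, so the relative order of the catch-all rule and the backup-server exception decides which address the backup traffic leaves from. The following is an added example, not part of the original post: it evaluates a POSTROUTING listing first-match-wins on two constructed rulesets. All addresses are documentation-range placeholders and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: first-match evaluation of nat POSTROUTING SNAT rules.
# Constructed placeholder addresses (documentation ranges), not from the post:
OLD_IP=192.0.2.10         # server's original address
NEW_IP=198.51.100.20      # IP FailOver address
BACKUP_IP=203.0.113.50    # FTP backup server

# snat_source_for DEST (hypothetical helper): reads lines in
# `iptables -t nat -S POSTROUTING` format on stdin and prints the --to-source
# of the first SNAT rule that matches DEST. Handles only rules with no -d or
# with a single-host -d; negated or subnet matches are out of scope.
snat_source_for() {
    awk -v dest="$1" '
        $1 == "-A" && $2 == "POSTROUTING" {
            d = ""; target = ""; src = ""
            for (i = 3; i < NF; i++) {
                if ($i == "-d") d = $(i + 1)
                if ($i == "-j") target = $(i + 1)
                if ($i == "--to-source") src = $(i + 1)
            }
            sub(/\/32$/, "", d)
            if (target != "SNAT") next          # not a SNAT rule
            if (d != "" && d != dest) next      # -d given, other host
            print src; exit                     # first match wins
        }'
}

# Constructed listings: the same two rules in both possible orders.
rules_catchall_first() {
    printf '%s\n' "-P POSTROUTING ACCEPT" \
        "-A POSTROUTING -o eth0 -j SNAT --to-source $NEW_IP" \
        "-A POSTROUTING -d $BACKUP_IP/32 -o eth0 -j SNAT --to-source $OLD_IP"
}
rules_exception_first() {
    printf '%s\n' "-P POSTROUTING ACCEPT" \
        "-A POSTROUTING -d $BACKUP_IP/32 -o eth0 -j SNAT --to-source $OLD_IP" \
        "-A POSTROUTING -o eth0 -j SNAT --to-source $NEW_IP"
}

# Prints "ok" only if backup traffic uses OLD_IP and other traffic NEW_IP.
check_ruleset() {
    b=$("$1" | snat_source_for "$BACKUP_IP")
    o=$("$1" | snat_source_for 203.0.113.99)
    if [ "$b" = "$OLD_IP" ] && [ "$o" = "$NEW_IP" ]; then echo ok; else echo broken; fi
}

echo "catch-all first: $(check_ruleset rules_catchall_first)"     # -> broken
echo "exception first: $(check_ruleset rules_exception_first)"    # -> ok
```

On the server itself, the same function can be fed the live listing from iptables -t nat -S POSTROUTING, with the backup server's address as the argument.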

This is it!

There is also one big advantage to the whole process: when you want to change servers, it will be much simpler to just assign the IP FailOver to the new one, and you won't have to worry about changing the IP of DA's license.
