IPS Bypass IP rspamd_proxy

ips
v7

(L) #1

NethServer Version: 7.5
Module: IPS
Hello

I am trying to enable IPS, but there are some errors on rspamd_proxy, as shown below.
Please help: how do I set a bypass IP for rspamd_proxy?

11/26/2018, 10:56:53 AM rspamd_proxy 7341 proxy f8b98e got IO timeout with server fuzzy1.rspamd.com(88.99.142.95:11335), after 1 retransmits
11/26/2018, 10:53:56 AM rspamd_proxy 7341 proxy 65185f got IO timeout with server fuzzy2.rspamd.com(212.24.145.107:11335), after 1 retransmits
11/26/2018, 10:51:59 AM rspamd_proxy 7341 proxy 2a9883 got IO timeout with server fuzzy1.rspamd.com(88.99.142.95:11335), after 1 retransmits
11/26/2018, 10:48:58 AM rspamd_proxy 7341 proxy 6c9eec got IO timeout with server fuzzy1.rspamd.com(88.99.142.95:11335), after 1 retransmits
11/26/2018, 10:43:52 AM rspamd_proxy 7341 proxy 10de56 got IO timeout with server fuzzy1.rspamd.com(88.99.142.95:11335), after 1 retransmits

Thank you


Mail Server behind proxy is doing HTTPS request without using the proxy
(Markus Neuberger) #2

Does it occur regularly?

Are you sure it’s related to IPS?

You may check IPS logs with Evebox.

Found another thread about that:


(L) #3

Hi
Yes, sure. After I activate the IPS, the messages shown above appear.
Can I allow these IPs in Evebox?

Thank you


(Markus Neuberger) #4

You’re welcome. I am afraid you have to find which IPS rule category is blocking and set it to alert in the IPS settings.

To find the blocking rule category have a look at /var/log/suricata/fast.log or evebox.

http://docs.nethserver.org/en/v7/suricata.html#rule-categories
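
An added example, not part of the original thread or of NethServer: a shell function that filters Suricata's fast.log for traffic on the rspamd fuzzy port (11335, taken from the log lines in post #1) and counts hits by action, peer and classification, which is the lookup described in post #4. The function names, the sample log lines, the signature IDs and the addresses 192.0.2.10 and 198.51.100.7 are constructed for illustration.

```shell
#!/bin/sh
# Added example. Reads a Suricata fast.log on stdin and prints
# count|action|peer|classification for lines that touch the given port.
# usage: fuzzy_hits [port] < /var/log/suricata/fast.log
fuzzy_hits() {
    awk -v port="${1:-11335}" '
    NF >= 3 && $(NF-1) == "->" {
        src = $(NF-2); dst = $NF
        sp = src; sub(/.*:/, "", sp)   # port = text after the last colon
        dp = dst; sub(/.*:/, "", dp)
        if (sp != port "" && dp != port "") next
        # In IPS mode Suricata marks blocked packets with [Drop]
        action = (index($0, "[Drop]") > 0) ? "drop" : "alert"
        cls = "unclassified"
        i = index($0, "[Classification: ")
        if (i > 0) {
            rest = substr($0, i + 17)  # skip past "[Classification: "
            cls = substr(rest, 1, index(rest, "]") - 1)
        }
        peer = (dp == port "") ? dst : src
        count[action "|" peer "|" cls]++
    }
    END { for (k in count) print count[k] "|" k }
    ' | sort -t'|' -k1,1nr -k2
}

# Constructed sample in fast.log layout; not taken from the thread.
sample_log() {
    cat <<'EOF'
11/26/2018-10:56:52.100001  [Drop] [**] [1:9000001:1] CONSTRUCTED sample signature A [**] [Classification: A Network Trojan was detected] [Priority: 1] {UDP} 192.0.2.10:40512 -> 88.99.142.95:11335
11/26/2018-10:53:55.100002  [Drop] [**] [1:9000001:1] CONSTRUCTED sample signature A [**] [Classification: A Network Trojan was detected] [Priority: 1] {UDP} 192.0.2.10:40977 -> 88.99.142.95:11335
11/26/2018-10:53:55.200003  [Drop] [**] [1:9000001:1] CONSTRUCTED sample signature A [**] [Classification: A Network Trojan was detected] [Priority: 1] {UDP} 192.0.2.10:41220 -> 212.24.145.107:11335
11/26/2018-10:54:01.300004  [**] [1:9000002:1] CONSTRUCTED sample signature B [**] [Classification: Misc activity] [Priority: 3] {TCP} 192.0.2.10:51514 -> 198.51.100.7:443
EOF
}

# Demo on the constructed sample
sample_log | fuzzy_hits
```

A "drop" row names the classification that is blocking the fuzzy traffic; an empty result means no logged rule matched that port.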


(L) #5

Hello @mrmarkuz
Thank you so much
It seems to show in the category “Network Trojan”.


(Markus Neuberger) #6

You’re welcome. Did you set the trojan rule category to alert or did you disable the IPS to make it work? Which rspamd version do you use?

I got the same rspamd_proxy error messages but my IPS is set to alert. I am going to investigate further; if IPS impacts rspamd, we at least have to write it to the docs…

EDIT:

I can confirm the error occurs with activated IPS.


(L) #7

Thank you again


(L) #8

Hello

A few days ago I updated NethServer, but there are still errors on rspamd_proxy after activating IPS.


(Carlos Estrada) #9

Hi.

I have the same problem. I tested with IPS activated but with all categories set to “Disable” and still get the same error message every 20 minutes or so.

My first question would be: Is this a bug? And second: what are the repercussions of this error? I don’t see any real problem with the spam server; actually, since I started using rspamd, I have better control of spam.

Thank you.


(Carlos Estrada) #10

Hi. Can someone please answer my last question, or tell me if I need to open a new thread?


(Markus Neuberger) #11

Sorry for the late answer. I found another thread where the problem is caused by a proxy.
As you wrote, there seem to be no problems, but I have to recheck.
It’s a special scenario to have IPS and mailserver on one machine. I am going to investigate and report as soon as I find a way to enable IPS without rspamd errors.


(Carlos Estrada) #12

Thanks. Hope you find it.


(Markus Neuberger) #13

I cannot reproduce it anymore, trying since yesterday. Did you already update to the new version 1.8.3 of rspamd?


(Carlos Estrada) #14

Actually rspamd was updated automatically in my system 2 days ago:

cat /var/log/yum.log | grep rspamd
Mar 11 03:55:24 Updated: rspamd.x86_64 1.8.3-1

I don’t see the error message any more. I think it’s fixed.

I will report if there are problems.

Thank you.


(Carlos Estrada) #15

I’m still getting the same error:

Where can I find (or activate) rspamd logs? The directory /var/log/rspamd is empty in my system.


(Markus Neuberger) #16

Rspamd logs to /var/log/maillog.