IPS Bypass IP rspamd_proxy


NethServer Version: 7.5
Module: IPS
Hello

I am trying to enable IPS, but there are some errors from rspamd_proxy, as shown below.
Please help: how do I set a bypass IP for rspamd_proxy?

11/26/2018, 10:56:53 AM rspamd_proxy 7341 proxy f8b98e got IO timeout with server fuzzy1.rspamd.com(88.99.142.95:11335), after 1 retransmits
11/26/2018, 10:53:56 AM rspamd_proxy 7341 proxy 65185f got IO timeout with server fuzzy2.rspamd.com(212.24.145.107:11335), after 1 retransmits
11/26/2018, 10:51:59 AM rspamd_proxy 7341 proxy 2a9883 got IO timeout with server fuzzy1.rspamd.com(88.99.142.95:11335), after 1 retransmits
11/26/2018, 10:48:58 AM rspamd_proxy 7341 proxy 6c9eec got IO timeout with server fuzzy1.rspamd.com(88.99.142.95:11335), after 1 retransmits
11/26/2018, 10:43:52 AM rspamd_proxy 7341 proxy 10de56 got IO timeout with server fuzzy1.rspamd.com(88.99.142.95:11335), after 1 retransmits

Thank you

Does it occur regularly?

Are you sure it’s related to IPS?

You may check IPS logs with Evebox.

Found another thread about that:

Hi
Yes, I'm sure: after activating the IPS, the messages shown above appear.
Can I allow these IPs in Evebox?

Thank you

You’re welcome. I am afraid you have to find which IPS rule category is blocking and set it to alert in the IPS settings.

To find the blocking rule category, have a look at /var/log/suricata/fast.log or Evebox.

http://docs.nethserver.org/en/v7/suricata.html#rule-categories
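
One way to do the fast.log check suggested above, as an added example that is not part of the original thread: it summarises entries whose source or destination port is 11335, the fuzzy port seen in the rspamd_proxy messages, by action and classification. It assumes the standard Suricata fast.log line layout; the sample lines, SIDs and rule names are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): which Suricata classifications hit
# rspamd fuzzy traffic? Port 11335 is taken from the rspamd_proxy log lines.
FUZZY_PORT=11335

# Constructed fast.log sample; SIDs, rule names and 192.0.2.x are made up.
sample_log() {
cat <<'EOF'
11/26/2018-10:56:51.000001  [Drop] [**] [1:9000001:1] CONSTRUCTED rule A [**] [Classification: A Network Trojan was detected] [Priority: 1] {UDP} 192.0.2.10:40001 -> 88.99.142.95:11335
11/26/2018-10:53:54.000001  [Drop] [**] [1:9000001:1] CONSTRUCTED rule A [**] [Classification: A Network Trojan was detected] [Priority: 1] {UDP} 192.0.2.10:40002 -> 212.24.145.107:11335
11/26/2018-10:52:00.000001  [**] [1:9000002:1] CONSTRUCTED rule B [**] [Classification: Misc activity] [Priority: 3] {UDP} 88.99.142.95:11335 -> 192.0.2.10:40003
11/26/2018-10:50:00.000001  [**] [1:9000003:1] CONSTRUCTED rule C [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.0.2.10:40004 -> 198.51.100.7:443
EOF
}

# fuzzy_alerts [FILE]
# Reads FILE (or stdin) and prints "count<TAB>action<TAB>classification",
# most frequent first, for entries that involve the fuzzy port.
fuzzy_alerts() {
    awk -v port="$FUZZY_PORT" '
    {
        # A fast.log entry ends with: src:port -> dst:port
        if ($(NF-1) != "->") next
        sp = $(NF-2); sub(/.*:/, "", sp)   # keep text after the last colon
        dp = $NF;     sub(/.*:/, "", dp)
        if (sp != port && dp != port) next

        # Inline (IPS) mode marks blocked packets with [Drop] or [wDrop].
        action = ($0 ~ /\[w?Drop\]/) ? "drop" : "alert"
        class = "unclassified"
        if (match($0, /\[Classification: [^]]*\]/))
            class = substr($0, RSTART + 17, RLENGTH - 18)
        n[action "\t" class]++
    }
    END { for (k in n) printf "%d\t%s\n", n[k], k }
    ' "${1:--}" | sort -rn
}

# Demo on the constructed sample; on a real system pass the log path instead:
#   fuzzy_alerts /var/log/suricata/fast.log
sample_log | fuzzy_alerts
```

A "drop" row names the classification to look up in the rule categories list and set to alert; an empty result means fast.log holds no entries for the fuzzy port.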

Hello @mrmarkuz
Thank you so much
It seems to show up in the category “Network Trojan”.

You’re welcome. Did you set the trojan rule category to alert or did you disable the IPS to make it work? Which rspamd version do you use?

I got the same rspamd_proxy error messages but my IPS is set to alert. I am going to investigate further, if IPS impacts rspamd we at least have to write it to the docs…

EDIT:

I can confirm the error occurs with activated IPS.

Thank you again

Hello

A few days ago I updated NethServer, but there are still errors from rspamd_proxy after activating IPS.

Hi.

I have the same problem. I tested with IPS activated but with all categories set to “Disable” and still get the same error message every 20 minutes or so.

My first question would be: is this a bug? And second: what are the repercussions of this error? I don’t see any real problem with the spam server; actually, since I started using rspamd I have better control of spam.

Thank you.

Hi. Can someone please answer my last question? Or tell me if I need to open a new thread.

Sorry for the late answer. I found another thread where the problem is caused by a proxy.
As you wrote there seem to be no problems but I have to recheck.
It’s a special scenario to have IPS and mailserver on one machine. I am going to investigate and report as soon as I find a way to enable IPS without rspamd errors.

Thanks. Hope you find it.

I cannot reproduce it anymore, trying since yesterday. Did you already update to the new version 1.8.3 of rspamd?

Actually rspamd was updated automatically in my system 2 days ago:

cat /var/log/yum.log | grep rspamd
Mar 11 03:55:24 Updated: rspamd.x86_64 1.8.3-1

I don’t see the error message any more. I think it’s fixed.

I will report if there are problems.

Thank you.


I’m still getting the same error:

Where can I find (or activate) rspamd logs? The directory /var/log/rspamd is empty in my system.

Rspamd logs to /var/log/maillog.