Lists: | pgsql-hackers |
---|
From: | Magnus Hagander <magnus(at)hagander(dot)net> |
---|---|
To: | PostgreSQL-development <pgsql-hackers(at)postgresql(dot)org> |
Subject: | Incomplete startup packet errors |
Date: | 2016-04-13 08:02:22 |
Message-ID: | CABUevEzKFAaVWAM=-UPPYp56OG_pkNPibECyROhFuMCjwOVJVw@mail.gmail.com |
It's fairly common to see a lot of "Incomplete startup packet" in the
logfiles caused by monitoring or healthcheck connections.
I wonder if it would make sense to only log that error if *at least one
byte* has been received and then it becomes empty. Meaning that if the
client just connects+disconnects without sending anything, we don't log
anything. At least at the default log level (we could have a DEBUG level
that logged "connection closed immediately").
That would get rid of a lot of logspam.
Would that make sense?
--
Magnus Hagander
Me: http://www.hagander.net/
Work: http://www.redpill-linpro.com/
From: | Abhijit Menon-Sen <ams(at)2ndQuadrant(dot)com> |
---|---|
To: | Magnus Hagander <magnus(at)hagander(dot)net> |
Cc: | pgsql-hackers(at)postgresql(dot)org |
Subject: | Re: Incomplete startup packet errors |
Date: | 2016-04-13 08:04:06 |
Message-ID: | 20160413080406.GA6216@toroid.org |
At 2016-04-13 10:02:22 +0200, magnus(at)hagander(dot)net wrote:
>
> I wonder if it would make sense to only log that error if *at least
> one byte* has been received and then it becomes empty.
Yes, it would be very nice to eliminate that logspam, as you say.
-- Abhijit
From: | Dave Page <dpage(at)pgadmin(dot)org> |
---|---|
To: | Magnus Hagander <magnus(at)hagander(dot)net> |
Cc: | PostgreSQL-development <pgsql-hackers(at)postgresql(dot)org> |
Subject: | Re: Incomplete startup packet errors |
Date: | 2016-04-13 08:21:49 |
Message-ID: | CA+OCxoydn7sFxFhf4XaJk+abmXyDJ1MoX=7m3vynBGnPRu3GDw@mail.gmail.com |
On Wed, Apr 13, 2016 at 9:02 AM, Magnus Hagander <magnus(at)hagander(dot)net> wrote:
> It's fairly common to see a lot of "Incomplete startup packet" in the
> logfiles caused by monitoring or healthcheck connections.
>
> I wonder if it would make sense to only log that error if *at least one
> byte* has been received and then it becomes empty. Meaning that if the
> client just connects+disconnects without sending anything, we don't log
> anything. At least at the default log level (we could have a DEBUG level
> that logged "connection closed immediately").
>
> That would get rid of a lot of logspam.
>
> Would that make sense?
Absolutely. It would be very nice to get rid of such noise.
--
Dave Page
Blog: http://pgsnake.blogspot.com
Twitter: @pgsnake
EnterpriseDB UK: http://www.enterprisedb.com
The Enterprise PostgreSQL Company
From: | Peter Geoghegan <pg(at)heroku(dot)com> |
---|---|
To: | Magnus Hagander <magnus(at)hagander(dot)net> |
Cc: | PostgreSQL-development <pgsql-hackers(at)postgresql(dot)org> |
Subject: | Re: Incomplete startup packet errors |
Date: | 2016-04-13 08:24:17 |
Message-ID: | CAM3SWZT6zqhva2Snz5MLiCoS2ydw+VjZNMDhW3hHCLARTnm6jg@mail.gmail.com |
On Wed, Apr 13, 2016 at 1:02 AM, Magnus Hagander <magnus(at)hagander(dot)net> wrote:
> It's fairly common to see a lot of "Incomplete startup packet" in the
> logfiles caused by monitoring or healthcheck connections.
I've also seen it caused by port scanning.
--
Peter Geoghegan
From: | Magnus Hagander <magnus(at)hagander(dot)net> |
---|---|
To: | Peter Geoghegan <pg(at)heroku(dot)com> |
Cc: | PostgreSQL-development <pgsql-hackers(at)postgresql(dot)org> |
Subject: | Re: Incomplete startup packet errors |
Date: | 2016-04-13 08:25:35 |
Message-ID: | CABUevEw0ii+tnQs1ynoPuOJybb7JbW2ZO8BCDGm=YC3+Kg4VqA@mail.gmail.com |
On Wed, Apr 13, 2016 at 10:24 AM, Peter Geoghegan <pg(at)heroku(dot)com> wrote:
> On Wed, Apr 13, 2016 at 1:02 AM, Magnus Hagander <magnus(at)hagander(dot)net>
> wrote:
> > It's fairly common to see a lot of "Incomplete startup packet" in the
> > logfiles caused by monitoring or healthcheck connections.
>
> I've also seen it caused by port scanning.
>
Yes, definitely. Question there might be if that's actually a case when we
*want* that logging?
--
Magnus Hagander
Me: http://www.hagander.net/
Work: http://www.redpill-linpro.com/
From: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
---|---|
To: | Magnus Hagander <magnus(at)hagander(dot)net> |
Cc: | Peter Geoghegan <pg(at)heroku(dot)com>, PostgreSQL-development <pgsql-hackers(at)postgresql(dot)org> |
Subject: | Re: Incomplete startup packet errors |
Date: | 2016-04-13 13:56:43 |
Message-ID: | 20758.1460555803@sss.pgh.pa.us |
Magnus Hagander <magnus(at)hagander(dot)net> writes:
> On Wed, Apr 13, 2016 at 10:24 AM, Peter Geoghegan <pg(at)heroku(dot)com> wrote:
>> On Wed, Apr 13, 2016 at 1:02 AM, Magnus Hagander <magnus(at)hagander(dot)net>
>> wrote:
>>> It's fairly common to see a lot of "Incomplete startup packet" in the
>>> logfiles caused by monitoring or healthcheck connections.
>> I've also seen it caused by port scanning.
> Yes, definitely. Question there might be if that's actually a case when we
> *want* that logging?
I should think someone might. But I doubt we want to introduce another
GUC for this. Would it be okay to downgrade the message to DEBUG1 if
zero bytes were received?
regards, tom lane
From: | Magnus Hagander <magnus(at)hagander(dot)net> |
---|---|
To: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
Cc: | Peter Geoghegan <pg(at)heroku(dot)com>, PostgreSQL-development <pgsql-hackers(at)postgresql(dot)org> |
Subject: | Re: Incomplete startup packet errors |
Date: | 2016-04-13 14:04:49 |
Message-ID: | CABUevEzq8_nSq7fwe0-fbOAK8S2YNN-PkfsamfEvy2-d3dRUoA@mail.gmail.com |
On Wed, Apr 13, 2016 at 3:56 PM, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> wrote:
> Magnus Hagander <magnus(at)hagander(dot)net> writes:
> > On Wed, Apr 13, 2016 at 10:24 AM, Peter Geoghegan <pg(at)heroku(dot)com> wrote:
> >> On Wed, Apr 13, 2016 at 1:02 AM, Magnus Hagander <magnus(at)hagander(dot)net>
> >> wrote:
> >>> It's fairly common to see a lot of "Incomplete startup packet" in the
> >>> logfiles caused by monitoring or healthcheck connections.
>
> >> I've also seen it caused by port scanning.
>
> > > Yes, definitely. Question there might be if that's actually a case when we
> > > *want* that logging?
>
> I should think someone might. But I doubt we want to introduce another
> GUC for this. Would it be okay to downgrade the message to DEBUG1 if
> zero bytes were received?
>
>
Yeah, that was my suggestion - I think that's a reasonable compromise. And
yes, I agree that a separate GUC for it would be a huge overkill.
--
Magnus Hagander
Me: http://www.hagander.net/
Work: http://www.redpill-linpro.com/
From: | Tatsuo Ishii <ishii(at)postgresql(dot)org> |
---|---|
To: | magnus(at)hagander(dot)net |
Cc: | pg(at)heroku(dot)com, pgsql-hackers(at)postgresql(dot)org |
Subject: | Re: Incomplete startup packet errors |
Date: | 2016-04-13 14:30:24 |
Message-ID: | 20160413.233024.257952548457606609.t-ishii@sraoss.co.jp |
>> I've also seen it caused by port scanning.
>>
>
> Yes, definitely. Question there might be if that's actually a case when we
> *want* that logging?
Is it possible a user wants the log because he/she wants to notice that
the system is being attacked?
--
Tatsuo Ishii
SRA OSS, Inc. Japan
English: http://www.sraoss.co.jp/index_en.php
Japanese: http://www.sraoss.co.jp
From: | Robert Haas <robertmhaas(at)gmail(dot)com> |
---|---|
To: | Tatsuo Ishii <ishii(at)postgresql(dot)org> |
Cc: | Magnus Hagander <magnus(at)hagander(dot)net>, Peter Geoghegan <pg(at)heroku(dot)com>, "pgsql-hackers(at)postgresql(dot)org" <pgsql-hackers(at)postgresql(dot)org> |
Subject: | Re: Incomplete startup packet errors |
Date: | 2016-04-13 17:03:26 |
Message-ID: | CA+Tgmoa17zZFtRXOdEb08u0RPFTvSwu4xAd_=wS4pvr-qNY4+Q@mail.gmail.com |
On Wed, Apr 13, 2016 at 10:30 AM, Tatsuo Ishii <ishii(at)postgresql(dot)org> wrote:
>>> I've also seen it caused by port scanning.
>>
>> Yes, definitely. Question there might be if that's actually a case when we
>> *want* that logging?
>
> Is it possible a user wants the log because he/she wants to notice that
> the system is being attacked?
Yeah, but it doesn't seem very likely, because:
1. If the system is on the Internet, it's definitely being attacked, and
2. The attacks that connect to a port and then disconnect are not the
ones you should be most worried about, and
3. The right way to detect attacks is through OS-level monitoring or
firewall-level monitoring, and nothing we do in PG is going to come
close to the same value.
--
Robert Haas
EnterpriseDB: http://www.enterprisedb.com
The Enterprise PostgreSQL Company
From: | Tatsuo Ishii <ishii(at)postgresql(dot)org> |
---|---|
To: | robertmhaas(at)gmail(dot)com |
Cc: | magnus(at)hagander(dot)net, pg(at)heroku(dot)com, pgsql-hackers(at)postgresql(dot)org |
Subject: | Re: Incomplete startup packet errors |
Date: | 2016-04-13 21:34:14 |
Message-ID: | 20160414.063414.1697793311576261462.t-ishii@sraoss.co.jp |
>> Is it possible a user wants the log because he/she wants to notice that
>> the system is being attacked?
>
> Yeah, but it doesn't seem very likely, because:
>
> 1. If the system is on the Internet, it's definitely being attacked, and
>
> 2. The attacks that connect to a port and then disconnect are not the
> ones you should be most worried about, and
>
> 3. The right way to detect attacks is through OS-level monitoring or
> firewall-level monitoring, and nothing we do in PG is going to come
> close to the same value.
Ok, that makes sense.
Best regards,
--
Tatsuo Ishii
SRA OSS, Inc. Japan
English: http://www.sraoss.co.jp/index_en.php
Japanese: http://www.sraoss.co.jp
From: | Christoph Berg <myon(at)debian(dot)org> |
---|---|
To: | Magnus Hagander <magnus(at)hagander(dot)net> |
Cc: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, Peter Geoghegan <pg(at)heroku(dot)com>, PostgreSQL-development <pgsql-hackers(at)postgresql(dot)org>, Pavel Stehule <pavel(dot)stehule(at)gmail(dot)com> |
Subject: | Re: [HACKERS] Incomplete startup packet errors |
Date: | 2019-02-28 15:13:36 |
Message-ID: | 20190228151336.GB7550@msg.df7cb.de |
Re: Magnus Hagander 2016-04-13 <CABUevEzq8_nSq7fwe0-fbOAK8S2YNN-PkfsamfEvy2-d3dRUoA(at)mail(dot)gmail(dot)com>
> > >>> It's fairly common to see a lot of "Incomplete startup packet" in the
> > >>> logfiles caused by monitoring or healthcheck connections.
> >
> > >> I've also seen it caused by port scanning.
> >
> > > > Yes, definitely. Question there might be if that's actually a case when we
> > > > *want* that logging?
> >
> > I should think someone might. But I doubt we want to introduce another
> > GUC for this. Would it be okay to downgrade the message to DEBUG1 if
> > zero bytes were received?
> >
> >
> Yeah, that was my suggestion - I think that's a reasonable compromise. And
> yes, I agree that a separate GUC for it would be a huge overkill.
There have been numerous complaints about that log message, and the
usual reply is always something like what Pavel said recently:
"It is garbage. Usually it means nothing, but better to work live
without this garbage." [1]
[1] /message-id/CAFj8pRDtwsxj63%3DLaWSwA8u7NrU9k9%2BdJtz2gB_0f4SxCM1sQA%40mail.gmail.com
Let's get rid of it.
Christoph
Attachment | Content-Type | Size |
---|---|---|
0001-Demote-incomplete-startup-packet-to-DEBUG1.patch | text/x-diff | 1.4 KB |
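
The rule discussed in this thread (stay quiet at the default log level when a client connects and disconnects without sending a byte, but still report a packet that stops partway), as an added sketch that is neither the attached patch nor PostgreSQL source. The enum values, function names and the sample bytes are hypothetical, and a local socketpair stands in for the client connection.

```c
#include <stdio.h>
#include <sys/socket.h>
#include <unistd.h>

/* Hypothetical outcomes for this sketch; not PostgreSQL's own constants. */
enum verdict { SIM_ERROR, STARTUP_OK, LOG_INCOMPLETE, DEBUG_CLOSED_IMMEDIATELY };

/* Read up to len bytes, stopping early at EOF or error; return bytes read. */
static size_t read_upto(int fd, unsigned char *buf, size_t len)
{
    size_t got = 0;
    while (got < len) {
        ssize_t n = read(fd, buf + got, len - got);
        if (n <= 0)
            break;
        got += (size_t) n;
    }
    return got;
}

/* Classify the read of the 4-byte length word that starts a startup packet. */
enum verdict classify_startup(int fd)
{
    unsigned char len_word[4];
    size_t got = read_upto(fd, len_word, sizeof len_word);

    if (got == sizeof len_word)
        return STARTUP_OK;               /* carry on reading the packet body */
    if (got == 0)
        return DEBUG_CLOSED_IMMEDIATELY; /* connect+disconnect: DEBUG1 only */
    return LOG_INCOMPLETE;               /* partial data, then EOF: still logged */
}

/* Play a client that sends the first nbytes of a constructed packet, then closes. */
enum verdict simulate_client(size_t nbytes)
{
    static const unsigned char pkt[8] = {0, 0, 0, 8, 0, 3, 0, 0}; /* constructed */
    enum verdict v;
    int sv[2];

    if (nbytes > sizeof pkt || socketpair(AF_UNIX, SOCK_STREAM, 0, sv) != 0)
        return SIM_ERROR;
    int ok = (nbytes == 0) || write(sv[1], pkt, nbytes) == (ssize_t) nbytes;
    close(sv[1]);                        /* client goes away */
    v = ok ? classify_startup(sv[0]) : SIM_ERROR;
    close(sv[0]);
    return v;
}

int main(void)
{
    printf("0 bytes -> %d, 2 bytes -> %d, 4 bytes -> %d\n",
           simulate_client(0), simulate_client(2), simulate_client(4));
    return 0;
}
```
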