Re: [HACKERS] Incomplete startup packet errors

2016-04-13 Thread Tatsuo Ishii
>> Is it possible a user wants the log because he/she wants to notice that
>> the system is being attacked?
> 
> Yeah, but it doesn't seem very likely, because:
> 
> 1. If the system is on the Internet, it's definitely being attacked, and
> 
> 2. The attacks that connect to a port and then disconnect are not the
> ones you should be most worried about, and
> 
> 3. The right way to detect attacks is through OS-level monitoring or
> firewall-level monitoring, and nothing we do in PG is going to come
> close to the same value.

Ok, that makes sense.

Best regards,
--
Tatsuo Ishii
SRA OSS, Inc. Japan
English: http://www.sraoss.co.jp/index_en.php
Japanese:http://www.sraoss.co.jp


-- 
Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers


Re: [HACKERS] Incomplete startup packet errors

2016-04-13 Thread Robert Haas
On Wed, Apr 13, 2016 at 10:30 AM, Tatsuo Ishii  wrote:
>>> I've also seen it caused by port scanning.
>>
>> Yes, definitely. Question there might be if that's actually a case when we
>> *want* that logging?
>
> Is it possible a user wants the log because he/she wants to notice that
> the system is being attacked?

Yeah, but it doesn't seem very likely, because:

1. If the system is on the Internet, it's definitely being attacked, and

2. The attacks that connect to a port and then disconnect are not the
ones you should be most worried about, and

3. The right way to detect attacks is through OS-level monitoring or
firewall-level monitoring, and nothing we do in PG is going to come
close to the same value.

-- 
Robert Haas
EnterpriseDB: http://www.enterprisedb.com
The Enterprise PostgreSQL Company




Re: [HACKERS] Incomplete startup packet errors

2016-04-13 Thread Tatsuo Ishii
>> I've also seen it caused by port scanning.
>>
> 
> Yes, definitely. Question there might be if that's actually a case when we
> *want* that logging?

Is it possible a user wants the log because he/she wants to notice that
the system is being attacked?
--
Tatsuo Ishii
SRA OSS, Inc. Japan
English: http://www.sraoss.co.jp/index_en.php
Japanese:http://www.sraoss.co.jp




Re: [HACKERS] Incomplete startup packet errors

2016-04-13 Thread Magnus Hagander
On Wed, Apr 13, 2016 at 3:56 PM, Tom Lane  wrote:

> Magnus Hagander  writes:
> > On Wed, Apr 13, 2016 at 10:24 AM, Peter Geoghegan  wrote:
> >> On Wed, Apr 13, 2016 at 1:02 AM, Magnus Hagander 
> >> wrote:
> >>> It's fairly common to see a lot of "Incomplete startup packet" in the
> >>> logfiles caused by monitoring or healthcheck connections.
>
> >> I've also seen it caused by port scanning.
>
> > Yes, definitely. Question there might be if that's actually a case when we
> > *want* that logging?
>
> I should think someone might.  But I doubt we want to introduce another
> GUC for this.  Would it be okay to downgrade the message to DEBUG1 if
> zero bytes were received?
>
>
Yeah, that was my suggestion - I think that's a reasonable compromise.  And
yes, I agree that a separate GUC for it would be a huge overkill.


-- 
 Magnus Hagander
 Me: http://www.hagander.net/
 Work: http://www.redpill-linpro.com/


Re: [HACKERS] Incomplete startup packet errors

2016-04-13 Thread Tom Lane
Magnus Hagander  writes:
> On Wed, Apr 13, 2016 at 10:24 AM, Peter Geoghegan  wrote:
>> On Wed, Apr 13, 2016 at 1:02 AM, Magnus Hagander 
>> wrote:
>>> It's fairly common to see a lot of "Incomplete startup packet" in the
>>> logfiles caused by monitoring or healthcheck connections.

>> I've also seen it caused by port scanning.

> Yes, definitely. Question there might be if that's actually a case when we
> *want* that logging?

I should think someone might.  But I doubt we want to introduce another
GUC for this.  Would it be okay to downgrade the message to DEBUG1 if
zero bytes were received?

regards, tom lane




Re: [HACKERS] Incomplete startup packet errors

2016-04-13 Thread Magnus Hagander
On Wed, Apr 13, 2016 at 10:24 AM, Peter Geoghegan  wrote:

> On Wed, Apr 13, 2016 at 1:02 AM, Magnus Hagander 
> wrote:
> > It's fairly common to see a lot of "Incomplete startup packet" in the
> > logfiles caused by monitoring or healthcheck connections.
>
> I've also seen it caused by port scanning.
>

Yes, definitely. Question there might be if that's actually a case when we
*want* that logging?


-- 
 Magnus Hagander
 Me: http://www.hagander.net/
 Work: http://www.redpill-linpro.com/


Re: [HACKERS] Incomplete startup packet errors

2016-04-13 Thread Peter Geoghegan
On Wed, Apr 13, 2016 at 1:02 AM, Magnus Hagander  wrote:
> It's fairly common to see a lot of "Incomplete startup packet" in the
> logfiles caused by monitoring or healthcheck connections.

I've also seen it caused by port scanning.


-- 
Peter Geoghegan




Re: [HACKERS] Incomplete startup packet errors

2016-04-13 Thread Dave Page
On Wed, Apr 13, 2016 at 9:02 AM, Magnus Hagander  wrote:
> It's fairly common to see a lot of "Incomplete startup packet" in the
> logfiles caused by monitoring or healthcheck connections.
>
> I wonder if it would make sense to only log that error if *at least one
> byte* has been received and then it becomes empty. Meaning that if the
> client just connects+disconnects without sending anything, we don't log
> anything. At least at the default log level (we could have a DEBUG level
> that logged "connection closed immediately").
>
> That would get rid of a lot of logspam.
>
> Would that make sense?

Absolutely. It would be very nice to get rid of such noise.

-- 
Dave Page
Blog: http://pgsnake.blogspot.com
Twitter: @pgsnake

EnterpriseDB UK: http://www.enterprisedb.com
The Enterprise PostgreSQL Company
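
The rule proposed in this thread (log "incomplete startup packet" only when at least one byte arrived, and drop to DEBUG1 when the client sent nothing), as an added example that is not part of the original messages and is not PostgreSQL's own code. The enum names, function names and the socketpair-based client are assumptions made for the illustration; the 4-byte length word is how a PostgreSQL startup packet begins.

```c
#include <errno.h>
#include <stdio.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical severities for this sketch; not PostgreSQL's own elog levels. */
enum log_level { LVL_NONE, LVL_DEBUG1, LVL_LOG };

/* Read up to `want` bytes; return how many arrived before EOF or a hard error. */
static size_t read_upto(int fd, unsigned char *buf, size_t want)
{
    size_t got = 0;
    while (got < want) {
        ssize_t n = recv(fd, buf + got, want - got, 0);
        if (n > 0) { got += (size_t)n; continue; }
        if (n < 0 && errno == EINTR) continue;
        break;                      /* 0: peer closed; <0: hard error */
    }
    return got;
}

/* Severity for a connection that must begin with a 4-byte length word. */
enum log_level startup_log_level(int fd)
{
    unsigned char len[4];
    size_t got = read_upto(fd, len, sizeof len);
    if (got == sizeof len) return LVL_NONE;  /* header complete: nothing to report */
    if (got == 0) return LVL_DEBUG1;         /* connect+disconnect: health check or scan */
    return LVL_LOG;                          /* 1-3 bytes: "incomplete startup packet" */
}

/* Constructed client: sends the first n (0..4) header bytes, then closes. */
enum log_level simulate_client(size_t n)
{
    static const unsigned char hdr[4] = {0, 0, 0, 8};   /* constructed sample */
    int sv[2];
    if (n > sizeof hdr) n = sizeof hdr;
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) != 0) return LVL_LOG;
    if (n > 0) (void)send(sv[0], hdr, n, 0);
    close(sv[0]);
    enum log_level lvl = startup_log_level(sv[1]);
    close(sv[1]);
    return lvl;
}

int main(void)
{
    for (size_t n = 0; n <= 4; n++)
        printf("%zu bytes -> level %d\n", n, (int)simulate_client(n));
    return 0;
}
```

With this split, a TCP health check or a connect-only port scan produces no entry at the default log level, while a client that starts a packet and then drops still does.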




Re: [HACKERS] Incomplete startup packet errors

2016-04-13 Thread Abhijit Menon-Sen
At 2016-04-13 10:02:22 +0200, mag...@hagander.net wrote:
>
> I wonder if it would make sense to only log that error if *at least
> one byte* has been received and then it becomes empty.

Yes, it would be very nice to eliminate that logspam, as you say.

-- Abhijit

