Re: [HACKERS] Incomplete startup packet errors
>> Is it possible a user wants the log because he/she wants to notice that
>> the system is being attacked?
>
> Yeah, but it doesn't seem very likely, because:
>
> 1. If the system is on the Internet, it's definitely being attacked, and
>
> 2. The attacks that connect to a port and then disconnect are not the
> ones you should be most worried about, and
>
> 3. The right way to detect attacks is through OS-level monitoring or
> firewall-level monitoring, and nothing we do in PG is going to come
> close to the same value.

Ok, that makes sense.

Best regards,
--
Tatsuo Ishii
SRA OSS, Inc. Japan
English: http://www.sraoss.co.jp/index_en.php
Japanese:http://www.sraoss.co.jp

--
Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers

Re: [HACKERS] Incomplete startup packet errors
On Wed, Apr 13, 2016 at 10:30 AM, Tatsuo Ishii wrote:
>>> I've also seen it caused by port scanning.
>>
>> Yes, definitely. Question there might be if that's actually a case when we
>> *want* that logging?
>
> Is it possible a user wants the log because he/she wants to notice that
> the system is being attacked?

Yeah, but it doesn't seem very likely, because:

1. If the system is on the Internet, it's definitely being attacked, and

2. The attacks that connect to a port and then disconnect are not the
ones you should be most worried about, and

3. The right way to detect attacks is through OS-level monitoring or
firewall-level monitoring, and nothing we do in PG is going to come
close to the same value.

--
Robert Haas
EnterpriseDB: http://www.enterprisedb.com
The Enterprise PostgreSQL Company

Re: [HACKERS] Incomplete startup packet errors
>> I've also seen it caused by port scanning.
>>
>
> Yes, definitely. Question there might be if that's actually a case when we
> *want* that logging?

Is it possible a user wants the log because he/she wants to notice that
the system is being attacked?

--
Tatsuo Ishii
SRA OSS, Inc. Japan
English: http://www.sraoss.co.jp/index_en.php
Japanese:http://www.sraoss.co.jp

Re: [HACKERS] Incomplete startup packet errors
On Wed, Apr 13, 2016 at 3:56 PM, Tom Lane wrote:

> Magnus Hagander writes:
> > On Wed, Apr 13, 2016 at 10:24 AM, Peter Geoghegan wrote:
> >> On Wed, Apr 13, 2016 at 1:02 AM, Magnus Hagander wrote:
> >>> It's fairly common to see a lot of "Incomplete startup packet" in the
> >>> logfiles caused by monitoring or healthcheck connections.
>
> >> I've also seen it caused by port scanning.
>
> > Yes, definitely. Question there might be if that's actually a case when we
> > *want* that logging?
>
> I should think someone might. But I doubt we want to introduce another
> GUC for this. Would it be okay to downgrade the message to DEBUG1 if
> zero bytes were received?

Yeah, that was my suggestion - I think that's a reasonable compromise.

And yes, I agree that a separate GUC for it would be a huge overkill.

--
Magnus Hagander
Me: http://www.hagander.net/
Work: http://www.redpill-linpro.com/

Re: [HACKERS] Incomplete startup packet errors
Magnus Hagander writes:
> On Wed, Apr 13, 2016 at 10:24 AM, Peter Geoghegan wrote:
>> On Wed, Apr 13, 2016 at 1:02 AM, Magnus Hagander wrote:
>>> It's fairly common to see a lot of "Incomplete startup packet" in the
>>> logfiles caused by monitoring or healthcheck connections.

>> I've also seen it caused by port scanning.

> Yes, definitely. Question there might be if that's actually a case when we
> *want* that logging?

I should think someone might. But I doubt we want to introduce another
GUC for this. Would it be okay to downgrade the message to DEBUG1 if
zero bytes were received?

regards, tom lane

Re: [HACKERS] Incomplete startup packet errors
On Wed, Apr 13, 2016 at 10:24 AM, Peter Geoghegan wrote:

> On Wed, Apr 13, 2016 at 1:02 AM, Magnus Hagander wrote:
> > It's fairly common to see a lot of "Incomplete startup packet" in the
> > logfiles caused by monitoring or healthcheck connections.
>
> I've also seen it caused by port scanning.
>

Yes, definitely. Question there might be if that's actually a case when we
*want* that logging?

--
Magnus Hagander
Me: http://www.hagander.net/
Work: http://www.redpill-linpro.com/

Re: [HACKERS] Incomplete startup packet errors
On Wed, Apr 13, 2016 at 1:02 AM, Magnus Hagander wrote:
> It's fairly common to see a lot of "Incomplete startup packet" in the
> logfiles caused by monitoring or healthcheck connections.

I've also seen it caused by port scanning.

--
Peter Geoghegan

Re: [HACKERS] Incomplete startup packet errors
On Wed, Apr 13, 2016 at 9:02 AM, Magnus Hagander wrote:
> It's fairly common to see a lot of "Incomplete startup packet" in the
> logfiles caused by monitoring or healthcheck connections.
>
> I wonder if it would make sense to only log that error if *at least one
> byte* has been received and then it becomes empty. Meaning that if the
> client just connects+disconnects without sending anything, we don't log
> anything. At least at the default log level (we could have a DEBUG level
> that logged "connection closed immediately").
>
> That would get rid of a lot of logspam.
>
> Would that make sense?

Absolutely. It would be very nice to get rid of such noise.

--
Dave Page
Blog: http://pgsnake.blogspot.com
Twitter: @pgsnake

EnterpriseDB UK: http://www.enterprisedb.com
The Enterprise PostgreSQL Company

Re: [HACKERS] Incomplete startup packet errors
At 2016-04-13 10:02:22 +0200, mag...@hagander.net wrote:
>
> I wonder if it would make sense to only log that error if *at least
> one byte* has been received and then it becomes empty.

Yes, it would be very nice to eliminate that logspam, as you say.

-- Abhijit
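
The behaviour proposed in this thread (say nothing at the default log level when a client connects and disconnects without sending a byte, keep the "incomplete startup packet" message when part of a packet arrived), as an added example that is not PostgreSQL source and not code from any poster. The enum and function names are hypothetical, the "invalid length" message is made up for the demo, and the only protocol fact assumed is that a startup packet begins with a 4-byte big-endian length that counts itself.

```c
#include <arpa/inet.h>
#include <stdint.h>
#include <stdio.h>
#include <sys/socket.h>
#include <unistd.h>
/* Hypothetical names for illustration; this is not PostgreSQL source. */
enum startup_result { STARTUP_OK, STARTUP_EMPTY, STARTUP_INCOMPLETE, STARTUP_INVALID };

/* Read up to `want` bytes, stopping early on EOF or error; returns bytes read. */
static size_t read_full(int fd, void *buf, size_t want) {
    size_t got = 0;
    ssize_t n;
    while (got < want && (n = read(fd, (char *)buf + got, want - got)) > 0)
        got += (size_t)n;
    return got;
}

/* Classify one connection attempt by how much of the startup packet arrived. */
enum startup_result classify_startup(int fd) {
    uint32_t netlen;
    char body[256];
    size_t got = read_full(fd, &netlen, sizeof netlen);
    if (got == 0) return STARTUP_EMPTY;                 /* zero bytes: DEBUG1 only */
    if (got < sizeof netlen) return STARTUP_INCOMPLETE; /* some bytes: keep LOG */
    uint32_t len = ntohl(netlen);                       /* length counts itself */
    if (len < 4 || len - 4 > sizeof body) return STARTUP_INVALID;
    if (read_full(fd, body, len - 4) < len - 4) return STARTUP_INCOMPLETE;
    return STARTUP_OK;
}

/* Constructed client: sends n bytes over a socketpair, then disconnects. */
enum startup_result classify_client(const void *data, size_t n) {
    int sv[2];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) != 0) return STARTUP_INVALID;
    ssize_t sent = n ? write(sv[0], data, n) : 0;
    close(sv[0]);
    enum startup_result r = sent == (ssize_t)n ? classify_startup(sv[1]) : STARTUP_INVALID;
    close(sv[1]);
    return r;
}

int main(void) {
    static const unsigned char full[8] = {0, 0, 0, 8, 0, 3, 0, 0}; /* constructed sample */
    static const char *what[] = {"ok", "DEBUG1: connection closed immediately",
                                 "LOG: incomplete startup packet", "LOG: invalid length"};
    for (size_t n = 0; n <= 8; n += 2)
        printf("%zu bytes sent: %s\n", n, what[classify_client(full, n)]);
    return 0;
}
```

Only the zero-byte case drops below the default log level; a client that sends even part of the length word still produces the existing message, which is the distinction the thread settles on.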