Suppress spurious warnings from port scanner connections #15713
michaelklishin merged 2 commits into rabbitmq:main from Mar 12, 2026
Port scanners and other non-RabbitMQ clients connecting to the stream
port send arbitrary data before any authentication takes place. The
resulting `{unknown, Data}` commands are expected and not actionable,
so logging them at warning level is unnecessarily noisy.

Add a specific clause for `{unknown, _}` in `handle_frame_pre_auth/4`
that logs at debug level. The existing warning-level catch-all remains
for any other genuinely unexpected pre-auth commands.

Also add a specific clause for `{unknown, _}` in
`handle_frame_post_auth/4` with a clearer log message, and extract
`send_close_and_increment/2` to eliminate the resulting duplication.

Two sources of noise in the logs when port scanners connect to the
stream port:

1. Unrecognised pre-auth data was logged at warning level. Since this
   is expected from port scanners and other non-RabbitMQ clients, add a
   specific `{unknown, _}` clause in `handle_frame_pre_auth/4` that
   logs at debug level instead. The existing warning-level catch-all
   remains for any other unexpected pre-auth commands.

   Also add a specific `{unknown, _}` clause in
   `handle_frame_post_auth/4` with a clearer log message, and extract
   `send_close_and_increment/2` to eliminate the resulting duplication.

2. When incoming data does not contain a complete frame (e.g. a port
   scanner sends fewer bytes than a full frame header), no commands are
   parsed and `connection_step` remains unchanged. The pre-`open`
   state handlers treated this as an invalid transition and logged a
   warning. Add a guard in each of the five pre-`open` state handlers
   (`tcp_connected`, `peer_properties_exchanged`, `authenticating`,
   `tuning`, `tuned`) that returns `keep_state` when
   `NextConnectionStep` equals the current state, waiting for more
   data. The existing negotiation timeout will still close connections
   that make no progress.
lukebakken commented Mar 12, 2026
| fun(NextConnectionStep, | ||
| #statem_data{transport = Transport, | ||
| connection = #stream_connection{socket = S}} = | ||
| StatemData, |
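Review bot: in the `fun(NextConnectionStep, #statem_data{...} = StatemData,` head, if these lines changed only in indentation, the whitespace-only reformatting is sharing a change with the behavioural edits described in the commit message, which makes the functional diff harder to isolate when reviewing or cherry-picking. Consider moving the re-indentation into its own commit.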
FYI I re-formatted these functions using = in neovim.
michaelklishin added a commit that referenced this pull request Mar 12, 2026
mergify bot pushed a commit that referenced this pull request Mar 12, 2026
(cherry picked from commit b69c014)
Follow-up to #15703, which fixed a crash when port scanners connect to the stream port. That fix revealed two remaining sources of log noise:

1. Unrecognised pre-auth data logged at warning level

`handle_frame_pre_auth/4` had a catch-all that logged `{unknown, Data}` at warning level. Since this is expected from port scanners and other non-RabbitMQ clients, a specific `{unknown, _}` clause is added that logs at debug level instead. The existing warning-level catch-all remains for any other unexpected pre-auth commands.

A specific `{unknown, _}` clause is also added to `handle_frame_post_auth/4` with a clearer log message (post-auth unrecognised data is more noteworthy and stays at warning). `send_close_and_increment/2` is extracted to eliminate the resulting duplication.

2. Spurious "invalid transition" warnings from partial frames

When incoming data does not contain a complete frame (e.g. a port scanner sends fewer bytes than a full frame header), no commands are parsed and `connection_step` remains unchanged. The five pre-`open` state handlers (`tcp_connected`, `peer_properties_exchanged`, `authenticating`, `tuning`, `tuned`) treated this as an invalid transition and logged a warning.

A guard is added to each handler that returns `keep_state` when `NextConnectionStep` equals the current state name, correctly waiting for more data. The existing negotiation timeout will still close connections that make no progress.
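
A simplified model of the two behaviours described above (waiting on a partial frame, and treating pre-auth `{unknown, _}` data as debug-level), as an added example that is not code from this pull request or from rabbitmq-server. The module, the function names, the `peer_properties` command encoding, the return tuples and the 4-byte length prefix are assumptions made for illustration.

```erlang
%% Added example, not rabbitmq-server code. All names are hypothetical and
%% the 4-byte big-endian length prefix is an assumed, simplified framing.
-module(partial_frame_demo).
-export([step/3, demo/0]).

%% Split a buffer into complete frames and the incomplete tail.
parse(<<Size:32, Body:Size/binary, Rest/binary>>, Acc) ->
    parse(Rest, [Body | Acc]);
parse(Tail, Acc) ->
    {lists:reverse(Acc), Tail}.

%% Toy pre-auth decoder: one recognised command, everything else is unknown.
decode(<<"peer_properties">>) -> peer_properties;
decode(Data) -> {unknown, Data}.

%% Fold function: the step a command leads to from the current step.
next_step(peer_properties, tcp_connected) -> peer_properties_exchanged;
next_step(_Command, Step) -> Step.

%% step(CurrentStep, BufferedBytes, NewBytes) returns
%%   {keep_state, Buffer}        no progress yet, wait for more data
%%   {next_state, Step, Buffer}  the handshake advanced
%%   {close, LogLevel, Reason}   close the connection, log at LogLevel
step(Current, Buffered, New) ->
    {Frames, Tail} = parse(<<Buffered/binary, New/binary>>, []),
    Commands = [decode(F) || F <- Frames],
    case lists:any(fun({unknown, _}) -> true; (_) -> false end, Commands) of
        true ->
            %% Expected from scanners before authentication: debug, not warning.
            {close, debug, unrecognised_pre_auth_data};
        false ->
            %% With no parsed commands the fold returns Current unchanged,
            %% which is "wait for more data", not an invalid transition.
            case lists:foldl(fun next_step/2, Current, Commands) of
                Current -> {keep_state, Tail};
                Next -> {next_state, Next, Tail}
            end
    end.

%% Constructed inputs: a 3-byte probe, an HTTP probe whose first four bytes
%% decode as a huge length, a complete unknown frame, and a valid frame
%% delivered in two TCP segments.
demo() ->
    [step(tcp_connected, <<>>, <<"GET">>),
     step(tcp_connected, <<>>, <<"GET / HTTP/1.0\r\n\r\n">>),
     step(tcp_connected, <<>>, <<2:32, "hi">>),
     step(tcp_connected, <<0, 0>>, <<0, 15, "peer_properties">>)].
```

In this model the first two probes never complete a frame, so the only thing that ends those connections is a timeout outside `step/3`, which is the role the negotiation timeout plays in the description above.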