By @lukebakken: Suppress spurious warnings from port scanner connections#15715
Merged
michaelklishin merged 4 commits intomainfrom Mar 12, 2026
Merged
By @lukebakken: Suppress spurious warnings from port scanner connections#15715michaelklishin merged 4 commits intomainfrom
michaelklishin merged 4 commits intomainfrom
Conversation
Port scanners and other non-RabbitMQ clients connecting to the stream
port send arbitrary data before any authentication takes place. The
resulting `{unknown, Data}` commands are expected and not actionable,
so logging them at warning level is unnecessarily noisy.
Add a specific clause for `{unknown, _}` in `handle_frame_pre_auth/4`
that logs at debug level. The existing warning-level catch-all remains
for any other genuinely unexpected pre-auth commands.
Also add a specific clause for `{unknown, _}` in
`handle_frame_post_auth/4` with a clearer log message, and extract
`send_close_and_increment/2` to eliminate the resulting duplication.
Two sources of noise in the logs when port scanners connect to the
stream port:
1. Unrecognised pre-auth data was logged at warning level. Since this
is expected from port scanners and other non-RabbitMQ clients, add a
specific `{unknown, _}` clause in `handle_frame_pre_auth/4` that
logs at debug level instead. The existing warning-level catch-all
remains for any other unexpected pre-auth commands.
Also add a specific `{unknown, _}` clause in
`handle_frame_post_auth/4` with a clearer log message, and extract
`send_close_and_increment/2` to eliminate the resulting duplication.
2. When incoming data does not contain a complete frame (e.g. a port
scanner sends fewer bytes than a full frame header), no commands are
parsed and `connection_step` remains unchanged. The pre-`open`
state handlers treated this as an invalid transition and logged a
warning. Add a guard in each of the five pre-`open` state handlers
(`tcp_connected`, `peer_properties_exchanged`, `authenticating`,
`tuning`, `tuned`) that returns `keep_state` when
`NextConnectionStep` equals the current state, waiting for more
data. The existing negotiation timeout will still close connections
that make no progress.
michaelklishin
added a commit
that referenced
this pull request
Mar 12, 2026
By @lukebakken: Suppress spurious warnings from port scanner connections (backport #15715)
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This is #15713 by @lukebakken with one extra test added by me.