As of last week suddenly gunicorn is grabbing various UDP ports.
Problem is we need to justify every port. I can’t find anywhere to disable or restrict these. The only mention I find for gunicorn is disabling syslog redirect, which wouldn’t explain why it’s popping up on multiple UDP ports.
# netstat -tulpn |grep unicorn
tcp6 0 0 :::8001 :::* LISTEN 3112699/gunicorn: m
udp 0 0 0.0.0.0:51499 0.0.0.0:* 3112785/gunicorn: w
udp 0 0 0.0.0.0:52270 0.0.0.0:* 3112785/gunicorn: w
udp 0 0 0.0.0.0:52272 0.0.0.0:* 3112785/gunicorn: w
udp 0 0 0.0.0.0:53322 0.0.0.0:* 3112785/gunicorn: w
When I restart OMD it stops, then in a couple of days it’s back on completely different UDP ports.
Looking at $OMD_ROOT/var/log/agent-receiver/access.log, it appears the traffic is coming from what looks like one of our vulnerability scanners. Apparently someone decided to fire up a new scanner and it’s making ham-handed GET requests to the gunicorn port.
::ffff::50972 - "GET /cgis/IP360nCircle.nCircleIP360?nCircle=nCircle&IP360=IP360 HTTP/1.0" 404
::ffff::50976 - "GET /cgis/nCircleelcriCn.ip360 HTTP/1.0" 404
::ffff::50986 - "GET /cgis HTTP/1.0" 404
::ffff::51024 - "GET /htbin/IP360nCircle.nCircleIP360?nCircle=nCircle&IP360=IP360 HTTP/1.0" 404
::ffff::51080 - "GET /htbin/nCircleelcriCn.ip360 HTTP/1.0" 404
::ffff::51112 - "GET /htbin HTTP/1.0" 404
The error_log has a bunch like this:
[2026-01-15 11:26:09 -0500] [3012115] [INFO] Application startup complete.
[2026-01-15 12:36:58 -0500] [3012115] [WARNING] Invalid HTTP request received.
[2026-01-15 12:36:58 -0500] [3012115] [WARNING] Invalid HTTP request received.
[2026-01-15 12:36:58 -0500] [3012115] [WARNING] Invalid HTTP request received.
[2026-01-15 12:36:58 -0500] [3012115] [WARNING] Invalid HTTP request received.
[2026-01-15 12:36:58 -0500] [3012115] [WARNING] Invalid HTTP request received.
[2026-01-15 12:36:58 -0500] [3012115] [ERROR] Exception in ASGI application
Traceback (most recent call last):
  File "/omd/sites/prod/lib/python3.12/site-packages/uvicorn/protocols/http/h11_impl.py", line 403, in run_asgi
    result = await app(  # type: ignore[func-returns-value]
             ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/omd/sites/prod/lib/python3.12/site-packages/uvicorn/middleware/proxy_headers.py", line 60, in __call__
    return await self.app(scope, receive, send)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/omd/sites/prod/lib/python3.12/site-packages/fastapi/applications.py", line 1054, in __call__
    await super().__call__(scope, receive, send)
  File "/omd/sites/prod/lib/python3.12/site-packages/starlette/applications.py", line 113, in __call__
    await self.middleware_stack(scope, receive, send)
  File "/omd/sites/prod/lib/python3.12/site-packages/starlette/middleware/errors.py", line 186, in __call__
    raise exc
Is this a case of it receiving this garbage and trying to process it like a TLS registration from a client? If so, I’m desirous of disabling that client autoregistration, as I don’t Want it anyway. Because of our non-internet-connected, heavily segmented and firewalled environment we Only use pull, no pushes as well.
Obviously I’m missing a lot here. Anyone have any… input on how to make these stop aside from firewalling the ham-handed scanner? What is even going on here? I feel like I’m probably missing something basic or stupid; if so, apologies.
Thanks for any assist
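For the "justify every port" audit described in the post, the following is an added example (not part of the original post and not Checkmk or gunicorn code) that parses `netstat -tulpn` output and separates configured TCP listeners from UDP sockets whose port falls inside the kernel's ephemeral range. The sample input is the netstat output quoted above; the function names and the `kind` labels are hypothetical, and the fallback range 32768-60999 is the Linux default, assumed when the `/proc` file cannot be read.

```python
# Sample input: the netstat output quoted in the post above.
SAMPLE = """\
tcp6 0 0 :::8001 :::* LISTEN 3112699/gunicorn: m
udp 0 0 0.0.0.0:51499 0.0.0.0:* 3112785/gunicorn: w
udp 0 0 0.0.0.0:52270 0.0.0.0:* 3112785/gunicorn: w
udp 0 0 0.0.0.0:52272 0.0.0.0:* 3112785/gunicorn: w
udp 0 0 0.0.0.0:53322 0.0.0.0:* 3112785/gunicorn: w
"""

def local_port_range(path="/proc/sys/net/ipv4/ip_local_port_range"):
    """Kernel ephemeral port range; falls back to the Linux default (assumption)."""
    try:
        with open(path) as fh:
            low, high = map(int, fh.read().split())
        return low, high
    except (OSError, ValueError):
        return 32768, 60999

def classify(netstat_text, port_range=(32768, 60999)):
    """Return one record per socket line of `netstat -tulpn` output."""
    low, high = port_range
    records = []
    for line in netstat_text.splitlines():
        f = line.split()
        if len(f) < 6 or f[0] not in ("tcp", "tcp6", "udp", "udp6"):
            continue  # header or unrelated line
        # UDP rows have an empty State column, so PID/Program may be field 6.
        has_state = "/" not in f[5] and f[5] != "-"
        owner = " ".join(f[6:] if has_state else f[5:])
        pid, _, prog = owner.partition("/")
        port = int(f[3].rsplit(":", 1)[1])
        if has_state and f[5] == "LISTEN":
            kind = "tcp-listener"
        elif f[0].startswith("udp") and low <= port <= high:
            # Consistent with a kernel-assigned port rather than a configured one.
            kind = "udp-ephemeral-range"
        else:
            kind = "fixed-port"
        records.append({"proto": f[0], "port": port, "pid": pid,
                        "prog": prog, "kind": kind})
    return records

if __name__ == "__main__":
    for rec in classify(SAMPLE, local_port_range()):
        print(rec)
```

Run against live output, every row comes back tagged with its owning PID, so the audit record can list the fixed listener separately from the ports that change after each restart.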