Security Over 6,000 Redis Database Servers Ready for the Taking

Jimmy · Jul 9, 2016

Over 6,000 Redis Database Servers Ready for the Taking

"The total disregard for any security features in the creation of the Redis database server has come around to haunt the project years after, as Risk Based Security (RBS) reports discovering 6,338 compromised Redis servers."

eva2000 · Jul 9, 2016

Also another reason why a firewall is needed like CSF Firewall which is installed by Centmin Mod out of the box.

from A few things about Redis security - <antirez> posted 249+ days ago

IMPORTANT EDIT: Redis 3.2 security improved by implementing protected mode. You can find the details about it here: New security feature: Redis protected mode. : redis

From time to time I get security reports about Redis. It’s good to get reports, but it’s odd that what I get is usually about things like Lua sandbox escaping, insecure temporary file creation, and similar issues, in a software which is designed (as we explain in our security page here Redis Security – Redis) to be totally insecure if exposed to the outside world.

Yet these bug reports are often useful since there are different levels of security concerning any software in general and Redis specifically. What you can do if you have access to the database, just modify the content of the database itself or compromise the local system where Redis is running?

How important is a given security layer in a system depends on its security model. Is a system designed to have untrusted users accessing it, like a web server for example? There are different levels of authorization for different kinds of users?

The Redis security model is: “it’s totally insecure to let untrusted clients access the system, please protect it from the outside world yourself”. The reason is that, basically, 99.99% of the Redis use cases are inside a sandboxed environment. Security is complex. Adding security features adds complexity. Complexity for 0.01% of use cases is not great, but it is a matter of design philosophy, so you may disagree of course.

The problem is that, whatever we state in our security page, there are a lot of Redis instances exposed to the internet unintentionally. Not because the use case requires outside clients to access Redis, but because nobody bothered to protect a given Redis instance from outside accesses via fire walling, enabling AUTH, binding it to 127.0.0.1 if only local clients are accessing it, and so forth.
Click to expand...

Redis Security – Redis
Redis general security model
Redis is designed to be accessed by trusted clients inside trusted environments. This means that usually it is not a good idea to expose the Redis instance directly to the internet or, in general, to an environment where untrusted clients can directly access the Redis TCP port or UNIX socket.

For instance, in the common context of a web application implemented using Redis as a database, cache, or messaging system, the clients inside the front-end (web side) of the application will query Redis to generate pages or to perform operations requested or triggered by the web application user.

In this case, the web application mediates access between Redis and untrusted clients (the user browsers accessing the web application).

This is a specific example, but, in general, untrusted access to Redis should always be mediated by a layer implementing ACLs, validating user input, and deciding what operations to perform against the Redis instance.

In general, Redis is not optimized for maximum security but for maximum performance and simplicity.

Network security
Access to the Redis port should be denied to everybody but trusted clients in the network, so the servers running Redis should be directly accessible only by the computers implementing the application using Redis.

In the common case of a single computer directly exposed to the internet, such as a virtualized Linux instance (Linode, EC2, ...), the Redis port should be firewalled to prevent access from the outside. Clients will still be able to access Redis using the loopback interface.

Note that it is possible to bind Redis to a single interface by adding a line like the following to the redis.conf file:
Code (Text):
bind 127.0.0.1
Failing to protect the Redis port from the outside can have a big security impact because of the nature of Redis. For instance, a single FLUSHALL command can be used by an external attacker to delete the whole data set.

Protected mode
Unfortunately many users fail to protect Redis instances from being accessed from external networks. Many instances are simply left exposed on the internet with public IPs. For this reasons since version 3.2.0, when Redis is executed with the default configuration (binding all the interfaces) and without any password in order to access it, it enters a special mode called proteced mode. In this mode Redis only replies to queries from the loopback interfaces, and reply to other clients connecting from other addresses with an error, explaining what is happening and how to configure Redis properly.

We expect protected mode to seriously decrease the security issues caused by unprotected Redis instances executed without proper administration, however the system administrator can still ignore the error given by Redis and just disable protected mode or manually bind all the interfaces.
Click to expand...

eva2000 · Jul 9, 2016

and New security feature: Redis protected mode. : redis

As you know we got several problems from unprotected Redis instances exposed to the internet. I covered the reason why a restrictive binding to 127.0.0.1 by default may be an usability concern and, even worse, may not fix the problem (hey just comment the "bind" statement and restart!) in my blog post. The same blog post introduced an attack that was heavily used by script kiddies to break into Redis instances (serious security researchers where already able to do this, I guess). So I finally decided to do something before Redis 3.2 official release: Protected mode is the result and will be merged into 3.2 RC2.

The feature is already available in the unstable branch, introduced by this commit. This is how it works.

If and only if:

Protected mode is enabled (this is the default both in the configuration file and in the configless default).

AND IF No AUTH password is configured.

AND IF No "bind" directive is used in order to restrict Redis to certain interfaces.

Then Redis only accepts connections from the loopback IPv4 and IPv6 addresses.
Click to expand...

Revenge · Jul 10, 2016

In terms of security, Memcached does not suffer from similar issues?

Jimmy · Jul 10, 2016

Revenge said: ↑

In terms of security, Memcached does not suffer from similar issues?
Click to expand...

I was thinking the same thing earlier, but didn't get a chance to post it yet. I'm not using Redis with IPB.

eva2000 · Jul 10, 2016

I believe out of box the difference is redis does not bind to 127.0.0.1 unless you enable it in redis.conf while memcached out of box binds to 127.0.01

eva2000 · Jul 10, 2016

i believe redis.conf does now though http://download.redis.io/redis-stable/redis.conf ?

or it's a redis 3.2+ thing

Code (Text):

################################## NETWORK #####################################

# By default, if no "bind" configuration directive is specified, Redis listens
# for connections from all the network interfaces available on the server.
# It is possible to listen to just one or multiple selected interfaces using
# the "bind" configuration directive, followed by one or more IP addresses.
#
# Examples:
#
# bind 192.168.1.100 10.0.0.1
# bind 127.0.0.1 ::1
#
# ~~~ WARNING ~~~ If the computer running Redis is directly exposed to the
# internet, binding to all the interfaces is dangerous and will expose the
# instance to everybody on the internet. So by default we uncomment the
# following bind directive, that will force Redis to listen only into
# the IPv4 lookback interface address (this means Redis will be able to
# accept connections only from clients running into the same computer it
# is running).
#
# IF YOU ARE SURE YOU WANT YOUR INSTANCE TO LISTEN TO ALL THE INTERFACES
# JUST COMMENT THE FOLLOWING LINE.
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
bind 127.0.0.1

# Protected mode is a layer of security protection, in order to avoid that
# Redis instances left open on the internet are accessed and exploited.
#
# When protected mode is on and if:
#
# 1) The server is not binding explicitly to a set of addresses using the
#    "bind" directive.
# 2) No password is configured.
#
# The server only accepts connections from clients connecting from the
# IPv4 and IPv6 loopback addresses 127.0.0.1 and ::1, and from Unix domain
# sockets.
#
# By default protected mode is enabled. You should disable it only if
# you are sure you want clients from other hosts to connect to Redis
# even if no authentication is configured, nor a specific set of interfaces
# are explicitly listed using the "bind" directive.
protected-mode yes

eva2000 · Jul 10, 2016

checking an old copy of my redis 2.8.7 epel installed redis.conf and bind is enabled too
Code (Text):
# By default Redis listens for connections from all the network interfaces
# available on the server. It is possible to listen to just one or multiple
# interfaces using the "bind" configuration directive, followed by one or
# more IP addresses.
#
# Examples:
#
# bind 192.168.1.100 10.0.0.1
bind 127.0.0.1
So problem that article was suggesting is probably folks who need remote redis server access are disabling bind to 127.0.0.1 and just leaving redis port and server wide open instead of properly firewalling their redis server which is what Redis Security – Redis is outlining

CSF Firewall has advanced features to just whitelist a specific ip on a specific port CSF - CSF Firewall info | Centmin Mod Community

i.e.
# TCP connections inbound to port 6379 on redis server from IP 11.22.33.44 web server. Add to /etc/csf.allow
Code (Text):
tcp|in|d=6379|s=11.22.33.44
and then restart csf firewall
Code (Text):
csf -r

rdan · Jul 20, 2016

I already have this:

Code:

# By default Redis listens for connections from all the network interfaces
# available on the server. It is possible to listen to just one or multiple
# interfaces using the "bind" configuration directive, followed by one or
# more IP addresses.
#
# Examples:
#
# bind 192.168.1.100 10.0.0.1
# bind 127.0.0.1
bind 127.0.0.1

I'll assume I'm fine with that

.

eva2000 · Jul 20, 2016

yeah bind + csf firewall

Log in / Register

Forums

Learn about Centmin Mod LEMP Stack today

Security Over 6,000 Redis Database Servers Ready for the Taking

Jimmy Well-Known Member

eva2000 Administrator Staff Member

eva2000 Administrator Staff Member

Revenge Active Member

Jimmy Well-Known Member

eva2000 Administrator Staff Member

eva2000 Administrator Staff Member

eva2000 Administrator Staff Member

rdan Well-Known Member

eva2000 Administrator Staff Member

.

Log in / Register

Useful Searches

Learn about Centmin Mod LEMP Stack today

Security Over 6,000 Redis Database Servers Ready for the Taking

Jimmy Well-Known Member

eva2000 Administrator Staff Member

eva2000 Administrator Staff Member

Revenge Active Member

Jimmy Well-Known Member

eva2000 Administrator Staff Member

eva2000 Administrator Staff Member

eva2000 Administrator Staff Member

rdan Well-Known Member

eva2000 Administrator Staff Member

.