
[Security] Over 6,000 Redis Database Servers Ready for the Taking

Discussion in 'All Internet & Web Performance News' started by Jimmy, Jul 9, 2016.

  1. Jimmy (Premium Member)

    Over 6,000 Redis Database Servers Ready for the Taking

    "The total disregard for any security features in the creation of the Redis database server has come around to haunt the project years after, as Risk Based Security (RBS) reports discovering 6,338 compromised Redis servers."
     
  2. eva2000 (Administrator)

    Also another reason why a firewall is needed, like CSF Firewall, which is installed by Centmin Mod out of the box.

    From: A few things about Redis security - <antirez> (posted 249+ days ago)
    Redis Security – Redis

     
  3. eva2000 (Administrator)

    and "New security feature: Redis protected mode." on r/redis
     
  4. Revenge (Active Member)

    In terms of security, does Memcached not suffer from similar issues?
     
  5. Jimmy (Premium Member)

    I was thinking the same thing earlier, but didn't get a chance to post it yet. I'm not using Redis with IPB.
     
  6. eva2000 (Administrator)

    I believe, out of the box, the difference is that Redis does not bind to 127.0.0.1 unless you enable it in redis.conf, while Memcached out of the box binds to 127.0.0.1.
     
  7. eva2000 (Administrator)

    I believe redis.conf does now though: http://download.redis.io/redis-stable/redis.conf ?

    Or it's a Redis 3.2+ thing.
    Code (Text):
    ################################## NETWORK #####################################
    
    # By default, if no "bind" configuration directive is specified, Redis listens
    # for connections from all the network interfaces available on the server.
    # It is possible to listen to just one or multiple selected interfaces using
    # the "bind" configuration directive, followed by one or more IP addresses.
    #
    # Examples:
    #
    # bind 192.168.1.100 10.0.0.1
    # bind 127.0.0.1 ::1
    #
    # ~~~ WARNING ~~~ If the computer running Redis is directly exposed to the
    # internet, binding to all the interfaces is dangerous and will expose the
    # instance to everybody on the internet. So by default we uncomment the
    # following bind directive, that will force Redis to listen only into
    # the IPv4 lookback interface address (this means Redis will be able to
    # accept connections only from clients running into the same computer it
    # is running).
    #
    # IF YOU ARE SURE YOU WANT YOUR INSTANCE TO LISTEN TO ALL THE INTERFACES
    # JUST COMMENT THE FOLLOWING LINE.
    # ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    bind 127.0.0.1
    
    # Protected mode is a layer of security protection, in order to avoid that
    # Redis instances left open on the internet are accessed and exploited.
    #
    # When protected mode is on and if:
    #
    # 1) The server is not binding explicitly to a set of addresses using the
    #    "bind" directive.
    # 2) No password is configured.
    #
    # The server only accepts connections from clients connecting from the
    # IPv4 and IPv6 loopback addresses 127.0.0.1 and ::1, and from Unix domain
    # sockets.
    #
    # By default protected mode is enabled. You should disable it only if
    # you are sure you want clients from other hosts to connect to Redis
    # even if no authentication is configured, nor a specific set of interfaces
    # are explicitly listed using the "bind" directive.
    protected-mode yes
     
  8. eva2000 (Administrator)

    Checking an old copy of my Redis 2.8.7 EPEL-installed redis.conf, and bind is enabled there too:
    Code (Text):
    # By default Redis listens for connections from all the network interfaces
    # available on the server. It is possible to listen to just one or multiple
    # interfaces using the "bind" configuration directive, followed by one or
    # more IP addresses.
    #
    # Examples:
    #
    # bind 192.168.1.100 10.0.0.1
    bind 127.0.0.1
    

    So the problem that article was suggesting is probably folks who need remote Redis server access disabling the bind to 127.0.0.1 and just leaving the Redis port and server wide open, instead of properly firewalling their Redis server, which is what Redis Security – Redis is outlining.

    CSF Firewall has advanced features to whitelist a specific IP on a specific port: CSF - CSF Firewall info | Centmin Mod Community

    i.e.
    # TCP connections inbound to port 6379 on the Redis server from web server IP 11.22.33.44. Add to /etc/csf.allow
    Code (Text):
    tcp|in|d=6379|s=11.22.33.44
    

    and then restart csf firewall
    Code (Text):
    csf -r
     
    Last edited: Jul 10, 2016
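    Added example (not code from this thread, from Centmin Mod, or from the Redis project): a small Python audit that reads a redis.conf and applies the rules quoted in the config comments above (no "bind" means all interfaces; protected mode on Redis 3.2+ only restricts clients to loopback when there is no "bind" and no password), so you can tell which of the setups discussed in this thread (bind commented out on 2.8, bind 0.0.0.0 with protected mode on, password only, etc.) is actually reachable from other hosts. The sample configs are constructed; "requirepass" is assumed as the password directive (it is the real Redis directive name), and the 3.2 version threshold for protected mode is taken from the thread.

```python
"""Audit a redis.conf for network exposure.

Added example, not code from this thread or from the Redis project. It applies
the rules stated in the redis.conf comments quoted in the thread:
  * with no "bind" directive Redis listens on every interface;
  * protected mode (Redis 3.2+) only kicks in when there is no "bind" AND no
    password, and then refuses commands from non-loopback clients;
  * "requirepass" is assumed to be the directive that sets a password.
"""
import shlex

LOOPBACK = {"127.0.0.1", "::1", "localhost"}


def parse_redis_conf(text):
    """Map each directive to the list of argument lists it appeared with.

    Comments and blank lines are skipped. A directive may appear more than
    once, so every occurrence is kept; callers take the last one for scalar
    settings, which matches Redis applying the file in order.
    """
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = shlex.split(line)  # handles quoted values, e.g. requirepass "p w"
        conf.setdefault(parts[0].lower(), []).append(parts[1:])
    return conf


def assess_exposure(text, redis_version=(3, 2, 0)):
    """Return a dict describing who can reach this Redis instance."""
    conf = parse_redis_conf(text)
    binds = [addr for args in conf.get("bind", []) for addr in args]
    has_password = any(args and args[0] for args in conf.get("requirepass", []))
    # protected-mode defaults to yes, but the feature only exists from 3.2 on.
    protected = True
    if "protected-mode" in conf:
        protected = conf["protected-mode"][-1][0].lower() == "yes"
    protected = protected and redis_version >= (3, 2, 0)

    if binds:
        public = [a for a in binds if a not in LOOPBACK]
        if not public:
            return {"listens_on": "loopback", "remote_reachable": False,
                    "authenticated": has_password,
                    "reason": "bind restricts Redis to loopback addresses"}
        # An explicit bind means protected mode does not apply any more.
        return {"listens_on": ", ".join(public), "remote_reachable": True,
                "authenticated": has_password,
                "reason": "explicit bind on a non-loopback address; "
                          "protected mode does not apply"}

    # No bind directive: Redis listens on all interfaces.
    if protected and not has_password:
        return {"listens_on": "all interfaces", "remote_reachable": False,
                "authenticated": False,
                "reason": "protected mode refuses non-loopback clients while "
                          "neither bind nor a password is set"}
    if has_password:
        return {"listens_on": "all interfaces", "remote_reachable": True,
                "authenticated": True,
                "reason": "no bind; remote clients must AUTH"}
    return {"listens_on": "all interfaces", "remote_reachable": True,
            "authenticated": False,
            "reason": "no bind, no password, protected mode unavailable or off"}


# Constructed sample configs for the cases discussed in the thread.
SAMPLE_DEFAULT_32 = "bind 127.0.0.1\nprotected-mode yes\n"
SAMPLE_UNBOUND_32 = "# bind 127.0.0.1\nprotected-mode yes\n"
SAMPLE_UNBOUND_28 = "# bind 127.0.0.1\n"  # 2.8 has no protected-mode directive
SAMPLE_ALL_IF_32 = "bind 0.0.0.0\nprotected-mode yes\n"
SAMPLE_PASSWORD = 'requirepass "correct horse"\n'


def demo():
    """Run the audit over every sample and return the reports by name."""
    return {
        "default 3.2": assess_exposure(SAMPLE_DEFAULT_32),
        "bind commented out, 3.2": assess_exposure(SAMPLE_UNBOUND_32),
        "bind commented out, 2.8": assess_exposure(SAMPLE_UNBOUND_28, (2, 8, 7)),
        "bind 0.0.0.0, 3.2": assess_exposure(SAMPLE_ALL_IF_32),
        "password only": assess_exposure(SAMPLE_PASSWORD),
    }


if __name__ == "__main__":
    for name, r in demo().items():
        flag = "EXPOSED" if r["remote_reachable"] and not r["authenticated"] else "ok"
        print(f"{name:26s} {flag:8s} {r['reason']}")
```

    The "bind 0.0.0.0" case is the one worth noting: protected mode does not help there because an explicit bind switches it off, so an instance opened up for remote access and left without a password is exactly the state the article describes, and the firewall rule in the post above is what actually limits who can reach port 6379.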
  9. RoldanLT (Well-Known Member)

    I already have this:
    Code:
    # By default Redis listens for connections from all the network interfaces
    # available on the server. It is possible to listen to just one or multiple
    # interfaces using the "bind" configuration directive, followed by one or
    # more IP addresses.
    #
    # Examples:
    #
    # bind 192.168.1.100 10.0.0.1
    # bind 127.0.0.1
    bind 127.0.0.1
    
    
    I'll assume I'm fine with that :D.
     
  10. eva2000 (Administrator)

    Yeah, bind + CSF firewall :)
     