2025-01-18 Update From: SLTechnology News&Howtos
Shulou (Shulou.com) 06/03 Report
Redis (Remote Dictionary Server) is an open-source, network-accessible key-value store written in ANSI C. It keeps its data in memory, can optionally persist it to disk, and provides client APIs for many languages.
Vulnerability description
Redis has an unauthorized access vulnerability caused by improper configuration: an instance bound to a public interface with no password accepts commands from anyone who can reach the port, and this can be maliciously exploited.
Under certain conditions, if Redis runs as root, an attacker can use CONFIG SET to point the RDB dump directory at /root/.ssh and the dump filename at authorized_keys, store their own SSH public key as a value, and trigger SAVE so that Redis writes the key into the root account's authorized_keys file. They then log in to the victim server directly over SSH as root and obtain full control of the host and its data. With that foothold they can add further accounts for persistent remote access, which puts both the Redis environment and the Linux host at risk: deleting, leaking or encrypting important data, ransomware incidents, and so on.
Affected scope
To check whether an instance is affected, test from a Redis client whether a password is required:
root@kali:~# redis-cli -h 10.16.10.2
10.16.10.2:6379> keys *
1) "1"
The login result shows that the Redis service is reachable from the public network and accepts commands without authentication.
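The following script is an added example (not part of the original article) that performs the same test without redis-cli, by speaking the Redis wire protocol (RESP) directly. It sends PING and classifies the reply: +PONG means the instance accepts commands without a password, -NOAUTH means requirepass is set, -DENIED means protected mode refused the connection. If the instance is open it also asks CONFIG GET dir, since a reachable CONFIG command and a writable dump directory are exactly what the SSH-key attack above relies on. The target host and port are command-line assumptions; the reply strings quoted in the comments follow Redis's documented error prefixes.

```python
"""Test whether a Redis port accepts commands without authentication.

Added example for this page, not part of the original article. It speaks
just enough RESP (the Redis wire protocol) to send PING and CONFIG GET dir
and to classify the first line of each reply. Host and port are assumptions
taken from the command line.
"""
import socket
import sys


def resp_command(*args: str) -> bytes:
    """Encode a command as a RESP array of bulk strings (what redis-cli sends)."""
    parts = ["*%d\r\n" % len(args)]
    for a in args:
        parts.append("$%d\r\n%s\r\n" % (len(a.encode()), a))
    return "".join(parts).encode()


def classify_reply(raw: bytes) -> str:
    """Map the first reply line to one of: open, auth, protected, unknown.

    +PONG      no password configured: every command is accepted
    -NOAUTH    requirepass is set, commands are refused until AUTH
    -DENIED    protected-mode refused a non-loopback client
    """
    first = raw.split(b"\r\n", 1)[0]
    if first == b"+PONG":
        return "open"
    if first.startswith(b"-NOAUTH"):
        return "auth"
    if first.startswith(b"-DENIED"):
        return "protected"
    return "unknown"


def parse_bulk_array(raw: bytes) -> list:
    """Decode a RESP array of bulk strings; assumes no CRLF inside payloads."""
    lines = raw.split(b"\r\n")
    if not lines[0].startswith(b"*"):
        raise ValueError("not a RESP array: %r" % lines[0])
    count = int(lines[0][1:])
    # each element is a "$len" header line followed by its payload line
    return [lines[2 + 2 * i].decode() for i in range(count)]


def config_dir(raw: bytes):
    """From a CONFIG GET dir reply return the dump directory, or None when
    CONFIG has been renamed away (Redis answers '-ERR unknown command')."""
    if raw.startswith(b"-ERR unknown command"):
        return None
    return parse_bulk_array(raw)[1]


def probe(host: str, port: int = 6379, timeout: float = 3.0) -> dict:
    """Connect, PING, and if the server is open ask where it writes RDB dumps:
    an open CONFIG plus a writable dir is what the SSH-key attack needs."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(resp_command("PING"))
        state = classify_reply(s.recv(4096))
        result = {"state": state, "dir": None}
        if state == "open":
            s.sendall(resp_command("CONFIG", "GET", "dir"))
            result["dir"] = config_dir(s.recv(4096))
    return result


if __name__ == "__main__":
    # assumption: target given as argv[1], defaulting to the local instance
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    print(probe(target))
```

A result of `{'state': 'open', 'dir': '/root'}` is the worst case described above; `'auth'` or `'protected'` means at least one of the fixes below is already in place, and `'dir': None` means CONFIG has been disabled by rename-command.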
Remediation
Do not listen on the public network
Bind Redis to a specific network interface
Recent versions of Redis ship a redis.conf that binds only 127.0.0.1; if the bind line is commented out, Redis listens on every interface. If only local communication is needed, make sure it listens on localhost only.
This reduces the risk of unauthorized access but does not remove it: if Redis runs as root and an attacker already has a foothold on the host (for example a webshell), they can still use the local Redis to spawn a reverse shell and escalate privileges.
Find # bind 127.0.0.1 in redis.conf, remove the leading #, and save the file.
This change requires a restart of Redis to take effect.
After the change only clients on the machine itself can reach Redis. To accept connections on particular interfaces, list their local addresses. Note that bind names local interface addresses, not permitted client IPs; restricting which clients may connect is the job of the firewall rules below.
bind 192.168.1.100 10.0.0.1
Change the default port 6379
port 6377
Edit redis.conf, find the line beginning with port, replace the default 6379 with a custom port number, and restart Redis for the change to take effect. This only raises the cost of discovery (a full port scan still finds the service), so combine it with bind, firewall rules and a password.
Set a firewall policy
If other servers legitimately need to reach the Redis service, use an iptables policy that allows only the specified source IP to access the Redis port and drops everyone else (an ACCEPT rule alone is not a whitelist unless the chain's default policy is DROP; rule order matters, so the ACCEPT must come first). Use the new port number if it was changed above.
iptables -A INPUT -s x.x.x.x -p tcp --dport 6379 -j ACCEPT
iptables -A INPUT -p tcp --dport 6379 -j DROP
Accounts and authentication
Set an access password: find the requirepass field in redis.conf, uncomment it, and put the password after it. Clients must then send this password with AUTH before the service accepts any other command.
Open the /etc/redis/redis.conf configuration file:
requirepass www.dgstack.cn12332%%
Use a long, high-entropy password: AUTH is very fast, so short passwords can be brute-forced over the network (for example generate one with openssl rand -base64 32). Restart the service after the change.
Run the service with minimal privileges
Create a dedicated redis user without a login shell and start the service as that user instead of root:
useradd -s /sbin/nologin -M redis
sudo -u redis redis-server /etc/redis/redis.conf
The configuration file must be readable, and the data directory writable, by the redis user. Note: this change requires a restart of Redis to take effect.
Disable or rename dangerous commands
Hide important commands: Redis versions before 6.0 have no privilege separation, so there is no difference between an administrator and an ordinary client, and whoever connects (or authenticates) can do anything (Redis 6 added ACLs for this). Hide or disable the following commands: FLUSHDB, FLUSHALL, KEYS, PEXPIRE, DEL, CONFIG, SHUTDOWN, BGREWRITEAOF, BGSAVE, SAVE, SPOP, SREM, RENAME, DEBUG.
In addition, a Lua sandbox escape (CVE-2015-4335) in Redis 2.8.x before 2.8.21 and 3.x before 3.0.2 allows arbitrary Lua code to be executed through EVAL.
The following configuration renames FLUSHALL, FLUSHDB, CONFIG, KEYS, SHUTDOWN and DEL to the empty string, which disables them; a command can instead be renamed to a long, hard-to-guess name.
rename-command FLUSHALL ""
rename-command FLUSHDB ""
rename-command CONFIG ""
rename-command KEYS ""
rename-command SHUTDOWN ""
rename-command DEL ""
Then restart Redis.
Renaming to "" disables the command. To keep a command available, rename it to a string that cannot be guessed, for example:
rename-command FLUSHALL joYAPNXRPmcarcR4ZDgC
Be aware that renaming commands that are written to the AOF file or sent to replicas can break AOF replay and replication unless every node carries the same renames.
Turn on protected mode
Since Redis 3.2 protected mode is enabled by default. When it is on and neither bind nor requirepass is configured, Redis only answers clients connecting from loopback and refuses connections from other hosts with a DENIED error.
Security setting in redis.conf:
# turn on protected mode
protected-mode yes
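The settings above can be checked mechanically. The script below is an added example written for this page (not a Redis tool) that parses a redis.conf and reports which of the hardening steps in this section are missing: bind restricted to specific interfaces, a non-default port, requirepass set and reasonably long, protected-mode not disabled, and the dangerous commands renamed or disabled. The two sample configurations are constructed for the example; the 16-character password floor and the list of commands it checks are this example's choices.

```python
"""Audit a redis.conf against the hardening steps described above.

Added example written for this page, not Redis's own tooling. Checks:
bind restricted, non-default port, requirepass set and long enough,
protected-mode not disabled, dangerous commands renamed or disabled.
The 16-character minimum and the DANGEROUS list are this example's choices.
"""
import shlex

DANGEROUS = ("FLUSHALL", "FLUSHDB", "CONFIG", "KEYS", "SHUTDOWN", "DEBUG")
MIN_PASSWORD_LEN = 16  # assumption: AUTH is fast to brute-force, so go long


def parse_conf(text: str) -> list:
    """Return (directive, args) pairs in file order, skipping comments.

    shlex handles Redis-style quoting, so 'rename-command CONFIG ""'
    yields the empty string that means "disable this command".
    """
    out = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = shlex.split(line)
        out.append((parts[0].lower(), parts[1:]))
    return out


def audit(text: str) -> list:
    """Return a list of findings; an empty list means every check passed."""
    conf = parse_conf(text)
    findings = []

    def last(name):
        # Redis takes the last occurrence of a directive
        vals = [args for d, args in conf if d == name]
        return vals[-1] if vals else None

    bind = last("bind")
    wildcard = ("0.0.0.0", "*", "::", "::*")
    if bind is None or any(a.lstrip("-") in wildcard for a in bind):
        findings.append("bind: listens on all interfaces")

    port = last("port")
    if port is None or port[0] == "6379":
        findings.append("port: default 6379 (easy to find in scans)")

    pw = last("requirepass")
    if pw is None or not pw[0]:
        findings.append("requirepass: not set, anyone who can connect has full access")
    elif len(pw[0]) < MIN_PASSWORD_LEN:
        findings.append("requirepass: shorter than %d characters" % MIN_PASSWORD_LEN)

    pm = last("protected-mode")
    if pm is not None and pm[0].lower() == "no":
        findings.append("protected-mode: explicitly disabled")

    renamed = {args[0].upper() for d, args in conf if d == "rename-command" and args}
    for cmd in DANGEROUS:
        if cmd not in renamed:
            findings.append("rename-command: %s still reachable under its real name" % cmd)
    return findings


# Constructed sample configurations (not taken from any real host).
WEAK_CONF = """
# bind 127.0.0.1
port 6379
# requirepass foobared
protected-mode no
"""

HARDENED_CONF = """
bind 127.0.0.1
port 6377
requirepass joYAPNXRPmcarcR4ZDgC7Qw1
protected-mode yes
rename-command FLUSHALL ""
rename-command FLUSHDB ""
rename-command CONFIG ""
rename-command KEYS ""
rename-command SHUTDOWN ""
rename-command DEBUG "b840fc02d524045429941cc15f59e41cb7be6c52"
"""

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit(conf) or ["ok"])
```

Run it against `/etc/redis/redis.conf` after applying the steps above; the weak sample produces ten findings, the hardened one none. It reads only the file, so a directive set at runtime with CONFIG SET (and not yet written back with CONFIG REWRITE) is not seen.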
Security patches
Follow Redis releases and upgrade to a current version promptly so that newly disclosed vulnerabilities cannot be exploited.