Redis Security Specification: Checklist

2025-01-19 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)06/01 Report--


1. Run Redis on a trusted internal network and avoid exposing it to the public Internet wherever possible

The relevant line in /etc/redis/redis.conf is:

```
bind 127.0.0.1
```

2. Bind the network interfaces Redis listens on

If the server has several IP addresses, restrict which of them the Redis server listens on. The bind configuration directive accepts several addresses at once.

3. Set up a firewall

If other machines need access, or if slave (replica) mode is configured, remember to add a matching firewall rule, for example:

```
# allow only the named host (x.x.x.x) to reach the Redis port
iptables -A INPUT -s x.x.x.x -p tcp --dport 6379 -j ACCEPT
```

4. Prohibit root users from starting redis

A dedicated redis account is required, because the redis crackit attack relies on Redis running as root to overwrite root's authorized_keys. First create the redis account, then start Redis under it:

```
setsid sudo -u redis /usr/bin/redis-server /etc/redis/redis.conf
```

After startup, it should be as follows:

```
root@kali:~# ps -elf | grep redis
1 S redis 14720 1 0 80 0 - 8979 - 08:40 ? 00:00:00 /usr/bin/redis-server /etc/redis/redis.conf
```

5. Restrict redis file directory access

Set the permissions of the Redis home directory to 700. If the Redis configuration file lives outside the Redis home directory, set its permissions to 600, because the Redis password is stored in plaintext in the configuration file.

6. Avoid the well-known port to reduce exposure to basic port scanning

In /etc/redis/redis.conf, find the line

```
port 6379
```

and change 6379 to 8888.

7. Turn on Redis password authentication and set a high-complexity password

In the redis.conf configuration file, set the requirepass directive to enable password authentication for clients.

Because Redis is so fast, the AUTH command can be processed more than 100,000 times per second, so a simple Redis password can be guessed with little effort. The session below shows that commands are refused until AUTH succeeds; the final sha256sum line illustrates one way to derive a long, high-entropy password from a passphrase.

```
root@kali:~# redis-cli -h 192.168.10.2
192.168.10.2:6379> keys *
(error) ERR operation not permitted
192.168.10.2:6379> auth @nsF0cus
OK
root@kali:~# echo -e "xxlegend" | sha256sum
b59869cac63a67e7ee97e6923a75811ff58bd4936ed3be3480b46145d43ae335
```

8. Disable or rename dangerous commands

The redis crackit attack described above is carried out with just two commands, CONFIG and SAVE. Because Redis has no per-user permission model, dangerous commands should be disabled or renamed with the rename-command directive, so that an outsider who does not know the renaming rules cannot execute them. The commands involved:

FLUSHDB, FLUSHALL, KEYS, PEXPIRE, DEL, CONFIG, SHUTDOWN, BGREWRITEAOF, BGSAVE, SAVE, SPOP, SREM, RENAME, DEBUG, EVAL

The following example, in redis.conf, disables the FLUSHDB and FLUSHALL commands and renames CONFIG and SHUTDOWN by adding a special suffix. After Redis restarts, only the CONFIG_b9fc8327c4dee7 command can be run, not CONFIG.

```
rename-command CONFIG CONFIG_b9fc8327c4dee7
rename-command SHUTDOWN SHUTDOWN_b9fc8327c4dee7
rename-command FLUSHDB ""
rename-command FLUSHALL ""
```

Renaming a command to the empty string, as done above for FLUSHDB and FLUSHALL, disables it entirely; alternatively a command can be renamed to something hard for outsiders to guess but easy for us to remember, as done for CONFIG and SHUTDOWN. After saving, run /etc/init.d/redis-server restart for the change to take effect.

9. Prohibit the storage of sensitive plaintext data in redis

Redis is designed to provide a high-performance key-value service, and, at least for now, its access control and data persistence are not designed with sensitive data in mind. Sensitive data must therefore not be stored or cached in Redis in plaintext.

10. Safety monitoring and control

Deploy Redis honeypots on the network so that any probing attempt is detected promptly.

Monitor the Redis security status: alert on the cmdstat_auth and cmdstat_flushdb/cmdstat_flushall counters reported by INFO commandstats.
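The monitoring rule above, worked through as an added example (not code from the original post): two constructed INFO commandstats snapshots are compared, and an alert is raised for an AUTH burst that looks like password guessing, for any FLUSHDB/FLUSHALL (or other watched command) execution, and for counters that went backwards. The threshold and snapshot values are assumptions.

```python
# Two constructed `INFO commandstats` snapshots taken 60 seconds apart (hypothetical values).
SNAPSHOT_T0 = """# Commandstats
cmdstat_get:calls=1200,usec=3000,usec_per_call=2.50
cmdstat_auth:calls=3,usec=9,usec_per_call=3.00
"""
SNAPSHOT_T1 = """# Commandstats
cmdstat_get:calls=1350,usec=3400,usec_per_call=2.52
cmdstat_auth:calls=48210,usec=96420,usec_per_call=2.00
cmdstat_flushall:calls=1,usec=500,usec_per_call=500.00
"""

AUTH_RATE_THRESHOLD = 100   # assumed: AUTH calls per second above which we suspect password guessing
WATCHED = ("flushdb", "flushall", "config", "shutdown", "debug")   # commands that should be rare

def parse_commandstats(text):
    """Return {command: calls} from INFO commandstats output (calls counts failed AUTHs too)."""
    calls = {}
    for line in text.splitlines():
        if not line.startswith("cmdstat_"):
            continue
        name, fields = line[len("cmdstat_"):].split(":", 1)
        stats = dict(kv.split("=", 1) for kv in fields.split(","))
        calls[name.lower()] = int(stats["calls"])
    return calls

def alerts(before, after, interval_s):
    """Compare two snapshots and return alert strings for the checklist's monitored counters."""
    b, a = parse_commandstats(before), parse_commandstats(after)
    out = []
    auth_delta = a.get("auth", 0) - b.get("auth", 0)
    if auth_delta / interval_s > AUTH_RATE_THRESHOLD:
        out.append(f"AUTH burst: {auth_delta} calls in {interval_s:g}s, possible password guessing")
    for cmd in WATCHED:
        delta = a.get(cmd, 0) - b.get(cmd, 0)
        if delta > 0:
            out.append(f"{cmd.upper()} executed {delta} time(s) since last check")
    # A counter that decreased means a restart or CONFIG RESETSTAT, which is itself worth a look.
    if any(a.get(k, 0) < v for k, v in b.items()):
        out.append("counters decreased: server restarted or CONFIG RESETSTAT was run")
    return out

if __name__ == "__main__":
    for msg in alerts(SNAPSHOT_T0, SNAPSHOT_T1, 60):
        print("ALERT:", msg)
```

In production the snapshots would come from `redis-cli INFO commandstats` on a schedule; note that if CONFIG has been renamed as in item 8, the counter still appears under the renamed command's name.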

Aside: Redis Cluster does not support passwords

As of the latest version, 3.2, Redis native cluster mode cannot enable password authentication. Consequently a cluster can only run without a password on the private network, and the security of a private-network Redis cluster has to be ensured through the other settings described above.

Earlier Redis versions posed a serious security risk because, by default, neither bind nor a password was set. Redis 3.2 introduces a new feature, protected mode: if Redis is started without bind and password settings, it can only be reached through the local loopback address, and a remote connection attempt is answered with:

```
DENIED Redis is running in protected mode because protected mode is enabled,
no bind address was specified, no authentication password is requested to clients.
In this mode connections are only accepted from the loopback interface.
```

Of course, protected mode can also be turned off directly with CONFIG SET protected-mode no.
