What are the reinforcement measures for Redis cache database

2025-01-16 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)05/31 Report--

Today I would like to share the hardening measures for the Redis cache database. The content is detailed and the logic is clear; I believe most people still do not know much about this topic, so I am sharing this article for your reference and hope you get something out of it.

Sensitive data and encryption protection

1. Password preservation (important)

Security issue: in native Redis, the server passwords requirepass and masterauth are stored in plaintext in redis.conf.

Solution: the server password is hashed with PBKDF2 and the result is saved in redis.conf.

Performance was also considered: running PBKDF2 on every authentication is too time-consuming. After review, a SHA256 digest is cached in memory once the first authentication succeeds, and subsequent requests are checked against the SHA256 cache first.
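As an added illustration (not the modified Redis's own code), the two-tier check described above in Python: the value stored in redis.conf is a PBKDF2-HMAC-SHA256 hash (the `pbkdf2-sha256$iterations$salt$hash` format, the 100,000 iterations and the 16-byte salt are assumptions), and a keyed SHA-256 digest is cached in memory only after the first PBKDF2 verification succeeds.

```python
import hashlib
import hmac
import secrets

# Assumed parameters: the page names PBKDF2 and SHA256 but gives no
# iteration count, salt size or storage format.
PBKDF2_ITERATIONS = 100_000
SALT_BYTES = 16

def make_stored_password(password: str) -> str:
    """Value written to redis.conf in place of a plaintext requirepass/masterauth."""
    salt = secrets.token_bytes(SALT_BYTES)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2-sha256${PBKDF2_ITERATIONS}${salt.hex()}${dk.hex()}"

class Authenticator:
    """Slow PBKDF2 verification until the first success, then a fast
    keyed-SHA-256 comparison against an in-memory cache."""

    def __init__(self, stored: str):
        algo, iters, salt_hex, dk_hex = stored.split("$")
        if algo != "pbkdf2-sha256":
            raise ValueError("unsupported password format")
        self.iterations = int(iters)
        self.salt = bytes.fromhex(salt_hex)
        self.dk = bytes.fromhex(dk_hex)
        # Per-process random key: the cached digest is not a reusable
        # password hash if process memory is ever dumped.
        self.cache_key = secrets.token_bytes(32)
        self.cached_digest = None
        self.pbkdf2_calls = 0  # instrumentation showing which path ran

    def _fast_digest(self, password: str) -> bytes:
        return hmac.new(self.cache_key, password.encode(), "sha256").digest()

    def authenticate(self, password: str) -> bool:
        # Fast path: only available after one successful PBKDF2 check.
        if self.cached_digest is not None and hmac.compare_digest(
                self._fast_digest(password), self.cached_digest):
            return True
        # Slow path. Every wrong password still costs a full PBKDF2 run,
        # which is why the failed-attempt lockout below matters here.
        self.pbkdf2_calls += 1
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, self.iterations)
        if hmac.compare_digest(candidate, self.dk):
            self.cached_digest = self._fast_digest(password)
            return True
        return False
```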

2. Support for key rotation (important)

Security issue: the keys used for encryption and decryption must not be hard-coded.

Solution: the key supports periodic rotation.

➤ Redis server (redis-server):

A configuration item was added to the configuration file: cipher-dir

It is set to the full path of the directory containing redis_shared.key and root.key, for example: cipher-dir /opt/redis/etc/cipher

➤ Redis client (redis-cli):

A parameter -cipherdir was added, pointing to the full path of the directory containing redis_shared.key and root.key.

For example: redis-cli -h 127.0.0.1 -cipherdir /opt/redis/etc/cipher -a sessionrdb@dbuser@Changeme_123 -p 32091

➤ Redis client SDK (jedis*.jar):

Within the same process, the Jedis interface takes the string dbname@user@pwd, because the third-party interface (similar to JDBC) cannot be encrypted.

3. Password transmission (important)

Security issue: in native Redis, server-side sensitive information can be obtained through the config get command.

Solution: sensitive information such as passwords must not be sent to the client, so config get for requirepass/masterauth/requireuserpass and similar parameters is disabled.

4. Password modification (important)

Security issue: a password change is transmitted in plaintext: config set masterauth pwd

Solution: to address the plaintext password held in Redis memory, masterauth is encrypted with AES128 and the password is saved encrypted with AES128.

Password security

1. The product enables database password complexity checking by default

Security issue: native Redis performs no complexity check when the password is changed.

Solution: a separate Redis tool is provided for changing the password, paying particular attention to the following:

1. The password complexity is checked.

2. When a wrong user name or password is entered, no overly explicit reason such as "password error" or "user name does not exist" is given, so that an attacker cannot use it to guess system user names or passwords.

3. The old password is verified before the password is changed.

4. The new database password must not be the same as the user name.

5. The password is hidden while it is entered interactively.

6. The documentation recommends changing the password interactively.

2. To prevent brute-force cracking, configure the number of failed login attempts for the account

Security issue: native Redis is susceptible to brute-force cracking.

Solution: maximum number of failures: maxauthfailtimes (unit: attempts, valid range (0, 100000], default 10000)

Note: this configuration item can only be set in redis.conf at startup and does not support dynamic modification; the corresponding config set is blocked.

Setting it to 0 (so that no IP is ever locked) is not supported.

3. Configure the automatic unlocking time after the account is locked

Lock time after authentication failure: authfaillocktime (unit: minutes, valid range [0, 999], default 10)

When set to 0, the IP is locked permanently.

Note: this configuration item can only be set in redis.conf at startup and does not support dynamic modification; the corresponding config set is blocked.

4. View locked IPs

Problem: after an IP is locked, the administrator needs to see which IPs are locked.

Solution:

Only the administrator can view the list of locked IPs; entries are separated by a colon (:).

Sample 1: config get lockedips

Return: 10.67.147.111:10.67.147.112

Sample 2: config get lockedips

Return: 10.67.147.111

Description: config set lockedips is not supported. If it is attempted, an error is returned: ERR Unsupported CONFIG parameter: lockedips

5. Manual release of locked IPs

Only the administrator can execute the command to unlock locked IPs. Either a single IP or all IPs can be unlocked.

Solution:

Example 1, unlock a single IP: config set unlockips 10.67.147.111

Example 2, unlock all IPs: config set unlockips "all"

Note: config get unlockips is not supported. If attempted, null is returned; redis-cli shows: (empty list or set)

If the IP given in the parameter is not in the locked list, the unlock fails, for example:

(error) ERR Invalid argument '10.67.147.111' for CONFIG SET 'unlockips'

A manual unlock is recorded in the audit log, for example:

26 Dec 03:15:19.958 * 10.67.147.113 unlocked by 10.67.147.111:59417
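The lockout behaviour of items 2 to 5 above (maxauthfailtimes, authfaillocktime with 0 meaning permanent, the colon-separated lockedips view, and unlockips for one IP or "all" with an error for an IP that is not locked), as an added Python model that is not the modified Redis's source; the injectable `clock` is my addition so that expiry can be exercised without waiting.

```python
import time

class AuthFailLocker:
    """Per-IP lockout modelled on the page's maxauthfailtimes (0, 100000] and
    authfaillocktime in minutes [0, 999], where 0 minutes is a permanent lock.
    Added illustration, not the modified Redis's code; `clock` is injectable."""

    def __init__(self, maxauthfailtimes=10000, authfaillocktime=10, clock=time.time):
        if not 0 < maxauthfailtimes <= 100000:
            raise ValueError("maxauthfailtimes must be in (0, 100000]")
        if not 0 <= authfaillocktime <= 999:
            raise ValueError("authfaillocktime must be in [0, 999]")
        self.max_fail, self.lock_minutes, self.clock = maxauthfailtimes, authfaillocktime, clock
        self.failures = {}  # ip -> consecutive failed AUTH attempts
        self.locked = {}    # ip -> unlock timestamp, or None for a permanent lock

    def _clear(self, ip):
        self.locked.pop(ip, None)
        self.failures.pop(ip, None)

    def is_locked(self, ip):
        if ip not in self.locked:
            return False
        until = self.locked[ip]
        if until is not None and self.clock() >= until:
            self._clear(ip)  # authfaillocktime elapsed: automatic unlock
            return False
        return True

    def record_failure(self, ip):
        """Count one failed AUTH from ip; returns True when it triggers a lock."""
        self.failures[ip] = self.failures.get(ip, 0) + 1
        if self.failures[ip] < self.max_fail:
            return False
        self.locked[ip] = None if self.lock_minutes == 0 else self.clock() + 60 * self.lock_minutes
        return True

    def config_get_lockedips(self):  # admin-only view, colon-separated as on the page
        return ":".join(ip for ip in list(self.locked) if self.is_locked(ip))

    def config_set_unlockips(self, arg):  # single IP or "all"
        if arg == "all":
            for ip in list(self.locked):
                self._clear(ip)
            return "OK"
        if not self.is_locked(arg):
            return f"(error) ERR Invalid argument '{arg}' for CONFIG SET 'unlockips'"
        self._clear(arg)
        return "OK"
```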

6. Security audit

1. Redis itself supports logging to the system log, such as /var/log/localmessage. This requires the following in redis.conf:

syslog-enabled yes

syslog-ident redis

syslog-facility local0

2. On client login, record the client IP, account and other information.

3. Relevant maintenance operations must be logged in detail.

Example: 29118:S 26 Nov 11:19:29.100 * The readdbuser logged in successfully;10.145.93.119:52817

7. Operation log dump

Security issue: the official Redis build does not rotate its log, so a long-running instance may fill the disk.

Solution: run a separate tracemonitor process (Python) that manages the size of the Redis log file on a schedule, mainly compressing logs and deleting old ones periodically so that they do not take up too much disk.

Description: at present the platform checks once every 60 seconds, compresses the log at 20 MB, and keeps at most 50 log files.

That concludes the article "What are the reinforcement measures for Redis cache database". Thank you for reading! I believe you will have gained a lot from it.
