adventures into the land of the command line

redis security

not long ago my redis server got hacked! so cool! the reason was because i'm a total n00b, but now i know. i had a read of this post by antirez, the creator of redis, where he basically shows how to break into a default redis install (no bind, no password, and CONFIG available to anyone who can connect). this is exactly what happened to me.

the guy used redis's CONFIG SET command to point the working directory (dir) at an .ssh directory and to rename the dump file (dbfilename, dump.rdb by default) to authorized_keys, and redis then wrote its dump there. when i looked inside the .rdb file, it contained his ssh public key, amongst other things: the rdb header and binary framing, which sshd simply skips as unparseable lines as long as the key sits on a line of its own.

my appendonly.aof file also contained the steps he ran to get there. only commands that modify the dataset are appended to the aof, so the CONFIG SET calls don't show up in it, but the FLUSHALL and the SET of the key do:

*1
$8
flushall
*3
$3
set
$7
crackit
$411
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAzb6NvQuEzHZF1Q/Ftpdgagd1PncMVsSo813wlmF6AKb6hxAgNgTlh/Jn6l8tmi5QEnIi6hVzA9nbBhNApvGLlIWB4R0WHzj3WDiJVN9GwLYsFICIQNlJkjawsJOSR3R0097zOVj0tL0wOpAr3L+yRD2KpTa8if40zrciPsJqkw6mhblhazsOkH7bTfbIdEDNkQZxkpSuho1/OtglSi1hk3HyqbbtKre5P5YkKc12HDv1r83X+bRidKgjez0k4HsLpP3eYywiIvTvvWBY3r3nb9SvXAVCbBLsIonC1YPYCR5hwhOeVUqcbwAoqwXZXbwf6SzkbWLkcQSMyQDQroQCLQ== [email protected]

then he simply ssh'ed in. nice
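here is a small parser for that aof format, added as an example and not part of the original post. redis writes the aof as RESP: an array header (*N) followed by length-prefixed bulk strings ($len), and the length prefix is what lets a value carry embedded newlines, which is exactly how the padded key survives. the aof bytes below are constructed to mirror the fragment above with a placeholder key in place of the attacker's, and suspicious_commands is my own heuristic for the flushall-then-set pattern.

```python
import re

# Added example, not code from the original post. Redis writes appendonly.aof
# in RESP: "*N\r\n" opens an N-element array, each element is "$len\r\n<bytes>\r\n".
# The bytes below are constructed to mirror the fragment in the post; the key
# is a placeholder, not the attacker's.
PLACEHOLDER_KEY = b"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCplaceholderkey attacker@example.invalid"
# antirez's trick pads the key with newlines so it lands on its own line in
# authorized_keys, surrounded by rdb binary that sshd skips as unparseable.
PAYLOAD = b"\n\n" + PLACEHOLDER_KEY + b"\n\n"
SAMPLE_AOF = (
    b"*1\r\n$8\r\nflushall\r\n"
    b"*3\r\n$3\r\nset\r\n$7\r\ncrackit\r\n"
    b"$" + str(len(PAYLOAD)).encode() + b"\r\n" + PAYLOAD + b"\r\n"
)

SSH_KEY_RE = re.compile(rb"(ssh-(rsa|ed25519|dss)|ecdsa-sha2-\S+) [A-Za-z0-9+/=]+")


def parse_resp_commands(data):
    """Yield every command in a RESP byte stream as a list of bytes arguments.

    Bulk strings are read by their declared length, never by scanning for a
    newline, so values with embedded newlines (like the padded key) survive.
    """
    pos, end_of_data = 0, len(data)
    while pos < end_of_data:
        if data[pos:pos + 1] != b"*":
            raise ValueError(f"expected array header at offset {pos}")
        line_end = data.index(b"\r\n", pos)
        count = int(data[pos + 1:line_end])
        pos = line_end + 2
        args = []
        for _ in range(count):
            if data[pos:pos + 1] != b"$":
                raise ValueError(f"expected bulk string at offset {pos}")
            line_end = data.index(b"\r\n", pos)
            length = int(data[pos + 1:line_end])
            pos = line_end + 2
            args.append(data[pos:pos + length])
            pos += length + 2          # skip the payload and its trailing CRLF
        yield args


def suspicious_commands(commands):
    """Return (args, reason) pairs matching the steps of the authorized_keys trick.

    Only dataset-modifying commands reach the aof, so the CONFIG SET dir /
    dbfilename calls normally won't be in it; they are checked anyway in case
    the command stream was captured some other way.
    """
    findings = []
    for args in commands:
        name = args[0].upper()
        if name in (b"FLUSHALL", b"FLUSHDB"):
            findings.append((args, "dataset wiped so the dump holds little but the key"))
        elif name == b"SET" and len(args) >= 3 and SSH_KEY_RE.search(args[2]):
            findings.append((args, "ssh public key stored as a value"))
        elif (name == b"CONFIG" and len(args) >= 3 and args[1].upper() == b"SET"
              and args[2].lower() in (b"dir", b"dbfilename")):
            findings.append((args, "dump location or filename changed"))
    return findings


if __name__ == "__main__":
    cmds = list(parse_resp_commands(SAMPLE_AOF))
    for args, reason in suspicious_commands(cmds):
        print(args[0].decode(), "->", reason)
```

run it against a real appendonly.aof by reading the file in binary mode and passing the bytes to parse_resp_commands; the aof is append-only, so the attacker's commands are still there even after the dataset was flushed.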

so the first things antirez recommends are to make sure redis only listens on specific ips rather than on everything, to set a password with requirepass (which clients then supply with the AUTH command), and to disable dangerous commands like CONFIG and FLUSHALL. newer redis (3.2 and up) also ships with protected-mode, which refuses connections from other hosts when you have set neither bind nor a password, but don't rely on that alone. so how do we do the three things?

to get redis to listen only on specific ips, edit the config file and set bind to the local interface addresses it should accept connections on:

$ vim /etc/redis_instance1.conf

# If you want you can bind a single interface, if the bind option is not
# specified all the interfaces will listen for incoming connections.
#
bind 127.0.0.1 <other local interface addresses, space separated>

note that bind only picks which local interfaces redis listens on, it is not a client allow-list: anyone who can reach a bound interface can still connect. if other hosts need access, bind to that interface and restrict the source ips with a firewall (or keep it on a private network) as well.

to require a password, also edit the SECURITY section of the config file. the password goes over the wire in the clear and redis will check AUTH attempts as fast as the client can send them (there is no rate limiting), so make it long and random rather than memorable:

######## SECURITY ########

requirepass some_very_long_unguessable_password

then in your application (i'm using redis-py with flask), when you create the connection to the db, pass in the password so the client sends AUTH for you:

import redis

redis_db = redis.Redis(host=redis_host_ip, port=redis_port, password=redis_auth_password)

to disable the dangerous commands, add rename-command lines to the same SECURITY section. renaming a command to the empty string removes it completely:

######## SECURITY ########

rename-command CONFIG ""
rename-command FLUSHALL ""
rename-command FLUSHDB ""

you can also rename them to a long random name instead if your own tooling still needs them, but be aware that commands which get logged to the aof or sent to replicas must be renamed identically everywhere, otherwise a replay or a replica won't recognise them.

finally, remember to restart the server so the new config is read

$ /etc/init.d/redis_instance1 restart

then check the result from another host with redis-cli: a bare PING should come back with "NOAUTH Authentication required." rather than PONG, and after authenticating, CONFIG GET dir should be rejected as an unknown command.
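putting the three changes together, here is an audit script, added as an example (not from the original post or from redis itself), that reads a redis.conf and reports which of the mitigations are missing. the two config texts are constructed samples, one in the out-of-the-box state and one with the changes above applied; the 32-character minimum password length and the extra protected-mode check are my own choices.

```python
import shlex

# Added example, not code from the original post or from redis. Reads a
# redis.conf and reports which of the three mitigations above are missing.
DANGEROUS = ("CONFIG", "FLUSHALL", "FLUSHDB")
MIN_PASSWORD_LEN = 32   # my own threshold: AUTH is plaintext and unthrottled
WILDCARD_BINDS = {"0.0.0.0", "*", "::"}

# Constructed sample: the out-of-the-box state the post describes.
WEAK_CONF = """\
port 6379
# bind 127.0.0.1
dir /var/lib/redis
"""

# Constructed sample: the post's three changes applied.
HARDENED_CONF = """\
port 6379
bind 127.0.0.1 10.0.0.5
######## SECURITY ########
requirepass 9f1c2e8b4a7d6c5e3b2a1f0e9d8c7b6a5f4e3d2c1b0a9f8e
rename-command CONFIG ""
rename-command FLUSHALL ""
rename-command FLUSHDB ""
"""


def parse_redis_conf(text):
    """Return (directive, args) pairs, lower-casing the directive and honouring
    redis.conf quoting (so rename-command CONFIG "" yields an empty argument)."""
    directives = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = shlex.split(line)
        directives.append((parts[0].lower(), parts[1:]))
    return directives


def audit_redis_conf(text):
    """Return a list of findings; empty means bind, requirepass and the
    command renames are all in place. A directive repeated later in the file
    overrides an earlier one, as redis itself does for bind and requirepass."""
    binds = password = protected = None
    renamed = {}
    for name, args in parse_redis_conf(text):
        if name == "bind":
            binds = args
        elif name == "requirepass":
            password = args[0] if args else ""
        elif name == "rename-command" and len(args) == 2:
            renamed[args[0].upper()] = args[1]
        elif name == "protected-mode" and args:
            protected = args[0].lower()

    findings = []
    if binds is None:
        findings.append("no bind directive: redis listens on every interface")
    elif WILDCARD_BINDS & set(binds):
        findings.append("bind includes a wildcard address: " + " ".join(binds))
    if password is None:
        findings.append("no requirepass: anyone who can connect is trusted")
    elif len(password) < MIN_PASSWORD_LEN:
        findings.append(f"requirepass is only {len(password)} characters")
    for cmd in DANGEROUS:
        if cmd not in renamed:
            findings.append(f"{cmd} is still reachable under its real name")
    # Extra check beyond the post: protected-mode (redis 3.2+) is the
    # built-in safety net for exactly this attack; never switch it off.
    if protected == "no":
        findings.append("protected-mode explicitly disabled")
    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(label, audit_redis_conf(conf) or ["ok"])
```

to audit a live instance, read /etc/redis_instance1.conf (or whichever file your init script points at) and pass its contents to audit_redis_conf; an empty list means the three changes from this post are in place, though it says nothing about the firewall in front of the box.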