The exploit stores an SSH public key in Redis and then makes Redis dump its dataset into the authorized_keys file. Immediate steps to take to protect against the exploit:

1. Bind Redis to 127.0.0.1 if it is only connected to locally, or at least bind it only to the private network IP. In redis.conf, set the bind parameter and restart the Redis server:

   bind 127.0.0.1

   If the Redis server really needs public access, use iptables to restrict the Redis port to specific IPs.

2. Run the Redis server as a non-root user that has no shell access. This is very important: a key dumped into that user's authorized_keys gives the attacker neither root privileges nor a usable login shell.

3. Enable authentication in Redis and use AUTH for all connections [2].
   - Add a random password to redis.conf:

     requirepass "averylongrandompassword"

   - Configure your Redis client to send AUTH on every connection:

     AUTH

   - Restart the Redis server.

4. Secure the data directory and config files (the owner below is a placeholder for the account Redis runs as):

   chmod 0600 /path/to/redis.conf
   chown <redis-user> /path/to/redis/datadir
   chmod 0700 /path/to/redis/datadir

Further recommended steps:
- For another layer of security, use stunnel to proxy encrypted traffic to and from Redis.
- Disable unused commands that could be dangerous, such as FLUSHALL or FLUSHDB, in the config file, or rename them to a random string:

   rename-command FLUSHDB ""
   rename-command FLUSHALL ""
   rename-command CONFIG averylonghardtoguessstring
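The steps above can be checked mechanically. The following POSIX shell script is an added example, not part of the original post or of Redis itself: it audits a redis.conf for the bind, requirepass and rename-command settings described here and checks that the config file is not world-readable. It assumes the standard redis.conf layout (one directive per line, `#` starting a comment); the 16-character minimum password length is our own threshold, not something the post specifies.

```shell
#!/bin/sh
# Added example (not from the original post): audit a redis.conf against the
# hardening steps above. Assumes the standard redis.conf layout: one
# "directive value..." per line, '#' starts a comment. The 16-character
# minimum for requirepass is an assumption of this script.

# Print the value of the last active occurrence of a directive ("" if absent).
conf_get() {
    _file="$1"; _key="$2"
    grep -E "^[[:space:]]*${_key}([[:space:]]|$)" "$_file" 2>/dev/null \
        | tail -n 1 \
        | sed -E "s/^[[:space:]]*${_key}[[:space:]]*//"
}

# True when a rename-command line exists for the command (disabled or renamed).
cmd_is_renamed() {
    grep -Eiq "^[[:space:]]*rename-command[[:space:]]+$2([[:space:]]|$)" "$1"
}

# Audit one config file. Prints one line per finding and returns the number
# of findings (0 means every check described above passes).
audit_redis_conf() {
    conf="$1"
    count=0

    # Step 1: a missing or wildcard bind means Redis listens on every interface.
    bind_val=$(conf_get "$conf" bind)
    case " $bind_val " in
        "  "|*" 0.0.0.0 "*|*" :: "*|*" * "*)
            echo "FINDING bind: listening on all interfaces ('$bind_val')"
            count=$((count+1)) ;;
    esac

    # Step 3: requirepass must be present and not trivially short.
    pass=$(conf_get "$conf" requirepass | tr -d '"')
    if [ -z "$pass" ]; then
        echo "FINDING requirepass: authentication disabled"
        count=$((count+1))
    elif [ "${#pass}" -lt 16 ]; then
        echo "FINDING requirepass: password shorter than 16 characters"
        count=$((count+1))
    fi

    # Further steps: dangerous commands should be disabled or renamed.
    for cmd in FLUSHALL FLUSHDB CONFIG; do
        if ! cmd_is_renamed "$conf" "$cmd"; then
            echo "FINDING rename-command: $cmd still reachable under its real name"
            count=$((count+1))
        fi
    done

    # Step 4: the config file (it holds the password) must not be world-readable.
    if [ -n "$(find "$conf" -perm -004 2>/dev/null)" ]; then
        echo "FINDING permissions: $conf is world-readable"
        count=$((count+1))
    fi

    return "$count"
}

# Usage: sh audit_redis.sh /path/to/redis.conf
if [ $# -gt 0 ]; then
    audit_redis_conf "$1"
fi
```

The exit status doubles as a finding count, so the script drops straight into a cron job or CI check; the bind check deliberately flags only "all interfaces" configurations, since the post allows a private-network address as an alternative to loopback.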