The exploit enables uploading SSH keys into redis and then dumping the same into the authorized_keys file. Immediate steps to be taken to protect against the exploit :
- Bind redis to 127.0.0.1 if it is only being connected to locally or at least only bind to the private network IP. In redis.conf, set the bind parameter and restart redis server:
bind 127.0.0.1 If at all redis server needs public access, use iptables to restrict the redis port to specific IPs.
2. Run redis server as a non-root user which does not have any shell access. This is very important because the attacker cannot gain root privileges and cannot use a login shell. 3. Enable authentication in redis and use AUTH for all connections.- Add to redis.conf a random password :
requirepass "averylongrandompassword"
- Configure your redis client to use AUTH for every connection :
AUTH
- Restart redis server.
4. Secure the data directory and config files :chmod 0600 /path/to/redis.confchown /path/to/redis/datadirchmod 0700 /path/to/redis/datadir
- For another layer of security, use stunnel to proxy encrypted data to and from redis.
- Disable commands that are not used, that could be dangerous like FLUSHALL or FLUSHDB in the config file or rename it to a random string:
rename-command FLUSHDB ""rename-command FLUSHALL ""rename-command CONFIG averylonghardtoguessstring
Check the pricing of our offerings here
