Redis Security

We are seeing Redis servers that are exposed to the internet without any authentication being targeted by attackers using a simple exploit described on the official Redis blog [3].

The exploit works because an unauthenticated client can both write data and change the server configuration: the attacker stores an SSH public key as a value, uses CONFIG SET dir and CONFIG SET dbfilename to point the RDB dump at the target user's ~/.ssh/authorized_keys, and then issues SAVE. The dump is mostly binary framing around the key, but sshd skips lines it cannot parse and accepts the key, so the attacker can log in as whichever user Redis runs as, which is often root.
Immediate steps to protect against the exploit:

  1. Bind Redis to 127.0.0.1 if it is only connected to locally, or at least only to the private network IP. In redis.conf, set the bind parameter and restart the Redis server:

bind 127.0.0.1

If the Redis server really does need to be reached from other hosts, use iptables to restrict the Redis port (6379 by default) to specific source IPs. Binding to a non-loopback address only narrows the exposure; the firewall rule is what limits who can connect.

  2. Run the Redis server as a dedicated non-root user whose login shell is disabled (for example /usr/sbin/nologin). This matters because even if the attacker manages to write a key into that user's authorized_keys, sshd will not give them a usable session, and they gain no root privileges. It limits rather than removes the damage: the attacker can still overwrite any file the Redis user is allowed to write, which is why step 4 matters.

  3. Enable authentication in Redis and use AUTH on every connection [2]. The password crosses the network in cleartext and Redis checks AUTH attempts very quickly, so it must be long and random rather than memorable.

  • Add a random password to redis.conf:
    requirepass "averylongrandompassword"
  • Configure your Redis client to send AUTH as the first command on every connection:

AUTH averylongrandompassword

  • Restart the Redis server, or apply the setting to the running instance with CONFIG SET requirepass, which takes effect immediately.

  4. Secure the data directory and config files so that only the Redis service account can read them (called redis below; substitute the account from step 2). The config now contains the password, so this step is not optional:

chown redis:redis /path/to/redis.conf
chmod 0600 /path/to/redis.conf
chown redis:redis /path/to/redis/datadir
chmod 0700 /path/to/redis/datadir

Further recommended steps:

  1. For another layer of security, use stunnel to encrypt traffic to and from Redis. Redis itself speaks plaintext, so without this the AUTH password is visible to anyone on the path. (Redis 6.0 and later can also terminate TLS natively.)
  2. Disable commands that are not used and are dangerous, such as FLUSHALL or FLUSHDB, or rename them to a random string in the config file. CONFIG deserves the same treatment, since CONFIG SET dir and CONFIG SET dbfilename are what the exploit relies on:

rename-command FLUSHDB ""
rename-command FLUSHALL ""
rename-command CONFIG averylonghardtoguessstring

Two caveats: a renamed command is still available to anyone who learns the new name, so renaming complements requirepass rather than replacing it, and renaming commands that are written to the AOF or sent to replicas can break replication. On Redis 6.0 and later, ACLs are the supported way to restrict commands per user.
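To check a redis.conf against all of the points above (bind, requirepass, file permissions, and the rename-command entries for CONFIG and FLUSH*), here is a read-only audit script. It is an added example written for this page, not code from the Redis project. It assumes the standard one-directive-per-line redis.conf syntax; the weak and hardened sample configs it writes are constructed for the demonstration. The directive names it reads are real Redis directives, but protected-mode (Redis 3.2 and later) is not mentioned on this page, and the 32-character password floor and the finding messages are this script's own choices.

```shell
#!/bin/sh
# Read-only audit of a redis.conf against the hardening steps on this page.
# Added example, not Redis project code. Assumes one directive per line.

# Effective value of a directive (last uncommented occurrence wins, as in
# redis-server), with surrounding double quotes removed.
conf_get() {
    awk -v key="$2" '
        $1 !~ /^#/ && tolower($1) == tolower(key) {
            $1 = ""; val = substr($0, 2); gsub(/^"|"$/, "", val)
        }
        END { print val }' "$1"
}

# Number of rename-command lines for a command ("" disables it, any other
# value hides it behind a new name).
conf_renamed() {
    awk -v cmd="$2" '
        $1 !~ /^#/ && tolower($1) == "rename-command" && toupper($2) == toupper(cmd) { n++ }
        END { print n + 0 }' "$1"
}

# Group/other permission bits as shown by ls -l, e.g. "r--r--"; "------"
# means only the owner can read or write the path.
other_bits() { ls -ld "$1" | cut -c5-10; }

fail() { echo "FAIL: $1"; findings=$((findings + 1)); }
warn() { echo "WARN: $1"; }

# Print findings; return the number of FAIL lines (0 means all checks passed).
audit_redis_conf() {
    conf="$1"
    findings=0

    # Step 1: listening interface
    bind=$(conf_get "$conf" bind)
    [ -n "$bind" ] || fail "no bind line: redis listens on every interface"
    for addr in $bind; do
        case "${addr#-}" in
            0.0.0.0|"*") fail "bind $addr exposes redis on every interface" ;;
            127.0.0.1|::1) ;;
            *) warn "bind $addr: confirm it is private and firewalled" ;;
        esac
    done
    [ "$(conf_get "$conf" protected-mode)" != "no" ] || fail "protected-mode is off"

    # Step 3: authentication
    pass=$(conf_get "$conf" requirepass)
    if [ -z "$pass" ]; then
        fail "no requirepass: anyone reaching the port can run CONFIG SET"
    elif [ "${#pass}" -lt 32 ]; then
        warn "requirepass is short; Redis checks AUTH attempts very quickly"
    fi

    # Step 4: permissions on the config (holds the password) and data dir
    [ "$(other_bits "$conf")" = "------" ] || fail "$conf is group/other readable"
    dir=$(conf_get "$conf" dir)
    if [ -d "$dir" ] && [ "$(other_bits "$dir")" != "------" ]; then
        fail "data dir $dir is group/other accessible"
    fi

    # Further steps: the exploit needs CONFIG; FLUSH* let an attacker wipe data
    for cmd in CONFIG FLUSHALL FLUSHDB; do
        [ "$(conf_renamed "$conf" "$cmd")" -gt 0 ] || warn "$cmd is not renamed or disabled"
    done
    return "$findings"
}

random_hex() { dd if=/dev/urandom bs="$1" count=1 2>/dev/null | od -An -tx1 | tr -d ' \n'; }

# Constructed sample configs: the exploited setup and a hardened one.
write_weak_conf() {
    printf 'bind 0.0.0.0\nprotected-mode no\ndir %s\n' "$2" > "$1"
    chmod 0644 "$1"
}
write_hardened_conf() {
    cat > "$1" <<EOF
bind 127.0.0.1 ::1
protected-mode yes
requirepass "$(random_hex 32)"
dir $2
rename-command FLUSHDB ""
rename-command FLUSHALL ""
rename-command CONFIG $(random_hex 20)
EOF
    chmod 0600 "$1"
}

demo() {
    tmp=$(mktemp -d)
    mkdir -m 0700 "$tmp/data"
    write_weak_conf "$tmp/weak.conf" "$tmp/data"
    write_hardened_conf "$tmp/hard.conf" "$tmp/data"
    for f in "$tmp/weak.conf" "$tmp/hard.conf"; do
        echo "== $f"
        audit_redis_conf "$f" || echo "-> $? FAIL finding(s)"
    done
    rm -rf "$tmp"
}
demo
```

Run it as the Redis user (or root) and point audit_redis_conf at the real redis.conf; the weak sample produces four FAIL lines and three WARN lines, the hardened one produces none. The script only reads the config, so it is safe to run on a live host; it deliberately does not connect to the server, since a password-less, world-reachable instance is exactly what you are trying to find before anyone else does.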