Redis security policy

1. Enable Redis password authentication and use a high-complexity password

Description

In the redis.conf configuration file, set the requirepass directive to enable password authentication. Because Redis is extremely fast, the AUTH command can be processed more than 90,000 times per second, so a simple password is very easy for an attacker to brute-force.

Check Tips

--

Reinforcement Suggestions

Open redis.conf, find the line containing requirepass and set it to the chosen password. The password should meet the following complexity requirements:
```
1. At least 8 characters long
2. Contains at least three of the following four character classes:
   uppercase letters (A to Z)
   lowercase letters (a to z)
   the 10 basic digits (0 to 9)
   non-alphabetic characters (for example !, $, #, %, @, ^, &)
3. Avoid publicly known weak passwords such as abcd.1234 and admin@123
```
Then remove the leading # comment marker and restart Redis.
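As an added example (not part of the original post), a small Python check that applies the three rules above to a candidate requirepass value before it goes into redis.conf; the weak-password list is a constructed sample built from the two passwords named above:

```python
import re

# Constructed deny list seeded with the weak passwords named in the policy;
# extend it with your own breached-password data
WEAK_PASSWORDS = {"abcd.1234", "admin@123"}

# The four character classes the policy requires three of
CLASSES = {
    "upper": re.compile(r"[A-Z]"),
    "lower": re.compile(r"[a-z]"),
    "digit": re.compile(r"[0-9]"),
    "other": re.compile(r"[^A-Za-z0-9]"),
}


def check_requirepass(password: str) -> list[str]:
    """Return the policy rules a candidate requirepass value violates.

    An empty list means the password satisfies all three rules of section 1.
    """
    problems = []
    if len(password) < 8:
        problems.append("shorter than 8 characters")
    present = sum(1 for rx in CLASSES.values() if rx.search(password))
    if present < 3:
        problems.append(f"only {present} of 4 character classes (need 3)")
    if password.lower() in WEAK_PASSWORDS:
        problems.append("known weak password")
    return problems


if __name__ == "__main__":
    for candidate in ["admin@123", "Redis2019!", "redispassword", "Ab1!"]:
        issues = check_requirepass(candidate)
        print(f"{candidate!r}: {'OK' if not issues else ', '.join(issues)}")
```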

2. Do not listen on public interfaces

Description

If Redis listens on 0.0.0.0, the service is reachable from external networks, which makes intrusion and lateral movement easy for attackers.

Check Tips

--

Reinforcement Suggestions

In the Redis configuration file redis.conf, configure the following (or an internal network IP instead of 127.0.0.1), then restart Redis:
```
bind 127.0.0.1
```

3. Do not start Redis as the root user

Description

Running network services with root privileges is relatively risky (nginx and apache each run under their own dedicated user, but Redis does not by default). The Redis crackit vulnerability abuses the root privileges of the Redis process to replace or append to authorized_keys and thereby obtain root access.

Check Tips

--

Reinforcement Suggestions

Switch from root to a dedicated redis user to start the service:
```
# create a system user with no login shell and no home directory
useradd -s /sbin/nologin -M redis
# start the server as that user (replace the placeholder paths)
sudo -u redis /<redis-server-path>/redis-server /<configpath>/redis.conf
```

4. Restrict access to the Redis configuration file

Description

Because the Redis password is stored in plain text in the configuration file, users who have no need for it must be prevented from reading or changing the file. Set the permissions of redis.conf to 600.

Check Tips

--

Reinforcement Suggestions

Run the following command to change the configuration file permissions:
```
chmod 600 /<filepath>/redis.conf
```

5. Change the default port 6379

Description

Avoid using the well-known port; this reduces the risk of being picked up by scanners.

Check Tips

--

Reinforcement Suggestions

Edit the Redis configuration file redis.conf, find the line containing port, change the default 6379 to a custom port number, then restart Redis.

6. Disable or rename dangerous commands

Description

Running keys * on the Redis command line is very dangerous. Redis in production must therefore consider disabling some dangerous commands, or at least preventing anyone from using them. Redis has no complete permission-management system, but it does provide a few mechanisms.

Check Tips

--

Reinforcement Suggestions

Edit redis.conf and add:
```
rename-command FLUSHALL ""
rename-command FLUSHDB  ""
rename-command CONFIG   ""
rename-command KEYS     ""
rename-command SHUTDOWN ""
rename-command DEL      ""
rename-command EVAL     ""
```
Then restart Redis.
Renaming a command to "" disables it. If you want to keep a command, rename it to an unguessable string, for example:
`rename-command FLUSHALL  joYAPNXRPmcarcR4ZDgC`

7. Enable protected mode

Description

Redis protected mode is enabled by default. If neither a bind address nor a password is configured, then with this parameter on Redis accepts only local connections and refuses external access.

Check Tips

--

Reinforcement Suggestions

Security setting in redis.conf:
```
# enable protected mode
protected-mode yes
```
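Since the Check Tips above are empty, here is an added example (not from the original post) of a small Python audit of a redis.conf against sections 1, 2, 5, 6 and 7; the weak and hardened configurations are constructed samples, and the port 16379 is an arbitrary choice:

```python
# Commands that section 6 of the policy disables or renames
DANGEROUS_COMMANDS = {"FLUSHALL", "FLUSHDB", "CONFIG", "KEYS", "SHUTDOWN", "DEL", "EVAL"}


def parse_redis_conf(text: str) -> dict:
    """Collect the directives the policy cares about from redis.conf text."""
    conf = {"renamed": set()}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # a commented-out directive is not set
        parts = line.split()
        if parts[0].lower() == "rename-command" and len(parts) >= 2:
            conf["renamed"].add(parts[1].upper())
        elif len(parts) >= 2:
            conf[parts[0].lower()] = " ".join(parts[1:])  # last value wins
    return conf


def audit_redis_conf(text: str) -> list[str]:
    """Return one finding per policy rule the configuration violates."""
    conf = parse_redis_conf(text)
    findings = []
    if "requirepass" not in conf:
        findings.append("requirepass not set (section 1)")
    bind = conf.get("bind", "")
    if not bind or "0.0.0.0" in bind.split():
        findings.append("bind missing or 0.0.0.0 (section 2)")
    if conf.get("port", "6379") == "6379":
        findings.append("default port 6379 (section 5)")
    missing = sorted(DANGEROUS_COMMANDS - conf["renamed"])
    if missing:
        findings.append("commands not renamed: " + ", ".join(missing) + " (section 6)")
    if conf.get("protected-mode", "yes").lower() != "yes":
        findings.append("protected-mode off (section 7)")
    return findings


# Constructed samples: a stock-looking redis.conf and one hardened per sections 1-7
WEAK_CONF = "bind 0.0.0.0\nport 6379\n# requirepass foobared\nprotected-mode no\n"
HARDENED_CONF = (
    "bind 127.0.0.1\nport 16379\nrequirepass Redis2019!\nprotected-mode yes\n"
    + "".join(f'rename-command {c} ""\n' for c in sorted(DANGEROUS_COMMANDS - {"EVAL"}))
    + "rename-command EVAL joYAPNXRPmcarcR4ZDgC\n"
)

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_redis_conf(conf) or ["no findings"])
```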

8. Redis cluster passwords

1. If you use the redis-trib.rb tool to build the cluster, do not configure a password before the cluster has been built; once it is built, set the password on each machine with config set + config rewrite.

2. If the cluster has a password, both requirepass and masterauth need to be set; otherwise, when a master failover occurs, authentication errors appear. You can simulate a failover and watch the logs.

3. The password must be identical on every node, otherwise redirections will fail.

```
# redis-cli -c -p 7004
127.0.0.1:7004> config set masterauth frank
OK
127.0.0.1:7004> config set requirepass frank
OK
127.0.0.1:7004> CONFIG REWRITE
(error) NOAUTH Authentication required.
127.0.0.1:7004> auth frank
OK
127.0.0.1:7004> config rewrite
OK
127.0.0.1:7004> exit
[root@iZj6c7eeosj2t5vjw8rf4xZ redis_cluster]# redis-cli -c -p 7004 -a frank
```

4. After the password has been set, any redis-trib.rb command fails with an error, for example:

```
# redis-trib.rb check 47.52.41.245:7003
[ERR] Sorry, can't connect to node 47.52.41.245:7003
```

Solution:

Find the client.rb file that was generated by the gem install redis command run when the cluster was created. If you do not know where the file is, locate it with the following command:

```
# find / -name client.rb -print
/tmp/frank/ruby/ruby-2.2.8/lib/xmlrpc/client.rb
/usr/local/lib/ruby/gems/2.2.0/gems/redis-4.0.0/lib/redis/client.rb
/usr/local/lib/ruby/2.2.0/xmlrpc/client.rb
```

On my system the file is /usr/local/lib/ruby/gems/2.2.0/gems/redis-4.0.0/lib/redis/client.rb

Then edit the file:

```
# vim /usr/local/lib/ruby/gems/2.2.0/gems/redis-4.0.0/lib/redis/client.rb
```

and change the value of :password to the configured cluster password (frank in this example):

```
require_relative "errors"
require "socket"
require "cgi"

class Redis
  class Client

    DEFAULTS = {
      :url => lambda { ENV["REDIS_URL"] },
      :scheme => "redis",
      :host => "127.0.0.1",
      :port => 6379,
      :path => nil,
      :timeout => 5.0,
      :password => "frank",   # set this to the cluster password
      :db => 0,
      :driver => nil,
      :id => nil,
      :tcp_keepalive => 0,
      :reconnect_attempts => 1,
      :inherit_socket => false
    }

    attr_reader :options
    # ... rest of the file unchanged
```

Re-run the redis-trib.rb command:

```
redis-trib.rb check 47.52.41.245:7003
>>> Performing Cluster Check (using node 47.52.41.245:7003)
S: cc86a24f3896ad7530e2687cf52582912f74b661 47.52.41.245:7003
   slots: (0 slots) slave
   replicates 908430b2bf63669898e9eaef79dd6c1b33c8c57a
M: 668397aba571ece85532b1eb1fccb42e4e33b1f2 116.196.65.198:7001
```

9. Setting the password for a cluster created with Redis 5.0

This can be done in a single step: before creating the cluster, set the password in each configuration file (the same password in every file), then pass the -a password parameter to the command when creating the cluster.

The resulting cluster then already requires the password for access, and nothing needs to be configured afterwards.


Origin www.cnblogs.com/sanduzxcvbnm/p/11303083.html