Huawei Cloud Yaoyun Server L instance evaluation | Understanding the redis unauthorized access vulnerability & partial recurrence of the vulnerability & setting the connection password & learning other redis commands


Preface

Huawei Cloud recently launched the Yaoyun Server L instance, and I bought one to play with. During this period my MySQL database was attacked and data was lost; fortunately I had several backups, so the damage was limited. Yesterday I received an email reminder from Huawei Cloud: my redis database has no password. That means anyone who knows my server's IP address and the redis port can connect to my redis database. So that is why the data in my redis kept disappearing inexplicably...

This post covers setting a redis connection password to secure the redis cache database, as well as the commands for inspecting the state of the redis database.


Lead-in

1. redis vulnerability, minor: an attacker who knows the IP + port can access redis, so the redis data is leaked; in addition, the attacker can run the flushall command to clear all data.
2. redis vulnerability, serious: Lua scripts can be executed through the eval command.
3. redis vulnerability, dangerous: if redis runs as root, a hacker can write an SSH public key into the root account's key file and log in to the victim server directly over SSH.


1. The risk of allowing anyone to access redis

1. Understand the unauthorized access vulnerability of redis

The Redis unauthorized access vulnerability means that when a Redis server has no corresponding security policy in place, such as firewall rules blocking access from untrusted source IPs, unauthorized users can directly access and operate the Redis service.

The main cause of this vulnerability is that Redis is bound to 0.0.0.0:6379 by default and authentication is not enabled. So if an attacker can reach the target server over the network, they can use the Redis service without authorization and even read the Redis data.

If a system has this vulnerability, an attacker may exploit it to perform malicious operations. For example, an attacker can use the config command provided by Redis to write a file, placing their ssh public key into the authorized_keys file under /root/.ssh on the target server, and then log in to the target server through the ssh service.

In my previous redis settings, (1) access from any IP was allowed and (2) the redis service could be logged into without a password, so the risk was considerable.

bind allows access from any IP (screenshot of redis.conf)

Protected mode is off (screenshot of redis.conf)

2. The harm of the vulnerability

(1) Minor: an attacker who knows the IP + port can access redis, so the redis data is leaked; in addition, the attacker can run the flushall command to clear all data.

* FLUSHALL [ASYNC | SYNC]
* Function: delete all data.
* Delete all the keys of all the existing databases.

(2) Severe: Lua scripts can be executed through the eval command.

* EVAL script numkeys [key [key ...]] [arg [arg ...]]
* Function: execute a Lua script.
* Invoke the execution of a server-side Lua script.

(3) Dangerous: if redis runs as root, a hacker can write an SSH public key into the root account's key file and log in to the victim server directly over SSH.

The search results on https://www.zoomeye.org/ are as follows (screenshot): redis vulnerability

2. Reproducing the vulnerability

1. Data leakage + flushall to wipe the database and leave

Install redis on Windows and run the redis-cli client from cmd.

Redis accepts client connections by listening on a TCP port or a socket.
When a connection is established with a client, Redis internally does the following:

  • (1) The client socket is set to non-blocking mode, because redis uses a non-blocking multiplexing model for network event processing;
  • (2) The TCP_NODELAY attribute is then set on the socket, disabling the Nagle algorithm;
  • (3) A readable file event is then created to watch for data sent by this client socket.


Start the slave set up earlier on port 6380, connect from Windows, dump the data (data leakage), then flushall to delete the database and run away.


D:\Myprogram\redis>redis-cli -h 124.70.138.34 -p 6380
124.70.138.34:6380> keys *
1) "backup3"
2) "backup4"
3) "backup2"
4) "backup1"
124.70.138.34:6380> flushall
(error) READONLY You can't write against a read only replica.
124.70.138.34:6380> slaveof no one
OK
124.70.138.34:6380> flushall
OK
124.70.138.34:6380> keys *
(empty list or set)
124.70.138.34:6380> set pet 123
OK
124.70.138.34:6380> keys *
1) "pet"

Through the operations above the slave is promoted to master, and black becomes white.

3. Fixing the vulnerability

1. Preliminary fix for data leakage: add a connection password

Set the password for connecting to the redis database in redis.conf (the requirepass directive, shown in the screenshot).

root@hcss-ecs-52b8:~# docker exec -it redis_6379 bash
root@706d04b2ea4d:/data# redis-cli
127.0.0.1:6379> keys *
(error) NOAUTH Authentication required.
127.0.0.1:6379> auth <the password you set>
OK
127.0.0.1:6379> keys *
1) "backup1"
2) "backup3"
3) "jwt1"
4) "backup4"
5) "backup2"
127.0.0.1:6379> config get requirepass
1) "requirepass"
2) "<the password you set>"
127.0.0.1:6379> 
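The script below is an added example and not code from the original post. It audits a redis.conf for the three settings this post identifies as the cause of the exposure: bind on all interfaces (section 1), protected-mode no (section 1), and a missing requirepass (this section). Both configuration files it checks are constructed for the demo; the hardened one additionally renames FLUSHALL and CONFIG, which is a common hardening step the post itself does not take. It needs only POSIX sh and awk.

```shell
#!/bin/sh
# Added example (not from the original post): audit a redis.conf for the
# weak settings described in the post and report each one found.

# Constructed sample: the exposed configuration the post's screenshots show.
WEAK_CONF=$(mktemp)
cat > "$WEAK_CONF" <<'EOF'
bind 0.0.0.0
protected-mode no
port 6379
databases 16
EOF

# Constructed sample: a hardened configuration. requirepass value is a placeholder.
HARDENED_CONF=$(mktemp)
cat > "$HARDENED_CONF" <<'EOF'
bind 127.0.0.1 -::1
protected-mode yes
port 6379
requirepass REPLACE_WITH_A_LONG_RANDOM_SECRET
rename-command FLUSHALL ""
rename-command CONFIG ""
databases 16
EOF

# Print the effective value of a directive: the last uncommented occurrence
# wins, as in redis.conf itself. Prints an empty string if it is absent.
conf_get() {
    awk -v key="$2" '$1 == key { $1 = ""; sub(/^ /, ""); v = $0 } END { print v }' "$1"
}

# Print one "WEAK: ..." line per weak setting in the given redis.conf.
audit_redis_conf() {
    conf="$1"
    bind=$(conf_get "$conf" bind)
    case "$bind" in
        # No bind line, 0.0.0.0 or * all mean "listen on every interface".
        ""|*0.0.0.0*|*"*"*) echo "WEAK: bind is '${bind:-unset}' (listens on all interfaces)" ;;
    esac
    pm=$(conf_get "$conf" protected-mode)
    if [ "$pm" = "no" ]; then
        echo "WEAK: protected-mode no (unauthenticated remote clients accepted)"
    fi
    pw=$(conf_get "$conf" requirepass)
    if [ -z "$pw" ]; then
        echo "WEAK: requirepass not set (no authentication at all)"
    fi
}

# Number of weak settings found; 0 means the file passes this audit.
count_weak_settings() {
    audit_redis_conf "$1" | awk 'END { print NR }'
}

echo "== weak config =="
audit_redis_conf "$WEAK_CONF"
echo "== hardened config: $(count_weak_settings "$HARDENED_CONF") finding(s) =="
```

Run it against a real file with `audit_redis_conf /path/to/redis.conf`; on the Docker setup in this post the file is whatever is mounted into the redis_6379 container. Any non-zero count means the instance is reachable in the way the post describes and should not be exposed until fixed.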


4. Learning other redis commands

1. Database settings and switching

The databases parameter in redis.conf sets the number of databases; the default is 16.

After entering the redis-cli client, use select 3 to switch to database 3.

Use config get databases to read the configured value.

[root@localhost ~]# docker exec -it redis_6379 bash
root@5d04e3abf91f:/data# redis-cli
127.0.0.1:6379> keys *
 1) "book"
 2) "weather"
 3) "stu"
 4) "usernames"
 5) "tom_bank"
 6) "dress"
 7) "peter"
 8) "username"
 9) "goods"
10) "mycar"
127.0.0.1:6379> select 3
OK
127.0.0.1:6379[3]> keys *
(empty array)
127.0.0.1:6379[3]> config get databases
1) "databases"
2) "16"

When connecting with the RedisDesktopManager software, it exits automatically when the database index exceeds the configured number of databases.

2. Client-related commands

  • CLIENT LIST: get the list of connected clients
  • CLIENT SETNAME: set a name for the current connection to redis
  • CLIENT GETNAME: view the name of the current connection
  • CLIENT KILL ip:port: kill the specified connection

127.0.0.1:6379> info clients
# Clients
connected_clients:1
cluster_connections:0
maxclients:10000
client_recent_max_input_buffer:8
client_recent_max_output_buffer:0
blocked_clients:0
tracking_clients:0
clients_in_timeout_table:0
total_blocking_keys:0
total_blocking_keys_on_nokey:0
127.0.0.1:6379> config get maxclients
1) "maxclients"
2) "10000"
127.0.0.1:6379> CLIENT LIST
id=12 addr=127.0.0.1:44442 laddr=127.0.0.1:6379 fd=8 name= age=1123 idle=0 flags=N db=0 sub=0 psub=0 ssub=0 multi=-1 qbuf=26 qbuf-free=20448 argv-mem=10 multi-mem=0 rbs=1024 rbp=0 obl=0 oll=0 omem=0 tot-mem=22426 events=r cmd=client|list user=default redir=-1 resp=2 lib-name= lib-ver=
127.0.0.1:6379> CLIENT LIST
id=12 addr=127.0.0.1:44442 laddr=127.0.0.1:6379 fd=8 name= age=2903 idle=0 flags=N db=0 sub=0 psub=0 ssub=0 multi=-1 qbuf=26 qbuf-free=20448 argv-mem=10 multi-mem=0 rbs=1024 rbp=0 obl=0 oll=0 omem=0 tot-mem=22426 events=r cmd=client|list user=default redir=-1 resp=2 lib-name= lib-ver=
id=47 addr=112.21.24.25:19880 laddr=172.18.12.79:6379 fd=9 name= age=604 idle=447 flags=N db=0 sub=0 psub=0 ssub=0 multi=-1 qbuf=0 qbuf-free=0 argv-mem=0 multi-mem=0 rbs=1024 rbp=0 obl=0 oll=0 omem=0 tot-mem=1928 events=r cmd=setex user=default redir=-1 resp=3 lib-name= lib-ver=
127.0.0.1:6379> 
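As an added example that is not part of the original post, the script below parses CLIENT LIST output and flags every connection whose source address is neither loopback nor a private (RFC 1918) range. The sample input is the two CLIENT LIST lines captured above, embedded so the script runs offline; in that capture id=47 arrives from a public address and has been running setex against the server. For each flagged client it prints a CLIENT KILL ID command, the id-based form of the CLIENT KILL the post lists by ip:port, for an operator to review before running.

```shell
#!/bin/sh
# Added example (not from the original post): find CLIENT LIST entries that
# come from outside loopback/private address space and suggest kill commands.

# Sample input: the two CLIENT LIST lines shown in the post, shortened to the
# fields this script uses. In practice pipe real output in:
#   redis-cli -a <password> CLIENT LIST | suggest_kill_commands
CLIENT_LIST_SAMPLE='id=12 addr=127.0.0.1:44442 laddr=127.0.0.1:6379 fd=8 name= age=2903 idle=0 flags=N db=0 cmd=client|list user=default
id=47 addr=112.21.24.25:19880 laddr=172.18.12.79:6379 fd=9 name= age=604 idle=447 flags=N db=0 cmd=setex user=default'

# Read CLIENT LIST lines on stdin; print "id addr cmd age" for each client
# whose source is outside 127.0.0.0/8, 10.0.0.0/8, 172.16.0.0/12,
# 192.168.0.0/16 and IPv6 loopback. Any other IPv6 source is flagged too.
list_external_clients() {
    awk '
    {
        id = ""; addr = ""; cmd = ""; age = ""
        for (i = 1; i <= NF; i++) {
            split($i, kv, "=")
            if (kv[1] == "id") id = kv[2]
            else if (kv[1] == "addr") addr = kv[2]
            else if (kv[1] == "cmd") cmd = kv[2]
            else if (kv[1] == "age") age = kv[2]
        }
        host = addr
        sub(/:[0-9]+$/, "", host)          # strip the client port
        split(host, o, ".")
        private = (o[1] + 0 == 127) || (o[1] + 0 == 10) \
               || (o[1] + 0 == 172 && o[2] + 0 >= 16 && o[2] + 0 <= 31) \
               || (o[1] + 0 == 192 && o[2] + 0 == 168) \
               || (host == "[::1]")
        if (addr != "" && !private) print id, addr, cmd, age
    }'
}

# Turn each flagged client into a CLIENT KILL ID line with context for review.
suggest_kill_commands() {
    list_external_clients | awk '{ print "CLIENT KILL ID " $1 "   # from " $2 " last cmd=" $3 " age=" $4 "s" }'
}

printf '%s\n' "$CLIENT_LIST_SAMPLE" | suggest_kill_commands
```

Killing the connection only buys time: the same client can reconnect as long as the bind, protected-mode and requirepass settings from the previous section remain weak, so treat a hit here as a signal to fix the configuration, not as the fix itself.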

Summary

1. redis vulnerability, minor: an attacker who knows the IP + port can access redis, so the redis data is leaked; in addition, the attacker can run the flushall command to clear all data.
2. redis vulnerability, serious: Lua scripts can be executed through the eval command.
3. redis vulnerability, dangerous: if redis runs as root, a hacker can write an SSH public key into the root account's key file and log in to the victim server directly over SSH.

Origin: blog.csdn.net/Pireley/article/details/132918794