A website hosted on Alibaba Cloud runs CentOS + PHP + Nginx, and the server has Redis installed on port 6379. The Aliyun console's Cloud Shield reported a security vulnerability of type "Redis unauthorized access", with the vulnerable address XX.XX.XX.XX:6379, and also provided a remediation plan.
The record is as follows:
I. Vulnerability description and hazard
Because of improper configuration, Redis can be accessed without authorization and abused by attackers.
An attacker can read internal data without authenticating, which may leak sensitive information, and can maliciously run flushall to wipe all data.
An attacker can execute Lua code through eval, or write back-door files to disk by abusing the data backup mechanism; if Redis runs as root, the attacker can write their key into the root account's SSH public key file and log in to the victim server directly over SSH.
II. Software and systems confirmed to be affected
A Redis server that is exposed to the public network and has no authentication.
III. Proposed remediation plan
1. Specify the network interface the Redis service listens on (Redis must be restarted for this to take effect)
Find "# bind 127.0.0.1" in the redis.conf file, remove the leading "#", and save. Note: after this change, only the local machine can access Redis.
Open redis.conf in vim; the relevant section looks like this after the edit:
# By default Redis listens for connections to network interfaces
# available on the server. It is possible to listen to just one or multiple
# interfaces using the 'bind' configuration directive, followed by one or
# more IP addresses.
#
# Examples:
#
# bind 192.168.1.100 10.0.0.1
bind 127.0.0.1
2. Set an access password (Redis must be restarted for this to take effect)
Locate the "requirepass" field in redis.conf and fill in the password you want; Redis clients must then supply this password to use the Redis service.
3. Change the account the Redis service runs as
Run the Redis service under a low-privilege account and disable login for that account. This limits an attacker's ability to write files to disk, but the Redis data itself can still be read or tampered with.
4. Set a firewall policy
If the Redis service must be reachable from other servers as part of normal business, set an iptables policy that allows only the specified IP addresses to access the Redis service.
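The four steps above can be applied and verified from a shell. The script below is an added example, not part of the original post or of Redis itself: it works on a constructed sample redis.conf (written to a temporary file), uncomments the loopback bind and sets requirepass (steps 1 and 2), prints the commands for a non-login service account (step 3; the account name "redis" and the data directory /var/lib/redis are assumptions), and prints iptables rules that allow only listed source IPs to reach port 6379 (step 4). Commands that change the system are printed for review rather than executed.

```shell
#!/bin/sh
# Added example (not from the original post). Hardens a copy of redis.conf
# and emits the account and firewall commands for the remaining steps.

# Constructed sample config resembling the excerpt quoted in the post.
make_sample_conf() {
    cat > "$1" <<'EOF'
# Examples:
#
# bind 192.168.1.100 10.0.0.1
# bind 127.0.0.1
port 6379
# requirepass foobared
EOF
}

# Steps 1 and 2: bind to loopback only and require a password.
# Usage: harden_redis_conf /path/to/redis.conf 'StrongPassword'
# (passwords containing spaces must be quoted inside redis.conf; keep it simple.)
harden_redis_conf() {
    conf="$1"; pass="$2"
    if grep -q '^# *bind 127\.0\.0\.1' "$conf"; then
        # Uncomment the loopback bind line the post tells you to edit
        sed 's/^# *bind 127\.0\.0\.1.*/bind 127.0.0.1/' "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf"
    elif ! grep -q '^bind ' "$conf"; then
        # No bind directive at all: append one
        printf 'bind 127.0.0.1\n' >> "$conf"
    fi
    # Drop any existing requirepass line (commented or active) and set ours
    grep -v -E '^#? *requirepass' "$conf" > "$conf.tmp" || true
    mv "$conf.tmp" "$conf"
    printf 'requirepass %s\n' "$pass" >> "$conf"
}

# Audit: returns 0 only if every bound address is loopback and a password is set.
check_redis_conf() {
    conf="$1"
    bind_line=$(grep '^bind ' "$conf" | tail -n 1)
    pass_line=$(grep '^requirepass ' "$conf" | tail -n 1)
    [ -n "$bind_line" ] || return 1
    for addr in $(printf '%s\n' "$bind_line" | cut -d' ' -f2-); do
        case "$addr" in
            127.0.0.1|::1|-::1) ;;
            *) return 1 ;;
        esac
    done
    [ -n "$pass_line" ] || return 1
    return 0
}

# Step 3: non-login service account for Redis (printed for review; account
# name and data directory are assumptions, adjust to your installation).
redis_user_commands() {
    printf 'useradd -r -s /sbin/nologin redis\n'
    printf 'chown -R redis:redis /var/lib/redis\n'
}

# Step 4: allow only the given source IPs to reach port 6379, drop the rest.
# Usage: iptables_rules 10.0.0.5 10.0.0.6
iptables_rules() {
    for ip in "$@"; do
        printf 'iptables -A INPUT -p tcp --dport 6379 -s %s -j ACCEPT\n' "$ip"
    done
    printf 'iptables -A INPUT -p tcp --dport 6379 -j DROP\n'
}

# Demonstration on the constructed sample config.
demo_conf=$(mktemp)
make_sample_conf "$demo_conf"
harden_redis_conf "$demo_conf" 'S3cretPassw0rd'
if check_redis_conf "$demo_conf"; then
    echo "hardened config passes the audit:"; cat "$demo_conf"
fi
redis_user_commands
iptables_rules 10.0.0.5
rm -f "$demo_conf"
```

Run the audit function against the live redis.conf after restarting Redis; it fails if any bind address other than loopback remains or if requirepass is missing, which is exactly the state Cloud Shield flagged.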