Redis Database Security Manual

Redis is a high-performance key-value database that has become widely used over the past two years. Its popularity also brings a series of security issues, and many attackers have launched attacks through Redis. This article describes the access control and code security features Redis provides, as well as the attacks that can be triggered by malicious input and similar means.

Redis General Security Model

Redis is designed to be accessed only by trusted clients in a trusted environment. This means it should not be exposed directly to the Internet, or to any environment where untrusted machines can reach its TCP port or Unix socket.

For example, a common web application uses Redis as a database, cache, or messaging system. Clients of the web application request pages that the application builds from data in Redis, or trigger operations that the application then performs on Redis. In this case, the web application sits between Redis and the untrusted clients.

This is a specific example, but in general, untrusted access to Redis should always go through a layer that validates user input before deciding which operations to perform. Redis does not aim for maximum security; it aims to be simple and fast.

Network Security

Access to the Redis port should be open only to trusted clients. Therefore, a Redis server in production should be reachable only from the computers running the application that uses it. In the common case of a single computer directly exposed to the Internet, such as a virtualized Linux instance (Linode, EC2, ...), the Redis port should be blocked by the firewall from external access, while clients keep reaching Redis through the server's local loopback interface. Note: you can bind Redis to the loopback interface in redis.conf to prevent Internet access:

bind 127.0.0.1

Because of the nature of Redis, unrestricted Internet access is a major security problem. For example, an attacker could use a single FLUSHALL command to delete the entire data set.

Authentication Mechanism

Although Redis does not implement access control, it provides a simple authentication layer that can be turned on by editing the redis.conf file.

When authentication is enabled, Redis refuses every command from unauthenticated clients. A client authenticates by sending the AUTH command followed by the password.

The password is set by the system administrator in plaintext in redis.conf. It should be long enough to resist brute-force attacks, for two reasons:

Redis is very fast, so an external client can test a considerable number of passwords per second. The Redis password is stored in redis.conf and in the clients' own configuration, so administrators do not need to remember it and can therefore use a very long one.

The purpose of authentication is to provide a second layer of protection: if the firewall or other first-layer protection fails, an external client still cannot access Redis without the password.

The AUTH command, like every other Redis command, is sent unencrypted, so it does not protect against an attacker who can eavesdrop on the network.

Data Encryption support

Redis does not support encryption. For trusted clients that must exchange data with Redis over the Internet, an additional encrypting layer such as an SSL tunnel should be used.

Disable specific commands

It is possible to disable certain Redis commands, or rename them to names that cannot be guessed, so that clients can only execute a limited set of commands.

For example, a virtual server provider may offer a managed Redis service. In this case, ordinary users should not be able to call the CONFIG command to alter the instance's configuration, while the system that provisions and removes instances should be allowed to.

It is possible either to rename a command or to remove it from the command table entirely. Both are declared in the redis.conf configuration file, for example:

rename-command CONFIG b840fc02d524045429941cc15f59e41cb7be6c52

In the preceding example, the CONFIG command is renamed to a hard-to-guess name. A command can also be removed entirely by renaming it to the empty string, for example:

rename-command CONFIG ""
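
The three hardening steps covered so far (bind to the loopback interface, set a long password, rename or disable dangerous commands) can be checked mechanically. What follows is an added example, not code from the original article or from the Redis project: a small Python audit of a redis.conf text using the directives named above (bind, rename-command) plus requirepass, the redis.conf directive that enables the authentication described earlier. The 32-character minimum password length and the two sample configurations are constructed assumptions.

```python
"""Audit a redis.conf text for the hardening settings covered above.

Added example: not code from the original article or from the Redis
project. It checks only the directives discussed on this page (bind,
requirepass, rename-command); the password-length threshold and the two
sample configurations are constructed assumptions.
"""
import re

# Assumption: the password is machine-stored, so it can be very long.
MIN_PASSWORD_LEN = 32

# Commands the article singles out as dangerous for untrusted clients.
SENSITIVE_COMMANDS = ("CONFIG", "FLUSHALL")

# A redis.conf argument is either a double-quoted string (possibly empty,
# as in `rename-command CONFIG ""`) or a run of non-whitespace characters.
_ARG = re.compile(r'"([^"]*)"|(\S+)')


def parse_conf(text):
    """Return {directive_name: [arg_list, ...]} for a redis.conf text.

    Directives may repeat (rename-command does), so every occurrence is kept
    in order; for single-valued directives the last occurrence wins.
    """
    directives = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = [m.group(1) if m.group(1) is not None else m.group(2)
                  for m in _ARG.finditer(line)]
        directives.setdefault(tokens[0].lower(), []).append(tokens[1:])
    return directives


def audit(text):
    """Return a list of findings; an empty list means all checks passed."""
    conf = parse_conf(text)
    findings = []

    binds = conf.get("bind")
    if not binds:
        findings.append("bind: not set, so Redis listens on every interface")
    else:
        # Newer redis.conf allows an optional '-' prefix on addresses; ignore it.
        addrs = {a.lstrip("-") for args in binds for a in args}
        exposed = sorted(addrs - {"127.0.0.1", "::1"})
        if exposed:
            findings.append(f"bind: non-loopback address(es) {exposed}")

    passwords = conf.get("requirepass")
    if not passwords:
        findings.append("requirepass: not set, so any client reaching the port is trusted")
    else:
        password = passwords[-1][0] if passwords[-1] else ""
        if len(password) < MIN_PASSWORD_LEN:
            findings.append(f"requirepass: {len(password)} chars, want at least {MIN_PASSWORD_LEN}")

    renamed = {args[0].upper() for args in conf.get("rename-command", []) if args}
    for cmd in SENSITIVE_COMMANDS:
        if cmd not in renamed:
            findings.append(f"rename-command: {cmd} still reachable under its default name")
    return findings


# Constructed sample: a configuration with none of the article's protections.
WEAK_CONF = """
# listens on all interfaces, no password, every command available
port 6379
"""

# Constructed sample: the directives the article recommends (the password is
# a made-up 64-hex-character value, not a real secret).
HARDENED_CONF = """
bind 127.0.0.1
requirepass 7c6a180b36896a0a8c02787eeafb0e4c9f5d3a2b1e0f4d6c8b7a9e2d1c3f5a8b
rename-command CONFIG b840fc02d524045429941cc15f59e41cb7be6c52
rename-command FLUSHALL ""
"""

if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"{label}: {audit(conf) or 'no findings'}")
```

The audit reads the last requirepass occurrence, mirroring how Redis applies repeated single-valued directives, and treats a rename to the empty string as a successful rename because the command then disappears from the command table.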

Attacks triggered by carefully selected inputs

There is also a class of attacks that an attacker can launch from the outside without having access to the database. An example is inserting data into Redis that triggers the worst-case behaviour of the data structures Redis implements internally.

For example, an attacker could use a web form to submit a set of strings that all land in the same hash-table bucket, degrading lookups from O(1) to O(N), consuming far more CPU and eventually resulting in a denial of service. To prevent this, Redis seeds its hash function with a random value for each execution.

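To see why a random seed matters, here is an added example (not from the original article or from Redis) that simulates the scenario with a toy seeded hash; the hash function, bucket count and seed values are constructed stand-ins, not Redis's real hash. With the seed fixed at a value the submitter can predict, a set of keys chosen to share one bucket turns that bucket into a linear scan; under a seed chosen fresh at server start, the same keys scatter across buckets.

```python
"""Why Redis seeds its hash function with a random value.

Added example: not code from the original article or from Redis. The toy
hash is a seeded FNV-1a-style function standing in for Redis's real one;
the constants, bucket count and seeds are constructed for the demonstration.
"""
import itertools
import string

FNV_PRIME = 0x01000193
BUCKETS = 256


def toy_hash(key, seed):
    """Seeded 32-bit FNV-1a-style hash of `key` (bytes), folded to a bucket index."""
    h = seed & 0xFFFFFFFF
    for byte in key:
        h = ((h ^ byte) * FNV_PRIME) & 0xFFFFFFFF
    h ^= h >> 16  # fold the high bits in so the bucket depends on the whole state
    return h % BUCKETS


def keys_sharing_bucket(seed, count, bucket=0):
    """Enumerate short lowercase keys that all hash to `bucket` under a *known* seed.

    This is the situation the paragraph describes: if the seed is fixed and
    predictable, whoever supplies the keys can choose ones that pile into a
    single bucket, turning O(1) lookups into O(N) scans.
    """
    found = []
    for length in itertools.count(1):
        for chars in itertools.product(string.ascii_lowercase, repeat=length):
            key = "".join(chars).encode()
            if toy_hash(key, seed) == bucket:
                found.append(key)
                if len(found) == count:
                    return found


def bucket_loads(keys, seed):
    """Map bucket index -> number of keys landing there under `seed`."""
    loads = {}
    for key in keys:
        index = toy_hash(key, seed)
        loads[index] = loads.get(index, 0) + 1
    return loads


def longest_chain(keys, seed):
    """Length of the longest bucket chain, i.e. the worst-case lookup cost."""
    return max(bucket_loads(keys, seed).values())


def demo(count=64):
    """Worst-case chain length with the guessed seed vs. a fresh server seed."""
    guessed_seed = 0            # the seed an outsider assumes the server uses
    keys = keys_sharing_bucket(guessed_seed, count)
    server_seed = 0x9E3779B9    # constructed stand-in for a per-start random seed
    return longest_chain(keys, guessed_seed), longest_chain(keys, server_seed)


if __name__ == "__main__":
    fixed, seeded = demo()
    print(f"fixed seed: longest chain {fixed}; random seed: longest chain {seeded}")
```

The defensive lesson is in the second number: once the seed is unknown to the submitter, choosing colliding keys in advance is no longer possible, which is exactly what the per-execution random seed in Redis buys.
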
Redis uses the quicksort algorithm to implement the SORT command. This algorithm is currently not randomized, so its quadratic worst-case behaviour can be triggered by carefully selecting the inputs.

String Conversion and NOSQL Injection

The Redis protocol has no concept of string escaping, so injection is normally impossible: Redis encodes strings as length-prefixed, binary-safe values. Lua scripts executed through the EVAL and EVALSHA commands follow the same rules, so those commands are also safe.

However, although it would be a very unusual use case, applications should avoid executing Lua scripts obtained from untrusted sources.

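The following added example (not code from the original article or from Redis) implements the length-prefixed RESP framing the paragraph refers to, to show why a value containing spaces or CRLF sequences stays a single argument, and contrasts a Lua script sent as a constant with its data in ARGV against one built by concatenating untrusted text. The SCRIPT text and the sample values are constructed.

```python
"""RESP framing: why Redis command arguments cannot be injected into.

Added example: not code from the original article or from Redis. It
implements the RESP2 "array of bulk strings" encoding that Redis clients
use to send commands, plus a decoder, and contrasts a Lua script sent as a
constant with its data in ARGV against one built from untrusted text. The
SCRIPT text and sample values are constructed.
"""


def encode_command(*args):
    """Encode a command as a RESP array of length-prefixed bulk strings."""
    out = b"*%d\r\n" % len(args)
    for arg in args:
        data = arg if isinstance(arg, bytes) else str(arg).encode()
        # The length prefix is what lets the payload contain spaces or CRLF.
        out += b"$%d\r\n%s\r\n" % (len(data), data)
    return out


def decode_command(buf):
    """Decode one RESP array of bulk strings; return (arguments, unread bytes)."""
    if buf[:1] != b"*":
        raise ValueError("expected a RESP array")
    end = buf.index(b"\r\n")
    count = int(buf[1:end])
    pos = end + 2
    args = []
    for _ in range(count):
        if buf[pos:pos + 1] != b"$":
            raise ValueError("expected a bulk string")
        end = buf.index(b"\r\n", pos)
        length = int(buf[pos + 1:end])
        start = end + 2
        # Read exactly `length` bytes; any CRLF inside the payload is data.
        args.append(buf[start:start + length])
        if buf[start + length:start + length + 2] != b"\r\n":
            raise ValueError("bulk string not terminated")
        pos = start + length + 2
    return args, buf[pos:]


# Constructed sample value: contains a space-free word followed by CRLF
# sequences, i.e. what would read as a second command if it were spliced
# into a newline-delimited (inline) command line.
HOSTILE_VALUE = "alice\r\nPING\r\n"

# The script text stays constant; the untrusted value travels in ARGV[1].
SCRIPT = "return redis.call('SET', KEYS[1], ARGV[1])"


def safe_eval(user_value):
    """Wire bytes for EVAL with the value passed as ARGV, never as script text."""
    return encode_command("EVAL", SCRIPT, 1, "session", user_value)


def unsafe_eval(user_value):
    """Wire bytes for EVAL whose *script* was built from untrusted text.

    RESP framing is still intact, but the code Redis will run is now partly
    chosen by whoever supplied `user_value`: this is the case the article says
    applications must avoid.
    """
    script = "return redis.call('SET', KEYS[1], '" + user_value + "')"
    return encode_command("EVAL", script, 1, "session")


def decoded_args(wire):
    """Decode a single command and confirm nothing spilled past it."""
    args, rest = decode_command(wire)
    if rest:
        raise ValueError("trailing bytes after command")
    return args


if __name__ == "__main__":
    print(decoded_args(safe_eval(HOSTILE_VALUE)))
```

Decoding the safe form yields exactly five arguments with the hostile value intact as the last one; the unsafe form still frames correctly, which is the point: the protocol cannot protect you once untrusted text has become part of the script itself.
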
Code Security

In a classic Redis setup, clients can execute the full command set, but this should never result in the ability to control the system running Redis. Internally, Redis follows well-known secure coding practices to prevent buffer overflows, format-string bugs and other memory corruption issues. However, a client can use the CONFIG command to change the server's working directory and the name of the dump file, which allows it to write RDB files to arbitrary paths. This is a security problem that may easily lead to a client being able to run arbitrary code on the Redis server.

Redis does not need root privileges to run, and running it as root is not recommended. The Redis author is investigating adding a new configuration parameter that disables CONFIG SET/GET dir and similar runtime configuration commands, so that clients cannot force the server to write Redis dump files anywhere.

GPG key

Security researchers can report issues on GitHub. If you feel that an issue is really sensitive, use the GPG key at the end of this document.

-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1.4.13 (Darwin)

mQINBFJ7ouABEAC5HwiDmE+tRCsWyTaPLBFEGDHcWOLWzph5HdrRtB//UUlSVt9PtTWZpDvZQvq/ujnS2i2c54V+9NcgVqsCEpA0uJ/U1sUZ3RVBGfGO/l+BIMBnM+B+TzK825TxER57ILeT/2ZNSebZ+xHJf2Bgbun45pq3KaXUrRnuS8HWSysC+XyMoXETnksApwMmFWEPZy62gbeayf1U/4yxP/YbHfwSaldpEILOKmsZaGp8PAtVYMVYHsiegOUdS/jO0P3silagq39cPQLiTMSsyYouxaagbmtdbwINUX0cjtoeKddd4AK7PIww7su/lhqHZ58ZJdlApCORhXPaDCVrXp/uxAQfT2HhEGCJDTpctGyKMFXQbLUhSuzfIilRKJ4jqjcwy+h5lCfDJUvCNYfwyYApsMCs6OWGmHRd7QSFNSs335wAEbVPpO1noBJHtOLywZFPF+qAm3LPV4a0OeLyA260c05QZYO59itakjDCBdHwrwv3EU8Z8hPd6pMNLZ/H1MNK/wWDVeSL8ZzVJabSPTfADXpc1NSwPPWSETS7JYWssdoK+lXMw5vKq2mSxabL/y91sQ5uscEDzDyJxEPlToApyc5qOUiqQj/thlA6FYBlo1uuuKrpKU1Ie6AA3Gt3fJHXH9TlIcO6DoHvd5fS/o7/RxyFVxqbRqjUoSKQeBzXos3u+QARAQABtChTYWx2YXRvcmUgU2FuZmlsaXBwbyA8YW50aXJlekBnbWFpbC5jb20+iQI+BBMBAgAoBQJSe6LgAhsDBQld/A8ABgsJCAcDAgYVCAIJCgsEFgIDAQIeAQIXgAAKCRAxgTcoDlyI1riPD/oDDvyIVHtgHvdHqB8/GnF2EsaZgbNuwbiNZ+ilmqnjXzZpu5SukGPXAAo+v+rJVLSU2rjCUoL5PaoSlhznw5PL1xpBosN9QzfynWLvJE42T4i0uNU/a7a1PQCluShnBchm4Xnb3ohNVthFF2MGFRT4OZ5VvK7UcRLYTZoGRlKRGKi9HWea2xFvyUd9jSuGZG/MMuoslgEPxei09rhDrKxnDNQzQZQpamm/42MITh/1dzEC5ZRx8hgh1J70/c+zEU7s6kVSGvmYtqbV49/YkqAbhENIeZQ+bCxcTpojEhfk6HoQkXoJoK5m21BkMlUEvf1oTX22c0tuOrAX8k0y1M5oismT2e3bqs2OfezNsSfK2gKbeASkCyYivnbTjmOSPbkvtb27nDqXjb051q6m2A5d59KHfey8BZVuV9j35Ettx4nrS1NiS7QrHWRvqceRrIrqXJKopyetzJ6kYDlbP+EVN9NJ2kz/WG6ermltMJQoC0oMhwAGdfrttG+QJ8PCOlaYiZLD2bjzkDfdfanE74EKYWt+cseenZUf0tsncltRbNdeGTQb1/GHfwJ+nbA1uKhcHCQ2WrEeGiYpvwKv2/nxBWZ3gwaiAwsz/kI6DQlPZqJoMea98gDK2rQigMgbE88vIli4sNhc0yAtm3AbNgAO28NUhzIitB+av/xYxN/W/LkCDQRSe6LgARAAtdfwe05ZQ0TZYAoeAQXxx2mil4XLzj6ycNjj2JCnFgpYxA8m6nf1gudrC5V7HDlctp0i9i0wXbf07ubt4Szq4v3ihQCnPQKrZZWfRXxqg0/TOXFfkOdeIoXlFl+yC5lUaSTJSg21nxIr8pEq/oPbwpdnWdEGSL9wFanfDUNJExJdzxgyPzD6xubcOIn2KviV9gbFzQfOIkgkl75V7gn/OA5g2SOLOIPzETLCvQYAGY9ppZrkUz+ji+aTTg7HBL6zySt1sCCjyBjFFgNF1RZY4ErtFj5bdBGKCuglyZou4o2ETfA8A5NNpu7xzkls45UmqRTbmsTD2FU8Id77EaXxDz8nrmjz8f646J0rqn9pGnIg6Lc2PV8j7ACm/xaTH03taIloO
BkTs/Cl01XYeloM0KQwrML43TIm3xSE/AyGF9IGTQo3zmv8SnMOF+Rv7+55QGlSkfIkXUNCUSm1+dJSBnUhVj/RAjxkekG2di+Jh/y8pkSUxPMDrYEaOtDoiq2G/roXjVQcbOyOrWA2oB58IVuXO6RzMYi6k6BMpcbmQm0y+TcJqo64tREVtjogZeIeYDu31eylwijwP67dtbWgiorrFLm2F7+povfXjsDBCQTYhjH4mZgV94rihYjP7X2YfLV3tvGyjsMhw3/qLlEyx/f/97gdAaosbpGlVjnhqicAEQEAAYkCJQQYAQIADwUCUnui4AIbDAUJXfwPAAAKCRAxgTcoDlyI1kAND/sGnXTbMvfHd9AOzv7ihDX15SSeMDBMWC+8jH/XZASQF/zuHk0jZNTJ01VAdpIxHIVb9dxRrZ3bl56BByyI8m5DKJiIQWVai+pfjKj6C7p44My3KLodjEeR1oOODXXripGzqJTJNqpW5eCrCxTMyz1rzO1H1wziJrRNc+ACjVBE3eqcxsZkDZhWN1m8StlX40YgmQmID1CC+kRlV+hgLUlZLWQIFCGo2UJYoIL/xvUT3Sx4uKD4lpOjyApWzU40mGDaM5+SOsYYrT8rdwvknd/efspff64meT9PddX1hi7Cdqbq9woQRu6YhGoCtrHyi/kklGF3EZiw0zWehGAR2pUeCTD28vsMfJ3ZL1mUGiwlFREUZAcjIlwWDG1RjZDJeZ0NV07KH1N1U8L8aFcu+CObnlwiavZxOR2yKvwkqmu9c7iXi/R7SVcGQlNao5CWINdzCLHj6/6drPQfGoBSK/w4JPe7fqmIonMR6O1Gmgkq3Bwl3rz6MWIBN6z+LuUF/b3ODY9rODsJGp21dl2qxCedf//PAyFnxBNf5NSjyEoPQajKfplfVS3mG8USkS2pafyq6RK9M5wpBR9I1Smmgon60uMJRIZbxUjQMPLOViGNXbPIilny3FdqbUgMieTBDxrJkE7mtkHfuYw8bERyvI1sAEeV6ZM/uc4CDI3E2TxEbQ==
-----END PGP PUBLIC KEY BLOCK-----
Key fingerprint

pub   4096R/0E5C88D6 2013-11-07 [expires: 2063-10-26]
      Key fingerprint = E5F3 DA80 35F0 2EC1 47F9  020F 3181 3728 0E5C 88D6
uid                  Salvatore Sanfilippo <antirez@gmail.com>
sub   4096R/3B34D15F 2013-11-07 [expires: 2063-10-26]