I was dubious at first, but I really have grown to like Redis. It’s a wonderfully simple solution to the problem of high-performance fast-changing data storage. However, its simplicity (combined with the incompetency of certain users) can easily become a detriment to security.
The Redis protocol is a simple plain-text mechanism, offering no transport layer security. This is a problem in itself, but it gets worse. By default, it listens on all available IP addresses on port 6379, with no authentication required at all. As you might imagine, quite a few of these servers end up facing the internet, so I decided to see if I could find any. I wrote up a quick script to scan random /24 ranges for Redis installations, and was amazed at the result. From a single day’s scanning, I found 48 open servers. What’s worse, two of them are major household-name websites – both of which were using Redis to store their page content. Obviously both of these companies have been contacted.
It gets even worse, though. Redis allows you to send a DEBUG SEGFAULT command, which purposefully crashes the server. This means you can take down any Redis installation remotely. Nasty stuff.
Example INFO output from a server in the wild (some values redacted):
redis_version:2.4.5
redis_git_sha1:00000000
redis_git_dirty:0
arch_bits:32
multiplexing_api:winsock2
process_id:####
uptime_in_seconds:##########
uptime_in_days:6
lru_clock:##########
used_cpu_sys:421.25
used_cpu_user:466.63
used_cpu_sys_children:6.48
used_cpu_user_children:3.12
connected_clients:16
connected_slaves:0
client_longest_output_list:0
client_biggest_input_buf:0
blocked_clients:0
used_memory:680824356
used_memory_human:664.87M
used_memory_rss:680824356
used_memory_peak:697004492
used_memory_peak_human:680.67M
mem_fragmentation_ratio:1.00
mem_allocator:libc
loading:0
aof_enabled:0
changes_since_last_save:6922
bgsave_in_progress:0
last_save_time:1326######
bgrewriteaof_in_progress:0
total_connections_received:802101
total_commands_processed:3692083
expired_keys:34652
evicted_keys:2
keyspace_hits:2763416
keyspace_misses:591228
pubsub_channels:0
pubsub_patterns:0
latest_fork_usec:0
vm_enabled:0
role:master
So, the bottom line is to keep your Redis server secure!
- Add a passphrase to your configuration.
- Use a firewall to block all connections to port 6379, except from trusted IPs.
- If you must operate in an untrusted zone, enforce IP-layer security (e.g. ipsec).
- Patch Redis to only bind to a single IP address (or support the votes for this to happen on the Redis github site)
Keep to the above, and you should be ok!
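To check the points above against an actual redis.conf, here is a small audit script (an added example, not part of the original post). It flags a missing or wildcard bind, a missing requirepass, and a DEBUG command that is still reachable; the rename-command directive it looks for is a real redis.conf setting not mentioned in the post, and the two sample configs are constructed for illustration.

```python
"""Audit a redis.conf for the exposure described in the post (added example).
Checks: listener restricted with 'bind', 'requirepass' set, and the DEBUG
command disabled via 'rename-command DEBUG ""' (a redis.conf directive)."""
import shlex


def parse_redis_conf(text):
    """Return a list of (directive, [args]) from redis.conf text, skipping comments."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = shlex.split(line)  # handles quoted values such as ""
        entries.append((parts[0].lower(), parts[1:]))
    return entries


def audit_redis_conf(text):
    """Return a list of findings; an empty list means the config passes these checks."""
    entries = parse_redis_conf(text)
    findings = []
    binds = [args for d, args in entries if d == "bind"]
    if not binds:
        findings.append("no 'bind' directive: Redis listens on all interfaces")
    elif any(a in ("0.0.0.0", "*", "::") for args in binds for a in args):
        findings.append("bind includes a wildcard address")
    passwords = [args for d, args in entries if d == "requirepass"]
    if not passwords or not passwords[-1] or not passwords[-1][0]:
        findings.append("no 'requirepass': clients need no authentication")
    renamed = {args[0].upper(): (args[1] if len(args) > 1 else "")
               for d, args in entries if d == "rename-command" and args}
    if renamed.get("DEBUG", "DEBUG") != "":
        findings.append("DEBUG command still reachable (DEBUG SEGFAULT crashes the server)")
    return findings


WEAK_CONF = """
# constructed sample: the 2.4-era defaults, nothing restricted
port 6379
daemonize yes
"""

HARDENED_CONF = """
# constructed sample: local listener, authentication, DEBUG disabled
port 6379
bind 127.0.0.1
requirepass "a-long-random-passphrase"
rename-command DEBUG ""
"""

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_redis_conf(conf) or ["ok"])
```

The bind check only covers what Redis itself listens on; the firewall rule from the list above still has to be verified on the host.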
Update: The creator of Redis, antirez, responded to this post, informing me that you can in fact make Redis bind to a single IP in redis.conf. I’d like to clarify my point on the security of Redis – it is designed to be lightweight and provide only minimal security, so this problem is not a flaw of Redis itself. Instead, it’s a flaw of how people are using (or abusing) Redis. The current ethos is that you should always apply network security to your NoSQL systems – if you don’t, it’ll end in tears.