Redis security

I was dubious at first, but I really have grown to like Redis. It’s a wonderfully simple solution to the problem of high-performance fast-changing data storage. However, its simplicity (combined with the incompetency of certain users) can easily become a detriment to security.

The Redis protocol is plain text and offers no transport-layer security of its own. That is a problem in itself, but it gets worse: by default Redis listens on all available IP addresses on TCP port 6379 and requires no authentication at all. So, as you might imagine, quite a few of these servers end up facing the internet. I decided to see if I could find any. I wrote a quick script to scan random /24 ranges for Redis installations, and was amazed at the result: from a single day’s scanning I found 48 open servers. Worse, two of them belong to major household-name websites, both of which were using Redis to store their page content. Both companies have of course been contacted.

It gets even worse, though. Redis accepts a DEBUG SEGFAULT command, which deliberately crashes the server. Anyone who can reach the port of an unauthenticated instance can therefore take it down remotely. Nasty stuff.
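To make the exposure concrete, here is an added example (my code, not the original post's script) that speaks the plain-text RESP protocol to a Redis port, sends INFO without AUTH, and classifies the reply: a bulk or status reply means the instance is open to anyone who can reach it, while a NOAUTH or "operation not permitted" error means requirepass is set. It also parses an INFO dump into a dict; SAMPLE_INFO is constructed from the masked dump shown below, and the host used under __main__ is a placeholder.

```python
"""Added example, not code from the original post: talk RESP to a Redis
port, decide whether INFO answers without AUTH, and parse the INFO dump.
SAMPLE_INFO is constructed from the masked dump in the post; the host
used under __main__ is a placeholder."""
import socket
import sys


def resp_command(*args):
    """Encode a command as a RESP array of bulk strings, e.g.
    resp_command("INFO") -> b'*1\\r\\n$4\\r\\nINFO\\r\\n'."""
    out = [b"*%d\r\n" % len(args)]
    for arg in args:
        data = arg if isinstance(arg, bytes) else str(arg).encode()
        out.append(b"$%d\r\n%s\r\n" % (len(data), data))
    return b"".join(out)


def classify_reply(reply):
    """Classify the first reply to an unauthenticated INFO.

    OPEN           '$' bulk or '+' status reply: the server talked to us
                   without a password, so anyone reaching the port can
                   read keys, FLUSHALL them or DEBUG SEGFAULT the process.
    AUTH_REQUIRED  '-NOAUTH ...' (Redis 2.8+) or
                   '-ERR operation not permitted' (Redis 2.x): requirepass set.
    UNKNOWN        empty reply, other error, or not Redis at all.
    """
    if not reply:
        return "UNKNOWN"
    if reply[:1] in (b"$", b"+"):
        return "OPEN"
    if reply.startswith((b"-NOAUTH", b"-ERR operation not permitted")):
        return "AUTH_REQUIRED"
    return "UNKNOWN"


def parse_info(text):
    """INFO output is 'key:value' per line; newer versions add '# Section'
    headers and blank lines, which are skipped."""
    info = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        key, _, value = line.partition(":")
        info[key] = value
    return info


def summarize(info):
    """The handful of INFO fields worth reading on an exposed instance."""
    return {
        "version": info.get("redis_version", "?"),
        "role": info.get("role", "?"),
        "connected_clients": int(info.get("connected_clients", 0)),
        "used_memory_human": info.get("used_memory_human", "?"),
        "uptime_in_days": int(info.get("uptime_in_days", 0)),
    }


def probe(host, port=6379, timeout=3.0):
    """Connect, send INFO with no AUTH and classify the reply.
    Only point this at hosts you are authorised to test."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(resp_command("INFO"))
        reply = sock.recv(4096)
    return classify_reply(reply)


# Constructed sample, modelled on the masked dump in the post.
SAMPLE_INFO = """redis_version:2.4.5
arch_bits:32
uptime_in_days:6
connected_clients:16
connected_slaves:0
used_memory_human:664.87M
role:master
"""

if __name__ == "__main__":
    if len(sys.argv) > 1:                      # e.g. python redis_probe.py 192.0.2.10
        print(sys.argv[1], probe(sys.argv[1]))
    else:                                      # offline demo on the constructed sample
        print(classify_reply(b"$0\r\n\r\n"), summarize(parse_info(SAMPLE_INFO)))
```

The probe never sends AUTH on purpose: the question is not whether you know the password but whether the server will talk to a stranger at all. A verdict of OPEN is exactly the state that lets a remote client read the page cache or issue DEBUG SEGFAULT.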

INFO output from one server found in the wild (identifying values masked with #):

redis_version:2.4.5
redis_git_sha1:00000000
redis_git_dirty:0
arch_bits:32
multiplexing_api:winsock2
process_id:####
uptime_in_seconds:##########
uptime_in_days:6
lru_clock:##########
used_cpu_sys:421.25
used_cpu_user:466.63
used_cpu_sys_children:6.48
used_cpu_user_children:3.12
connected_clients:16
connected_slaves:0
client_longest_output_list:0
client_biggest_input_buf:0
blocked_clients:0
used_memory:680824356
used_memory_human:664.87M
used_memory_rss:680824356
used_memory_peak:697004492
used_memory_peak_human:680.67M
mem_fragmentation_ratio:1.00
mem_allocator:libc
loading:0
aof_enabled:0
changes_since_last_save:6922
bgsave_in_progress:0
last_save_time:1326######
bgrewriteaof_in_progress:0
total_connections_received:802101
total_commands_processed:3692083
expired_keys:34652
evicted_keys:2
keyspace_hits:2763416
keyspace_misses:591228
pubsub_channels:0
pubsub_patterns:0
latest_fork_usec:0
vm_enabled:0
role:master

So, the bottom line is: keep your Redis server secure!

  • Set a password with the requirepass directive in redis.conf. AUTH sends it in cleartext and Redis does not throttle failed attempts, so make it long and random, and treat it as a second layer behind the firewall rather than a substitute for one.
  • Use a firewall to block all connections to TCP port 6379 except from trusted IPs.
  • If you must operate across an untrusted network, enforce IP-layer security (e.g. IPsec).
  • Patch Redis to only bind to a single IP address (or support the votes for this to happen on the Redis GitHub site).

Keep to the above, and you should be ok!

Update: The creator of Redis, antirez, responded to this post, informing me that you can in fact make Redis bind to a single IP in redis.conf. I’d like to clarify my point on the security of Redis – it is designed to be lightweight and provide only minimal security, so this problem is not a flaw of Redis itself. Instead, it’s a flaw of how people are using (or abusing) Redis. The current ethos is that you should always apply network security to your NoSQL systems – if you don’t, it’ll end in tears.
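Putting the checklist above and the bind directive from the update together, here is an added example (my code, not the post's or the Redis project's) that audits a redis.conf for the weak state described in this post and writes a hardened copy using three directives that exist in Redis 2.x: bind, requirepass and rename-command. WEAK_CONF is a constructed stand-in for an untouched stock config; the password passed to harden() is a placeholder. Renaming CONFIG as well as DEBUG is my addition: it stops a client from changing requirepass or the save path at runtime.

```python
"""Added example, not the post's code: audit a redis.conf for the
exposures listed above and write a hardened copy using directives that
exist in 2.x: bind (per the author's update), requirepass and
rename-command.  WEAK_CONF is constructed; the password is a placeholder."""
import shlex

# Constructed: what a stock 2.x config looks like if nobody touches it.
WEAK_CONF = """# no bind, no requirepass, DEBUG and CONFIG callable by anyone
port 6379
timeout 300
save 900 1
"""

WILDCARDS = ("0.0.0.0", "*", "::")


def parse_conf(text):
    """redis.conf is one 'directive arg ...' per line, '#' starts a comment.
    Returns [(directive, [args]), ...] in file order, repeats preserved."""
    out = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = shlex.split(line)          # handles: rename-command DEBUG ""
        out.append((parts[0].lower(), parts[1:]))
    return out


def audit_conf(text):
    """Return a list of findings; an empty list means every check passed."""
    conf = parse_conf(text)
    findings = []

    binds = [args for name, args in conf if name == "bind"]
    if not binds:
        findings.append("no 'bind': Redis listens on every interface")
    elif any(a in WILDCARDS for args in binds for a in args):
        findings.append("'bind' names a wildcard address")

    passwords = [args[0] for name, args in conf if name == "requirepass" and args]
    if not passwords:
        findings.append("no 'requirepass': anyone who connects is trusted")
    elif len(passwords[-1]) < 32:      # take the last one
        findings.append("'requirepass' is short: AUTH is cleartext and never throttled")

    disabled = {args[0].upper() for name, args in conf
                if name == "rename-command" and len(args) == 2 and args[1] == ""}
    for cmd in ("DEBUG", "CONFIG"):
        if cmd not in disabled:
            findings.append(f"'{cmd}' still reachable: rename-command {cmd} \"\"")
    return findings


def harden(text, password, bind_addr="127.0.0.1"):
    """Drop any existing bind/requirepass/rename-command lines and append
    the hardened set. The password should be long and random; it still
    crosses the wire in cleartext, so the firewall stays in front."""
    managed = ("bind ", "requirepass ", "rename-command ")
    kept = [l for l in text.splitlines()
            if not l.strip().lower().startswith(managed)]
    kept += [
        f"bind {bind_addr}",          # one address, not all of them
        f"requirepass {password}",    # AUTH required before any other command
        'rename-command DEBUG ""',    # removes DEBUG SEGFAULT (and the rest of DEBUG)
        'rename-command CONFIG ""',   # no runtime CONFIG SET from a client
    ]
    return "\n".join(kept) + "\n"


if __name__ == "__main__":
    for finding in audit_conf(WEAK_CONF):
        print("WEAK:", finding)
    hardened = harden(WEAK_CONF, "replace-with-40-random-chars" + "x" * 12)
    print(hardened)
    print("after hardening:", audit_conf(hardened) or "no findings")
```

Run it against the real file and the audit tells you which of the four steps you have skipped; the hardened output is only a starting point, since none of these directives encrypts the connection or limits what an authenticated client may do.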


One thought on “Redis security”

  1. The thing is it is NOT secure like this.
    This is shit like people ran in the 1980s.

    – ip address restrictions? -> break into a webserver with redis backend -> win
    – don’t have the password there? -> just try till you have it, there’s no limiting
    – try a million times to find it? there’s auditing -> win
    – SSL tunnels? only protect from MITM, not from attacks from a trusted client. any user, even an unprivileged one, can traverse the SSL tunnel and brute force -> win

    Even NFS has a high grade of security compared to redis.

    And instead of doing something about it, it is simply a white elephant no one talks about.
    Questions are answered with incomplete / useless advice.

    People need to accept this is a problem and start working on it 😦
