Redis is an open source, in-memory key-value database written in ANSI C that is accessed over the network and persisted through a log, with client APIs in many languages. Recently a vulnerability was disclosed that lets an attacker obtain a shell on a Redis server through master-slave replication.
In Redis 4.x and above, the new module feature means an attacker can craft malicious data that makes the targeted server load a malicious .so file. If redis-server runs as root, that code executes with root privileges and the attacker can create any file on the server, which is very harmful. The author of Redis believes that "simplicity is beauty" and so did not design a complex security configuration for Redis. How, then, do we keep Redis secure?

Configure a firewall to protect Redis
Use a firewall to stop external users from reaching the Redis port.

Do not use the default Redis port
Keep Redis unreachable from outside: specify the trusted Redis IPs so that only trusted user IPs can access the Redis port. If external access is not blocked, it is very likely that all data will be deleted when the instance is attacked from the outside.

Set password authorization for Redis access
Redis enforces password authentication for instances on classic networks. Users can set complex passwords to prevent them from being cracked. Note that the password should be strong enough, for example more than 32 bits, because Redis is very fast: a brute-force attack can try around 150,000 passwords per second.

Disable or rename commands
In Redis you can disable commands, or rename them to names that are hard to guess, so that only internal users know the renamed commands and ordinary users can use only a subset of commands. Renaming dangerous commands prevents malicious operations; it is equivalent to turning the command name into a password known only to internal personnel.

Redis has been heavily optimized for high performance and ease of use, but not for security. It therefore needs to run in a secure environment, and the security around Redis must be done well.
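The four hardening points above can be checked mechanically. The following is an added example, not code from the original article or from the Redis project: it parses a redis.conf fragment and reports which of the recommendations (restricted bind, non-default port, long requirepass, dangerous commands renamed) are not met. It assumes the standard redis.conf directive names, treats the article's "32" as a character count, and the two sample configs are constructed.

```python
import shlex

# Commands whose misuse the article describes (replication, modules, data
# wiping). Assumption: this is the set a defender would rename; adjust as needed.
DANGEROUS = {"CONFIG", "MODULE", "SLAVEOF", "REPLICAOF", "FLUSHALL"}

# Constructed sample: the kind of config a fresh install is left with.
WEAK_CONF = """
port 6379
bind 0.0.0.0
"""

# Constructed sample: the same instance after applying the article's advice.
HARDENED_CONF = """
bind 10.0.0.5
port 16379
requirepass correct-horse-battery-staple-2f9c1d7e4b6a
rename-command CONFIG ""
rename-command MODULE ""
rename-command SLAVEOF ""
rename-command REPLICAOF ""
rename-command FLUSHALL "ops_only_flushall_9f3a"
"""


def parse_redis_conf(text):
    """Return (directive, args) pairs, skipping blank lines and # comments."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = shlex.split(line)  # handles the quoted "" used to disable a command
        entries.append((parts[0].lower(), parts[1:]))
    return entries


def audit(text):
    """Return a list of findings; an empty list means all four points are met."""
    entries = parse_redis_conf(text)
    findings = []
    binds = [args for d, args in entries if d == "bind"]
    if not binds or any("0.0.0.0" in a or "*" in a for a in binds):
        findings.append("bind: listening on all interfaces; restrict to trusted IPs")
    port = next((a[0] for d, a in entries if d == "port" and a), "6379")
    if port == "6379":
        findings.append("port: default 6379 in use; choose a non-default port")
    password = next((a[0] for d, a in entries if d == "requirepass" and a), "")
    if len(password) < 32:
        findings.append("requirepass: missing or shorter than 32 characters")
    renamed = {a[0].upper() for d, a in entries if d == "rename-command" and a}
    for cmd in sorted(DANGEROUS - renamed):
        findings.append(f"rename-command: {cmd} still reachable under its real name")
    return findings
```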