Impact client binds (5/7/2023)

This document provides an introduction to the topic of security from the point of [...] It covers the access control provided by Redis, code security concerns, attacks that can be triggered from the outside by selecting malicious inputs, and [...]

You can learn more about access control, data protection and encryption, secure Redis architectures, and secure deployment techniques by taking the Redis University security course.

For security-related contacts, open an issue on GitHub, or when you feel it is really important to preserve the security of the communication, use the [...]

Redis is designed to be accessed by trusted clients inside trusted environments. This means that usually it is not a good idea to expose the Redis instance directly to the internet or, in general, to an environment where untrusted clients can directly access the Redis TCP port or UNIX socket.

For instance, in the common context of a web application implemented using Redis as a database, cache, or messaging system, the clients inside the front-end (web side) of the application will query Redis to generate pages or to perform operations requested or triggered by the web application user.

In this case, the web application mediates access between Redis and untrusted clients (the user browsers accessing the web application). In general, untrusted access to Redis should always be mediated by a layer implementing ACLs, validating user input, and deciding what operations to perform against the Redis instance.

Network security

Access to the Redis port should be denied to everybody but trusted clients in the network, so the servers running Redis should be directly accessible only by the computers implementing the application using Redis.

In the common case of a single computer directly exposed to the internet, such as a virtualized Linux instance (Linode, EC2...), the Redis port should be firewalled to prevent access from the outside. Clients will still be able to access Redis using the loopback interface.

Note that it is possible to bind Redis to a single interface by adding a line like the following to the redis.conf file: bind 127.0.0.1

Failing to protect the Redis port from the outside can have a big security [...] For instance, a single FLUSHALL command can be used by an external attacker to delete the whole data set.

Unfortunately, many users fail to protect Redis instances from being accessed from external networks. Many instances are simply left exposed on the [...]

Since version 3.2.0, Redis enters a special mode called protected mode when it is executed with the default configuration (binding all the interfaces) and without any password in order to access it. In this mode, Redis only replies to queries from the loopback interfaces, and replies to clients connecting from other addresses with an error that explains the problem and how to configure [...]

We expect protected mode to seriously decrease the security issues caused by unprotected Redis instances executed without proper administration. The system administrator can still ignore the error given by Redis and disable protected mode or manually bind all the interfaces.

Redis provides two ways to authenticate clients. The recommended authentication method, introduced in Redis 6, is via Access Control Lists, allowing named users to be created and assigned fine-grained permissions. Read more about Access Control Lists here.

The legacy authentication method is enabled by editing the redis.conf file, and providing a database password using the requirepass setting. This password is then used by all clients. When the requirepass setting is enabled, Redis will refuse any query by [...] A client can authenticate itself by sending the [...] The password is set by the system administrator in clear text inside the [...] It should be long enough to prevent brute force attacks [...]

- Redis is very fast at serving queries. Many passwords per second can be tested by an external client.
- The Redis password is stored in the redis.conf file and inside the client configuration. Since the system administrator does not need to remember it, the password can be very long.

The goal of the authentication layer is to optionally provide a layer of [...] If firewalling or any other system implemented to protect Redis from external attackers fail, an external client will still not be able to access the Redis instance without knowledge of the authentication password.

Since the AUTH command, like every other Redis command, is sent unencrypted, it does not protect against an attacker that has enough access to the network to [...]

Redis has optional support for TLS on all communication channels, including client connections, replication links, and the Redis Cluster bus protocol.

It is possible to disallow commands in Redis or to rename them as an unguessable name, so that normal clients are limited to a specified set of commands. For instance, a virtualized server provider may offer a managed Redis instance [...]
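As an added example (not part of the original page and not Redis's own tooling), the following script parses a redis.conf-style file and flags the exposure conditions discussed above: binding all interfaces, protected mode switched off, a missing or short requirepass with no ACL users, and dangerous commands still reachable under their default names. The command list beyond FLUSHALL, the 32-character password threshold and the two sample configurations are assumptions constructed for the example.

```python
# Commands worth disabling or renaming for untrusted clients. FLUSHALL is the
# page's own example; the other three are assumed additions of the same kind.
DANGEROUS_COMMANDS = ("FLUSHALL", "FLUSHDB", "CONFIG", "DEBUG")
MIN_PASSWORD_LEN = 32  # assumed threshold; the page only says "very long"
ALL_INTERFACES = ("0.0.0.0", "*", "::")

def parse_conf(text):
    """Split redis.conf-style text into (directive, args) pairs, dropping comments."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            parts = line.split()
            entries.append((parts[0].lower(), parts[1:]))
    return entries

def audit(text):
    """Return one finding per exposure condition present in the configuration."""
    directives, renamed = {}, set()
    for name, args in parse_conf(text):
        if name == "rename-command" and len(args) == 2:
            renamed.add(args[0].upper())  # a new name of "" disables the command
        else:
            directives.setdefault(name, []).append(args)
    findings = []
    binds = directives.get("bind")
    if not binds or any(a in ALL_INTERFACES for args in binds for a in args):
        findings.append("bind: listens on all interfaces; restrict to trusted addresses")
    if directives.get("protected-mode", [["yes"]])[-1] == ["no"]:
        findings.append("protected-mode: disabled; remote clients are served instead of refused")
    pw = directives.get("requirepass")
    if not pw and "user" not in directives:
        findings.append("auth: no requirepass and no ACL users; any client may issue commands")
    elif pw and pw[-1] and len(pw[-1][0].strip('"')) < MIN_PASSWORD_LEN:
        findings.append("requirepass: short password; brute force at Redis query rates is feasible")
    for cmd in DANGEROUS_COMMANDS:
        if cmd not in renamed:
            findings.append(f"{cmd}: reachable under its default name; rename or disable it")
    return findings

# Constructed sample configurations, not taken from any real deployment.
WEAK_CONF = "bind 0.0.0.0\nprotected-mode no\nrequirepass hunter2\n"
HARDENED_CONF = (
    "bind 127.0.0.1 10.0.0.5\nprotected-mode yes\n"
    "requirepass 5b1d7f4e9a2c6e8d0f3b7a9c1e4d6f8a2b5c7d9e\n"  # constructed value
    'rename-command FLUSHALL ""\nrename-command FLUSHDB ""\n'
    'rename-command CONFIG cfg_7f3a9c1e4d6b8a2f\nrename-command DEBUG ""\n'
)
```

Run `audit(open("/path/to/redis.conf").read())` against a real file to list what remains exposed; an empty list means every condition checked here is mitigated.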