Redis General Security Model
----------------------------
- Designed to be accessed by clients in a trusted environment.
- Not recommended to be exposed directly to the internet.
- Clients/systems behind the front-end applications are the ones connecting to Redis.
- In general, Redis is optimized for performance, not for security.
Network Security
----------------
- The Redis port must be opened only to the applications that need access.
- Can bind to a single interface using: bind 127.0.0.1
Protected Mode
--------------
- Redis enters this mode when the default configuration is used.
- Default configuration:
  a. binds to all interfaces
  b. no password
- Replies only to queries on the loopback interface.
- Replies with an error to clients connecting from other addresses.
- Reduces the security issue created by the default configuration.
Authentication Feature
----------------------
- Redis doesn't try to implement access control by default.
- Can provide a layer of security via "redis.conf".
- When turned ON, clients can only issue commands after authenticating with the "AUTH" command.
- The password is set inside redis.conf.
- The "AUTH" command is sent unencrypted.
Data Encryption Support
-----------------------
- Redis doesn't support encryption.
- An additional layer must be added, such as an SSL proxy.
- Recommended: spiped.
Disabling Specific Command
--------------------------
- Commands can be disabled or renamed.
- Renaming:
  rename-command CONFIG b840fc02d524045429941cc15f59e41cb7be6c52
- Disabling:
  rename-command CONFIG ""
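The four settings covered so far (bind, protected mode, AUTH and command renaming) can be checked mechanically against a copy of redis.conf. The script below is an added example, not code from the post or from the Redis project; it parses the file the way Redis reads it (last occurrence of a directive wins, quoted "" is an empty argument) and reports each weak setting. Both sample configurations are constructed, and the password in the hardened one is a placeholder.

```python
"""Added example (not part of the post): audit a redis.conf for the settings
discussed above: bind, protected-mode, requirepass and rename-command CONFIG.
The two sample configurations at the bottom are constructed for illustration."""

import re
from typing import Dict, List


def parse_conf(text: str) -> Dict[str, List[List[str]]]:
    """Map each directive to the list of argument lists it was given.
    Comments and blank lines are skipped; a directive may repeat
    (e.g. several rename-command lines), so every occurrence is kept."""
    directives: Dict[str, List[List[str]]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # Keep quoted arguments (e.g. "") as one token, like Redis does.
        tokens = re.findall(r'"[^"]*"|\S+', line)
        name, args = tokens[0].lower(), [t.strip('"') for t in tokens[1:]]
        directives.setdefault(name, []).append(args)
    return directives


def audit_redis_conf(text: str) -> List[str]:
    """Return one finding per weak setting; an empty list means all checks passed."""
    conf = parse_conf(text)
    findings = []

    # Network security: bind only to the interface(s) the applications use.
    binds = conf.get("bind", [[]])[-1]          # last occurrence wins, as in Redis
    if not binds or any(b in ("0.0.0.0", "*", "::") for b in binds):
        findings.append("bind: unset or listening on all interfaces")

    # Protected mode: refuses non-loopback clients when no password/bind is set.
    if conf.get("protected-mode", [["yes"]])[-1][:1] == ["no"]:
        findings.append("protected-mode: disabled")

    # Authentication: without requirepass every client is accepted without AUTH.
    password = conf.get("requirepass", [[""]])[-1]
    if not password or not password[0]:
        findings.append("requirepass: not set, AUTH is not required")

    # Command renaming: CONFIG should be renamed or disabled with "".
    renamed = [a for a in conf.get("rename-command", [])
               if a and a[0].upper() == "CONFIG"]
    if not renamed:
        findings.append("rename-command: CONFIG still reachable under its default name")

    return findings


# Constructed sample: the defaults the post describes (all interfaces, no password).
WEAK_CONF = """
port 6379
bind 0.0.0.0
protected-mode no
"""

# Constructed sample: the hardened settings from the sections above.
# The password is a placeholder, not a real secret.
HARDENED_CONF = """
port 6379
bind 127.0.0.1
protected-mode yes
requirepass REPLACE-WITH-A-LONG-RANDOM-PASSWORD
rename-command CONFIG ""
"""

if __name__ == "__main__":
    for label, text in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(label, audit_redis_conf(text) or ["no findings"])
```

Running it prints four findings for the weak file and none for the hardened one. The checks deliberately mirror what Redis itself does with the file: a later `bind` line overrides an earlier one, and `requirepass ""` counts as no password.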
Attacks triggered by carefully selected inputs from external clients
--------------------------------------------------------------------
- External attackers can insert data that triggers pathological algorithm complexity in Redis's internal data structures.
- For instance, an attacker could supply, via a web form, a set of strings known to hash to the same bucket of a hash table, turning the O(1) expected (average) time into the O(N) worst case, consuming more CPU than expected and ultimately causing a Denial of Service.
- Redis prevents this attack by applying a per-execution pseudo-random seed to the hash function.
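The defence described above can be seen on a toy hash table. This is an added example, not code from the post or from Redis: the keyed hash is BLAKE2b from Python's hashlib, standing in for Redis's own seeded hash function, and the bucket count and keys are constructed. A set of keys that all land in one bucket under a fixed, known seed is scattered across the table as soon as the seed is chosen at random per process, which is what removes the O(N) worst case.

```python
"""Added example (not part of the post): a toy hash table showing why a
per-process random hash seed defeats pre-computed collisions. The keyed hash
is BLAKE2b from hashlib, a stand-in for Redis's seeded hash function, not its
implementation; the keys below are constructed."""

import hashlib
import secrets
from typing import List

NBUCKETS = 256


def bucket_of(key: bytes, seed: bytes) -> int:
    """Bucket index for `key` under a given hash seed (keyed BLAKE2b, 8-byte digest)."""
    digest = hashlib.blake2b(key, key=seed, digest_size=8).digest()
    return int.from_bytes(digest, "big") % NBUCKETS


def max_bucket_depth(keys: List[bytes], seed: bytes) -> int:
    """Longest chain in the table: the O(N) lookup cost the post refers to."""
    counts = [0] * NBUCKETS
    for k in keys:
        counts[bucket_of(k, seed)] += 1
    return max(counts)


def keys_colliding_under(seed: bytes, wanted: int = 64) -> List[bytes]:
    """Keys that all map to bucket 0 when the seed is fixed and known.
    With a constant seed such a set can be prepared offline; a seed that is
    random per process takes that precondition away."""
    out, i = [], 0
    while len(out) < wanted:
        candidate = b"key-%d" % i
        if bucket_of(candidate, seed) == 0:
            out.append(candidate)
        i += 1
    return out


FIXED_SEED = b"\x00" * 16              # a constant seed baked into the code
RANDOM_SEED = secrets.token_bytes(16)  # chosen fresh per process, as Redis does

if __name__ == "__main__":
    crafted = keys_colliding_under(FIXED_SEED)
    print("fixed seed, crafted keys: depth", max_bucket_depth(crafted, FIXED_SEED))
    print("random seed, same keys:   depth", max_bucket_depth(crafted, RANDOM_SEED))
```

With the fixed seed all 64 crafted keys share one bucket (depth 64); with the random seed the same keys spread out and the deepest bucket holds only a handful, which is the behaviour a randomly seeded hash table is expected to keep regardless of the input.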
String escaping and NoSQL injection
-----------------------------------
- Redis doesn't use string escaping.
- The protocol uses fixed-length strings, which is considered safe.
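Why fixed-length strings make escaping unnecessary is easiest to see with the wire format itself. The encoder and decoder below are an added example, not code from the post or from Redis: each argument is sent as a RESP bulk string, `$<length>\r\n<bytes>\r\n`, so the receiver reads exactly `<length>` bytes and never scans the value for delimiters. The untrusted value is constructed; SET and PING are ordinary Redis commands.

```python
"""Added example (not part of the post): a minimal RESP encoder and decoder
showing why Redis needs no string escaping. Every argument is sent as a bulk
string '$<length>\\r\\n<bytes>\\r\\n', so the receiver reads exactly <length>
bytes and never looks inside them for delimiters. The payload below is
constructed; SET and PING are ordinary Redis commands."""

from typing import List


def encode_command(*args: bytes) -> bytes:
    """Encode one command as a RESP array of bulk strings (client -> server form)."""
    out = b"*%d\r\n" % len(args)
    for arg in args:
        out += b"$%d\r\n%s\r\n" % (len(arg), arg)
    return out


def decode_commands(stream: bytes) -> List[List[bytes]]:
    """Parse every RESP array in `stream`. Bulk strings are consumed by their
    declared length, so bytes that look like RESP inside a value stay data."""
    commands, pos = [], 0
    while pos < len(stream):
        if stream[pos:pos + 1] != b"*":
            raise ValueError("expected '*' at offset %d" % pos)
        end = stream.index(b"\r\n", pos)
        count, pos = int(stream[pos + 1:end]), end + 2
        args = []
        for _ in range(count):
            if stream[pos:pos + 1] != b"$":
                raise ValueError("expected '$' at offset %d" % pos)
            end = stream.index(b"\r\n", pos)
            length, pos = int(stream[pos + 1:end]), end + 2
            data = stream[pos:pos + length]
            if len(data) != length or stream[pos + length:pos + length + 2] != b"\r\n":
                raise ValueError("truncated bulk string at offset %d" % pos)
            args.append(data)
            pos += length + 2
        commands.append(args)
    return commands


def inline_lines(*args: bytes) -> List[bytes]:
    """What a line-oriented reader would see if a client merely concatenated
    the arguments: embedded CRLFs split the value into extra lines, each of
    which looks like a command of its own."""
    raw = b" ".join(args) + b"\r\n"
    return [line for line in raw.split(b"\r\n") if line]


# Constructed untrusted value that contains a RESP-encoded PING after a CRLF.
UNTRUSTED_VALUE = b"value\r\n*1\r\n$4\r\nPING\r\n"

if __name__ == "__main__":
    wire = encode_command(b"SET", b"user:1", UNTRUSTED_VALUE)
    print(decode_commands(wire))                               # one SET, value intact
    print(inline_lines(b"SET", b"user:1", UNTRUSTED_VALUE))    # four separate lines
```

Decoding the RESP encoding yields exactly one SET command with the value preserved byte for byte, CRLFs and all. The same three arguments joined by spaces, as a line-oriented protocol would carry them, split into four lines, with "PING" standing alone as if it were a separate command; that difference is the whole reason the length-prefixed form is considered safe.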