polyledger/connect

Redis is improperly configured

Closed this issue · 1 comments

Description

On March 28th I received an email from Digital Ocean with the subject, "[Action Recommended] Important notice regarding misconfigured Redis on your Droplet". It reads:


Hi there,

We’ve received a notification from 3rd party security researchers, the Shadowserver Foundation, that your Droplet at 178.62.211.86 is running a Redis instance configured in a way that may be insecure.

This configuration that was reported to us can allow attackers to gain local access to your Droplet, as well as the ability to read, change, or destroy any data hosted in your Redis instance. This issue could result in severe security breaches, and we strongly urge you to take immediate action to secure your Redis instance. We have several resources available to help you secure your server.

For securing your Redis instance on Ubuntu, refer to this tutorial

For securing your Redis instance on CentOS, refer to this tutorial

We also offer Cloud Firewalls - available in all regions at no additional cost - to protect your Droplet from traffic attempting to access it without permission. Learn more about Cloud Firewalls here

The security of all systems in our network is extremely important to us and we strongly encourage you to review your configuration promptly.

Regards,

Trust & Safety
DigitalOcean Security


I've run sudo docker-compose -f production.yml down to take the algorithm down while we service the Redis instance.

While the server is down for maintenance, we can see what can be done with #19.

It seems that we need to simply ensure that the firewall blocks the port that Redis is running on. I've used ufw for basic firewall settings. The tutorial below suggests using iptables but I want to try with ufw first.

From the tutorial:


Prerequisites

  • iptables configured using this iptables guide, up through the (Optional) Update Nameservers step (if you don't do the nameserver configuration part, APT won't work). After configuring the nameservers, you're done

...

Step 2 — Securing the Server with iptables

Redis is just an application that's running on your server, and because it has no real security features of its own, the first step to truly securing it is to first secure the server it is running on.

In the case of a public-facing server like your Ubuntu 14.04 server, configuring a firewall as given in this iptables guide is that first step. Follow that link and set up your firewall now.

If you've implemented the firewall rules using that guide, then you do not need to add an extra rule for Redis, because by default, all incoming traffic is dropped unless explicitly allowed. Since a default standalone installation of Redis server is listening only on the loopback interface (127.0.0.1 or localhost), there should be no concern for incoming traffic on its default port.

If you need to specifically allow an IP address for Redis, you can check what IP address Redis is listening on, and what port it is bound to by grep-ing the output of the netstat command. The fourth column — 127.0.0.1:6379 here — indicates the IP address and port combination associated with Redis:

$ sudo netstat -plunt | grep -i redis
tcp   0      0 127.0.0.1:6379          0.0.0.0:*               LISTEN      8562/redis-server 1

Make sure this IP address is allowed in your Firewall policy. For more information on how to add rules, please see this iptables basics article.
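The netstat check quoted from the tutorial can be scripted so that any Redis listener bound to a non-loopback address is flagged. This is an added example, not part of the issue or the tutorial; the function name `check_redis_listeners` and the sample netstat lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify redis-server listeners from `netstat -plunt`
# output read on stdin. Prints "OK <addr:port>" for loopback binds and
# "EXPOSED <addr:port>" for anything else.
# Exit status: 0 = loopback only, 1 = at least one exposed, 2 = none found.
check_redis_listeners() {
    awk '
        tolower($0) ~ /redis/ && $1 ~ /^tcp/ && $6 == "LISTEN" {
            found = 1
            host = $4
            sub(/:[0-9]+$/, "", host)      # drop the trailing :port
            if (host ~ /^127\./ || host == "::1") {
                print "OK " $4
            } else {
                print "EXPOSED " $4        # e.g. 0.0.0.0 or :: (all interfaces)
                exposed = 1
            }
        }
        END {
            if (!found)  exit 2
            if (exposed) exit 1
            exit 0
        }
    '
}

# Constructed sample: one loopback listener, one bound to all interfaces,
# and an unrelated sshd line that must be ignored.
SAMPLE_NETSTAT='tcp   0   0 127.0.0.1:6379   0.0.0.0:*   LISTEN   8562/redis-server 1
tcp   0   0 0.0.0.0:6379     0.0.0.0:*   LISTEN   8570/redis-server *
tcp   0   0 0.0.0.0:22       0.0.0.0:*   LISTEN   900/sshd'

# Demo on the constructed sample; report the status instead of aborting.
printf '%s\n' "$SAMPLE_NETSTAT" | check_redis_listeners || echo "status: $?"
```

On a live host, pipe the real output in: `sudo netstat -plunt | check_redis_listeners`.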