Redis Security
Download as PPTX, PDF0 likes581 views
Redis is designed to be accessed by trusted clients within trusted environments for maximum performance. It is not optimized for security but simplicity. Network access to Redis should be limited to trusted clients on the network. Redis listens to all interfaces by default but this can be configured. Redis provides a basic authentication layer where clients authenticate with a password set in the configuration file. Data encryption is not supported so additional layers may be needed over untrusted networks. Specific Redis commands can be disabled or renamed to limit clients. The Redis protocol prevents SQL injection as it uses binary-safe prefixed strings.
Redis Security
- 1. Redis - Security Eng. Ismail Enjreny Email: ismaeel.enjreny@gmail.com
- 2. Redis Security • Redis is designed to be accessed by trusted clients inside trusted environments • in the common context of a web application implemented using Redis, the clients inside the front-end (web side) of the application will query Redis • Redis is not optimized for maximum security but for maximum performance and simplicity
- 3. Network security • Access to the Redis port should be denied to everybody but trusted clients in the network, so the servers running Redis should be directly accessible only by the computers implementing the application using Redis • By default Redis listens for connections from all the network interfaces available on the server • It is possible to listen to just one or multiple interfaces using the "bind" configuration directive, followed by one or more IP addresses • bind 192.168.1.100 10.0.0.1 • bind 127.0.0.1
- 4. Authentication feature • Redis provides a tiny layer of authentication that is optionally turned on editing the redis.windows.conf file • When the authorization layer is enabled, Redis will refuse any query by unauthenticated clients • A client can authenticate itself by sending the AUTH command followed by the password • The password is set by the system administrator in clear text inside the redis.conf file. It should be long enough to prevent brute force attacks for two reasons • Redis is very fast at serving queries. Many passwords per second can be tested by an external client • The Redis password is stored inside the redis.windows.conf file and inside the client configuration, so it does not need to be remembered by the system administrator, and thus it can be very long • requirepass YOUR_LONG_PASSWORD
- 5. Data encryption support • Redis does not support encryption • In order to implement setups where trusted parties can access a Redis instance over the internet or other untrusted networks, an additional layer of protection should be implemented • We recommend spiped
- 6. Disabling of specific commands • It is possible to disable commands in Redis or to rename them into an unguessable name, so that normal clients are limited to a specified set of commands • rename-command CONFIG b840fc02d524045429941cc15f59e41cb7be6c52 • It is also possible to completely disable it (or any other command) by renaming it to the empty string, like in the following example: • rename-command CONFIG ""
- 7. String escaping and NoSQL injection • The Redis protocol has no concept of string escaping, so injection is impossible under normal circumstances using a normal client library • The protocol uses prefixed-length strings and is completely binary safe • Lua scripts executed by the EVAL and EVALSHA commands follow the same rules, and thus those commands are also safe