Security accidents have been coming thick and fast recently. A few days ago it was the "SF senior operations and maintenance engineer deletion incident"; today I read that a PHP engineer ran a dangerous Redis command in production and cost a company 4 million.

What kind of Redis command could be so powerful and cause so much damage?

The details are as follows:

According to a yuntoutiao report, the technology department of one company has had two P0 (highest-severity) incidents this year, with a financial loss of RMB 4 million. The cause was as follows:

A PHP engineer operated Redis directly in production and ran a "keys * WXDB cf8*" command (as quoted in the report). The command blocked Redis and drove the CPU up, so every payment flow stalled; when it finished some ten seconds later, all the queued requests were released at once into the RDS database, which collapsed under the avalanche and went down.

The company said that any repeat of the incident would result in immediate dismissal, and that it would gradually take back direct production access and consolidate it in the operations and maintenance department.

After reading this news I was shocked yet again: why are such basic mistakes still being made? Why are dangerous commands not disabled in production? It is embarrassing to even have to report an incident like this...

Never mind which company it was: an accident like this should not happen at any company, large or small, and in my view the person in charge should take responsibility and resign!!

Anyone with a little Redis experience knows that KEYS * must never be run in production. Glob matching is convenient and powerful, and on a small dataset it is harmless, but Redis executes commands on a single thread, so on a large keyspace KEYS walks every key before anything else is served: latency spikes, CPU climbs, and every request that queued up in the meantime lands at once when it finishes, which is exactly what pushed the load onto the RDS database above. To look up keys by pattern, use the cursor-based SCAN command with MATCH and iterate in small batches instead.
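The following is an added example (not code from the original post or from the affected company) showing the SCAN loop that replaces KEYS: each call returns a slice of roughly COUNT keys plus a cursor, and iteration ends when the server returns cursor 0. The scan_keys function is written against the scan(cursor, match, count) signature of redis-py's Redis class; the FakeRedis class, the 10,000-key sample keyspace and the WXDB key names are all constructed here so that it runs offline.

```python
"""Cursor-based key lookup with SCAN instead of KEYS (added example).

KEYS <pattern> walks the entire keyspace in one call and, because Redis
executes commands on a single thread, nothing else is served until it
finishes. SCAN returns a slice of roughly COUNT keys plus a cursor, so each
call is short and other clients keep being served between calls.
"""
import fnmatch


def scan_keys(client, pattern, count=1000):
    """Return (set_of_matching_keys, number_of_scan_calls) using SCAN.

    `client` must expose scan(cursor, match, count) -> (cursor, keys), which
    is the signature of redis-py's Redis.scan(). Iteration ends when the
    server hands back cursor 0. SCAN may return the same key more than once
    (and keys added during the scan may be missed), so results go in a set.
    """
    cursor = 0
    found = set()
    calls = 0
    while True:
        cursor, keys = client.scan(cursor=cursor, match=pattern, count=count)
        calls += 1
        found.update(keys)
        if cursor == 0:
            break
    return found, calls


class FakeRedis:
    """Minimal in-memory stand-in for redis.Redis so this runs offline.

    Only keys() and scan() are implemented. Here the cursor is an index into
    the key list; real Redis cursors are opaque integers, but the contract
    (iterate until the server returns 0) is the same.
    """

    def __init__(self, keys):
        self._keys = list(keys)

    def keys(self, pattern="*"):
        # Equivalent of the KEYS command: touches every key in one go.
        return [k for k in self._keys if fnmatch.fnmatchcase(k, pattern)]

    def scan(self, cursor=0, match=None, count=10):
        chunk = self._keys[cursor:cursor + count]
        next_cursor = cursor + count
        if next_cursor >= len(self._keys):
            next_cursor = 0  # 0 signals the end of the iteration
        if match is not None:
            chunk = [k for k in chunk if fnmatch.fnmatchcase(k, match)]
        return next_cursor, chunk


# Constructed sample keyspace: 10,000 keys, 3 of which match a pattern
# shaped like the one from the incident (the real key names are not known).
SAMPLE_KEYS = [f"session:{i}" for i in range(10_000)]
SAMPLE_KEYS[17] = "WXDB:order:cf8a1"
SAMPLE_KEYS[4242] = "WXDB:order:cf8b2"
SAMPLE_KEYS[9999] = "WXDB:user:cf8c3"

if __name__ == "__main__":
    r = FakeRedis(SAMPLE_KEYS)
    matched, calls = scan_keys(r, "WXDB*cf8*", count=500)
    print(f"SCAN: {sorted(matched)} found in {calls} short calls")
    print(f"KEYS: {sorted(r.keys('WXDB*cf8*'))} found in 1 blocking call")
```

Against a real server, replace FakeRedis with redis.Redis(host=..., password=...) and the loop is unchanged. The cost of KEYS is paid in one uninterruptible burst; the cost of SCAN is spread over many short calls, which is why other clients keep getting served.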

What other dangerous commands are there?

Commonly cited dangerous Redis commands include:

· KEYS

Lets a client enumerate every existing key. The scan runs on the single Redis thread, so on a large keyspace it blocks all other clients for the duration.

· FLUSHDB

Deletes all the keys of the currently selected database. This command never fails.

· FLUSHALL

Deletes all the keys of all existing databases, not just the currently selected one. This command never fails.

· CONFIG

Lets a client read and modify the running Redis configuration (for example where and under what name the RDB file is written), so it must not be reachable by general clients.

How do I disable or rename dangerous commands?

Take a look at the redis.conf default configuration file and find the SECURITY area, as shown below.

################################## SECURITY ###################################

# Require clients to issue AUTH PASSWORD before processing any other
# commands. This might be useful in environments in which you do not trust
# others with access to the host running redis-server.
#
# This should stay commented out for backward compatibility and because most
# people do not need auth (e.g. they run their own servers).
#
# Warning: since Redis is pretty fast an outside user can try up to
# 150k passwords per second against a good box. This means that you should
# use a very strong password otherwise it will be very easy to break.
#
# requirepass foobared

# Command renaming.
#
# It is possible to change the name of dangerous commands in a shared
# environment. For instance the CONFIG command may be renamed into something
# hard to guess so that it will still be available for internal-use tools
# but not available for general clients.
#
# Example:
#
# rename-command CONFIG b840fc02d524045429941cc15f59e41cb7be6c52
#
# It is also possible to completely kill a command by renaming it into
# an empty string:
#
# rename-command CONFIG ""
#
# Please note that changing the name of commands that are logged into the
# AOF file or transmitted to slaves may cause problems.

Following the instructions in those comments, add rename-command directives for the dangerous commands (and set requirepass while you are there):

1) Disable commands (rename them to the empty string):

rename-command KEYS ""
rename-command FLUSHALL ""
rename-command FLUSHDB ""
rename-command CONFIG ""

2) Rename commands:

rename-command KEYS XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
rename-command FLUSHALL XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
rename-command FLUSHDB XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
rename-command CONFIG XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

Replace the XXX... with a new command name of your choosing, ideally a long random string (the example in redis.conf uses a SHA-1 hex digest); a short or guessable name defeats the purpose. Note that rename-command takes exactly two arguments: a line such as "rename-command KEYS" with nothing after it is a configuration error and redis-server will refuse to start.

After these settings take effect (they are read from redis.conf at startup), clients can no longer execute the dangerous commands under their original names. Two caveats: as the configuration comments warn, renaming commands that are written to the AOF or sent to replicas can cause problems (Sentinel, for instance, needs CONFIG on the instances it manages and has its own rename-command setting for that reason), and from Redis 6 onwards the ACL system is the recommended way to restrict commands per client, with KEYS, FLUSHALL, FLUSHDB and CONFIG all falling under its @dangerous category. Renaming also does nothing about the root cause of this incident, a developer with direct production access; the access control is the real fix, and the renaming is a safety net.
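The following is an added example (not code from the original post) that audits a redis.conf for the hardening described above: for each of the four commands it reports whether the command is disabled (renamed to ""), renamed, renamed to something guessable, still exposed, or configured with an invalid rename-command line, and it checks that requirepass is set. The three sample configurations are constructed for this example, and the 16-character threshold for "guessable" is this example's own choice.

```python
"""Audit a redis.conf for dangerous-command hardening (added example).

The parser honours the double-quoted arguments redis.conf uses, so the ""
in `rename-command CONFIG ""` becomes an empty argument, which is the value
the server treats as "remove this command".
"""
import shlex

# Commands the post calls out; rename-command lines for other commands are
# reported too, but only these four count as exposed when absent.
DANGEROUS = ("KEYS", "FLUSHALL", "FLUSHDB", "CONFIG")


def parse_conf(text):
    """Yield (directive, args) for each effective line of a redis.conf."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = shlex.split(line)
        yield parts[0].lower(), parts[1:]


def audit(text):
    """Return ({COMMAND: status}, auth_status).

    status is one of "disabled", "renamed", "renamed (guessable)", "exposed"
    or "invalid" (rename-command with the wrong number of arguments, which
    makes redis-server refuse to start). auth_status is "set" or "missing".
    """
    status = {cmd: "exposed" for cmd in DANGEROUS}
    auth = "missing"
    for directive, args in parse_conf(text):
        if directive == "requirepass":
            auth = "set" if args and args[0] else "missing"
        elif directive == "rename-command":
            if not args:
                continue
            cmd = args[0].upper()
            if len(args) != 2:
                status[cmd] = "invalid"
            elif args[1] == "":
                status[cmd] = "disabled"
            elif len(args[1]) < 16:  # threshold chosen for this example
                status[cmd] = "renamed (guessable)"
            else:
                status[cmd] = "renamed"
    return status, auth


def findings(text):
    """List of human-readable problems; an empty list means the checks pass."""
    status, auth = audit(text)
    problems = [f"{cmd}: {s}" for cmd, s in status.items()
                if s in ("exposed", "invalid", "renamed (guessable)")]
    if auth == "missing":
        problems.append("requirepass: not set")
    return problems


# Constructed sample configurations (not taken from any real deployment).
DEFAULT_CONF = """\
# requirepass foobared
# rename-command CONFIG ""
"""

BROKEN_CONF = """\
requirepass Str0ng-Passw0rd-Replace-Me
rename-command KEYS
rename-command FLUSHALL ""
"""

HARDENED_CONF = """\
requirepass Str0ng-Passw0rd-Replace-Me
rename-command KEYS ""
rename-command FLUSHALL ""
rename-command FLUSHDB ""
rename-command CONFIG b840fc02d524045429941cc15f59e41cb7be6c52
"""

if __name__ == "__main__":
    for name, conf in (("default", DEFAULT_CONF),
                       ("broken", BROKEN_CONF),
                       ("hardened", HARDENED_CONF)):
        print(name, findings(conf) or ["ok"])
```

Run it over the real file with findings(open("/etc/redis/redis.conf").read()); the "broken" sample is the trap the text warns about, a rename-command line missing its second argument, which the audit flags as invalid rather than silently treating as disabled.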