Recent security reports identified the risk of attacks on misconfigured Redis databases. Here are five basic steps to secure your Redis deployments.
Recently the cyber research community highlighted how attackers have been abusing insecurely configured Redis databases. As one of the world’s most used NoSQL databases, the huge installation footprint of Redis––both open source and commercial––makes it a natural target for attackers.
However, there are a number of basic steps Redis users can take to reduce the risk of attacks like the recent HeadCrab malware campaign identified by AquaSec.
We should note that there are no signs that Redis Enterprise software or Redis Cloud services have been impacted by these attacks.
Since version 3.2.0, Redis Open Source (Redis OSS) enters a special mode called protected mode when it is executed with the default configuration and without any password required to access it. In this mode, Redis only replies to queries from the loopback interfaces. When clients connect from other addresses, Redis OSS replies with an error that explains the problem and how to configure Redis properly.
We expected protected mode to decrease the security issues caused by unprotected Redis instances executed without proper administration. But system administrators can ignore the error emitted by Redis; those administrators can disable protected mode or manually bind all the interfaces. It appears that there are plenty of these kinds of deployments which are being targeted by attacks such as HeadCrab.
Here are some basic recommendations for how to begin securing your Redis deployments: