
Redis acl

Redis ACL RCP1


  1. Redis ACL - RCP 1. DaeMyung Kang (charsyam@naver.com)
  2. Who am I?
     • Software Engineer at Udemy
     • Redis Contributor
     • Redis Document Project Committer: https://github.com/antirez/redis-doc
     • Speaker at RedisConf 2016
     • Troubleshooting Redis
  3. Agenda
     • What happened without authentication for Redis?
     • What is the current Redis ACL?
     • What is RCP1?
  4. What happened without authentication for Redis?
  5. Memcrashed
  6. Memcrashed
     • A Memcached DDoS issue, not a Redis one
     • Memcached is a high-performance in-memory K-V store
     • Memcached opened a UDP port by default (port 11211)
     • Memcached doesn't support authentication
     • It was patched on 28 Feb, 2018
  7. Memcrashed (diagram: Attacker, UDP servers, Victim)
     • 1. IP-spoofed requests from the attacker to the UDP servers; they can't verify the UDP source
     • 2. Legitimate UDP responses go to the victim, which receives huge traffic from the Memcached servers
  8. Redis in public
  9. Redis in public
     • Redis opens port 6379 in public.
     • Redis runs with root permission.
     • Redis runs without requirepass.
  10. You are ready to be hacked
  11. How to hack Redis
     • Using RDB saving
     • I don't want to show you the detailed steps.
  12. How to hack Redis #2
  13. How to hack Redis #3
  14. Never expose your Redis in public
  15. Redis status (2018/05/30, today): globally 17,153 Redis servers are in public
  16. Memcached status (2018/05/30, today): globally 37,839 Memcached servers are in public
  17. What is the current Redis ACL?
  18. Redis only supports requirepass
  19. Limitation of requirepass
     • If you know the password, you can run all commands.
     • O(N) commands: KEYS, FLUSHALL, LREM
  20. rename-command
     • We can change a command name to another one, or disable it.
     • But sometimes we need to use disabled commands for management.
     • If someone knows the changed command names, all people will know them.
     • Still, someone can make a mistake.
  21. RCP1 Redis ACL
  22. ACL: Access Control List
     • Specifies who is granted access to objects
     • In Redis: specifies who is granted to execute specific commands
  23. Examples
     #<username> <password> [<acl> <acl> … <acl>]
     charsyam "my password" +#all
     client "my password" +#readonly
     default "" +ping +info
     • charsyam can execute all commands
     • client can execute only readonly commands
     • the default user can only run the ping and info commands; default is the user permission before the auth step.
  24. auth example: auth <username> <password>
  25. Command groups: #readonly #write #slow #admin #string #list #set #zset #hash #hyperloglog #scan #pubsub #transaction #scripting
  26. Implementation of RCP1
  27. Bit arrays for commands #1 (table: Command Group, Command, Index in BitArray)
  28. ACL BitArray (Module 0, Get 1, Set 1, Setnx 0, Setex 0, …): this user can't use the module command
  29. ACL BitArray (Module 0, Get 1, Set 1, Setnx 0, Setex 0, …): this user can use the Get command
  30. Bit arrays for commands #2: 64 * 4 = 256 bits; typedef unsigned long long acl_t;
  31. Bit arrays for commands #3
  32. How can we use it?
  33. Default user: +#ALL -KEYS -FLUSHALL -ADMIN; Admin: +#ALL; Read Only: +#ReadOnly
  34. Some issues for Redis security
     • SSL/TLS support
     • Periodic password changing
  35. DEMO for RCP1
  36. Thanks
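The bit-array ACL from the "bit arrays for commands" and "How we can use?" slides, worked through as an added C example that is not the RCP1 patch or Redis's own code: a 4-word acl_t array (256 bits), a constructed command table whose indexes and group flags are hypothetical, rule parsing for +#group / -COMMAND, and the per-command check. The command names and group names mirror the slides; every index value is made up for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <strings.h>

/* 256-bit ACL: 4 x 64-bit words, one bit per command index (slide "bit arrays #2"). */
typedef unsigned long long acl_t;
#define ACL_WORDS 4
#define ACL_BITS  (ACL_WORDS * 64)

/* Constructed command table: hypothetical indexes and group flags, not Redis's real table. */
enum { G_READONLY = 1, G_WRITE = 2, G_ADMIN = 4 };
typedef struct { const char *name; unsigned idx; unsigned groups; } cmd_t;
static const cmd_t cmds[] = {
    {"module", 0, G_ADMIN},   {"get", 1, G_READONLY},  {"set", 2, G_WRITE},
    {"setnx", 3, G_WRITE},    {"setex", 4, G_WRITE},   {"keys", 5, G_READONLY},
    {"flushall", 6, G_WRITE}, {"ping", 7, G_READONLY}, {"info", 8, G_READONLY},
};
#define NCMDS (sizeof cmds / sizeof cmds[0])

/* Set or clear one command's bit; indexes past the array are ignored. */
static void acl_set(acl_t *acl, unsigned idx, bool allow) {
    if (idx >= ACL_BITS) return;
    acl_t m = 1ULL << (idx % 64);
    if (allow) acl[idx / 64] |= m; else acl[idx / 64] &= ~m;
}

/* Apply one rule: "+#all" / "-#admin" toggle a whole group, "+ping" / "-KEYS" one
 * command (case-insensitive). Returns false for a malformed rule or unknown name. */
bool acl_apply_rule(acl_t *acl, const char *rule) {
    bool allow = rule[0] == '+';
    if (!allow && rule[0] != '-') return false;
    const char *what = rule + 1;
    unsigned g = 0;
    if (!strcasecmp(what, "#all")) g = ~0u;
    else if (!strcasecmp(what, "#readonly")) g = G_READONLY;
    else if (!strcasecmp(what, "#write")) g = G_WRITE;
    else if (!strcasecmp(what, "#admin")) g = G_ADMIN;
    else if (what[0] == '#') return false;
    for (size_t i = 0; i < NCMDS; i++)
        if ((g && (cmds[i].groups & g)) || (!g && !strcasecmp(cmds[i].name, what))) {
            acl_set(acl, cmds[i].idx, allow);
            if (!g) return true;
        }
    return g != 0;
}

/* Look up the command's bit in the user's array; unknown commands are denied. */
bool acl_can_run(const acl_t *acl, const char *cmd) {
    for (size_t i = 0; i < NCMDS; i++)
        if (!strcasecmp(cmds[i].name, cmd))
            return (acl[cmds[i].idx / 64] >> (cmds[i].idx % 64)) & 1ULL;
    return false;
}
```

Applying the slide's rule lists in order (for example "+#ALL -KEYS -FLUSHALL -#admin" for the default user) reproduces the per-user bit patterns shown on the ACL BitArray slides.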
