The problem
On 3 November 2015, the lead developer of Redis, Salvatore Sanfilippo (antirez), published a blog post about Redis security. In it he showed how an attacker can gain SSH access to a machine whose Redis server is left unprotected. The impact is worst when Redis runs as root, because the database process can then write a file anywhere on the filesystem. The process is simple and can be reproduced in a few steps:
- Generate an SSH public/private key pair
- Connect to an unprotected Redis server
- Flush the database and set a key whose value is the generated public key
- Change the working directory (the dir setting, via CONFIG SET) to ~/.ssh/ of the user Redis runs as
- Set dbfilename (again via CONFIG SET) to authorized_keys
- Save the current dataset (SAVE), which writes the RDB dump, public key included, over authorized_keys
This attack only works if you can connect to the Redis instance and run commands on it (no requirepass set, or a password you know) and the Redis process can write into the target directory. However, many databases were running the default settings, so they were open to the whole internet without any authentication. This led to many users being compromised after the initial post was published.
Now what?
We noticed the blog post a few days later and thought it would be a good idea to build a platform where users could check whether their instances were vulnerable. Vulnerable in this scenario meant:
- We can access the server
- The server doesn’t have authentication
In the command line (using redis-cli) it would be something as simple as:
redis-cli -h ip.add.re.ss echo "NOT SAFE"
If it prints "NOT SAFE", the server is not safe: it executed a command for us without any authentication. A server with requirepass set refuses the unauthenticated command and answers with an authentication error (NOAUTH Authentication required.) instead.
Since it was Friday and we had some time before our beer Friday, we decided to create an online tool to do this, and in a few hours Is Redis All Safe was born.
How we did it
We grabbed a cup of coffee and started coding in Node.js. Similarly to the command line version, what we did was try to open a connection without valid credentials. In Node.js, using the node_redis client, this could be done with:

```javascript
// Open a connection to the host and port the user submitted; success means
// the server accepted us without valid credentials.
var redis = require('redis');
var client = redis.createClient(req.body.port, req.body.host, {
    'max_attempts': 1,       // do not keep retrying a host that refuses us
    'auth_pass': 'true',     // bogus password: a server with requirepass rejects it,
                             // a server without one only triggers a client warning
    'connect_timeout': 1000  // give up after one second
});
// Note: host and port come straight from the request body, so the service is
// also a port probe for whoever submits the form; rate-limit accordingly.
```

If the connection succeeds (the client reaches its ready state) we return a message saying that the server is not safe. Otherwise the server is reported as safe, since we could not run a command on it. Strictly speaking that second branch lumps together two different cases: a server that rejected us for lack of credentials, and a server we simply could not reach from our vantage point (firewalled, wrong port, timeout). Only the first is actually protected; the second is unknown.
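As an added example (not code from the original tool, nor from Redis or node_redis), here is a dependency-free Python version of the check shown above with redis-cli and with node_redis. It speaks RESP directly, sends a bare PING without AUTH, and separates the three outcomes the original collapsed into "safe" versus "not safe": command executed (not safe), authentication required, and unreachable or not Redis. The sample replies and the throwaway local server are constructed for offline testing; "ip.add.re.ss" is a placeholder host.

```python
"""Offline-testable check for an unauthenticated Redis instance."""
import socket
import threading

# Constructed sample replies in RESP, as a Redis server answers a bare PING.
# Not captured from any real host; they exist so the classifier runs offline.
SAMPLE_REPLIES = {
    "open": b"+PONG\r\n",
    "requires_auth": b"-NOAUTH Authentication required.\r\n",
    "old_redis_denied": b"-ERR operation not permitted\r\n",
    "not_redis": b"HTTP/1.1 400 Bad Request\r\n",
}

PING = b"*1\r\n$4\r\nPING\r\n"   # RESP: array of one bulk string


def classify_reply(raw: bytes) -> str:
    """Turn the first RESP line of the reply to an unauthenticated PING into a verdict.

    +PONG                        -> "not_safe"      (a command ran without AUTH)
    -NOAUTH ...                  -> "auth_required" (requirepass is set)
    -ERR operation not permitted -> "auth_required" (older Redis wording)
    anything else                -> "unknown"       (not Redis, or unexpected)
    """
    line = raw.split(b"\r\n", 1)[0]
    if line == b"+PONG":
        return "not_safe"
    if line.startswith((b"-NOAUTH", b"-ERR operation not permitted")):
        return "auth_required"
    return "unknown"


def check_redis(host: str, port: int = 6379, timeout: float = 1.0) -> str:
    """Connect, send PING without AUTH, and classify what comes back.

    Returns "not_safe", "auth_required", "unknown" or "unreachable".
    "unreachable" means only that this vantage point could not reach the
    port; it is not evidence that the instance is protected.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(PING)
            raw = sock.recv(512)
    except OSError:
        return "unreachable"
    return classify_reply(raw) if raw else "unknown"


def serve_once(reply: bytes) -> int:
    """Throwaway fake Redis on 127.0.0.1: answer one client with `reply`, then exit.

    Returns the ephemeral port it listens on. Test scaffolding only.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def run():
        conn, _ = srv.accept()
        with conn:
            conn.recv(512)          # consume the client's PING
            conn.sendall(reply)
        srv.close()

    threading.Thread(target=run, daemon=True).start()
    return port


if __name__ == "__main__":
    for name, reply in SAMPLE_REPLIES.items():
        print(f"{name:18} -> {check_redis('127.0.0.1', serve_once(reply))}")
    # Real use, against your own instance: check_redis("ip.add.re.ss")
```

The point of the extra verdicts is the failure mode of the original tool: a host that times out from the checker's network gets reported as safe even though the same instance may be wide open from elsewhere, so report "unreachable" as inconclusive rather than as a pass.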
We tested it against several Redis configurations to check that everything worked, and afterwards had some fun with a design inspired by Mr. Robot.
By dinner time everything was ready; time to ship it and enjoy our beer Friday.
Conclusion
This was a very simple project, implemented in a single day. Despite its simplicity it reminded us of two important things.
First, antirez's post reminded us that it is important to read the manual and pay attention to the configuration. For Redis that means binding to a non-public interface, setting requirepass, and not running the server as root. Sometimes it is better to lose a day going through the configuration and making sure everything is right than to lose months or years of work, plus the time to fix everything, later on.
Finally, our project showed us that building a tool to help other people can be quite simple and useful for the community.