Redis RU330 Course, Redis Security: Week 2 Study Notes

Introduction and Principle of Least Privilege

Overview and Principle of Least Privilege

Jerome Saltzer, American computer scientist.

Least privilege: Every program and every user of the system should operate using the least set of privileges necessary to complete the job

Least privilege keeps the impact of a compromise to a minimum.

Redis Horror Story #2

Vocabulary: ransom (赎金)
https://duo.com/decipher/over-18000-redis-instances-targeted-by-fake-ransomware
Lessons:

  • Enable authentication or ACLs
  • Do not run Redis as a privileged user (root or a user with sudo rights)
  • Apply the principle of least privilege

Some dangerous commands, such as CONFIG, are completely disabled in Redis Enterprise.

Access Control Lists

The ACL commands belong to the server category:

127.0.0.1:6379> help @server

  ACL CAT [categoryname]
  summary: List the ACL categories or the commands inside a category
  since: 6.0.0

  ACL DELUSER username [username ...]
  summary: Remove the specified ACL users and the associated rules
  since: 6.0.0

  ACL GENPASS [bits]
  summary: Generate a pseudorandom secure password to use for ACL users
  since: 6.0.0

  ACL GETUSER username
  summary: Get the rules for a specific ACL user
  since: 6.0.0

  ACL HELP -
  summary: Show helpful text about the different subcommands
  since: 6.0.0

  ACL LIST -
  summary: List the current ACL rules in ACL config file format
  since: 6.0.0

  ACL LOAD -
  summary: Reload the ACLs from the configured ACL file
  since: 6.0.0

  ACL LOG [count or RESET]
  summary: List latest events denied because of ACLs in place
  since: 6.0.0

  ACL SAVE -
  summary: Save the current ACL rules in the configured ACL file
  since: 6.0.0

  ACL SETUSER username [rule [rule ...]]
  summary: Modify or create the rules for a specific ACL user
  since: 6.0.0

  ACL USERS -
  summary: List the username of all the configured ACL rules
  since: 6.0.0

  ACL WHOAMI -
  summary: Return the name of the user associated to the current connection
  since: 6.0.0

  BGREWRITEAOF -
  summary: Asynchronously rewrite the append-only file
  since: 1.0.0

  BGSAVE [SCHEDULE]
  summary: Asynchronously save the dataset to disk
  since: 1.0.0

  COMMAND -
  summary: Get array of Redis command details
  since: 2.8.13

  COMMAND COUNT -
  summary: Get total number of Redis commands
  since: 2.8.13

  COMMAND GETKEYS -
  summary: Extract keys given a full Redis command
  since: 2.8.13

  COMMAND INFO command-name [command-name ...]
  summary: Get array of specific Redis command details
  since: 2.8.13

  CONFIG GET parameter
  summary: Get the value of a configuration parameter
  since: 2.0.0

  CONFIG RESETSTAT -
  summary: Reset the stats returned by INFO
  since: 2.0.0

  CONFIG REWRITE -
  summary: Rewrite the configuration file with the in memory configuration
  since: 2.8.0

  CONFIG SET parameter value
  summary: Set a configuration parameter to the given value
  since: 2.0.0

  DBSIZE -
  summary: Return the number of keys in the selected database
  since: 1.0.0

  DEBUG OBJECT key
  summary: Get debugging information about a key
  since: 1.0.0

  DEBUG SEGFAULT -
  summary: Make the server crash
  since: 1.0.0

  FLUSHALL [ASYNC]
  summary: Remove all keys from all databases
  since: 1.0.0

  FLUSHDB [ASYNC]
  summary: Remove all keys from the current database
  since: 1.0.0

  INFO [section]
  summary: Get information and statistics about the server
  since: 1.0.0

  LASTSAVE -
  summary: Get the UNIX time stamp of the last successful save to disk
  since: 1.0.0

  LATENCY DOCTOR -
  summary: Return a human readable latency analysis report.
  since: 2.8.13

  LATENCY GRAPH event
  summary: Return a latency graph for the event.
  since: 2.8.13

  LATENCY HELP -
  summary: Show helpful text about the different subcommands.
  since: 2.8.13

  LATENCY HISTORY event
  summary: Return timestamp-latency samples for the event.
  since: 2.8.13

  LATENCY LATEST -
  summary: Return the latest latency samples for all events.
  since: 2.8.13

  LATENCY RESET [event [event ...]]
  summary: Reset latency data for one or more events.
  since: 2.8.13

  LOLWUT [VERSION version]
  summary: Display some computer art and the Redis version
  since: 5.0.0

  MEMORY DOCTOR -
  summary: Outputs memory problems report
  since: 4.0.0

  MEMORY HELP -
  summary: Show helpful text about the different subcommands
  since: 4.0.0

  MEMORY MALLOC-STATS -
  summary: Show allocator internal stats
  since: 4.0.0

  MEMORY PURGE -
  summary: Ask the allocator to release memory
  since: 4.0.0

  MEMORY STATS -
  summary: Show memory usage details
  since: 4.0.0

  MEMORY USAGE key [SAMPLES count]
  summary: Estimate the memory usage of a key
  since: 4.0.0

  MODULE LIST -
  summary: List all modules loaded by the server
  since: 4.0.0

  MODULE LOAD path [arg]
  summary: Load a module
  since: 4.0.0

  MODULE UNLOAD name
  summary: Unload a module
  since: 4.0.0

  MONITOR -
  summary: Listen for all requests received by the server in real time
  since: 1.0.0

  PSYNC replicationid offset
  summary: Internal command used for replication
  since: 2.8.0

  REPLICAOF host port
  summary: Make the server a replica of another instance, or promote it as master.
  since: 5.0.0

  ROLE -
  summary: Return the role of the instance in the context of replication
  since: 2.8.12

  SAVE -
  summary: Synchronously save the dataset to disk
  since: 1.0.0

  SHUTDOWN [NOSAVE|SAVE]
  summary: Synchronously save the dataset to disk and then shut down the server
  since: 1.0.0

  SLAVEOF host port
  summary: Make the server a replica of another instance, or promote it as master. Deprecated starting with Redis 5. Use REPLICAOF instead.
  since: 1.0.0

  SLOWLOG subcommand [argument]
  summary: Manages the Redis slow queries log
  since: 2.2.12

  SWAPDB index1 index2
  summary: Swaps two Redis databases
  since: 4.0.0

  SYNC -
  summary: Internal command used for replication
  since: 1.0.0

  TIME -
  summary: Return the current server time
  since: 2.6.0

ACL Concepts

Redis 6.0 and later support ACLs, which allow multiple users and per-user permissions.

Benefits of ACLs:

  • Restrict commands and keys
  • Limit the impact of a compromise

Users can be assigned roles, for example a read-only role and a read-write role in a Pub/Sub model.
Role-based access control (RBAC) is supported only in Redis Enterprise.

Practical ACLs with Redis

ACL commands at Redis.io

ACL documentation at Redis.io

First, create an administrator user:

acl setuser adm01 on >Welcome1 +@admin

Then log in as the administrator user:

127.0.0.1:6379> auth adm01 Welcome1
OK
127.0.0.1:6379> config get *
  1) "rdbchecksum"
  2) "yes"
  3) "daemonize"
  4) "no"
  ...
127.0.0.1:6379> acl list
1) "user adm01 on #7e19e31ae82d749034fc921f777f717ba5b57c6add9add889eb536ac6effcde0 -@all +@admin"
2) "user default on #1b58ee375b42e41f0e48ef2ff27d10a5b1f6924a9acdcdba7cae868e7adce6bf ~* +@all"

Once an administrator user exists, the default user can be disabled, following the principle of least privilege.

acl setuser default off

Then create a developer user.

acl setuser dev01 on >Welcome1 allcommands -@dangerous +acl|whoami allkeys

Then log in as developer dev01 (in the SETUSER rule, what follows > is the password):

127.0.0.1:6379> auth dev01 Welcome1
OK
127.0.0.1:6379> acl whoami
"dev01"
127.0.0.1:6379> acl list
(error) NOPERM this user has no permissions to run the 'acl' command or its subcommand

127.0.0.1:6379> keys *
(error) NOPERM this user has no permissions to run the 'keys' command or its subcommand
127.0.0.1:6379> config get *
(error) NOPERM this user has no permissions to run the 'config' command or its subcommand
127.0.0.1:6379> set foo bar
OK
127.0.0.1:6379> get foo
"bar"

View the commands that belong to the dangerous category:

127.0.0.1:6379> acl cat dangerous
 1) "role"
 2) "acl"
 3) "swapdb"
 4) "psync"
 5) "debug"
 6) "pfdebug"
 7) "slowlog"
 8) "restore"
 9) "bgrewriteaof"
10) "keys"
11) "bgsave"
12) "latency"
13) "slaveof"
14) "info"
15) "sort"
16) "flushall"
17) "client"
18) "flushdb"
19) "save"
20) "pfselftest"
21) "cluster"
22) "config"
23) "module"
24) "replconf"
25) "lastsave"
26) "migrate"
27) "shutdown"
28) "replicaof"
29) "restore-asking"
30) "monitor"
31) "sync"

View the ACL command categories:

127.0.0.1:6379> acl cat
 1) "keyspace"
 2) "read"
 3) "write"
 4) "set"
 5) "sortedset"
 6) "list"
 7) "hash"
 8) "string"
 9) "bitmap"
10) "hyperloglog"
11) "geo"
12) "stream"
13) "pubsub"
14) "admin"
15) "fast"
16) "slow"
17) "blocking"
18) "dangerous"
19) "connection"
20) "transaction"
21) "scripting"

Finally, create an application user.

acl setuser app01 on >Welcome1 +set +get ~cache:*

Then log in as the application user:

127.0.0.1:6379> auth app01 Welcome1
OK
127.0.0.1:6379> set data:123 hello
(error) NOPERM this user has no permissions to access one of the keys used as arguments
127.0.0.1:6379> set cache:123 hello
OK
127.0.0.1:6379> get cache:123
"hello"

Administering Redis ACLs

Users can be defined in an ACL file; in that case, of course, users must not also be defined in redis.conf at the same time:

$ cat redis.conf |grep ^aclfile
aclfile /home/vagrant/redis-stable/users.acl

# user default on >foobared allcommands allkeys

ACL file contents:

$ cat users.acl
user default off
user adm01 on #7e19e31ae82d749034fc921f777f717ba5b57c6add9add889eb536ac6effcde0 +@admin
user dev01 on #7e19e31ae82d749034fc921f777f717ba5b57c6add9add889eb536ac6effcde0 allcommands -@dangerous +acl|whoami allkeys
user app01 on #7e19e31ae82d749034fc921f777f717ba5b57c6add9add889eb536ac6effcde0 +set +get ~cache:*

Here, what follows # is the password hash, generated with sha256sum:

$ echo -n 'Welcome1'|sha256sum
7e19e31ae82d749034fc921f777f717ba5b57c6add9add889eb536ac6effcde0  -
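To make the rule semantics of the sessions above concrete, here is an added Python model (not Redis code and not part of the course) that evaluates the same rule strings used for adm01, dev01 and app01 and produces the # hash the ACL file stores. The command-category table is a constructed partial subset, the @admin members in it are an assumption, and key patterns are matched with fnmatch as an approximation of Redis globbing.

```python
import fnmatch
import hashlib
# Constructed, partial category table: "dangerous" is a subset of this page's
# `acl cat dangerous` output; the "admin" members are an assumption for illustration.
CATEGORIES = {
    "dangerous": {"acl", "keys", "config", "flushall", "flushdb", "shutdown",
                  "monitor", "debug", "module", "save", "bgsave", "info", "client"},
    "admin": {"acl", "config", "shutdown", "monitor", "debug", "module", "save"},
}
def password_hash(password):
    """SHA-256 hex digest: the form stored after '#' in users.acl."""
    return hashlib.sha256(password.encode()).hexdigest()

class AclUser:
    """Minimal model of Redis 6 ACL evaluation: rules apply in order, last match wins."""
    def __init__(self, name, rule_string):
        self.name, self.enabled = name, False
        self.hashes, self.key_patterns, self.cmd_rules = set(), [], []
        for rule in rule_string.split():
            if rule in ("on", "off"):
                self.enabled = rule == "on"
            elif rule.startswith(">"):      # clear-text password, hashed at SETUSER time
                self.hashes.add(password_hash(rule[1:]))
            elif rule.startswith("#"):      # pre-hashed password, as written in the ACL file
                self.hashes.add(rule[1:])
            elif rule in ("allkeys", "~*"):
                self.key_patterns = ["*"]
            elif rule.startswith("~"):      # glob pattern such as cache:*
                self.key_patterns.append(rule[1:])
            elif rule in ("allcommands", "nocommands"):
                self.cmd_rules.append((rule == "allcommands", "@all"))
            elif rule[0] in "+-":           # +cmd, -cmd, +@category, +cmd|subcommand
                self.cmd_rules.append((rule[0] == "+", rule[1:].lower()))
            else:
                raise ValueError("unsupported rule: " + rule)

    def authenticate(self, password):
        return self.enabled and password_hash(password) in self.hashes

    def can_run(self, cmd, sub=None):
        cmd, allowed = cmd.lower(), False
        for grant, sel in self.cmd_rules:
            if sel == "@all" or (sel.startswith("@") and cmd in CATEGORIES.get(sel[1:], ())):
                allowed = grant
            elif sel == cmd or (sub and sel == f"{cmd}|{sub.lower()}"):
                allowed = grant
        return allowed

    def can_access_key(self, key):
        return any(fnmatch.fnmatchcase(key, p) for p in self.key_patterns)
```

With the dev01 rule string, `can_run("acl", "list")` is denied while `can_run("acl", "whoami")` is allowed, reproducing the NOPERM results in the session above.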

After enabling ACLs, some system parameters need to be changed, such as open files. See here for the procedure.

Newly created users are also stored in the ACL file:

$ redis-cli
127.0.0.1:6379> auth adm01 Welcome1
OK
127.0.0.1:6379> acl setuser user01 on >Welcome1 +@admin
OK
127.0.0.1:6379> acl list
1) "user adm01 on #7e19e31ae82d749034fc921f777f717ba5b57c6add9add889eb536ac6effcde0 -@all +@admin"
2) "user app01 on #7e19e31ae82d749034fc921f777f717ba5b57c6add9add889eb536ac6effcde0 ~cache:* -@all +set +get"
3) "user default off -@all"
4) "user dev01 on #7e19e31ae82d749034fc921f777f717ba5b57c6add9add889eb536ac6effcde0 ~* +@all -@dangerous +acl|whoami"
5) "user user01 on #7e19e31ae82d749034fc921f777f717ba5b57c6add9add889eb536ac6effcde0 -@all +@admin"
127.0.0.1:6379> acl save
OK
127.0.0.1:6379> acl save
OK
127.0.0.1:6379> exit
[vagrant@ol7-vagrant redis-stable]$ cat users.acl
user adm01 on #7e19e31ae82d749034fc921f777f717ba5b57c6add9add889eb536ac6effcde0 -@all +@admin
user app01 on #7e19e31ae82d749034fc921f777f717ba5b57c6add9add889eb536ac6effcde0 ~cache:* -@all +set +get
user default off -@all
user dev01 on #7e19e31ae82d749034fc921f777f717ba5b57c6add9add889eb536ac6effcde0 ~* +@all -@dangerous +acl|whoami
user user01 on #7e19e31ae82d749034fc921f777f717ba5b57c6add9add889eb536ac6effcde0 -@all +@admin

ACL LOAD can load the ACL file into a production Redis instance.

Security Tip #2: Dangerous Commands

Dangerous commands fall into 3 categories:

  • Administrative commands that create security risks, such as CONFIG and LASTSAVE
  • Commands that affect performance, such as KEYS
  • Commands that affect availability, such as FLUSHDB, FLUSHALL and SHUTDOWN

Security Tip #3: Redis Logging

Security-related logs include the ACL log and the Redis server log.
The ACL log records every failed ACL attempt, covering authentication, command execution and key access. It is kept in memory, 128 entries by default, and ACL LOG displays it.
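As an added example of using the ACL log defensively (not from the course), the following Python aggregates constructed ACL LOG entries, laid out with the fields Redis 6 returns (count, reason, context, object, username, age-seconds, client-info), into per-user, per-address counts and flags repeated AUTH failures:

```python
from collections import defaultdict

# Constructed sample entries in the shape Redis 6 returns for ACL LOG
# (not captured from a real server): one map per denied event.
SAMPLE_ACL_LOG = [
    {"count": 1, "reason": "command", "context": "toplevel", "object": "acl",
     "username": "dev01", "age-seconds": 12.5, "client-info": "id=5 addr=127.0.0.1:50012 fd=8"},
    {"count": 1, "reason": "key", "context": "toplevel", "object": "data:123",
     "username": "app01", "age-seconds": 8.0, "client-info": "id=6 addr=127.0.0.1:50020 fd=9"},
    {"count": 40, "reason": "auth", "context": "toplevel", "object": "AUTH",
     "username": "adm01", "age-seconds": 3.0, "client-info": "id=9 addr=10.0.0.77:41234 fd=10"},
    {"count": 3, "reason": "command", "context": "toplevel", "object": "config",
     "username": "app01", "age-seconds": 1.0, "client-info": "id=6 addr=127.0.0.1:50020 fd=9"},
]

def client_addr(client_info):
    """Pull the addr=host:port field out of a client-info string."""
    for field in client_info.split():
        if field.startswith("addr="):
            return field[len("addr="):]
    return "unknown"

def summarize_acl_log(entries, auth_threshold=10):
    """Aggregate denials per (user, address, reason). Repeated AUTH failures at or
    above auth_threshold are raised as ALERT (password guessing); command and key
    denials are reported as NOTE so a defender can see which rule a client hit."""
    totals = defaultdict(int)
    objects = defaultdict(set)
    for e in entries:
        key = (e["username"], client_addr(e["client-info"]), e["reason"])
        totals[key] += e["count"]
        objects[key].add(e["object"])
    findings = []
    for (user, addr, reason), n in sorted(totals.items()):
        what = ",".join(sorted(objects[(user, addr, reason)]))
        if reason == "auth" and n >= auth_threshold:
            findings.append(f"ALERT {user}@{addr}: {n} failed AUTH attempts (possible password guessing)")
        elif reason in ("command", "key"):
            findings.append(f"NOTE {user}@{addr}: {n} denied {reason} access ({what})")
    return findings
```

Because the log is in-memory and capped at 128 entries, a job like this should run ACL LOG regularly and ship the findings to the server log or a SIEM before entries age out.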

The information in the Redis log file is useful for debugging and troubleshooting; 4 log levels can be configured in redis.conf:

  • WARNING
  • NOTICE
  • VERBOSE
  • DEBUG

Logs can also be sent to a remote syslog server; see the syslog-enabled, syslog-ident and syslog-facility parameters.

An Attacker’s Perspective

Vocabulary: hit the jackpot (中头彩)

There are two kinds of attackers. First, the data-stealing kind:

# Get a rough picture of the keys
SCAN 0 COUNT 5
# List the keys in detail
KEYS *
# Watch every command
MONITOR
# Check the type of a key
TYPE <keyname>
# Read the data with the command for that type
HGETALL <keyname>
# Create a user for later logins
ACL SETUSER appuser on >password +@all ~*

Next, the destructive kind:

# Migrate the data to another Redis
MIGRATE ...
# Delete the data
FLUSHALL