Feature #602
redis security countermeasures
| Status: | Commercial release | Start date: | 2015/12/11 |
|---|---|---|---|
| Priority: | Normal | Due date: | |
| Assignee: | 山本 義治 | % Done: | 0% |
| Category: | Server environment setup | Spent time: | - |
| Target version: | - | | |
Description
Symptoms
An external user appears to have connected to redis and overwritten the password (the application's own client is now rejected with NOAUTH).
[redis.log]
2015/12/11 01:41:08 [error] 5143#0: *3389 [lua] event_set.lua:134: failed to get redis key: NOAUTH Authentication required., client: 110.132.122.227, server: ad.i-joji.com, request: "GET /event/set?app_id=halooandroid&app_key=8GMqtuiy7Q28a9YM&user_id=db3da703-7c28-49c7-812d-3d40a9e5aa8d&event_type=ad&label=ad_view HTTP/1.1", host: "ad.i-joji.com"
Countermeasures
・Enable auth (password authentication)
・Restrict bind addresses
bind 127.0.0.1 192.168.1.3
・Restrict source IPs with iptables
http://redis.io/topics/security
http://antirez.com/news/96
http://cocopoo.com/2015/11/crackredis-io/
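As an added example that is not part of this ticket, the following POSIX shell script checks a redis.conf for the first two countermeasures above (auth and bind) and prints the iptables rules for the third. The two sample configs, the temp file paths, the placeholder password and the allowed host 192.168.1.2 are constructed assumptions; 192.168.1.3 is taken from the bind line above.

```shell
#!/bin/sh
# Added example, not part of the ticket: audit a redis.conf for the auth and
# bind countermeasures and emit iptables rules for the IP restriction.
# Sample configs, temp paths and allowed hosts below are constructed.

# audit_redis_conf FILE
# Prints one line per check; exit status 0 only if both checks pass.
audit_redis_conf() {
    conf="$1"
    rc=0

    # Check 1 (auth): an uncommented requirepass line with a non-empty value.
    # Without it, any client that can reach the port can set its own
    # password, which is what locked the application out in this incident.
    if awk 'tolower($1)=="requirepass" && $2!="" {found=1}
            END{if (found) exit 0; exit 1}' "$conf"; then
        echo "OK   requirepass is set"
    else
        echo "FAIL requirepass missing"
        rc=1
    fi

    # Check 2 (bind): a bind line must exist and must not be a wildcard.
    # The last uncommented bind line is the one that is used.
    bind_addrs=$(awk 'tolower($1)=="bind" {$1=""; last=$0} END{print last}' "$conf")
    if [ -z "$bind_addrs" ]; then
        echo "FAIL no bind line: redis listens on every interface"
        rc=1
    else
        case " $bind_addrs " in
            *" 0.0.0.0 "*|*" * "*|*" :: "*)
                echo "FAIL bind includes a wildcard:$bind_addrs"
                rc=1 ;;
            *)
                echo "OK   bind restricted to:$bind_addrs" ;;
        esac
    fi
    return "$rc"
}

# redis_iptables_rules PORT SRC...
# Prints an iptables rule set: accept PORT from each SRC, drop everything else.
# It only prints; review the output before applying it on a host.
redis_iptables_rules() {
    port="$1"; shift
    for src in "$@"; do
        echo "iptables -A INPUT -p tcp --dport $port -s $src -j ACCEPT"
    done
    echo "iptables -A INPUT -p tcp --dport $port -j DROP"
}

# Constructed sample configs: the exposed state before the fix, and the fixed one.
WEAK_CONF=$(mktemp)
cat > "$WEAK_CONF" <<'EOF'
# requirepass foobared
bind 0.0.0.0
port 6379
EOF

HARDENED_CONF=$(mktemp)
cat > "$HARDENED_CONF" <<'EOF'
requirepass REPLACE_WITH_LONG_RANDOM_PASSWORD
bind 127.0.0.1 192.168.1.3
port 6379
EOF

echo "== weak config =="
audit_redis_conf "$WEAK_CONF" || echo "-> audit failed"
echo "== hardened config =="
audit_redis_conf "$HARDENED_CONF" && echo "-> audit passed"
echo "== iptables rules for 6379 (hypothetical allowed hosts) =="
redis_iptables_rules 6379 192.168.1.2 192.168.1.3
```

Run it as `sh audit.sh` on a host; point `audit_redis_conf` at the real /etc/redis/redis.conf (or wherever the server loads its config from) instead of the constructed files. The bind check alone is not enough, which is why the ticket lists all three: a host that only binds to its LAN address is still reachable by anything on that LAN unless iptables limits the sources, and a password is what protects the instance if either network control is misconfigured.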
History
#1 Updated by 山本 義治 about 10 years ago
redis-server restart
```
[root@ad1 admin]# /etc/init.d/redis stop
Stopping ...
(error) NOAUTH Authentication required.
Waiting for Redis to shutdown ...
Waiting for Redis to shutdown ...
Waiting for Redis to shutdown ...
Waiting for Redis to shutdown ...
[root@ad1 admin]# cat /var/run/redis_6379.pid
1536
[root@ad1 admin]# redis-cli -p 6379 shutdown
(error) NOAUTH Authentication required.
[root@ad1 admin]# service redis-server restart
redis-server: 認識されていないサービスです。
[root@ad1 admin]# kill -9 1536
[root@ad1 admin]# rm /var/run/redis_6379.pid
[root@ad1 admin]# /etc/init.d/redis start
Starting Redis server...
[root@ad1 admin]# ps ax | grep redis
7589 ?        Ssl    0:00 /usr/local/bin/redis-server *:6379
7594 pts/0    S+     0:00 grep redis
[root@ad1 admin]# redis-cli
127.0.0.1:6379> keys *
(empty list or set)
127.0.0.1:6379> ping
PONG
```
#5 Updated by 山本 義治 about 10 years ago
Changed datadog configuration
[root@ad1 admin]# vi /etc/dd-agent/conf.d/redisdb.yaml
password: ******
[root@ad1 admin]# /etc/init.d/datadog-agent info
===================
Collector (v 5.6.1)
===================
Status date: 2015-12-17 16:42:44 (12s ago)
Pid: 28217
Platform: Linux-2.6.32-573.7.1.el6.x86_64-x86_64-with-centos-6.7-Final
Python Version: 2.7.10
Logs: <stderr>, /var/log/datadog/collector.log, syslog:/dev/log
Clocks
======
NTP offset: -0.003 s
System UTC time: 2015-12-17 07:42:57.391871
Paths
=====
conf.d: /etc/dd-agent/conf.d
checks.d: /opt/datadog-agent/agent/checks.d
Hostnames
=========
socket-hostname: ad1.i-joji.com
ec2-hostname: ad1.i-joji.com
hostname: ad1.i-joji.com
socket-fqdn: ad1.i-joji.com
Checks
======
network
-------
- instance #0 [OK]
- Collected 21 metrics, 0 events & 1 service check
ntp
---
- Collected 0 metrics, 0 events & 1 service check
nginx
-----
- instance #0 [OK]
- Collected 7 metrics, 0 events & 2 service checks
redisdb
-------
- instance #0 [ERROR]: 'NOAUTH Authentication required.'
- Collected 0 metrics, 0 events & 2 service checks
- Dependencies:
- redis: 2.10.3
disk
----
- instance #0 [OK]
- Collected 24 metrics, 0 events & 1 service check
Emitters
========
- http_emitter [OK]
===================
Dogstatsd (v 5.6.1)
===================
Status date: 2015-12-17 16:42:55 (2s ago)
Pid: 28215
Platform: Linux-2.6.32-573.7.1.el6.x86_64-x86_64-with-centos-6.7-Final
Python Version: 2.7.10
Logs: <stderr>, /var/log/datadog/dogstatsd.log, syslog:/dev/log
Flush count: 292913
Packet Count: 0
Packets per second: 0.0
Metric count: 1
Event count: 0
Service check count: 0
===================
Forwarder (v 5.6.1)
===================
Status date: 2015-12-17 16:42:57 (1s ago)
Pid: 28216
Platform: Linux-2.6.32-573.7.1.el6.x86_64-x86_64-with-centos-6.7-Final
Python Version: 2.7.10
Logs: <stderr>, /var/log/datadog/forwarder.log, syslog:/dev/log
Queue Size: 0 bytes
Queue Length: 0
Flush Count: 942205
Transactions received: 445643
Transactions flushed: 445643
[root@ad1 admin]# /etc/init.d/datadog-agent restart
Stopping Datadog Agent (using killproc on supervisord): [ OK ]
Starting Datadog Agent (using supervisord): [ OK ]
[root@ad1 admin]# /etc/init.d/datadog-agent info
===================
Collector (v 5.6.1)
===================
Status date: 2015-12-17 16:43:15 (2s ago)
Pid: 9439
Platform: Linux-2.6.32-573.7.1.el6.x86_64-x86_64-with-centos-6.7-Final
Python Version: 2.7.10
Logs: <stderr>, /var/log/datadog/collector.log, syslog:/dev/log
Clocks
======
NTP offset: -0.0003 s
System UTC time: 2015-12-17 07:43:17.371947
Paths
=====
conf.d: /etc/dd-agent/conf.d
checks.d: /opt/datadog-agent/agent/checks.d
Hostnames
=========
socket-hostname: ad1.i-joji.com
hostname: ad1.i-joji.com
socket-fqdn: ad1.i-joji.com
Checks
======
network
-------
- instance #0 [OK]
- Collected 0 metrics, 0 events & 1 service check
ntp
---
- instance #0 [OK]
- Collected 1 metric, 0 events & 2 service checks
nginx
-----
- instance #0 [OK]
- Collected 4 metrics, 0 events & 2 service checks
redisdb
-------
- instance #0 [OK]
- Collected 29 metrics, 0 events & 2 service checks
disk
----
- instance #0 [OK]
- Collected 24 metrics, 0 events & 1 service check
Emitters
========
- http_emitter [OK]
===================
Dogstatsd (v 5.6.1)
===================
Status date: 2015-12-17 16:43:09 (8s ago)
Pid: 9437
Platform: Linux-2.6.32-573.7.1.el6.x86_64-x86_64-with-centos-6.7-Final
Python Version: 2.7.10
Logs: <stderr>, /var/log/datadog/dogstatsd.log, syslog:/dev/log
Flush count: 0
Packet Count: 0
Packets per second: 0
Metric count: 0
Event count: 0
Service check count: 0
===================
Forwarder (v 5.6.1)
===================
Status date: 2015-12-17 16:43:19 (0s ago)
Pid: 9438
Platform: Linux-2.6.32-573.7.1.el6.x86_64-x86_64-with-centos-6.7-Final
Python Version: 2.7.10
Logs: <stderr>, /var/log/datadog/forwarder.log, syslog:/dev/log
Queue Size: 0 bytes
Queue Length: 0
Flush Count: 3
Transactions received: 1
Transactions flushed: 1