Downloaded 13 times
![Examples
#<username> <password> [<acl> <acl> … <acl>]
charsyam "my password" +#all
client "my password" +#readonly
default "" +ping +info
charsyam can execute all commands
client can execute only readonly commands
default user only can run ping and info commands
- default is a user permission before auth step.](https://image.slidesharecdn.com/redisacl-180530113710/85/Redis-acl-23-320.jpg)
Uploaded byDaeMyung Kang
Redis acl
This document discusses Redis access control and the Redis ACL protocol version 1 (RCP1). It provides background on security issues with exposing Redis and Memcached servers publicly without authentication. RCP1 aims to address limitations of the existing requirepass authentication by defining user permissions through command groups and implementing access control using bit arrays. The presenter then demonstrates RCP1.
Redis acl
- 1. Redis ACL -RCP 1 DaeMyung Kang (charsyam@naver.com)
- 2. Who am I? •Software Engineer At Udemy • Redis Contributor • Redis Document Project Committer • https://github.com/antirez/redis-doc • Speaker in RedisConf 2016 • TroubleShooting Redis
- 3. Agenda • What happenedwithout Authentication for Redis? • What is current Redis ACL? • What is RCP1
- 4. What happened without Authenticationfor Redis?
- 5.
- 6. Memcrashed • Memcached DDOSissue not Redis • Memcached is high-performance In-Memory K-V Store • Memcached opened UDP port as Default(11211 port). • Memcached doesn't support Authentication. • It web patched in 28 Feb, 2018
- 7. Memcrashed Attacker Victim UDP Servers UDP Servers UDP Servers 1. IP spoofedRequests They can't verify UDP source 2. Legitimate UDP Response Victim receives huge traffic from Memcached servers
- 8.
- 9. Redis in public •Redis opens 6379 port in public. • Redis runs with Root Permission. • Redis runs without requirepass.
- 10. You are ready tobe Hacked
- 11. How to hackRedis • Using RDB Saving • I don't want to show you the detail steps.
- 12. How to hackRedis #2
- 13. How to hackRedis #3
- 14. Never expose Your Redisin Public
- 15. Redis Status(2018/05/30 :Today) • Globally 17,153 Redis Servers are in Public
- 16. Memcached Status(2018/05/30 :Today) • Globally 37,839 Memcached Servers are in Public
- 17. What is currentRedis ACL?
- 18.
- 19. Limitation of requirepass •if you know password, you can run all commands. • O(N) Commands • KEYS • FLUSHALL • LREM
- 20. rename-command • We canchange command name to another. • or can Disable it • But sometimes we need to use disabled commands for management. • if someone know changed commands • All people will know them. • Still someone can make mistake.
- 21.
- 22. ACL : AccessControl List • Specify who has granted access to objects • In Redis • Specify who is granted to execute specific commands
- 23. Examples #<username> <password> [<acl><acl> … <acl>] charsyam "my password" +#all client "my password" +#readonly default "" +ping +info charsyam can execute all commands client can execute only readonly commands default user only can run ping and info commands - default is a user permission before auth step.
- 24. auth example auth <username><password>
- 25. Command Groups Command Command #readonly#zset #write #hash #slow #hyperloglog #admin #scan #string #pubsub #list #transaction #set #scripting
- 26.
- 27. bit arrays forcommands #1 Command Group Command Index in BitArray
- 28. ACL BitArray module 0 Get 1 Set 1 Setnx 0 Setex 0 … …… This user can't use module command
- 29. ACL BitArray Module 0 Get 1 Set 1 Setnx 0 Setex 0 … …… This user can use Get command
- 30. bit arrays forcommands #2 64 * 4 256 bits typedef unsigned long long acl_t;
- 31. bit arrays forcommands #3
- 32. How we canuse?
- 33.
- 34. Some Issues forRedis Security • SSL/TLS supporting • Periodic Password Changing
- 35.
- 36.