• 关于 Redis 访问安全性的问题


    升级版本

    3.0.2 版本升级到 redis-3.2.0 版本远程无法访问,比较配置文件有些变化,比如默认只能本地的机器才能访问

    3.0.2 版本
    # By default Redis listens for connections from all the network interfaces
    # available on the server. It is possible to listen to just one or multiple
    # interfaces using the "bind" configuration directive, followed by one or
    # more IP addresses.
    #
    # Examples:
    #
    # bind 192.168.1.100 10.0.0.1
    # bind 127.0.0.1

    redis-3.2.0版本
    # By default, if no "bind" configuration directive is specified, Redis listens
    # for connections from all the network interfaces available on the server.
    # It is possible to listen to just one or multiple selected interfaces using
    # the "bind" configuration directive, followed by one or more IP addresses.
    #
    # Examples:
    #
    # bind 192.168.1.100 10.0.0.1
    # bind 127.0.0.1 ::1
    #
    # ~~~ WARNING ~~~ If the computer running Redis is directly exposed to the
    # internet, binding to all the interfaces is dangerous and will expose the
    # instance to everybody on the internet. So by default we uncomment the
    # following bind directive, that will force Redis to listen only into
    # the IPv4 lookback interface address (this means Redis will be able to
    # accept connections only from clients running into the same computer it
    # is running).
    #
    # IF YOU ARE SURE YOU WANT YOUR INSTANCE TO LISTEN TO ALL THE INTERFACES
    # JUST COMMENT THE FOLLOWING LINE.
    # ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    # bind 127.0.0.1

    # Protected mode is a layer of security protection, in order to avoid that
    # Redis instances left open on the internet are accessed and exploited.
    #
    # When protected mode is on and if:
    #
    # 1) The server is not binding explicitly to a set of addresses using the
    #    "bind" directive.
    # 2) No password is configured.
    #
    # The server only accepts connections from clients connecting from the
    # IPv4 and IPv6 loopback addresses 127.0.0.1 and ::1, and from Unix domain
    # sockets.
    #
    # By default protected mode is enabled. You should disable it only if
    # you are sure you want clients from other hosts to connect to Redis
    # even if no authentication is configured, nor a specific set of interfaces
    # are explicitly listed using the "bind" directive.
    protected-mode yes

    安全
    ##Redis 配置
    http://redis.io/download
    http://redis.io/documentation
    ######编译包
    yum update
    yum -y install gcc gcc-c++ autoconf automake make
    ######下载编译

    wget http://download.redis.io/releases/redis-3.2.0.tar.gz
    tar xzf redis-3.2.0.tar.gz
    cd redis-3.2.0
    make

    ######编译测试
    yum install tcl
    make test
    ######注释bind
    # bind 127.0.0.1
    ######守护进程启动
    daemonize yes
    #保护模式[无密码模式设置为no]
    protected-mode no
    #设置密码
    requirepass test
    ######数据文件路径
    dir /opt/data/
    ######日志文件路径
    logfile "/opt/data/redis.log"
    ######缓存数据名称
    dbfilename dump.rdb
    #查看防火墙关闭状态
    service iptables status
    ######关闭命令
    service iptables stop
    ######永久关闭防火墙
    chkconfig iptables off
    ######主从
    配置一个从服务器非常简单,只要在配置文件中增加以下的这一行就可以了:
    slaveof 192.168.210.31 6379
    SLAVEOF 192.168.210.31 6379
    ######启动
    src/redis-server /opt/redis-3.2.0/redis.conf
    ######测试
    $ src/redis-cli
    redis> set foo bar
    OK
    redis> get foo
    "bar"
    ######查看进程
    ps -ef | grep redis
    ######杀死进程
    kill -9 25946

    监控

    监控是使用的Opserver,启用了密码后,官方也没有相关配置的文档,调试了代码,强制设置了默认的密码。

    image

    REFER:
    请务必注意 Redis 安全配置,否则将导致轻松被入侵
    https://ruby-china.org/topics/28094
    记一次Redis被攻击的事件
    http://www.cnblogs.com/yangecnu/p/An-Production-Accidents-Caused-by-Redis-Attacked.html
    Redis 未授权访问缺陷可轻易导致系统被黑
    http://www.oschina.net/news/67975/redis-defect
    Redis3.0与3.2文件对比
    https://carlosfu.iteye.com/blog/2303254

  • 相关阅读:
    thinkinginjava学习笔记07_多态
    thinkinginjava学习笔记06_复用类
    thinkinginjava学习笔记05_访问权限
    thinkinginjava学习笔记04_初始化与清理
    thinkinginjava学习笔记03_基本语法
    thinkinginjava学习笔记02_对象
    关于药物刺激引起的突变
    通路共出现
    关于reference-free去卷积
    一些研究生期间的反思
  • 原文地址:https://www.cnblogs.com/Irving/p/5590691.html
Copyright © 2020-2023  润新知