Skip to content

Instantly share code, notes, and snippets.

@antirez
Last active November 26, 2020 07:18
Show Gist options
  • Save antirez/12d60c950fbfd8c8837e to your computer and use it in GitHub Desktop.
Save antirez/12d60c950fbfd8c8837e to your computer and use it in GitHub Desktop.
For white hat hackers setting passwords to open Redis instances

Dear white hat attackers,

recently we observed a number of Redis instances that were targeted by a simple attack, consisting in setting a password using the CONFIG SET requirepass <password> command to instances which are left open on the internet.

This is, in my opinion, a good idea, since those Redis instances are going to be cracked anyway. I believe you are doing this in order to make Redis users aware they forgot to setup firewalling rules in order to make their instances not reachable from the outside.

However you should NOT DO IT since it is NOT LEGAL, and you may incur into very bad consequences for doing this. However if you will not stop doing this, here are a few tips in order to mitigate the side effects this has in the attacked instances.

Your attack causes a DOS, but is better than the DOS with possible data loss, and unauthorized access to the instance, that a real attack will cause. The reason why those instances are going to be cracked anyway is that after I published an example attack against Redis left open, a number of attackers activated to exploit it, we get reports every day.

However you can improve your script in order to provide more clues to the people you are targeting:

  1. You may set a message, as the password itself, by usign CONFIG SET requirepass "your instance is left open on the internet, please setup firewalling". Followed by CONFIG REWRITE in order to persist the configuration in redis.conf. People will check their configuration file after seeing the -AUTH errors, and will understand what is happening.

  2. You may want to also send a Lua script using the redis.log() command, in order to also leave a similar message on the Redis log. Something like this works:

    EVAL 'redis.log(redis.LOG_WARNING,"Your Message Here")' 0

This way we can allow people to more promptly understand what happened and recover. Also if possible, you should try to concentrate your attacks in the time of day in the intersection of office hours of the most countries where you believe you'll have an impact, so the DOS is not performed during night, which may result into people having to be called in the middle of the night to fix stuff.

EDIT: Please make sure, if you set a password which is a message, to also add some random string at the end so that it's not guessable by an external attacker.

Regards, Salvatore

@Acidcow
Copy link

Acidcow commented Dec 22, 2015

I Applaud your faith in the hacker community and mankind in general. I can also understand the need for a letter like this for those installations out there that are running and unlikely to be upgraded or attended to any time soon.

...but, why not simply bolt in some additional safety checks for Redis to automatigically detect such a state and alert the admin/user to the issue and provide documentation (or link thereto) to resolve the issue OR up-front during installation/setup simply bolster down the necessary security as a required step.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment