Sensitive data and encryption protection
1. Password saving (important)
Security issue: In native Redis, the server passwords requirepass and masterauth are saved in clear text in redis.conf.
Solution: The server password is stored in redis.conf as a PBKDF2 hash instead of clear text.
Because running PBKDF2 on every authentication would be too slow, a compromise was chosen after review: once the first authentication succeeds, a SHA256 digest is cached in memory, and subsequent requests are verified against that SHA256 digest first.
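The two-tier check described above, as an added example that is not the product's own code: the stored record format, the iteration count, the salt-keyed SHA256 cache and the AuthCache class are all assumptions. A wrong password that misses the cache still falls through to the slow PBKDF2 path, so the cache speeds up legitimate clients without making guessing cheaper.

```python
import hashlib
import hmac
import os

# Constructed parameters for this example (not the product's real values).
PBKDF2_ITERATIONS = 100_000
SALT_LEN = 16

def make_pbkdf2_record(password: str) -> str:
    """Build the value kept in redis.conf: algorithm$iterations$salt$hash (hex fields)."""
    salt = os.urandom(SALT_LEN)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2-sha256${PBKDF2_ITERATIONS}${salt.hex()}${dk.hex()}"

def verify_pbkdf2(password: str, record: str) -> bool:
    """Slow path: recompute PBKDF2 with the stored salt and compare in constant time."""
    _algo, iters, salt_hex, dk_hex = record.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)

class AuthCache:
    """PBKDF2 on the first successful AUTH, a SHA256 comparison for every later one."""

    def __init__(self, stored_record: str):
        self.stored_record = stored_record
        self.cached_sha256 = None   # filled only after a successful PBKDF2 check
        self.pbkdf2_calls = 0       # counter showing where the expensive work happens

    def _fast_digest(self, password: str) -> bytes:
        # Keyed with the record's salt so the cached value is not a bare SHA256(password).
        salt_hex = self.stored_record.split("$")[2]
        return hashlib.sha256(bytes.fromhex(salt_hex) + password.encode()).digest()

    def authenticate(self, password: str) -> bool:
        if self.cached_sha256 is not None:
            if hmac.compare_digest(self._fast_digest(password), self.cached_sha256):
                return True
            # Cache miss: fall through to PBKDF2 rather than trusting the cache alone.
        self.pbkdf2_calls += 1
        if verify_pbkdf2(password, self.stored_record):
            self.cached_sha256 = self._fast_digest(password)
            return True
        return False
```

Whenever the password is changed, the cached digest must be dropped (set cached_sha256 back to None) or the old password keeps working until restart.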
2. Support key replacement (important)
Security issue: The secret keys used for encryption and decryption must not be hard-coded in the code.
Solution: The secret key supports regular replacement.
➤ redis server (redis-server):
Add the configuration item cipher-dir to the configuration file.
Set it to the full path of the directory containing redis_shared.key and root.key, for example: cipher-dir /opt/redis/etc/cipher
➤ redis client (redis-cli):
Add the parameter -cipherdir, pointing to the full path of the directory containing redis_shared.key and root.key.
For example: redis-cli -h 127.0.0.1 -cipherdir /opt/redis/etc/cipher -a sessionrdb@dbuser@Changeme_123 -p 32091
➤ redis client-side SDK (jedis*.jar):
Similarly, the Jedis interface takes the credential as a string in the form dbname@user@pwd, because a third-party interface (similar to JDBC) cannot be changed to accept an encrypted form.
3. Password transmission (important)
Security issue: In native Redis, a client can read sensitive server information through the config get command.
Solution: Sensitive information such as passwords must never be sent to the client, so functions such as config get requirepass/masterauth/requireuserpass must be disabled.
4. Password modification (important)
Security issue: The password change is transmitted in plain text: config set masterauth pwd
Solution: To address Redis holding the plain-text password in memory, masterauth is encrypted with AES128 and the password is kept in AES128-encrypted form.
Password security
1. The product enables the database password complexity check function by default
Security issue: Redis performs no complexity check when the password is changed.
Solution: Provide a separate Redis tool for changing the password, paying particular attention to the following points:
1. Perform a password complexity check.
2. When entering an incorrect username or password, no overly clear reason prompts such as "Password is wrong" or "Username does not exist" should appear to prevent attackers from guessing the system username/password.
3. To change the password, verify the old password.
4. The database password cannot be the same as the username.
5. Hide the password when changing the password interactively.
6. It is recommended in the documentation to change the password interactively.
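The checks in points 1 to 5 as an added example, not the product's password tool: the minimum length, the three-of-four character classes, the verify_old/store_new callbacks and the message texts are assumptions, since the page does not state the exact policy.

```python
import getpass  # hides the password when the tool is used interactively
import re

GENERIC_ERROR = "Authentication failed"   # never reveal whether the user or the password was wrong

# Constructed policy for this example; the product's exact complexity rules are not stated.
MIN_LEN = 8
CHAR_CLASSES = [r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"]

def complexity_errors(username, new_password):
    """Return the policy violations for new_password; an empty list means it is acceptable."""
    errors = []
    if len(new_password) < MIN_LEN:
        errors.append(f"at least {MIN_LEN} characters required")
    if sum(1 for cls in CHAR_CLASSES if re.search(cls, new_password)) < 3:
        errors.append("needs three of: lowercase, uppercase, digit, symbol")
    if new_password.lower() == username.lower():
        errors.append("password must not be the same as the username")
    return errors

def change_password(verify_old, store_new, username, old_password, new_password):
    """verify_old(username, pwd) -> bool checks the current credential (for example against
    the PBKDF2 record in redis.conf); store_new(username, pwd) persists the new one."""
    if not verify_old(username, old_password):
        return False, GENERIC_ERROR        # same text for unknown user and wrong password
    errors = complexity_errors(username, new_password)
    if errors:
        return False, "Password rejected: " + "; ".join(errors)
    store_new(username, new_password)
    return True, "Password changed"

if __name__ == "__main__":
    # Interactive use: the prompts hide the typed passwords, as the page recommends.
    current = {"dbuser": "OldPass_123"}   # constructed stand-in for the real credential store
    user = input("username: ")
    ok, msg = change_password(lambda u, p: current.get(u) == p, current.__setitem__, user,
                              getpass.getpass("old password: "), getpass.getpass("new password: "))
    print(msg)
```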
2. To prevent brute force cracking, configure the number of failed account login attempts
Security issue: Native Redis is vulnerable to brute-force cracking.
Solution: Maximum number of failures: maxauthfailtimes (unit: times, valid range (0, 100000], default value 10000)
This setting can only be configured through redis.conf at startup; it cannot be changed dynamically, and the corresponding config set operation is disabled.
Setting it to 0 is not supported (0 would mean that no IP is ever locked).
3. Configure the automatic unlocking time after the account is locked
Authentication failure lock time: authfaillocktime (unit: minutes, valid range [0, 999], default value 10)
When set to 0, the lock is permanent.
Note: This configuration item is only supported in redis.conf at startup; it cannot be changed dynamically, and the corresponding config set is blocked.
4. Check the locked IP
Problem: After an IP has been locked, the locked IPs need to be viewable.
Solution:
Only administrators can view the locked IP list; entries are separated by an ASCII colon (:).
Example 1: config get lockedips
Return: 10.67.147.111;10.67.147.112;
Example 2: config get lockedips
Return: 10.67.147.111;
Note: config set lockedips is not supported; if attempted, the error ERR Unsupported CONFIG parameter : lockedips is returned.
5. Manually unlocking locked IPs
Only the administrator can execute the unlock command, and it supports unlocking either a single IP or all IPs.
Solution:
Example 1, unlock a single IP: config set unlockips 10.67.147.111
Example 2, unlock all IPs: config set unlockips "all"
Description: config get unlockips is not supported; if attempted, an empty result is returned and redis-cli shows: (empty list or set)
If the IP given as the parameter is not a currently locked IP, an unlock failure is returned, for example:
(error) ERR Invalid argument '10.67.147.111' for CONFIG SET 'unlockips '
A manual unlock is recorded in the log trace, for example:
26 Dec 03:15:19.958 * 10.67.147.113 unlocked by 10.67.147.111:59417
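A per-IP lockout that follows the rules of sections 2 to 5, added here as an example and not taken from the product: consecutive AUTH failures up to maxauthfailtimes lock the source IP, authfaillocktime 0 means a permanent lock, the two parameters are validated against the stated ranges, and config get lockedips / config set unlockips behave as the examples above show. The class, its method names and the injectable clock are assumptions; the product's real implementation is not on the page.

```python
import time

class AuthFailLocker:
    def __init__(self, maxauthfailtimes=10000, authfaillocktime=10, clock=time.time):
        if not 0 < maxauthfailtimes <= 100_000 or not 0 <= authfaillocktime <= 999:
            raise ValueError("maxauthfailtimes in (0, 100000], authfaillocktime in [0, 999]")
        self.max_fail = maxauthfailtimes
        self.lock_seconds = authfaillocktime * 60    # 0 means permanent lock
        self.clock = clock                           # injectable for testing
        self.failures, self.locked = {}, {}          # ip -> fail count; ip -> unlock ts or None

    def _unlock(self, ip):
        self.locked.pop(ip, None)
        self.failures.pop(ip, None)

    def is_locked(self, ip):
        if ip not in self.locked:
            return False
        until = self.locked[ip]
        if until is not None and self.clock() >= until:
            self._unlock(ip)              # automatic unlock after authfaillocktime
            return False
        return True

    def record_auth(self, ip, success):
        """Call after each AUTH attempt; returns True if the IP is (now) locked."""
        if self.is_locked(ip):
            return True                   # a locked IP is refused even with the right password
        if success:
            self.failures.pop(ip, None)
            return False
        self.failures[ip] = self.failures.get(ip, 0) + 1
        if self.failures[ip] < self.max_fail:
            return False
        self.locked[ip] = None if self.lock_seconds == 0 else self.clock() + self.lock_seconds
        return True

    def config_get_lockedips(self):
        """Same shape as the page's sample output: each locked IP followed by ';'."""
        return "".join(ip + ";" for ip in list(self.locked) if self.is_locked(ip))

    def config_set_unlockips(self, arg):
        """'all' clears every lock; a single IP must currently be locked to be unlocked."""
        if arg == "all":
            self.locked.clear(); self.failures.clear()
            return "OK"
        if not self.is_locked(arg):
            return f"ERR Invalid argument '{arg}' for CONFIG SET 'unlockips'"
        self._unlock(arg)
        return "OK"
```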
6. Security Audit
1. Redis itself supports logging to the system log (for example /var/log/localmessage), but it must be configured in redis.conf as follows:
syslog-enabled yes
syslog-ident redis
syslog-facility local0
2. When a client logs in, record the client IP, account and other information.
3. Relevant maintenance operations must have detailed log records.
Example: 29118:S 26 Nov 11:19:29.100 * The readdbuser logged in successfully;10.145.93.119:52817;
7. Operation log dump
Security problem: The official version of Redis never rotates its logs, so the disk can fill up when the server runs for a long time.
Solution: Run a separate tracemonitor process (Python version) that regularly manages the Redis log file size, mainly by compressing logs and deleting old ones, so that they do not take up too much disk.
Note: The current platform checks every 60 seconds by default; logs are compressed at 20M, and at most 50 log files are kept.
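One pass of such a monitor, as an added example and not the platform's tracemonitor: it gzips the live log once it reaches the size threshold and prunes archives beyond the maximum count, using the page's defaults (60 s, 20M, 50 files). The archive naming, the truncate-in-place behaviour and the demo() scenario are assumptions.

```python
import gzip
import os
import shutil
import tempfile

# Defaults taken from the page: check every 60 s, compress at 20M, keep at most 50 logs.
CHECK_INTERVAL_S = 60
COMPRESS_BYTES = 20 * 1024 * 1024
MAX_LOGS = 50

def _archives(log_dir, base):
    """Compressed archives of this log, oldest first (names carry a zero-padded sequence number)."""
    return sorted(p for p in os.listdir(log_dir) if p.startswith(base + ".") and p.endswith(".gz"))

def rotate_once(log_path, compress_bytes=COMPRESS_BYTES, max_logs=MAX_LOGS):
    """One monitor pass: gzip the live log if it is too large, then prune the oldest archives.
    Returns the archive names that remain."""
    log_dir, base = os.path.split(log_path)
    if os.path.exists(log_path) and os.path.getsize(log_path) >= compress_bytes:
        existing = _archives(log_dir, base)
        idx = int(existing[-1].split(".")[-2]) + 1 if existing else 1
        archive = os.path.join(log_dir, f"{base}.{idx:06d}.gz")
        with open(log_path, "rb") as src, gzip.open(archive, "wb") as dst:
            shutil.copyfileobj(src, dst)
        # Truncate in place instead of unlinking: a writer that still holds the file open
        # would otherwise keep filling a deleted inode that no directory listing shows.
        with open(log_path, "r+b") as f:
            f.truncate(0)
    archives = _archives(log_dir, base)
    for old in archives[:max(0, len(archives) - max_logs)]:
        os.remove(os.path.join(log_dir, old))
    return archives[max(0, len(archives) - max_logs):]

def demo(compress_bytes=10, max_logs=2):
    """Constructed scenario: three passes over a tiny log with a 10-byte threshold."""
    log = os.path.join(tempfile.mkdtemp(), "redis.log")
    remaining = []
    for i in range(3):
        with open(log, "ab") as f:
            f.write(b"constructed log line %d\n" % i)
        remaining = rotate_once(log, compress_bytes, max_logs)
    return remaining, os.path.getsize(log)

if __name__ == "__main__":
    print(demo())   # a real monitor loops: rotate_once(...); time.sleep(CHECK_INTERVAL_S)
```

Lines written between the copy and the truncate are lost; if that matters, rotate by renaming and signalling the writer instead.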
Source: What are the reinforcement measures for Redis cache database? (PHP Chinese website)