Redis acl

•

1 like•1,826 views

DaeMyung Kang

Redis ACL RCP1

Technology

Who am I?
• Software Engineer At Udemy
• Redis Contributor
• Redis Document Project Committer
• https://github.com/antirez/redis-doc
• Speaker in RedisConf 2016
• TroubleShooting Redis

Agenda
• What happened without Authentication for Redis?
• What is current Redis ACL?
• What is RCP1

What happened without
Authentication for Redis?

Memcrashed
• Memcached DDOS issue not Redis
• Memcached is high-performance In-Memory K-V Store
• Memcached opened UDP port as Default(11211 port).
• Memcached doesn't support Authentication.
• It web patched in 28 Feb, 2018

Memcrashed
Attacker
Victim
UDP
Servers
UDP
Servers
UDP
Servers
1. IP spoofed Requests
They can't verify UDP source
2. Legitimate UDP Response Victim receives huge traffic
from Memcached servers

Redis in public
• Redis opens 6379 port in public.
• Redis runs with Root Permission.
• Redis runs without requirepass.

How to hack Redis
• Using RDB Saving
• I don't want to show you the detail steps.

Redis Status(2018/05/30 : Today)
• Globally 17,153 Redis Servers are in Public

Memcached Status(2018/05/30 : Today)
• Globally 37,839 Memcached Servers are in Public

Limitation of requirepass
• if you know password, you can run all commands.
• O(N) Commands
• KEYS
• FLUSHALL
• LREM

rename-command
• We can change command name to another.
• or can Disable it
• But sometimes we need to use disabled commands for management.
• if someone know changed commands
• All people will know them.
• Still someone can make mistake.

ACL : Access Control List
• Specify who has granted access to objects
• In Redis
• Specify who is granted to execute specific commands

Examples
#<username> <password> [<acl> <acl> … <acl>]
charsyam "my password" +#all
client "my password" +#readonly
default "" +ping +info
charsyam can execute all commands
client can execute only readonly commands
default user only can run ping and info commands
- default is a user permission before auth step.

Command Groups
Command Command
#readonly #zset
#write #hash
#slow #hyperloglog
#admin #scan
#string #pubsub
#list #transaction
#set #scripting

bit arrays for commands #1 Command Group
Command Index
in BitArray

ACL BitArray
module
0
Get
1
Set
1
Setnx
0
Setex
0
… … …
This user can't use module command

ACL BitArray
Module
0
Get
1
Set
1
Setnx
0
Setex
0
… … …
This user can use Get command

bit arrays for commands #2
64 * 4
256 bits
typedef unsigned long long acl_t;

Default User
+#ALL
-KEYS
-FLUSHALL
-ADMIN
Admin
+#ALL
Read Only
+#ReadOnly

Some Issues for Redis Security
• SSL/TLS supporting
• Periodic Password Changing

What's hot

Twitter Fatcache

its_skm

LinkedIn’s Kafka deployment is nearing 1300 brokers that move close to 1.3 trillion messages a day. While operating Kafka smoothly even at this scale is testament to both Kafka’s scalability and the operational expertise of LinkedIn SREs we occasionally run into some very interesting bugs at this scale. In this talk I will dive into a production issue that we recently encountered as an example of how even a subtle bug can suddenly manifest at scale and cause a near meltdown of the cluster. We will go over how we detected and responded to the situation, investigated it after the fact and summarize some lessons learned and best-practices from this incident.

Troubleshooting Kafka's socket server: from incident to resolution

Joel Koshy

How to tune Kafka® for production

confluent

View recording here: https://www.confluent.io/online-talks/how-to-fail-at-apache-kafka-on-demand Apache Kafka® is used by thousands of companies across the world but, how difficult is it to operate? Which parameters do you need to set? What can go wrong? This online talk is based on real-world experience of Kafka deployments and explores a collection of common mistakes that are made when running Kafka in production and some best practices to avoid them. Watch now to learn: -How to ensure your Kafka data is never lost -How to write code to cope when things go wrong -How to ensure data governance between producers and consumers -How to monitor your cluster Join Apache Kafka expert, Pete Godfrey, for this engaging talk and delve into best practice ideas and insights.

How to Fail at Kafka

confluent

Redis at LINE

LINE Corporation

Velocity 2010 - ATS

Leif Hedstrom

Testing applications is important, as shows the rise of continuous integration and automated testing. In this talk, I will focus on one area of testing that is difficult to automate: poor network connectivity. Developers usually work within reliable networking conditions so they might not notice issues that arise in other networking conditions. I will give examples of software that would benefit from test scenarios with varying connectivity. I will explain how traffic control on Linux can help to simulate various network connectivity. Finally, I will run a demo showing how an application running in Kubernetes behaves when changing network parameters.

Testing applications with traffic control in containers / Alban Crequy (Kinvolk)

Ontico

Oscon 2010 - ATS

Leif Hedstrom

Redis Replication

Ismaeel Enjreny

Nginx - Tips and Tricks.

Harish S

Usenix lisa 2011

Leif Hedstrom

HighLoad++ 2017 Зал «Кейптаун», 8 ноября, 13:00 Тезисы: http://www.highload.ru/2017/abstracts/2954.html MySQL Replication is powerful and has added a lot of advanced features through the years. In this presentation we will look into replication technology in MySQL 5.7 and variants focusing on advanced features, what do they mean, when to use them and when not, Including. When should you use STATEMENT, ROW or MIXED binary log format? What is GTID in MySQL and MariaDB and why do you want to use them? What is semi-sync replication and how is it different from lossless semi-sync? ...

MySQL Replication — Advanced Features / Петр Зайцев (Percona)

Ontico

Shootout at the AWS Corral

PostgreSQL Experts, Inc.

Salvatore Sanfilippo – How Redis Cluster works, and why In this talk the algorithmic details of Redis Cluster will be exposed in order to show what were the design tensions in the clustered version of an high performance database supporting complex data type, the selected tradeoffs, and their effect on the availability and consistency of the resulting solution.Other non-chosen solutions in the design space will be illustrated for completeness.

Salvatore Sanfilippo – How Redis Cluster works, and why - NoSQL matters Barce...

NoSQLmatters

How to monitor NGINX

Server Density

Cloud Foundry and OpenStack are the biggest Open Source projects in their domain. As IaaS and PaaS walk hand in hand the idea of combining both worlds is close. anynines is running their public Cloud Foundry offering on top of OpenStack for more than three years with two years running on a self-hosted OpenStack setup. As head of public Paas operations Julian Weber has gained a lot of knowledge to share about setting up and operating Cloud Foundry installations. This presentation leads the audience through the journey of adopting the Cloud Foundry Open Source version and breeding it to a highly available and production ready Cloud Foundry setup. The listener is guided through the analysis of potential single points of failure in standard CF Open Source setups up to required changes in the Cloud Foundry OS release to reach our goal. As this talk is about Cloud Foundry operations we also need to talk about experiences with BOSH as a general purpose tool for software lifecycle management of big distributed systems and possible improvements to the BOSH tool set and workflows. The talk will enable advanced DevOps to dive deeper into the technical details of setting up production ready Cloud Foundry installations based on Cloud Foundry Open Source.

Experience Report: Cloud Foundry Open Source Operations | anynines

anynines GmbH

Apache Kafka – (Pattern and) Anti-Pattern

confluent

anynines ran a public PaaS located in a German datacenter based on Cloud Foundry. In more than 12 months of running a Cloud Foundry PaaS man lessons about security, high availability, open stack and many other exciting topics have been learned. See how Bosh can be used and how it shouldn't be used. Learn how to perform Cloud Foundry upgrades and read how to harden Cloud Foundry by adding more fault tolerance with pacemaker.

Running Cloud Foundry for 12 months - An experience report | anynines

anynines GmbH

Микросервисы получают все большую популярность в компаниях по всему миру. Какие организационные и технические проблемы они помогают решать? С какого момента монолиты перестают справляться с растущей нагрузкой на ваш сервис? Почему Zalando -- самый большой онлайн-ретейлер в Европе -- выбрал микросервисы в качестве главной архитектуры для новых проектов? Помогая в решении организационных проблем быстрорастущей компании, микросервисы ставят новые технические задачи, одной из которых, помимо увеличения сложности системы в целом, является проблема безопасного обмена сообщениями между микросервисами, удобной интеграции данных и возможности их корреляции и анализа. Слушатели узнают, как в Zalando решают эту проблему с использованием централизованной шины передачи данных -- Nakadi. Получат представление о тех проблемах, которые их могут поджидать при выборе похожей архитектуры на примере проблем выбора формата передачи данных, системы версионирования формата сообщений и сложностей эксплуатации высоконагруженных кластеров Kafka в облачной системе AWS.

События, шины и интеграция данных в непростом мире микросервисов / Валентин Г...

Ontico

Like many other messaging systems, Kafka has put limit on the maximum message size. User will fail to produce a message if it is too large. This limit makes a lot of sense and people usually send to Kafka a reference link which refers to a large message stored somewhere else. However, in some scenarios, it would be good to be able to send messages through Kafka without external storage. At LinkedIn, we have a few use cases that can benefit from such feature. This talk covers our solution to send large message through Kafka without additional storage.

Handle Large Messages In Apache Kafka

Jiangjie Qin

What's hot (20)

Twitter Fatcache

Troubleshooting Kafka's socket server: from incident to resolution

How to tune Kafka® for production

How to Fail at Kafka

Redis at LINE

Velocity 2010 - ATS

Testing applications with traffic control in containers / Alban Crequy (Kinvolk)

Oscon 2010 - ATS

Redis Replication

Nginx - Tips and Tricks.

Usenix lisa 2011

MySQL Replication — Advanced Features / Петр Зайцев (Percona)

Shootout at the AWS Corral

Salvatore Sanfilippo – How Redis Cluster works, and why - NoSQL matters Barce...

How to monitor NGINX

Experience Report: Cloud Foundry Open Source Operations | anynines

Apache Kafka – (Pattern and) Anti-Pattern

Running Cloud Foundry for 12 months - An experience report | anynines

События, шины и интеграция данных в непростом мире микросервисов / Валентин Г...

Handle Large Messages In Apache Kafka

Similar to Redis acl

Redis

Hung-yu Lin

Redis everywhere - PHP London

Ricard Clau

Redis by-hari

Hari Bachala

Developing a Redis Module - Hackathon Kickoff

Itamar Haber

Mini-Training: Redis

Betclic Everest Group Tech Team

CNIT 128 7. Attacking Android Applications (Part 3)

Sam Bowne

REDIS327

Rajan Bhatt

Redis Security

Ismaeel Enjreny

[若渴計畫] Challenges and Solutions of Window Remote Shellcode

Aj MaChInE

Windows Malware Techniques

Lee C

"Defenders have been slowly adapting to the new reality: Any organization is a target. They bought boxes that blink and software that floods the SOC with alerts. None of this matters as much as how administration is performed: Pop an admin, own the system. Admins are being dragged into a new paradigm where they have to more securely administer the environment. What does this mean for the pentester or Red Teamer? Admins are gradually using better methods like two-factor and more secure administrative channels. Security is improving at many organizations, often quite rapidly. If we can quickly identify the way that administration is being performed, we can better highlight the flaws in the admin process. This talk explores some common methods Active Directory administrators (and others) use to protect their admin credentials and the flaws with these approaches. New recon methods will be provided on how to identify if the org uses an AD Red Forest (aka Admin Forest) and what that means for one hired to test the organization's defenses, as well as how to successfully avoid the Red Forest and still be successful on an engagement. Some of the areas explored in this talk: Current methods organizations use to administer Active Directory and the weaknesses around them. Using RODCs in the environment in ways the organization didn't plan for (including persistence). Exploiting access to agents typically installed on Domain Controllers and other highly privileged systems to run/install code when that's not their typical purpose. Discovering and exploiting an AD forest that leverages an AD Admin Forest (aka Red Forest) without touching the Admin Forest. If you are wondering how to pentest/red team against organizations that are improving their defenses, this talk is for you. If you are a blue team looking for inspiration on effective defenses, this talk is also for you to gain better insight into how you can be attacked."

Exploiting Active Directory Administrator Insecurities

Priyanka Aash

Redis Labs manages over 160k+ HA databases, 10k clustered databases, without data loss in spite of one node failure a day and one data center outage per month. Using Enterprise Redis(RLEC), Redis Labs delivers seamless zero downtime scaling, true high availability with persistence, cross-rack/zone/ datacenter replication and instant automatic failover. Learn how. Join this session for a deep dive into how enterprise Redis makes for no-hassle Redis deployments and the roadmap for new Redis capabilities. Discover new cost savings with Redis on Flash for cost-effective high performance operations and analytics

What's new with enterprise Redis - Leena Joshi, Redis Labs

Redis Labs

Handling Redis failover with ZooKeeper

ryanlecompte

(DAT407) Amazon ElastiCache: Deep Dive

Amazon Web Services

Exploiting NoSQL Like Never Before

Francis Alexander

apidays New York 2023 APIs for Embedded Business Models: Finance, Healthcare, Retail, and Media May 16 & 17, 2023 Putting yourself out there - how to secure your public APIs Dan Erez, Architecture Team Lead at AT&T ------ Check out our conferences at https://www.apidays.global/ Do you want to sponsor or talk at one of our conferences? https://apidays.typeform.com/to/ILJeAaV8 Learn more on APIscene, the global media made by the community for the community: https://www.apiscene.io Explore the API ecosystem with the API Landscape: https://apilandscape.apiscene.io/

apidays New York 2023 - Putting yourself out there - how to secure your publi...

apidays

Redis Everywhere - Sunshine PHP

Ricard Clau

Troubleshooting Redis- DaeMyung Kang, Kakao

Redis Labs

44CON 2014 - Pentesting NoSQL DB's Using NoSQL Exploitation Framework, Francis Alexander The rise of NoSQL databases and their simplicity has made corporates as well as end users have started to move towards NoSQL,However is it safe?.Does NoSQL mean we will not have to worry about Injection attacks. Yes We Do. This paper concentrates on exploiting NoSQL DB’s especially with its reach towards Mongodb,Couchdb and Redis and automating it using the NoSQL Exploitation Framework.

44CON 2014 - Pentesting NoSQL DB's Using NoSQL Exploitation Framework, Franci...

44CON

Ch 6: The Wild World of Windows

Sam Bowne

Similar to Redis acl (20)

Redis

Redis everywhere - PHP London

Redis by-hari

Developing a Redis Module - Hackathon Kickoff

Mini-Training: Redis

CNIT 128 7. Attacking Android Applications (Part 3)

REDIS327

Redis Security

[若渴計畫] Challenges and Solutions of Window Remote Shellcode

Windows Malware Techniques

Exploiting Active Directory Administrator Insecurities

What's new with enterprise Redis - Leena Joshi, Redis Labs

Handling Redis failover with ZooKeeper

(DAT407) Amazon ElastiCache: Deep Dive

Exploiting NoSQL Like Never Before

apidays New York 2023 - Putting yourself out there - how to secure your publi...

Redis Everywhere - Sunshine PHP

Troubleshooting Redis- DaeMyung Kang, Kakao

44CON 2014 - Pentesting NoSQL DB's Using NoSQL Exploitation Framework, Franci...

Ch 6: The Wild World of Windows

Recently uploaded

Increase engagement and revenue with Muvi Live Paywall! In this presentation, we will explore the five key benefits of using Muvi Live Paywall to monetize your live streams. You'll learn how Muvi Live Paywall can help you: Monetize your live content easily: Set up pay-per-view access to your live streams and start generating revenue from your content. Increase audience engagement: Provide exclusive, premium content behind the paywall to keep your viewers engaged. Gain valuable viewer insights: Track viewer data and analytics to better understand your audience and tailor your content accordingly. Reduce content piracy: Muvi Live Paywall's security features help protect your content from unauthorized distribution. Streamline your workflow: The all-in-one platform simplifies the process of managing and monetizing your live streams. With Muvi Live Paywall, you can take control of your live stream monetization and create a sustainable business model for your content. Learn more about Muvi Live Paywall and start generating revenue from your live streams today!

Top 5 Benefits OF Using Muvi Live Paywall For Live Streams

Roshan Dwivedi

Effective data discovery is crucial for maintaining compliance and mitigating risks in today's rapidly evolving privacy landscape. However, traditional manual approaches often struggle to keep pace with the growing volume and complexity of data. Join us for an insightful webinar where industry leaders from TrustArc and Privya will share their expertise on leveraging AI-powered solutions to revolutionize data discovery. You'll learn how to: - Effortlessly maintain a comprehensive, up-to-date data inventory - Harness code scanning insights to gain complete visibility into data flows leveraging the advantages of code scanning over DB scanning - Simplify compliance by leveraging Privya's integration with TrustArc - Implement proven strategies to mitigate third-party risks Our panel of experts will discuss real-world case studies and share practical strategies for overcoming common data discovery challenges. They'll also explore the latest trends and innovations in AI-driven data management, and how these technologies can help organizations stay ahead of the curve in an ever-changing privacy landscape.

TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery

TrustArc

Scaling API-first – The story of a global engineering organization Ian Reasor, Senior Computer Scientist - Adobe Radu Cotescu, Senior Computer Scientist - Adobe Apidays New York 2024: The API Economy in the AI Era (April 30 & May 1, 2024) ------ Check out our conferences at https://www.apidays.global/ Do you want to sponsor or talk at one of our conferences? https://apidays.typeform.com/to/ILJeAaV8 Learn more on APIscene, the global media made by the community for the community: https://www.apiscene.io Explore the API ecosystem with the API Landscape: https://apilandscape.apiscene.io/

Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe

apidays

Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood

Juan lago vázquez

Tata AIG General Insurance Company - Insurer Innovation Award 2024

The Digital Insurer

The Good, the Bad and the Governed - Why is governance a dirty word? David O'Neill, Chief Operating Officer - APIContext Apidays New York 2024: The API Economy in the AI Era (April 30 & May 1, 2024) ------ Check out our conferences at https://www.apidays.global/ Do you want to sponsor or talk at one of our conferences? https://apidays.typeform.com/to/ILJeAaV8 Learn more on APIscene, the global media made by the community for the community: https://www.apiscene.io Explore the API ecosystem with the API Landscape: https://apilandscape.apiscene.io/

Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...

apidays

Strategies for Landing an Oracle DBA Job as a Fresher

Remote DBA Services

Real Time Object Detection Using Open CV

Khem

Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024

The Digital Insurer

Imagine a world where information flows as swiftly as thought itself, making decision-making as fluid as the data driving it. Every moment is critical, and the right tools can significantly boost your organization’s performance. The power of real-time data automation through FME can turn this vision into reality. Aimed at professionals eager to leverage real-time data for enhanced decision-making and efficiency, this webinar will cover the essentials of real-time data and its significance. We’ll explore: FME’s role in real-time event processing, from data intake and analysis to transformation and reporting An overview of leveraging streams vs. automations FME’s impact across various industries highlighted by real-life case studies Live demonstrations on setting up FME workflows for real-time data Practical advice on getting started, best practices, and tips for effective implementation Join us to enhance your skills in real-time data automation with FME, and take your operational capabilities to the next level.

From Event to Action: Accelerate Your Decision Making with Real-Time Automation

Safe Software

MINDCTI Revenue Release Quarter One 2024

MIND CTI

GenAI Risks & Security Meetup 01052024.pdf

lior mazor

With more memory available, system performance of three Dell devices increased, which can translate to a better user experience Conclusion When your system has plenty of RAM to meet your needs, you can efficiently access the applications and data you need to finish projects and to-do lists without sacrificing time and focus. Our test results show that with more memory available, three Dell PCs delivered better performance and took less time to complete the Procyon Office Productivity benchmark. These advantages translate to users being able to complete workflows more quickly and multitask more easily. Whether you need the mobility of the Latitude 5440, the creative capabilities of the Precision 3470, or the high performance of the OptiPlex Tower Plus 7010, configuring your system with more RAM can help keep processes running smoothly, enabling you to do more without compromising performance.

Boost PC performance: How more available memory can improve productivity

Principled Technologies

Axa Assurance Maroc - Insurer Innovation Award 2024

The Digital Insurer

Scaling API-first – The story of a global engineering organization

Radu Cotescu

This presentations targets students or working professionals. You may know Google for search, YouTube, Android, Chrome, and Gmail, but did you know Google has many developer tools, platforms & APIs? This comprehensive yet still high-level overview outlines the most impactful tools for where to run your code, store & analyze your data. It will also inspire you as to what's possible. This talk is 50 minutes in length.

Powerful Google developer tools for immediate impact! (2023-24 C)

wesley chun

ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke

Product Anonymous

The value of a flexible API Management solution for Open Banking Steve Melan, Manager for IT Innovation and Architecture - State's and Saving's Bank of Luxembourg Apidays New York 2024: The API Economy in the AI Era (April 30 & May 1, 2024) ------ Check out our conferences at https://www.apidays.global/ Do you want to sponsor or talk at one of our conferences? https://apidays.typeform.com/to/ILJeAaV8 Learn more on APIscene, the global media made by the community for the community: https://www.apiscene.io Explore the API ecosystem with the API Landscape: https://apilandscape.apiscene.io/

Apidays New York 2024 - The value of a flexible API Management solution for O...

apidays

The presentation explores the development and application of artificial intelligence (AI) from its inception to its current status in the modern world. The term "artificial intelligence" was first coined by John McCarthy in 1956 to describe efforts to develop computer programs capable of performing tasks that typically require human intelligence. This concept was first introduced at a conference held at Dartmouth College, where programs demonstrated capabilities such as playing chess, proving theorems, and interpreting texts. In the early stages, Alan Turing contributed to the field by defining intelligence as the ability of a being to respond to certain questions intelligently, proposing what is now known as the Turing Test to evaluate the presence of intelligent behavior in machines. As the decades progressed, AI evolved significantly. The 1980s focused on machine learning, teaching computers to learn from data, leading to the development of models that could improve their performance based on their experiences. The 1990s and 2000s saw further advances in algorithms and computational power, which allowed for more sophisticated data analysis techniques, including data mining. By the 2010s, the proliferation of big data and the refinement of deep learning techniques enabled AI to become mainstream. Notable milestones included the success of Google's AlphaGo and advancements in autonomous vehicles by companies like Tesla and Waymo. A major theme of the presentation is the application of generative AI, which has been used for tasks such as natural language text generation, translation, and question answering. Generative AI uses large datasets to train models that can then produce new, coherent pieces of text or other media. The presentation also discusses the ethical implications and the need for regulation in AI, highlighting issues such as privacy, bias, and the potential for misuse. These concerns have prompted calls for comprehensive regulations to ensure the safe and equitable use of AI technologies. Artificial intelligence has also played a significant role in healthcare, particularly highlighted during the COVID-19 pandemic, where it was used in drug discovery, vaccine development, and analyzing the spread of the virus. The capabilities of AI in healthcare are vast, ranging from medical diagnostics to personalized medicine, demonstrating the technology's potential to revolutionize fields beyond just technical or consumer applications. In conclusion, AI continues to be a rapidly evolving field with significant implications for various aspects of society. The development from theoretical concepts to real-world applications illustrates both the potential benefits and the challenges that come with integrating advanced technologies into everyday life. The ongoing discussion about AI ethics and regulation underscores the importance of managing these technologies responsibly to maximize their their benefits while minimizing potential harms.

Artificial Intelligence: Facts and Myths

Joaquim Jorge

🐬 The future of MySQL is Postgres 🐘

RTylerCroy

Recently uploaded (20)

Top 5 Benefits OF Using Muvi Live Paywall For Live Streams

TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery

Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe

Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood

Tata AIG General Insurance Company - Insurer Innovation Award 2024

Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...

Strategies for Landing an Oracle DBA Job as a Fresher

Real Time Object Detection Using Open CV

Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024

From Event to Action: Accelerate Your Decision Making with Real-Time Automation

MINDCTI Revenue Release Quarter One 2024

GenAI Risks & Security Meetup 01052024.pdf

Boost PC performance: How more available memory can improve productivity

Axa Assurance Maroc - Insurer Innovation Award 2024

Scaling API-first – The story of a global engineering organization

Powerful Google developer tools for immediate impact! (2023-24 C)

ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke

Apidays New York 2024 - The value of a flexible API Management solution for O...

Artificial Intelligence: Facts and Myths

🐬 The future of MySQL is Postgres 🐘

Redis acl

1. Redis ACL - RCP 1 DaeMyung Kang (charsyam@naver.com)

2. Who am I? • Software Engineer At Udemy • Redis Contributor • Redis Document Project Committer • https://github.com/antirez/redis-doc • Speaker in RedisConf 2016 • TroubleShooting Redis

3. Agenda • What happened without Authentication for Redis? • What is current Redis ACL? • What is RCP1

4. What happened without Authentication for Redis?

5. Memcrashed

6. Memcrashed • Memcached DDOS issue not Redis • Memcached is high-performance In-Memory K-V Store • Memcached opened UDP port as Default(11211 port). • Memcached doesn't support Authentication. • It web patched in 28 Feb, 2018

7. Memcrashed Attacker Victim UDP Servers UDP Servers UDP Servers 1. IP spoofed Requests They can't verify UDP source 2. Legitimate UDP Response Victim receives huge traffic from Memcached servers

8. Redis in public

9. Redis in public • Redis opens 6379 port in public. • Redis runs with Root Permission. • Redis runs without requirepass.

10. You are ready to be Hacked

11. How to hack Redis • Using RDB Saving • I don't want to show you the detail steps.

12. How to hack Redis #2

13. How to hack Redis #3

14. Never expose Your Redis in Public

15. Redis Status(2018/05/30 : Today) • Globally 17,153 Redis Servers are in Public

16. Memcached Status(2018/05/30 : Today) • Globally 37,839 Memcached Servers are in Public

17. What is current Redis ACL?

18. Redis only support requirepass

19. Limitation of requirepass • if you know password, you can run all commands. • O(N) Commands • KEYS • FLUSHALL • LREM

20. rename-command • We can change command name to another. • or can Disable it • But sometimes we need to use disabled commands for management. • if someone know changed commands • All people will know them. • Still someone can make mistake.

21. RCP1 Redis ACL

22. ACL : Access Control List • Specify who has granted access to objects • In Redis • Specify who is granted to execute specific commands

23. Examples #<username> <password> [<acl> <acl> … <acl>] charsyam "my password" +#all client "my password" +#readonly default "" +ping +info charsyam can execute all commands client can execute only readonly commands default user only can run ping and info commands - default is a user permission before auth step.

24. auth example auth <username> <password>

25. Command Groups Command Command #readonly #zset #write #hash #slow #hyperloglog #admin #scan #string #pubsub #list #transaction #set #scripting

26. Implementation RCP1

27. bit arrays for commands #1 Command Group Command Index in BitArray

28. ACL BitArray module 0 Get 1 Set 1 Setnx 0 Setex 0 … … … This user can't use module command

29. ACL BitArray Module 0 Get 1 Set 1 Setnx 0 Setex 0 … … … This user can use Get command

30. bit arrays for commands #2 64 * 4 256 bits typedef unsigned long long acl_t;

31. bit arrays for commands #3

32. How we can use?

33. Default User +#ALL -KEYS -FLUSHALL -ADMIN Admin +#ALL Read Only +#ReadOnly

34. Some Issues for Redis Security • SSL/TLS supporting • Periodic Password Changing

35. DEMO for RCP1

36. Thanks

Redis acl

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to Redis acl

Similar to Redis acl (20)

More from DaeMyung Kang

More from DaeMyung Kang (20)

Recently uploaded

Recently uploaded (20)

Redis acl