It seemed strange to me that the protected mode text warning gives a long winded explanation on 3 ways to disable protected mode first, and leaves the most desireable (change the bind address or password) option for last with a much more brief and less helpful explanation.
I would have done a long detailed explanation on bind addr/password, and a "you can also disable protected mode by looking up how to do it on XXXXX" at the end.
Based on my experience with product design decisions, that detail right there probably had a huge impact on the actual adoption of the desired choice.
I love Redis, and antirez is a genius. The simple solution is usually the most secure: Redis should just bind to localhost by default, unless it's specifically told to bind to other interfaces.
Surely the real WTF here is that Redis allows unauthenticated connections over the network at all?
I appreciate that it's too late to go back and change this, as it would break existing installations on upgrade, but perhaps it's worth pointing that out for the benefit of future server developers.
If you want to make things easy for initial setup, you could allow unauthenticated connections over UNIX domain sockets, and/or the loopback interface. And perhaps only if there is no password configured?
If you want to really make it hard for users to screw up, how about requiring the admin to configure a password for remote access, but also generating some random secret on installation or first boot, and requiring both for authentication. Then, even a weak password doesn't make it easy for a remote attacker to gain access.
Hello twic, since version 4 Redis by default does not accept connections that are not originating from localhost. Yet we have still problems! Please read the blog post for the exact details about why sane defaults were not enough.
I think the point the parent is trying to make is why allow options 1-3 (disable protected mode) at all? Why not require only option 4 to accept non localhost connections?
Although that doesn’t stop someone setting up an install script with a “default” password that becomes known.
Taking a cursory glance you can find a lot of articles on — exposed MySQL / Postgres servers being infected when they run with weak / default passwords. Exposing your db servers beyond the private network is the problem, kudos for trying to support people, but trying to secure open dbs on the net will always be a cat & mouse game.
That was my point, yes. And my strange suggestion about having an additional server-generated secret was an attempt to secure even servers with weak passwords.
I would have done a long detailed explanation on bind addr/password, and a "you can also disable protected mode by looking up how to do it on XXXXX" at the end.
Based on my experience with product design decisions, that detail right there probably had a huge impact on the actual adoption of the desired choice.