Hacker News new | ask | show | jobs
by twic 2939 days ago
Surely the real WTF here is that Redis allows unauthenticated connections over the network at all?

I appreciate that it's too late to go back and change this, as it would break existing installations on upgrade, but perhaps it's worth pointing that out for the benefit of future server developers.

If you want to make things easy for initial setup, you could allow unauthenticated connections over UNIX domain sockets, and/or the loopback interface. And perhaps only if there is no password configured?

If you want to really make it hard for users to screw up, how about requiring the admin to configure a password for remote access, but also generating some random secret on installation or first boot, and requiring both for authentication. Then, even a weak password doesn't make it easy for a remote attacker to gain access.
2 comments
antirez 2939 days ago
Hello twic, since version 4 Redis by default does not accept connections that are not originating from localhost. Yet we have still problems! Please read the blog post for the exact details about why sane defaults were not enough.
link
snowwolf 2939 days ago
I think the point the parent is trying to make is why allow options 1-3 (disable protected mode) at all? Why not require only option 4 to accept non localhost connections?

Although that doesn’t stop someone setting up an install script with a “default” password that becomes known.

link
awinder 2939 days ago
Taking a cursory glance you can find a lot of articles on — exposed MySQL / Postgres servers being infected when they run with weak / default passwords. Exposing your db servers beyond the private network is the problem, kudos for trying to support people, but trying to secure open dbs on the net will always be a cat & mouse game.
link
twic 2939 days ago
That was my point, yes. And my strange suggestion about having an additional server-generated secret was an attempt to secure even servers with weak passwords.
link
twic 2939 days ago
I read the blog post; what i learned from it is that because sane default choices aren't enough, you also have to disallow insane explicit choices!
link
Kiro 2939 days ago
I don't want to bother with authentication if it's within my own private network.
link
brasetvik 2939 days ago
And that's why server side request forgery (SSRF) is so dangerous.
link