Are you suffering attacks to your servers?

Sergio sergio.fernandez at electronicamartinez.com
Fri Aug 19 18:10:18 EDT 2016


Hi! Thank you for your answer.

Using netstat shows it as bound to the loopback interface, 127.0.0.1. This is 
normal, Redis is running in protected mode.

I tried to nmap to the port 6379 from another server, and, surprisingly, 
I found the port is open.
This is the output:

Command: nmap -p 6379 -T4 -A -v my.server.ip

Starting Nmap 7.12SVN ( https://nmap.org ) at 2016-08-20 00:01 CEST
NSE: Loaded 138 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 00:01
Completed NSE at 00:01, 0.00s elapsed
Initiating NSE at 00:01
Completed NSE at 00:01, 0.00s elapsed
Initiating Ping Scan at 00:01
Scanning XXXXXXXXXXX [2 ports]
Completed Ping Scan at 00:01, 0.09s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 00:01
Completed Parallel DNS resolution of 1 host. at 00:01, 0.02s elapsed
Initiating Connect Scan at 00:01
Scanning XXXXXXXXXXXX [1 port]
Discovered open port 6379/tcp on XXXXXXXXXX
Completed Connect Scan at 00:01, 0.08s elapsed (1 total ports)
Initiating Service scan at 00:01
Scanning 1 service on XXXXXXXXXXXX
Completed Service scan at 00:02, 16.34s elapsed (1 service on 1 host)
NSE: Script scanning XXXXXXXXXXX.
Initiating NSE at 00:02
Completed NSE at 00:02, 0.08s elapsed
Initiating NSE at 00:02
Completed NSE at 00:02, 0.00s elapsed
Nmap scan report for XXXXXXXXXXXXXX
Host is up (0.087s latency).
PORT     STATE SERVICE VERSION
6379/tcp open  redis   Redis key-value store

NSE: Script Post-scanning.
Initiating NSE at 00:02
Completed NSE at 00:02, 0.00s elapsed
Initiating NSE at 00:02
Completed NSE at 00:02, 0.00s elapsed
Read data files from: /usr/local/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 17.11 seconds


On 17/08/16 at 13:23, h0rst wrote:
> Hi there!
>
> Did you actually verify (i.e. using netstat) that your redis instance is only listening
> on localhost and not on any other interface/ip? Are you sure that the mentioned config
> file is really used by redis?
>
> I mean, it would be pretty difficult for a remote attacker to exploit any service
> running on localhost ;)
>
> Kind regards,
> Sebastian
>
> ----- Original Message -----
> From: "Sergio" <sergio.fernandez at electronicamartinez.com>
> To: "Community support for GenieACS users" <users at lists.genieacs.com>
> Sent: Friday, August 12, 2016 1:51:22 PM
> Subject: Re: Are you suffering attacks to your servers?
>
> Good morning! Thank you for your answers, Dan and Manny.
>
> The variants that you both have told me are great, but in our service,
> we can't restrict via IP or VLAN. On the other hand, we will implement
> in the near future the "only allow HTTP POSTs".
>
> I have been reading Slashdot this morning. And, to my surprise, I read
> this article:
> https://linux.slashdot.org/story/16/08/10/237230/linux-trojan-mines-for-cryptocurrency-using-misconfigured-redis-servers
>
> This was the exact thing that happened to me, as I described below. So I
> started to search how I could protect myself from these problems. So I
> found this page http://redis.io/topics/security that tells us to bind the
> Redis listening IP to the loopback interface.
>
> So I searched for the /etc/redis/redis.conf file and it was already set.
>
> So the next step is to configure a password. But here the problem
> arises. I will be following this guide
> https://www.digitalocean.com/community/tutorials/how-to-secure-your-redis-installation-on-ubuntu-14-04
>
> But the problem is, how can I configure GenieACS to work with a
> password-protected Redis? I simply don't know where to apply it, or if
> it's going to require new code.
>
> Any guidance? I would appreciate it a lot!
>
> Thank you,
>
> Sergio Fernández
>
> PS. I am trying to reduce space for this message and I deleted the
> previous answers.
>
> _______________________________________________
> Users mailing list
> Users at lists.genieacs.com
> http://lists.genieacs.com/mailman/listinfo/users
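
Added example (not part of the original thread, and not GenieACS or Redis project code): a Python check that compares what the listening sockets show with what redis.conf declares, the two things h0rst asks to have verified. The netstat output and config text are constructed samples, and all function names are hypothetical.

```python
import ipaddress

# Constructed `netstat -ltn` sample (not output from the thread).
SAMPLE_NETSTAT = """\
Proto Recv-Q Send-Q Local Address    Foreign Address  State
tcp        0      0 127.0.0.1:6379   0.0.0.0:*        LISTEN
tcp        0      0 0.0.0.0:6379     0.0.0.0:*        LISTEN
tcp6       0      0 ::1:6379         :::*             LISTEN
tcp        0      0 0.0.0.0:22       0.0.0.0:*        LISTEN
"""
# Constructed redis.conf sample: bind is set, requirepass is commented out.
SAMPLE_CONF = "# bind 0.0.0.0\nbind 127.0.0.1\nprotected-mode yes\n# requirepass changeme\n"

def listeners(netstat_text, port=6379):
    """Local addresses with a LISTEN socket on `port`."""
    found = []
    for line in netstat_text.splitlines():
        f = line.split()
        if len(f) >= 6 and f[0].startswith("tcp") and f[-1] == "LISTEN":
            addr, _, p = f[3].rpartition(":")  # rpartition keeps IPv6 colons in addr
            if p == str(port):
                found.append(addr.strip("[]"))
    return found

def exposed(addrs):
    """Addresses that are not loopback: wildcards and real interface IPs."""
    return [a for a in addrs if a == "*" or not ipaddress.ip_address(a).is_loopback]

def conf_directives(conf_text):
    """Uncommented directives as {name: [args]}; this sketch keeps the last occurrence."""
    d = {}
    for line in conf_text.splitlines():
        if line.strip() and not line.lstrip().startswith("#"):
            name, *args = line.split()
            d[name.lower()] = args
    return d

def audit(netstat_text, conf_text):
    findings, conf = [], conf_directives(conf_text)
    ex = exposed(listeners(netstat_text))
    if ex:
        findings.append(f"6379 listening on non-loopback address(es): {ex}")
        if "bind" in conf:
            findings.append(f"config says bind {conf['bind']}: is this the file the running redis loaded?")
    if "requirepass" not in conf:
        findings.append("requirepass is not set")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_NETSTAT, SAMPLE_CONF)))
```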
