<html>
<head>
<meta content="text/html; charset=utf-8" http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<p>Hi! Thank you for your answer.<br>
<br>
Using netstat shows as binded to loopback interface, 127.0.0.1.
This is normal, redis is running in protected mode.<br>
<br>
I tried to nmap to the port 6379 from another server, and,
surprisingly, I found the port is open.<br>
This is the output:<br>
<br>
<b>Command</b>: nmap -p 6379 -T4 -A -v my.server.ip<br>
<br>
<font size="-1"><i>Starting Nmap 7.12SVN ( <a class="moz-txt-link-freetext" href="https://nmap.org">https://nmap.org</a> ) at
2016-08-20 00:01 CEST</i><i><br>
</i><i>NSE: Loaded 138 scripts for scanning.</i><i><br>
</i><i>NSE: Script Pre-scanning.</i><i><br>
</i><i>Initiating NSE at 00:01</i><i><br>
</i><i>Completed NSE at 00:01, 0.00s elapsed</i><i><br>
</i><i>Initiating NSE at 00:01</i><i><br>
</i><i>Completed NSE at 00:01, 0.00s elapsed</i><i><br>
</i><i>Initiating Ping Scan at 00:01</i><i><br>
</i><i>Scanning XXXXXXXXXXX [2 ports]</i><i><br>
</i><i>Completed Ping Scan at 00:01, 0.09s elapsed (1 total
hosts)</i><i><br>
</i><i>Initiating Parallel DNS resolution of 1 host. at 00:01</i><i><br>
</i><i>Completed Parallel DNS resolution of 1 host. at 00:01,
0.02s elapsed</i><i><br>
</i><i>Initiating Connect Scan at 00:01</i><i><br>
</i><i>Scanning XXXXXXXXXXXX [1 port]</i><i><br>
</i><i>Discovered open port 6379/tcp on XXXXXXXXXX</i><i><br>
</i><i>Completed Connect Scan at 00:01, 0.08s elapsed (1 total
ports)</i><i><br>
</i><i>Initiating Service scan at 00:01</i><i><br>
</i><i>Scanning 1 service on XXXXXXXXXXXX</i><i><br>
</i><i>Completed Service scan at 00:02, 16.34s elapsed (1
service on 1 host)</i><i><br>
</i><i>NSE: Script scanning XXXXXXXXXXX.</i><i><br>
</i><i>Initiating NSE at 00:02</i><i><br>
</i><i>Completed NSE at 00:02, 0.08s elapsed</i><i><br>
</i><i>Initiating NSE at 00:02</i><i><br>
</i><i>Completed NSE at 00:02, 0.00s elapsed</i><i><br>
</i><i>Nmap scan report for XXXXXXXXXXXXXX</i><i><br>
</i><i>Host is up (0.087s latency).</i><i><br>
</i><i>PORT STATE SERVICE VERSION</i><i><br>
</i><i>6379/tcp open redis Redis key-value store</i><i><br>
</i><i><br>
</i><i>NSE: Script Post-scanning.</i><i><br>
</i><i>Initiating NSE at 00:02</i><i><br>
</i><i>Completed NSE at 00:02, 0.00s elapsed</i><i><br>
</i><i>Initiating NSE at 00:02</i><i><br>
</i><i>Completed NSE at 00:02, 0.00s elapsed</i><i><br>
</i><i>Read data files from: /usr/local/bin/../share/nmap</i><i><br>
</i><i>Service detection performed. Please report any incorrect
results at <a class="moz-txt-link-freetext" href="https://nmap.org/submit/">https://nmap.org/submit/</a> .</i><i><br>
</i><i>Nmap done: 1 IP address (1 host up) scanned in 17.11
seconds</i></font><br>
<br>
</p>
<br>
<div class="moz-cite-prefix">El 17/08/16 a las 13:23, h0rst
escribió:<br>
</div>
<blockquote
cite="mid:1124156342.22155.1471433021161.JavaMail.zimbra@dumont.localh0rst.de"
type="cite">
<pre wrap="">Hi there!
Did u actually verify (i.e using netstat) that your redis instance is only listening
on localhost and not on any other interface/ip? Are you sure that the mentioned config
file is really used by redis?
I mean, it would be pretty difficult for a remote attacker to exploit any service
running on localhost ;)
Kind regards,
Sebastian
----- Original Message -----
From: "Sergio" <a class="moz-txt-link-rfc2396E" href="mailto:sergio.fernandez@electronicamartinez.com"><sergio.fernandez@electronicamartinez.com></a>
To: "Community support for GenieACS users" <a class="moz-txt-link-rfc2396E" href="mailto:users@lists.genieacs.com"><users@lists.genieacs.com></a>
Sent: Friday, August 12, 2016 1:51:22 PM
Subject: Re: Are you suffering attacks to your servers?
Good morning! Thank you for your answers, Dan and Manny.
The variants that you both have told me are great, but in our service,
we can't restrict via IP or VLAN. On the other hand, we will implement
in the near future the "only allow HTTP POSTs".
I have been reading Slashdot this morning. And, to my surprise, I read
this article:
<a class="moz-txt-link-freetext" href="https://linux.slashdot.org/story/16/08/10/237230/linux-trojan-mines-for-cryptocurrency-using-misconfigured-redis-servers">https://linux.slashdot.org/story/16/08/10/237230/linux-trojan-mines-for-cryptocurrency-using-misconfigured-redis-servers</a>
This was the exact thing that happened to me, as I described below. So I
started to search how could I protect myself of this problems. So I
found this page <a class="moz-txt-link-freetext" href="http://redis.io/topics/security">http://redis.io/topics/security</a> that tell us to bind the
Redis listening IP to the loopback interface.
So I searched for the /etc/redis/redis.conf file and it was already set.
So the next step is to configure a password. But here the problem
arises. I will be following this guide
<a class="moz-txt-link-freetext" href="https://www.digitalocean.com/community/tutorials/how-to-secure-your-redis-installation-on-ubuntu-14-04">https://www.digitalocean.com/community/tutorials/how-to-secure-your-redis-installation-on-ubuntu-14-04</a>
But the problem is, how can I configure GenieACS to work with a
password-protected Redis? I simply don't know where to apply it, or if
it's going to require new code.
Any guidance? I would appreciate it a lot!
Thank you,
Sergio Fernández
PS. I am trying to reduce space for this message and I deleted the
previous answers.
_______________________________________________
Users mailing list
<a class="moz-txt-link-abbreviated" href="mailto:Users@lists.genieacs.com">Users@lists.genieacs.com</a>
<a class="moz-txt-link-freetext" href="http://lists.genieacs.com/mailman/listinfo/users">http://lists.genieacs.com/mailman/listinfo/users</a>
_______________________________________________
Users mailing list
<a class="moz-txt-link-abbreviated" href="mailto:Users@lists.genieacs.com">Users@lists.genieacs.com</a>
<a class="moz-txt-link-freetext" href="http://lists.genieacs.com/mailman/listinfo/users">http://lists.genieacs.com/mailman/listinfo/users</a>
</pre>
</blockquote>
<br>
</body>
</html>