0 Replies Latest reply on Jan 23, 2017 4:09 PM by CurtisR

    caution: redis default config (Linux.Lady)

    CurtisR

Hey everyone, I wanted to inform you all of a potential security risk I just ran into. My company has designed a product based on the Intel Edison and has been field testing our devices. In our device we install some cron jobs that monitor/maintain some critical system processes. A while back I noticed that some of these processes were being stopped in a few of our remote devices. It appeared there was another process that was overwriting our crontabs and installing malicious scripts. Long story short, I isolated the problem to the default config of Redis. Apparently misconfigured Redis servers can be accessed remotely and allow for files to be read/written. A few things about Redis security - <antirez>. One instance of malicious attack was a crontab change that generated some ssh keys. Another instance was the installation of the Linux.Lady trojan, which basically turns the Edison into a bitcoin miner that can be spread throughout a network. I have altered the file at /etc/redis/redis.conf to fix the Redis backdoor. I uncommented "bind 127.0.0.1" and uncommented "requirepass XXXXXX", which requires a password and blocks all remote connections to the server. This has fixed the problem for us, and we got so many requests on the Redis port that I would recommend anyone connecting to the internet and using the cron package to make the changes I did. Just wanted to give you guys a heads up and a reminder to pay attention to security.

       

      Also, does anyone know if there are any processes that require the redis db? I may just remove the package from my yocto build.

       

      Thanks,

      Curtis
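The following script is an added example, not code from the original post or from Intel/Redis. It does two things a practitioner would want after reading Curtis' report: it audits a redis.conf for the two settings he changed (`bind` and `requirepass`, plus `protected-mode`, which Redis 3.2+ uses as a fallback when neither is set), and it classifies the reply a Redis server gives to an unauthenticated `PING` sent over the wire, so you can confirm from a second machine that the fix actually took. The two config strings are constructed to mirror the "before" and "after" described in the post; the placeholder password, the `-` bind prefix handling, and the 16-character minimum length are assumptions of this example, not anything stated on the page.

```python
"""Audit redis.conf for the exposure described in the post, and interpret a
Redis server's reply to an unauthenticated PING.

Added example (not code from the original post). Sample configs below are
constructed; directive names are real redis.conf directives.
"""
import socket

# Constructed: a stock redis.conf with bind/requirepass still commented out,
# which is the state the post says its Edison devices shipped in.
DEFAULT_CONF = """
# bind 127.0.0.1
# requirepass foobared
port 6379
daemonize yes
"""

# Constructed: the post's fix (both lines uncommented). Password is a placeholder.
FIXED_CONF = """
bind 127.0.0.1
requirepass replace-with-a-long-random-password
port 6379
daemonize yes
"""


def parse_redis_conf(text):
    """Return {directive: [[value, ...], ...]} for active (uncommented) lines.
    Redis has no inline comments, so a line is either a comment or a directive."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        conf.setdefault(parts[0].lower(), []).append(parts[1:])
    return conf


def audit_redis_conf(text, min_password_len=16):
    """Return a list of findings; an empty list means the config passes."""
    conf = parse_redis_conf(text)
    findings = []

    binds = conf.get("bind")
    if not binds:
        findings.append("no 'bind' directive: Redis listens on every interface")
    else:
        # Redis 7 allows an optional "-" prefix (e.g. "-::1") meaning "bind if present".
        addrs = {a.lstrip("-") for values in binds for a in values}
        non_local = sorted(addrs - {"127.0.0.1", "::1"})
        if non_local:
            findings.append("bind includes non-loopback address(es): " + ", ".join(non_local))

    pw = conf.get("requirepass")
    secret = pw[-1][0].strip('"') if pw and pw[-1] else ""
    if not secret:
        findings.append("no 'requirepass': any client that reaches the port has full access")
    elif len(secret) < min_password_len:
        # Assumed threshold: Redis answers AUTH very fast, so short secrets are brute-forceable.
        findings.append("requirepass is shorter than %d characters" % min_password_len)

    pm = conf.get("protected-mode")
    if pm and pm[-1] and pm[-1][0].lower() == "no":
        findings.append("protected-mode explicitly disabled")

    return findings


def resp_command(*args):
    """Encode a command as a RESP array, the framing redis-cli uses on the wire."""
    out = [("*%d\r\n" % len(args)).encode()]
    for arg in args:
        b = arg.encode()
        out.append(b"$%d\r\n%s\r\n" % (len(b), b))
    return b"".join(out)


def classify_ping_reply(reply):
    """Map the server's reply to an unauthenticated PING onto a verdict string."""
    if reply.startswith(b"+PONG"):
        return "OPEN: unauthenticated commands are accepted"
    if reply.startswith(b"-NOAUTH"):
        return "AUTH REQUIRED: requirepass is in effect"
    if reply.startswith(b"-DENIED"):
        return "PROTECTED: protected-mode refused the client"
    return "UNKNOWN: " + reply.decode("utf-8", errors="replace").strip()


def probe(host, port=6379, timeout=3.0):
    """Connect from another machine and send PING. A connection refusal means the
    bind fix holds; OPEN means the device still exposes Redis as the post describes."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(resp_command("PING"))
        return classify_ping_reply(s.recv(1024))


if __name__ == "__main__":
    for name, conf in (("default", DEFAULT_CONF), ("fixed", FIXED_CONF)):
        print(name, audit_redis_conf(conf) or ["ok"])
```

Run `audit_redis_conf(open("/etc/redis/redis.conf").read())` on the device itself, and `probe("<device-ip>")` from a host outside it; the probe must fail to connect or report AUTH REQUIRED, never OPEN. Note that `bind 127.0.0.1` alone already stops the remote writes Curtis saw, while `requirepass` additionally protects against anything running locally on the Edison that can reach the loopback port.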