
Clarifications on the Incapsula Redis security report - bjerun
http://antirez.com/news/118
======
gomox
It seemed strange to me that the protected mode text warning gives a long
winded explanation on 3 ways to disable protected mode first, and leaves the
most desireable (change the bind address or password) option for last with a
much more brief and less helpful explanation.

I would have done a long detailed explanation on bind addr/password, and a
"you can also disable protected mode by looking up how to do it on XXXXX" at
the end.

Based on my experience with product design decisions, that detail right there
probably had a huge impact on the actual adoption of the desired choice.

~~~
antirez
I agree, thanks for the suggestion.

~~~
gomox
Thanks to you, for the awesome software!

------
jamiesonbecker
I love Redis, and antirez is a genius. The simple solution is usually the most
secure: Redis should just bind to _localhost_ by default, unless it's
specifically told to bind to other interfaces.

------
mirceal
I think while it’s bad to have people thinking that Redis has “security”
issues, no matter what you do people will find ways to work around it.

I personally would like to see Redis focus on what it’s best for and not add
additional “features” for the purpose of PR.

Redis is an awesome piece of software, but at the end of the day, the user of
the software is responsible for using it properly.

------
twic
Surely the real WTF here is that Redis allows unauthenticated connections over
the network at all?

I appreciate that it's too late to go back and change this, as it would break
existing installations on upgrade, but perhaps it's worth pointing that out
for the benefit of future server developers.

If you want to make things easy for initial setup, you could allow
unauthenticated connections over UNIX domain sockets, and/or the loopback
interface. And perhaps only if there is no password configured?

If you want to really make it hard for users to screw up, how about requiring
the admin to configure a password for remote access, but also generating some
random secret on installation or first boot, and requiring both for
authentication. Then, even a weak password doesn't make it easy for a remote
attacker to gain access.

~~~
antirez
Hello twic, since version 4 Redis by default does not accept connections that
are not originating from localhost. Yet we have still problems! Please read
the blog post for the exact details about why sane defaults were not enough.

~~~
snowwolf
I think the point the parent is trying to make is why allow options 1-3
(disable protected mode) at all? Why not require only option 4 to accept non
localhost connections?

Although that doesn’t stop someone setting up an install script with a
“default” password that becomes known.

~~~
awinder
Taking a cursory glance you can find a lot of articles on — exposed MySQL /
Postgres servers being infected when they run with weak / default passwords.
Exposing your db servers beyond the private network is the problem, kudos for
trying to support people, but trying to secure open dbs on the net will always
be a cat & mouse game.

