From 3bfd976a611a29585c93f5183458cc40f7280c06 Mon Sep 17 00:00:00 2001
From: Henrik Hautakoski
Date: Tue, 18 Jul 2023 05:20:02 +0200
Subject: [PATCH] Adding Redis Security

---
 .vitepress/config.ts | 11 +++-
 docs/redis/security/acl.md | 113 +++++++++++++++++++++++++++++++++++
 docs/redis/security/index.md | 44 ++++++++++++++
 3 files changed, 167 insertions(+), 1 deletion(-)
 create mode 100644 docs/redis/security/acl.md
 create mode 100644 docs/redis/security/index.md

diff --git a/.vitepress/config.ts b/.vitepress/config.ts
index 89ff149..111c4cc 100644
--- a/.vitepress/config.ts
+++ b/.vitepress/config.ts
@@ -41,7 +41,16 @@ export default defineConfig({
 },
 {
 text: 'Configuration',
- link: '/docs/configuration'
+ link: '/docs/configuration',
+ items: [
+ {
+ text: "Securing redis",
+ link: '/docs/redis/security/',
+ items: [
+ { text: "ACL", link: '/docs/redis/security/acl' },
+ ]
+ },
+ ]
 }
 ]
 },
diff --git a/docs/redis/security/acl.md b/docs/redis/security/acl.md
new file mode 100644
index 0000000..42ebb00
--- /dev/null
+++ b/docs/redis/security/acl.md
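Review bot: The two new `text` values use double quotes (`"Securing redis"`, `"ACL"`) while every other string in this hunk, including the sibling `link` values, uses single quotes; `text: 'Securing redis',` and `{ text: 'ACL', link: '/docs/redis/security/acl' },` would match the surrounding config. The new `link: '/docs/redis/security/'` is also the only link in the hunk with a trailing slash; if that is deliberate so the entry resolves to the section's `index.md`, a short comment such as `// trailing slash: targets docs/redis/security/index.md` would make the intent clear and keep the next editor from "fixing" it. The enclosing `defineConfig` object starts and ends outside the hunk.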
@@ -0,0 +1,113 @@
+# ACL
+
+By default, Redis does not impose any restrictions on the commands that clients can execute. This lack of
+restrictions raises security concerns, especially when dealing with clients that may not be fully trusted.
+However, there is no need to worry as Redis offers a solution in the form of [Access Control Lists (ACL)](https://en.wikipedia.org/wiki/Access-control_list).
+
+ACL in Redis enables the establishment of limited access for connections to the server, specifying which
+commands they are allowed to execute. In Thalos, this feature is crucial for maintaining security, ensuring
+that clients can only access specific channels within Thalos.
+
+The special account called `default` serves as the default account for unauthorized users, provided it is
+configured with a password. Connections can authenticate against this account without specifying a username.
+Thalos utilizes this account as the default user account.
+
+Additionally, it is advisable to restrict the Thalos server account as an added precaution against any unauthorized actions it may inadvertently perform, although such occurrences are highly unlikely.
+
+The ACL in thalos is simple and uses 2 accounts:
+
+* `default` account (user account, used by clients. only allowed to read from thalos specific channels)
+* `thalos-server` account (is allowed to publish to channels and also write to it's cache)
+
+there is also the `admin` account that is use for redis mangement. has access to everything.
+
+::: danger IMPORTANT
+Make sure you replace the passwords with a secure ones.
+
+It is recommended to use [ACL GENPASS](https://redis.io/commands/acl-genpass) to generate strong passwords.
+:::
+
+`redis.conf`
+
+```
+user default on >client_password resetchannels &ship::* +@connection +subscribe
+user admin on >admin_password ~* &* +@all
+user thalos on >server_password resetchannels &ship::* ~thalos::* +@connection +@read +@write +publish
+
+```
+
+## External file
+
+It is possible to use external config files to define users in redis.
+
+Just place the configuration above in an external file for example: `/etc/redis/users.acl` and then add this in `/etc/redis/redis.conf`
+
+```
+aclfile /etc/redis/users.acl
+```
+
+## Thalos tools
+
+There is also a tool to create the config lines for you.
+
+```sh
+$ thalos-tools redis-acl
+
+# Created by thalos-tools on Thu Jul 13 08:06:37 CEST 2023
+user default off
+user admin on SUBSCRIBE some_channel
+Reading messages... (press Ctrl-C to quit)
+(error) NOPERM this user has no permissions to access one of the channels used as arguments
+127.0.0.1:6379> SET random_key value
+(error) NOPERM this user has no permissions to run the 'set' command or its subcommand
+127.0.0.1:6379> SUBSCRIBE ship::1234
+Reading messages... (press Ctrl-C to quit)
+1) "subscribe"
+2) "ship::1234"
+3) (integer) 1
+
+```
+
+## Thalos config
+
+After you have setup ACL, make sure to update your `config.yml` with the account and password.
+
+```yaml
+redis:
+ user: thalos
+ password: p4ssw0rd
+```
+
+## Other ACL Configurations
+
+### No user password
+
+While not recommended, it is possible to have the default (user) account without password. that way the user does not need to authenticate (but still has limited access).
+just remove the password from `user default` line:
+
+```
+user default on resetchannels &ship::* +@connection +subscribe
+```
+
+### Thalos users with a different account
+
+It is also possible to provide a different account for users
+
+```
+user thalos-client on >client_password resetchannels &ship::* +@connection +subscribe
+```
+
+## Useful links
+
+* [Config File Example](https://redis.io/docs/management/config-file)
+* [Official ACL Documentation](https://redis.io/docs/management/security/acl)
\ No newline at end of file
diff --git a/docs/redis/security/index.md b/docs/redis/security/index.md
new file mode 100644
index 0000000..cb64fa6
--- /dev/null
+++ b/docs/redis/security/index.md
@@ -0,0 +1,44 @@
+
+# Securing redis
+
+This documentation primarily focuses on setups where Redis is exposed to the internet or an internal network where there is not complete control over the clients. For example, you may want to grant access to your Thalos instance to a friend. While trusting your friend is reasonable, it is essential to consider potential future scenarios where trust may no longer exist or their server could be compromised.
+
+If you intend to run Thalos for internal use only, such as having internal applications that are relying on a blockchain stream, it is perfectly acceptable to skip these steps if you have complete control over all involved servers and do not expose the instance over a public IP.
+
+## Isolating redis
+
+To ensure security, it is highly recommended to run Thalos on a dedicated Redis instance, ideally within a
+container or virtual machine.
+This isolation helps prevent data leaks in case of misconfigured Redis ACLs or unauthorized access to the
+admin password.
+Additionally, it safeguards against potential misconfigurations, such as other applications mistakenly
+writing sensitive data to Redis channels that can be accessed by Thalos clients.
+
+In summary, isolating Thalos in its own Redis instance provides an extra layer of safety.
+
+## Network
+
+The `bind` directive in `redis.conf` is used to tell redis what network interfaces it should bind to.
+Make sure to update this with the interfaces you intend to use.
+
+::: danger IMPORTANT
+Although it is recommended to limit Redis to the localhost interface for security purposes, with proper
+firewall and ACL configurations, it can be safely exposed to additional interfaces. Carefully evaluate the necessity of
+external access before making the change in the config file.
+:::
+
+```
+bind 192.168.1.100 10.0.0.1 # listens on two specific IPv4 addresses
+bind 127.0.0.1 ::1 # listens on loopback IPv4 and IPv6
+bind * -::* # like the default, all available interfaces
+```
+
+## Firewall
+
+Make sure you setup your firewall rules correctly. only allowing the ip's you trust to access the redis port.
+This is out of scope of this documentation. consult your operating system or router manuals.
+
+## Useful links
+
+* [Official Security Documentation](https://redis.io/docs/management/security)
+* [Config File Example](https://redis.io/docs/management/config-file)