How can you disable protected mode in Redis 3.2.6 Sentinel?

redis sentinel redis-sentinel
pestilence669 picture pestilence669 · Mar 30, 2017 · Viewed 14.7k times · Source

I have attempted everything recommended by the following error message:

(error) DENIED Redis is running in protected mode because protected mode is enabled, no bind address was specified, no authentication password is requested to clients. In this mode connections are only accepted from the loopback interface. If you want to connect from external computers to Redis you may adopt one of the following solutions: 1) Just disable protected mode sending the command 'CONFIG SET protected-mode no' from the loopback interface by connecting to Redis from the same host the server is running, however MAKE SURE Redis is not publicly accessible from internet if you do so. Use CONFIG REWRITE to make this change permanent. 2) Alternatively you can just disable the protected mode by editing the Redis configuration file, and setting the protected mode option to 'no', and then restarting the server. 3) If you started the server manually just for testing, restart it with the '--protected-mode no' option. 4) Setup a bind address or an authentication password. NOTE: You only need to do one of the above things in order for the server to start accepting connections from the outside.

My /etc/redis/sentinel.conf:

daemonize yes
sentinel myid XXX
sentinel monitor master XXX 6379 2
sentinel down-after-milliseconds master 60000
sentinel config-epoch master 0
protected-mode no
bind 0.0.0.0
port 26379

EDIT: My /etc/redis/redis.conf:

port 6379
bind 0.0.0.0
protected-mode no

I've also tried adding sentinel auth-pass master XXX.

My entire backend is on private subnets. I'm VPN'd into my datacenter behind the firewall, coming from the same private network, and I can still only connect locally without getting that frustrating error message.

Server Environment: Debian 8, Redis 3.2.6
Client Environment: Ubuntu 16.10, redis-cli 3.2.1
Redis instances: 3
Sentinel instances: 3

I've done not just one, but 3/4 of the things suggested (didn't set the command-line flags). Does anyone have any guidance or ideas? I'm clearly missing something that I've been unable to figure out from the error message, documentation, Stackoverflow, Google, and trial & error. I figured I'd post a question here first, before diving into the source code.

Any help is appreciated. Thanks!

... and, yes, I've restarted the daemons after configuration changes. :)

Answer

Allen picture Allen · Jul 16, 2017

https://www.reddit.com/r/redis/comments/3zv85m/new_security_feature_redis_protected_mode/

As you know we got several problems from unprotected Redis instances exposed to the internet. I covered the reason why a restrictive binding to 127.0.0.1 by default may be an usability concern and, even worse, may not fix the problem (hey just comment the "bind" statement and restart!) in my blog post.

The same blog post introduced an attack that was heavily used by script kiddies to break into Redis instances (serious security researchers where already able to do this, I guess).

So I finally decided to do something before Redis 3.2 official release: Protected mode is the result and will be merged into 3.2 RC2.

The feature is already available in the unstable branch, introduced by this commit. This is how it works.

If and only if: Protected mode is enabled (this is the default both in the configuration file and in the configless default).

AND IF No AUTH password is configured.

AND IF No "bind" directive is used in order to restrict Redis to certain interfaces.

Then Redis only accepts connections from the loopback IPv4 and IPv6 addresses. External connections are accepted just for the time to send the client an error that makes the user aware of what is happening:

> PING

(error) DENIED Redis is running in protected mode because protected mode is enabled, no bind address was specified, no authentication password is requested to clients.

In this mode connections are only accepted from the lookback interface. If you want to connect from external computers to Redis you may adopt one of the following solutions:

  1. Just disable protected mode sending the command 'CONFIG SET protected-mode no' from the loopback interface by connecting to Redis from the same host the server is running, however MAKE SURE Redis is not publicly accessible from internet if you do so. Use CONFIG REWRITE to make this change permanent.

  2. Alternatively you can just disable the protected mode by editing the Redis configuration file, and setting the protected mode option to 'no', and then restarting the server.

  3. If you started the server manually just for testing, restart it with the --protected-mode no option.

  4. Setup a bind address or an authentication password. NOTE: You only need to do one of the above things in order for the server to start accepting connections from the outside.

This should protect errors in a reasonable way while providing users with a clue instead of a connection refused. Please share your feedbacks so that we can make changes to this feature if needed, before it will get merged into Redis 3.2 RC2. Thanks.

Related questions

How to setup a connection to Redis Sentinel using Jedis library?

How do I setup a connection to a Redis Sentinel server/cluster using the Jedis library?

Read More
How do I run Redis on Windows?

How do I run Redis on Windows? The Redis download page just seems to offer *nix options. Can I run Redis natively on Windows?

Read More
Memcached vs. Redis?

We're using a Ruby web-app with Redis server for caching. Is there a point to test Memcached instead? What will give us better performance? Any pros or cons between Redis and Memcached? Points to consider: Read/write speed. Memory usage. …

Read More