How can you disable protected mode in Redis 3.2.6 Sentinel?
Asked Answered
G

2

12

I have attempted everything recommended by the following error message:

(error) DENIED Redis is running in protected mode because protected mode is enabled, no bind address was specified, no authentication password is requested to clients. In this mode connections are only accepted from the loopback interface. If you want to connect from external computers to Redis you may adopt one of the following solutions: 1) Just disable protected mode sending the command 'CONFIG SET protected-mode no' from the loopback interface by connecting to Redis from the same host the server is running, however MAKE SURE Redis is not publicly accessible from internet if you do so. Use CONFIG REWRITE to make this change permanent. 2) Alternatively you can just disable the protected mode by editing the Redis configuration file, and setting the protected mode option to 'no', and then restarting the server. 3) If you started the server manually just for testing, restart it with the '--protected-mode no' option. 4) Setup a bind address or an authentication password. NOTE: You only need to do one of the above things in order for the server to start accepting connections from the outside.

My /etc/redis/sentinel.conf:

daemonize yes
sentinel myid XXX
sentinel monitor master XXX 6379 2
sentinel down-after-milliseconds master 60000
sentinel config-epoch master 0
protected-mode no
bind 0.0.0.0
port 26379

EDIT: My /etc/redis/redis.conf:

port 6379
bind 0.0.0.0
protected-mode no

I've also tried adding sentinel auth-pass master XXX.

My entire backend is on private subnets. I'm VPN'd into my datacenter behind the firewall, coming from the same private network, and I can still only connect locally without getting that frustrating error message.

Server Environment: Debian 8, Redis 3.2.6
Client Environment: Ubuntu 16.10, redis-cli 3.2.1
Redis instances: 3
Sentinel instances: 3

I've done not just one, but 3/4 of the things suggested (didn't set the command-line flags). Does anyone have any guidance or ideas? I'm clearly missing something that I've been unable to figure out from the error message, documentation, Stackoverflow, Google, and trial & error. I figured I'd post a question here first, before diving into the source code.

Any help is appreciated. Thanks!

... and, yes, I've restarted the daemons after configuration changes. :)

Gift answered 30/3, 2017 at 2:39 Comment(1)
did you fix that? I'm running into the same issue :-/Lamellar
S
4

https://www.reddit.com/r/redis/comments/3zv85m/new_security_feature_redis_protected_mode/

As you know we got several problems from unprotected Redis instances exposed to the internet. I covered the reason why a restrictive binding to 127.0.0.1 by default may be an usability concern and, even worse, may not fix the problem (hey just comment the "bind" statement and restart!) in my blog post.

The same blog post introduced an attack that was heavily used by script kiddies to break into Redis instances (serious security researchers where already able to do this, I guess).

So I finally decided to do something before Redis 3.2 official release: Protected mode is the result and will be merged into 3.2 RC2.

The feature is already available in the unstable branch, introduced by this commit. This is how it works.

If and only if: Protected mode is enabled (this is the default both in the configuration file and in the configless default).

AND IF No AUTH password is configured.

AND IF No "bind" directive is used in order to restrict Redis to certain interfaces.

Then Redis only accepts connections from the loopback IPv4 and IPv6 addresses. External connections are accepted just for the time to send the client an error that makes the user aware of what is happening:

> PING

(error) DENIED Redis is running in protected mode because protected mode is enabled, no bind address was specified, no authentication password is requested to clients.

In this mode connections are only accepted from the lookback interface. If you want to connect from external computers to Redis you may adopt one of the following solutions:

  1. Just disable protected mode sending the command 'CONFIG SET protected-mode no' from the loopback interface by connecting to Redis from the same host the server is running, however MAKE SURE Redis is not publicly accessible from internet if you do so. Use CONFIG REWRITE to make this change permanent.

  2. Alternatively you can just disable the protected mode by editing the Redis configuration file, and setting the protected mode option to 'no', and then restarting the server.

  3. If you started the server manually just for testing, restart it with the --protected-mode no option.

  4. Setup a bind address or an authentication password. NOTE: You only need to do one of the above things in order for the server to start accepting connections from the outside.

This should protect errors in a reasonable way while providing users with a clue instead of a connection refused. Please share your feedbacks so that we can make changes to this feature if needed, before it will get merged into Redis 3.2 RC2. Thanks.

Stigmasterol answered 16/7, 2017 at 5:40 Comment(0)
K
1

For redis-stack 7.x.

Find the location of config_file

$ redis-cli info | grep config_file
config_file:/etc/redis-stack.conf

then add line protected-mode no to the config file e.g.

port 6379
protected-mode no
daemonize no

Then restart the server

sudo systemctl restart redis-stack-server
Kramer answered 21/10, 2023 at 5:2 Comment(0)

© 2022 - 2024 — McMap. All rights reserved.