Redis security password

[Richard]

Hello,

Should we leave mention about redis security and how to set password??

Here https://github.com/web2py/web2py/blob/master/gluon/contrib/redis_cache.py#L39 or in the book...

# Redis Server need Administrative password to avoid hacking by Linux.lady and Linux.Download.196 trojan

# Ref.: http://news.softpedia.com/news/linux-trojan-mines-for-cryptocurrency-using-misconfigured-redis-database-servers-507115.shtml

# Ref.: https://www.riskbasedsecurity.com/2016/07/redis-over-6000-installations-compromised/

# Ref.: http://www.tutorialspoint.com/redis/redis_security.htm

# NOTE: We can't set password from redis-cli because it get overrided by redis.conf

sed -i 's/# requirepass foobared/requirepass "${REDISPASSWORD}"/g' /etc/redis/redis.conf

service redis-server restart

Richard

[Niphlod]

"should we leave mention that every site should be serverd only through https only and that sensitive data should be protected by some kind of authentication system" ?

my redis instance listens only on localhost. and that's the way it's supposed to be. 

IMHO comments on the sourcecode will be never read by who is so stupid to publish its redis instance over the net.

[Massimo DiPierro]

LOL

--
-- mail from:GoogleGroups "web2py-developers" mailing list
make speech: web2py-developers@googlegroups.com
unsubscribe: web2py-developers+unsubscribe@googlegroups.com
details : http://groups.google.com/group/web2py-developers
the project: http://code.google.com/p/web2py/
official : http://www.web2py.com/
---
You received this message because you are subscribed to the Google Groups "web2py-developers" group.
To unsubscribe from this group and stop receiving emails from it, send an email to web2py-developers+unsubscribe@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[Richard Vézina]

6000 deployment over 30000

[Richard Vézina]

I guess this should should be manage at installation by package manager... 

And actually we are talking many time about https in the book...

It just kind to act a reminder as there is a exploit and because package is not properly configured to me.

Richard

[Niphlod]

mmmmhhhhh .... http://download.redis.io/redis-stable/redis.conf , line 61. it's perfectly fine.

6000 deployment over 30000

LOL

make speech: web2py-d...@googlegroups.com
unsubscribe: web2py-develop...@googlegroups.com

details : http://groups.google.com/group/web2py-developers
the project: http://code.google.com/p/web2py/
official : http://www.web2py.com/
---
You received this message because you are subscribed to the Google Groups "web2py-developers" group.

To unsubscribe from this group and stop receiving emails from it, send an email to web2py-develop...@googlegroups.com.

For more options, visit https://groups.google.com/d/optout.

--
-- mail from:GoogleGroups "web2py-developers" mailing list

make speech: web2py-d...@googlegroups.com
unsubscribe: web2py-develop...@googlegroups.com

details : http://groups.google.com/group/web2py-developers
the project: http://code.google.com/p/web2py/
official : http://www.web2py.com/
---
You received this message because you are subscribed to the Google Groups "web2py-developers" group.

To unsubscribe from this group and stop receiving emails from it, send an email to web2py-develop...@googlegroups.com.