I. Redis security hardening
1. Set a strong password.
Redis provides the requirepass directive to password-protect the instance. Once it is configured, a client must supply the password before it can access Redis, which gives a certain degree of protection.
- Use a sufficiently complex password, ideally 64 bytes or longer, mixing upper- and lower-case letters, digits and special characters to resist brute-force guessing.
- In a master/replica setup, configure masterauth on the replica so that replication does not fail.
- AUTH is transmitted in plaintext, so some risk remains.
2. Rename dangerous commands
Redis has many dangerous commands; misusing them can cause serious problems.
- keys: blocks Redis when there are many keys
- flushall and flushdb: wipe the data.
- save: blocks Redis when there are many keys
- debug: debug reload restarts Redis
- config: highly dangerous
- shutdown: stops Redis
3. Firewall
Use a firewall to block access to Redis from the public network.
4. bind
Specifies the network interface Redis listens on. This must be set to 127.0.0.1 and the internal-network interface (which you can look up with ipconfig).
5. Change the default port
Never use the default port, and also block public access to that port in the security group.
6. Do not start as root
Always drop privileges!!!
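As an added example (not code from the original note), here is a small Python audit that checks a redis.conf against items 1, 2, 4 and 5 of the checklist above: requirepass present and strong, the listed commands renamed or disabled, bind restricted to loopback or internal addresses, and a non-default port. The firewall and the user Redis runs as live outside the config file and are not checked. The two sample configs, the renamed command names and the password are constructed for the demonstration.

```python
"""Audit a redis.conf against the hardening checklist above.

Added example, not part of the original note. Checks the items that live in
the config file: requirepass (set, 64+ chars, mixed character classes), the
dangerous commands renamed or disabled, bind limited to loopback or internal
addresses, and a non-default port. The sample configs are constructed.
"""
import ipaddress
import re

# Commands the note lists as dangerous; each must be renamed (or disabled with "").
DANGEROUS_COMMANDS = ("keys", "flushall", "flushdb", "save", "debug", "config", "shutdown")
MIN_PASSWORD_LEN = 64   # the note recommends 64 bytes or more
DEFAULT_PORT = 6379


def parse_conf(text):
    """Turn redis.conf text into a list of (directive, [args]) with lowercase
    directive names. Double-quoted values stay one argument, so
    rename-command FLUSHALL "" yields ["FLUSHALL", ""]; comments and blank
    lines are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = [quoted if quoted else bare
                  for quoted, bare in re.findall(r'"([^"]*)"|(\S+)', line)]
        entries.append((tokens[0].lower(), tokens[1:]))
    return entries


def password_is_strong(pw):
    """Length and character-class check matching the note's recommendation."""
    classes = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")
    return len(pw) >= MIN_PASSWORD_LEN and all(re.search(c, pw) for c in classes)


def audit(text):
    """Return a list of findings; an empty list means every check passed."""
    entries = parse_conf(text)
    findings = []

    # 1. Password: present, long and complex enough to resist brute force.
    pw = [args for d, args in entries if d == "requirepass"]
    if not pw or not pw[-1] or not pw[-1][0]:
        findings.append("requirepass not set")
    elif not password_is_strong(pw[-1][0]):
        findings.append("requirepass weaker than 64+ chars with upper/lower/digit/symbol")

    # 2. Dangerous commands: every one needs a rename-command entry.
    renamed = {args[0].lower() for d, args in entries
               if d == "rename-command" and len(args) == 2}
    for cmd in DANGEROUS_COMMANDS:
        if cmd not in renamed:
            findings.append(f"dangerous command not renamed: {cmd}")

    # 4. bind: only loopback or internal (private) addresses. 0.0.0.0 is
    #    rejected explicitly because Python classes 0.0.0.0/8 as private.
    binds = [args for d, args in entries if d == "bind"]
    if not binds or not binds[-1]:
        findings.append("bind not set (Redis would listen on every interface)")
    else:
        for addr in binds[-1]:
            try:
                ip = ipaddress.ip_address(addr.lstrip("-"))  # Redis 7 allows a '-' prefix
            except ValueError:
                findings.append(f"bind address is not a single IP: {addr}")
                continue
            if ip.is_unspecified or not (ip.is_loopback or ip.is_private):
                findings.append(f"bind exposes a non-internal address: {addr}")

    # 5. Port: anything but the well-known default.
    ports = [args for d, args in entries if d == "port"]
    port = int(ports[-1][0]) if ports and ports[-1] else DEFAULT_PORT
    if port == DEFAULT_PORT:
        findings.append("port is the default 6379")
    return findings


WEAK_CONF = """
# constructed sample: looks like a stock redis.conf
bind 0.0.0.0
port 6379
requirepass hunter2
"""

HARDENED_CONF = """
# constructed sample: hardened per the checklist (password and names made up)
bind 127.0.0.1 10.0.0.12
port 16379
requirepass Xk9#mQ2$vL7!pR4@wN8&zT1^bC5*dF3(hJ6)kM0-eG2_sV9+yU4=aW7~qE1%tI8?Lp3!
rename-command KEYS ""
rename-command FLUSHALL ""
rename-command FLUSHDB ""
rename-command SAVE ""
rename-command DEBUG ""
rename-command CONFIG "cfg-9f2a7c1e"
rename-command SHUTDOWN "halt-4b8d3e6f"
"""

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"{name}: {audit(conf) or ['OK']}")
```

Run it against the real file with `audit(open("/etc/redis/redis.conf").read())`; every finding maps back to one numbered item of the checklist, so an empty list means the config-file part of the hardening is in place.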
II. The dangers of bigkeys and how to deal with them
1. What is a bigkey
Redis has the following data types: string, hash, list, set and zset. A string value cannot exceed 512MB, and a hash, list, set or zset cannot hold more than (2^32-1) elements. When a single string is too large, say over 10k, or a hash, list, set or zset has too many elements, the key can be considered a bigkey.
2. Why bigkeys are harmful
- In a redis-cluster deployment, bigkeys cause uneven memory distribution across nodes
- Blocking, which leads to timeouts
3. Locating bigkeys
1) redis-cli --bigkeys
This command reports the top-1 bigkey of each type, the number of keys per type and their average size. It is implemented with SCAN, so run it on the node itself (ideally a replica) to avoid blocking and unnecessary network overhead. Because it only reports the top 1 per type, it is awkward to use when there are many bigkeys to track down.
redis@localhost:~$ redis-cli
127.0.0.1:6379> set a "mpobject7800createupdaterawPythonEmpobjectsfilterdeptno20updatesalFsal1000011UPDATETbEmpSETsalTbEmpsal100WHERETbEmpdno20args10020EmpobjectsrawselectempnoenamejobfromTbEmpwheredno10mpobject7800createupdaterawPythonEmpobjectsfilterdeptno20updatesalFsal1000011UPDATETbEmpSETsalTbEmpsal100WHERETbEmpdno20args10020EmpobjectsrawselectempnoenamejobfromTbEmpwheredno10mpobject7800createupdaterawPythonEmpobjectsfilterdeptno20updatesalFsal1000011UPDATETbEmpSETsalTbEmpsal100WHERETbEmpdno20args10020EmpobjectsrawselectempnoenamejobfromTbEmpwheredno10mpobject7800createupdaterawPythonEmpobjectsfilterdeptno20updatesalFsal1000011UPDATETbEmpSETsalTbEmpsal100WHERETbEmpdno20args10020EmpobjectsrawselectempnoenamejobfromTbEmpwheredno10mpobject7800createupdaterawPythonEmpobjectsfilterdeptno20updatesalFsal1000011UPDATETbEmpSETsalTbEmpsal100WHERETbEmpdno20args10020EmpobjectsrawselectempnoenamejobfromTbEmpwheredno10mpobject7800createupdaterawPythonEmpobjectsfilterdeptno20updatesalFsal1000011UPDATETbEmpSETsalTbEmpsal100WHERETbEmpdno20args10020EmpobjectsrawselectempnoenamejobfromTbEmpwheredno10mpobject7800createupdaterawPythonEmpobjectsfilterdeptno20updatesalFsal1000011UPDATETbEmpSETsalTbEmpsal100WHERETbEmpdno20args10020EmpobjectsrawselectempnoenamejobfromTbEmpwheredno10mpobject7800createupdaterawPythonEmpobjectsfilterdeptno20updatesalFsal1000011UPDATETbEmpSETsalTbEmpsal100WHERETbEmpdno20args10020EmpobjectsrawselectempnoenamejobfromTbEmpwheredno10mpobject7800createupdaterawPythonEmpobjectsfilterdeptno20updatesalFsal1000011UPDATETbEmpSETsalTbEmpsal100WHERETbEmpdno20args10020EmpobjectsrawselectempnoenamejobfromTbEmpwheredno10mpobject7800createupdaterawPythonEmpobjectsfilterdeptno20updatesalFsal1000011UPDATETbEmpSETsalTbEmpsal100WHERETbEmpdno20args10020EmpobjectsrawselectempnoenamejobfromTbEmpwheredno10mpobject7800createupdaterawPythonEmpobjectsfilterdeptno20updatesalFsal1000011UPDATETbEmpSETsalTbEmpsal100WHERETbEmpdno20args10020EmpobjectsrawselectempnoenamejobfromTbEmpwheredno10mpobject7800createupdaterawPythonEmpobjectsfilterdeptno20updatesalFsal1000011UPDATETbEmpSETsalTbEmpsal100WHERETbEmpdno20args10020EmpobjectsrawselectempnoenamejobfromTbEmpwheredno10mpobject7800createupdaterawPythonEmpobjectsfilterdeptno20updatesalFsal1000011UPDATETbEmpSETsalTbEmpsal100WHERETbEmpdno20args10020EmpobjectsrawselectempnoenamejobfromTbEmpwheredno10mpobject7800createupdaterawPythonEmpobjectsfilterdeptno20updatesalFsal1000011UPDATETbEmpSETsalTbEmpsal100WHERETbEmpdno20args10020EmpobjectsrawselectempnoenamejobfromTbEmpwheredno10mpobject7800createupdaterawPythonEmpobjectsfilterdeptno20updatesalFsal1000011UPDATETbEmpSETsalTbEmpsal100WHERETbEmpdno20args10020EmpobjectsrawselectempnoenamejobfromTbEmpwheredno10"
OK
127.0.0.1:6379> get a
"mpobject7800createupdaterawPythonEmpobjectsfilterdeptno20updatesalFsal1000011UPDATETbEmpSETsalTbEmpsal100WHERETbEmpdno20args10020EmpobjectsrawselectempnoenamejobfromTbEmpwheredno10mpobject7800createupdaterawPythonEmpobjectsfilterdeptno20updatesalFsal1000011UPDATETbEmpSETsalTbEmpsal100WHERETbEmpdno20args10020EmpobjectsrawselectempnoenamejobfromTbEmpwheredno10mpobject7800createupdaterawPythonEmpobjectsfilterdeptno20updatesalFsal1000011UPDATETbEmpSETsalTbEmpsal100WHERETbEmpdno20args10020EmpobjectsrawselectempnoenamejobfromTbEmpwheredno10mpobject7800createupdaterawPythonEmpobjectsfilterdeptno20updatesalFsal1000011UPDATETbEmpSETsalTbEmpsal100WHERETbEmpdno20args10020EmpobjectsrawselectempnoenamejobfromTbEmpwheredno10mpobject7800createupdaterawPythonEmpobjectsfilterdeptno20updatesalFsal1000011UPDATETbEmpSETsalTbEmpsal100WHERETbEmpdno20args10020EmpobjectsrawselectempnoenamejobfromTbEmpwheredno10mpobject7800createupdaterawPythonEmpobjectsfilterdeptno20updatesalFsal1000011UPDATETbEmpSETsalTbEmpsal100WHERETbEmpdno20args10020EmpobjectsrawselectempnoenamejobfromTbEmpwheredno10mpobject7800createupdaterawPythonEmpobjectsfilterdeptno20updatesalFsal1000011UPDATETbEmpSETsalTbEmpsal100WHERETbEmpdno20args10020EmpobjectsrawselectempnoenamejobfromTbEmpwheredno10mpobject7800createupdaterawPythonEmpobjectsfilterdeptno20updatesalFsal1000011UPDATETbEmpSETsalTbEmpsal100WHERETbEmpdno20args10020EmpobjectsrawselectempnoenamejobfromTbEmpwheredno10mpobject7800createupdaterawPythonEmpobjectsfilterdeptno20updatesalFsal1000011UPDATETbEmpSETsalTbEmpsal100WHERETbEmpdno20args10020EmpobjectsrawselectempnoenamejobfromTbEmpwheredno10mpobject7800createupdaterawPythonEmpobjectsfilterdeptno20updatesalFsal1000011UPDATETbEmpSETsalTbEmpsal100WHERETbEmpdno20args10020EmpobjectsrawselectempnoenamejobfromTbEmpwheredno10mpobject7800createupdaterawPythonEmpobjectsfilterdeptno20updatesalFsal1000011UPDATETbEmpSETsalTbEmpsal100WHERETbEmpdno20args10020EmpobjectsrawselectempnoenamejobfromTbEmpwheredno10mpobject7800createupdaterawPythonEmpobjectsfilterdeptno20updatesalFsal1000011UPDATETbEmpSETsalTbEmpsal100WHERETbEmpdno20args10020EmpobjectsrawselectempnoenamejobfromTbEmpwheredno10mpobject7800createupdaterawPythonEmpobjectsfilterdeptno20updatesalFsal1000011UPDATETbEmpSETsalTbEmpsal100WHERETbEmpdno20args10020EmpobjectsrawselectempnoenamejobfromTbEmpwheredno10mpobject7800createupdaterawPythonEmpobjectsfilterdeptno20updatesalFsal1000011UPDATETbEmpSETsalTbEmpsal100WHERETbEmpdno20args10020EmpobjectsrawselectempnoenamejobfromTbEmpwheredno10mpobject7800createupdaterawPythonEmpobjectsfilterdeptno20updatesalFsal1000011UPDATETbEmpSETsalTbEmpsal100WHERETbEmpdno20args10020EmpobjectsrawselectempnoenamejobfromTbEmpwheredno10"
127.0.0.1:6379> exit
redis@localhost:~$ redis-cli --bigkeys
# Scanning the entire keyspace to find biggest keys as well as
# average sizes per key type. You can use -i 0.1 to sleep 0.1 sec
# per 100 SCAN commands (not usually needed).
[00.00%] Biggest string found so far 'a' with 2700 bytes
-------- summary -------
Sampled 3 keys in the keyspace!
Total key length in bytes is 9 (avg len 3.00)
Biggest string found 'a' has 2700 bytes
0 lists with 0 items (00.00% of keys, avg size 0.00)
0 hashs with 0 fields (00.00% of keys, avg size 0.00)
3 strings with 3655 bytes (100.00% of keys, avg size 1218.33)
0 streams with 0 entries (00.00% of keys, avg size 0.00)
0 sets with 0 members (00.00% of keys, avg size 0.00)
0 zsets with 0 members (00.00% of keys, avg size 0.00)
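Since redis-cli --bigkeys only reports the top 1 per type, the following Python scanner (an added example, not part of the note or of redis-cli) walks the keyspace with SCAN exactly as --bigkeys does and keeps the top-N keys of each type plus every key over a size threshold. It works with any client exposing scan/type/strlen/hlen/llen/scard/zcard/xlen with redis-py-style signatures, such as redis.Redis(decode_responses=True); FakeRedis and SAMPLE_DATA are constructed stand-ins so the demonstration runs offline (the three strings mirror the session above), and the 5000-element container threshold is an assumption, since the note only gives a number (10k) for strings.

```python
"""Scan a Redis keyspace for bigkeys with SCAN, reporting the top-N keys of
each type instead of the top 1 printed by redis-cli --bigkeys.

Added example, not the original note's code and not part of redis-cli. It
measures keys the same way --bigkeys does (bytes for strings, element counts
for containers). FakeRedis is a constructed in-memory stand-in for
redis.Redis(decode_responses=True); the container thresholds are assumed.
"""
import heapq
import time
from collections import defaultdict

# Size command per type, the same measure redis-cli --bigkeys uses.
SIZE_COMMAND = {"string": "strlen", "hash": "hlen", "list": "llen",
                "set": "scard", "zset": "zcard", "stream": "xlen"}

# Above these a key is reported as a bigkey. 10k bytes for strings comes from
# the note; 5000 elements for containers is an assumed operational limit.
THRESHOLDS = {"string": 10 * 1024, "hash": 5000, "list": 5000,
              "set": 5000, "zset": 5000, "stream": 5000}


def scan_bigkeys(client, top_n=3, count=100, interval=0.0, thresholds=THRESHOLDS):
    """Walk the whole keyspace with SCAN (never KEYS, which blocks the server).
    Returns (top, summary, over): top maps type -> [(size, key), ...] largest
    first; summary maps type -> {keys, total, avg}; over lists (type, key, size)
    for every key above its threshold, largest first. `interval` sleeps between
    SCAN batches, like the -i option of redis-cli."""
    top = defaultdict(list)                  # type -> min-heap of (size, key)
    totals = defaultdict(lambda: [0, 0])     # type -> [key count, summed size]
    over = []
    cursor = 0
    while True:
        cursor, keys = client.scan(cursor=cursor, count=count)
        for key in keys:
            ktype = client.type(key)
            cmd = SIZE_COMMAND.get(ktype)
            if cmd is None:      # 'none' (expired since SCAN) or a module type: skip
                continue
            size = getattr(client, cmd)(key)
            totals[ktype][0] += 1
            totals[ktype][1] += size
            heap = top[ktype]
            if len(heap) < top_n:
                heapq.heappush(heap, (size, key))
            elif size > heap[0][0]:
                heapq.heapreplace(heap, (size, key))
            if size > thresholds.get(ktype, float("inf")):
                over.append((ktype, key, size))
        if cursor == 0:          # SCAN hands back cursor 0 once the walk is complete
            break
        if interval:
            time.sleep(interval)
    top = {t: sorted(h, reverse=True) for t, h in top.items()}
    summary = {t: {"keys": n, "total": s, "avg": s / n} for t, (n, s) in totals.items()}
    over.sort(key=lambda item: item[2], reverse=True)
    return top, summary, over


class FakeRedis:
    """Constructed in-memory stand-in: key -> (type, size). Only the commands
    the scanner needs are implemented, with redis-py-like signatures."""

    def __init__(self, data):
        self._data = dict(data)
        self._keys = list(self._data)

    def scan(self, cursor=0, match=None, count=10):
        end = min(cursor + count, len(self._keys))
        return (0 if end >= len(self._keys) else end), self._keys[cursor:end]

    def type(self, key):
        return self._data.get(key, ("none", 0))[0]

    def _size(self, key):
        return self._data[key][1]

    strlen = hlen = llen = scard = zcard = xlen = _size


# Constructed keyspace: the three strings match the session above (2700 + 500 + 455
# = 3655 bytes); the rest are made up to show several bigkeys of one type.
SAMPLE_DATA = {
    "a": ("string", 2700), "b": ("string", 500), "c": ("string", 455),
    "blob": ("string", 20480),
    "user:1": ("hash", 20000), "user:2": ("hash", 12000), "user:3": ("hash", 40),
    "queue": ("list", 8000),
    "tags": ("set", 300),
}


def demo(top_n=2, count=4):
    """Run the scanner over the constructed sample keyspace in small SCAN batches."""
    return scan_bigkeys(FakeRedis(SAMPLE_DATA), top_n=top_n, count=count)


if __name__ == "__main__":
    top, summary, over = demo()
    for ktype, entries in top.items():
        print(ktype, entries, summary[ktype])
    print("over threshold:", over)
```

Against a live instance, point it at a replica and use a small `count` with a non-zero `interval`, for the same reason the note gives for --bigkeys: the walk is many cheap SCAN round trips rather than one blocking KEYS, and the per-type size commands are O(1), so the production master never stalls.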