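I. Redis security hardening

1. Set a strong password.

Redis provides the requirepass setting for password protection. Once it is configured, clients must supply the password before they can access Redis, which provides a degree of security.

  • Set a sufficiently complex password, preferably 64 bytes or longer. Make it as complex as possible, ideally mixing upper and lower case letters, digits and special characters, to resist brute-force attacks.
  • In a master-replica setup, also configure masterauth on the replica nodes so that replication does not fail.
  • AUTH is transmitted in plaintext, so some risk remains.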

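2. Rename dangerous commands

Redis has many dangerous commands, and misusing them can cause serious problems.

  • keys: blocks Redis when there are too many key-value pairs
  • flushall and flushdb: wipe the data.
  • save: blocks Redis when there are too many key-value pairs
  • debug: debug reload can restart Redis
  • config: highly dangerous
  • shutdown: stops Redis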

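3. Firewall

Use a firewall to restrict access to Redis from the public network.

4. bind

Specifies the network interfaces Redis listens on. This must be 127.0.0.1 and the internal network interface (which can be found with ipconfig).

5. Change the default port

Never use the default port. It is also recommended to block public access to that port with a security group.

6. Start as a non-root user

Always drop privileges!!!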
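
The redis.conf settings from items 1, 2, 4 and 5 above can be checked automatically. The following is an added example, not part of the original page: a small auditor in which the function names, the sample configurations and the placeholder password are assumptions made for illustration.

```python
import ipaddress
import shlex

DANGEROUS = ("keys", "flushall", "flushdb", "save", "debug", "config", "shutdown")  # page's list

def parse_conf(text):
    """Parse redis.conf text into {directive: [argument list per occurrence]}."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):   # redis.conf comments are whole lines
            name, *args = shlex.split(line)     # shlex handles quoted arguments
            conf.setdefault(name.lower(), []).append(args)
    return conf

def weak_password(pw):
    """Page's rule: at least 64 bytes, with upper case, lower case, digits and specials."""
    classes = (str.isupper, str.islower, str.isdigit, lambda c: not c.isalnum())
    return len(pw.encode()) < 64 or not all(any(f(c) for c in pw) for f in classes)

def exposed(addr):
    """True unless addr is an IP that Python's ipaddress module classes as private."""
    try:
        ip = ipaddress.ip_address(addr.lstrip("-"))   # tolerate an optional "-" prefix
    except ValueError:                                # "*" or a hostname
        return True
    return ip.is_unspecified or not ip.is_private     # ipaddress calls 0.0.0.0 private

def audit(text, is_replica=False):
    """Return the settings that fail the page's checklist (items 1, 2, 4 and 5)."""
    conf = parse_conf(text)
    last = lambda name: (conf.get(name) or [[]])[-1]  # arguments of the last occurrence
    binds = [a for args in conf.get("bind", []) for a in args]
    renamed = {args[0].lower() for args in conf.get("rename-command", []) if args}
    checks = {"requirepass": weak_password("".join(last("requirepass")[:1])),
              "masterauth": is_replica and not last("masterauth"),
              "bind": not binds or any(exposed(a) for a in binds),
              "port": "".join(last("port")[:1]) in ("", "6379")}  # absent means 6379
    failed = [name for name, bad in checks.items() if bad]
    return failed + [f"rename-command {c}" for c in DANGEROUS if c not in renamed]

# Constructed sample configurations (not from the original page).
PW = "Aa1!" * 16                                      # 64-byte placeholder, not a real secret
WEAK = "port 6379\nbind 0.0.0.0\nrequirepass redis123\n"
HARDENED = "\n".join(
    ["port 16379", "bind 127.0.0.1 10.0.0.5", f'requirepass "{PW}"', f'masterauth "{PW}"']
    + [f"rename-command {c.upper()} {c}_PLACEHOLDER" for c in DANGEROUS])
```

`audit(WEAK)` lists every failed setting, while `audit(HARDENED, is_replica=True)` returns an empty list. The firewall and non-root items are outside redis.conf and are not covered.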

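II. Dangers of bigkeys and how to handle them

1. What is a bigkey

Redis has the following data types: string, hash, list, set and zset. A string value cannot exceed 512MB, and a hash, list, set or zset cannot hold more than (2^32-1) elements. When a single string is too large, for example over 10k, or a hash, list, set or zset holds too many elements, the key can be considered a bigkey.

2. Dangers of bigkeys

  • In a redis-cluster deployment, bigkeys cause uneven memory distribution
  • Blocking, which leads to timeouts

3. Locating bigkeys

1. redis-cli --bigkeys

This command reports the top 1 bigkey of each type, the number of keys of each data type, and their average size. Because it is implemented with SCAN, it is best run locally on the node itself (ideally a replica) to avoid blocking and unnecessary network overhead. However, it only reports the top 1 of each type, so when several bigkeys exist, tracking the problem down is more troublesome.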

  redis@localhost:~$ redis-cli
  127.0.0.1:6379> set a "mpobject7800createupdaterawPythonEmpobjectsfilterdeptno20updatesalFsal1000011UPDATETbEmpSETsalTbEmpsal100WHERETbEmpdno20args10020EmpobjectsrawselectempnoenamejobfromTbEmpwheredno10mpobject7800createupdaterawPythonEmpobjectsfilterdeptno20updatesalFsal1000011UPDATETbEmpSETsalTbEmpsal100WHERETbEmpdno20args10020EmpobjectsrawselectempnoenamejobfromTbEmpwheredno10mpobject7800createupdaterawPythonEmpobjectsfilterdeptno20updatesalFsal1000011UPDATETbEmpSETsalTbEmpsal100WHERETbEmpdno20args10020EmpobjectsrawselectempnoenamejobfromTbEmpwheredno10mpobject7800createupdaterawPythonEmpobjectsfilterdeptno20updatesalFsal1000011UPDATETbEmpSETsalTbEmpsal100WHERETbEmpdno20args10020EmpobjectsrawselectempnoenamejobfromTbEmpwheredno10mpobject7800createupdaterawPythonEmpobjectsfilterdeptno20updatesalFsal1000011UPDATETbEmpSETsalTbEmpsal100WHERETbEmpdno20args10020EmpobjectsrawselectempnoenamejobfromTbEmpwheredno10mpobject7800createupdaterawPythonEmpobjectsfilterdeptno20updatesalFsal1000011UPDATETbEmpSETsalTbEmpsal100WHERETbEmpdno20args10020EmpobjectsrawselectempnoenamejobfromTbEmpwheredno10mpobject7800createupdaterawPythonEmpobjectsfilterdeptno20updatesalFsal1000011UPDATETbEmpSETsalTbEmpsal100WHERETbEmpdno20args10020EmpobjectsrawselectempnoenamejobfromTbEmpwheredno10mpobject7800createupdaterawPythonEmpobjectsfilterdeptno20updatesalFsal1000011UPDATETbEmpSETsalTbEmpsal100WHERETbEmpdno20args10020EmpobjectsrawselectempnoenamejobfromTbEmpwheredno10mpobject7800createupdaterawPythonEmpobjectsfilterdeptno20updatesalFsal1000011UPDATETbEmpSETsalTbEmpsal100WHERETbEmpdno20args10020EmpobjectsrawselectempnoenamejobfromTbEmpwheredno10mpobject7800createupdaterawPythonEmpobjectsfilterdeptno20updatesalFsal1000011UPDATETbEmpSETsalTbEmpsal100WHERETbEmpdno20args10020EmpobjectsrawselectempnoenamejobfromTbEmpwheredno10mpobject7800createupdaterawPythonEmpobjectsfilterdeptno20updatesalFsal1000011UPDATETbEmpSETsalTbEmpsal100WHERETbEmpdno20args10020EmpobjectsrawselectempnoenamejobfromTbEmpwheredno10mpobject7800createupdaterawPythonEmpobjectsfilterdeptno20updatesalFsal1000011UPDATETbEmpSETsalTbEmpsal100WHERETbEmpdno20args10020EmpobjectsrawselectempnoenamejobfromTbEmpwheredno10mpobject7800createupdaterawPythonEmpobjectsfilterdeptno20updatesalFsal1000011UPDATETbEmpSETsalTbEmpsal100WHERETbEmpdno20args10020EmpobjectsrawselectempnoenamejobfromTbEmpwheredno10mpobject7800createupdaterawPythonEmpobjectsfilterdeptno20updatesalFsal1000011UPDATETbEmpSETsalTbEmpsal100WHERETbEmpdno20args10020EmpobjectsrawselectempnoenamejobfromTbEmpwheredno10mpobject7800createupdaterawPythonEmpobjectsfilterdeptno20updatesalFsal1000011UPDATETbEmpSETsalTbEmpsal100WHERETbEmpdno20args10020EmpobjectsrawselectempnoenamejobfromTbEmpwheredno10"
  OK
  127.0.0.1:6379> get a
  "mpobject7800createupdaterawPythonEmpobjectsfilterdeptno20updatesalFsal1000011UPDATETbEmpSETsalTbEmpsal100WHERETbEmpdno20args10020EmpobjectsrawselectempnoenamejobfromTbEmpwheredno10mpobject7800createupdaterawPythonEmpobjectsfilterdeptno20updatesalFsal1000011UPDATETbEmpSETsalTbEmpsal100WHERETbEmpdno20args10020EmpobjectsrawselectempnoenamejobfromTbEmpwheredno10mpobject7800createupdaterawPythonEmpobjectsfilterdeptno20updatesalFsal1000011UPDATETbEmpSETsalTbEmpsal100WHERETbEmpdno20args10020EmpobjectsrawselectempnoenamejobfromTbEmpwheredno10mpobject7800createupdaterawPythonEmpobjectsfilterdeptno20updatesalFsal1000011UPDATETbEmpSETsalTbEmpsal100WHERETbEmpdno20args10020EmpobjectsrawselectempnoenamejobfromTbEmpwheredno10mpobject7800createupdaterawPythonEmpobjectsfilterdeptno20updatesalFsal1000011UPDATETbEmpSETsalTbEmpsal100WHERETbEmpdno20args10020EmpobjectsrawselectempnoenamejobfromTbEmpwheredno10mpobject7800createupdaterawPythonEmpobjectsfilterdeptno20updatesalFsal1000011UPDATETbEmpSETsalTbEmpsal100WHERETbEmpdno20args10020EmpobjectsrawselectempnoenamejobfromTbEmpwheredno10mpobject7800createupdaterawPythonEmpobjectsfilterdeptno20updatesalFsal1000011UPDATETbEmpSETsalTbEmpsal100WHERETbEmpdno20args10020EmpobjectsrawselectempnoenamejobfromTbEmpwheredno10mpobject7800createupdaterawPythonEmpobjectsfilterdeptno20updatesalFsal1000011UPDATETbEmpSETsalTbEmpsal100WHERETbEmpdno20args10020EmpobjectsrawselectempnoenamejobfromTbEmpwheredno10mpobject7800createupdaterawPythonEmpobjectsfilterdeptno20updatesalFsal1000011UPDATETbEmpSETsalTbEmpsal100WHERETbEmpdno20args10020EmpobjectsrawselectempnoenamejobfromTbEmpwheredno10mpobject7800createupdaterawPythonEmpobjectsfilterdeptno20updatesalFsal1000011UPDATETbEmpSETsalTbEmpsal100WHERETbEmpdno20args10020EmpobjectsrawselectempnoenamejobfromTbEmpwheredno10mpobject7800createupdaterawPythonEmpobjectsfilterdeptno20updatesalFsal1000011UPDATETbEmpSETsalTbEmpsal100WHERETbEmpdno20args10020EmpobjectsrawselectempnoenamejobfromTbEmpwheredno10mpobject7800createupdaterawPythonEmpobjectsfilterdeptno20updatesalFsal1000011UPDATETbEmpSETsalTbEmpsal100WHERETbEmpdno20args10020EmpobjectsrawselectempnoenamejobfromTbEmpwheredno10mpobject7800createupdaterawPythonEmpobjectsfilterdeptno20updatesalFsal1000011UPDATETbEmpSETsalTbEmpsal100WHERETbEmpdno20args10020EmpobjectsrawselectempnoenamejobfromTbEmpwheredno10mpobject7800createupdaterawPythonEmpobjectsfilterdeptno20updatesalFsal1000011UPDATETbEmpSETsalTbEmpsal100WHERETbEmpdno20args10020EmpobjectsrawselectempnoenamejobfromTbEmpwheredno10mpobject7800createupdaterawPythonEmpobjectsfilterdeptno20updatesalFsal1000011UPDATETbEmpSETsalTbEmpsal100WHERETbEmpdno20args10020EmpobjectsrawselectempnoenamejobfromTbEmpwheredno10"
  127.0.0.1:6379> exit
  redis@localhost:~$ redis-cli --bigkeys
  # Scanning the entire keyspace to find biggest keys as well as
  # average sizes per key type. You can use -i 0.1 to sleep 0.1 sec
  # per 100 SCAN commands (not usually needed).
  [00.00%] Biggest string found so far 'a' with 2700 bytes
  -------- summary -------
  Sampled 3 keys in the keyspace!
  Total key length in bytes is 9 (avg len 3.00)
  Biggest string found 'a' has 2700 bytes
  0 lists with 0 items (00.00% of keys, avg size 0.00)
  0 hashs with 0 fields (00.00% of keys, avg size 0.00)
  3 strings with 3655 bytes (100.00% of keys, avg size 1218.33)
  0 streams with 0 entries (00.00% of keys, avg size 0.00)
  0 sets with 0 members (00.00% of keys, avg size 0.00)
  0 zsets with 0 members (00.00% of keys, avg size 0.00)
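
Because redis-cli --bigkeys reports only the largest key of each type, the following added example (not part of the original page) lists every key over a threshold using the same SCAN approach. It assumes a redis-py style client; the names find_bigkeys and FakeRedis, the 5000-element limit and the sample data are assumptions, while the 10k string limit follows the page.

```python
import time

def find_bigkeys(client, max_bytes=10 * 1024, max_elems=5000, count=100, pause=0.0):
    """Walk the keyspace with SCAN; return every (key, type, size) over its limit."""
    sizers = {"string": client.strlen, "hash": client.hlen, "list": client.llen,
              "set": client.scard, "zset": client.zcard}
    found, cursor = [], 0
    while True:
        cursor, keys = client.scan(cursor=cursor, count=count)
        for key in keys:
            ktype = client.type(key)
            ktype = ktype.decode() if isinstance(ktype, bytes) else ktype
            if ktype not in sizers:          # stream, or "none" if the key just expired
                continue
            size = sizers[ktype](key)        # bytes for strings, element count otherwise
            if size > (max_bytes if ktype == "string" else max_elems):
                found.append((key, ktype, size))
        if cursor == 0:                      # SCAN reports completion with cursor 0
            break
        time.sleep(pause)                    # yield between batches, like redis-cli -i
    return sorted(found, key=lambda f: (f[1], -f[2]))   # by type, largest first

class FakeRedis:
    """Constructed in-memory stand-in for the redis-py calls used above."""
    TYPES = {str: "string", dict: "hash", list: "list", set: "set"}
    def __init__(self, data):
        self.data = data
    def scan(self, cursor=0, count=10):
        keys = sorted(self.data)
        nxt = cursor + count
        return (nxt if nxt < len(keys) else 0), keys[cursor:nxt]
    def type(self, key):
        return self.TYPES[self.data[key].__class__]
    def strlen(self, key):
        return len(self.data[key].encode())
    def hlen(self, key):
        return len(self.data[key])
    llen = scard = zcard = hlen

# Constructed sample data (not from the original page).
SAMPLE = FakeRedis({"a": "x" * 2700, "blob1": "x" * 20000, "blob2": "x" * 50000,
                    "h": {i: i for i in range(6000)}, "small": ["v"]})

def demo():
    return find_bigkeys(SAMPLE, count=2)
```

Against a real server, pass a redis-py client connected to a replica and set `pause` to spread the SCAN batches out, as the page advises for --bigkeys.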

2.

3. Handling bigkeys

1. Delete the bigkey