Kohanz

Reputation: 1562

Redis server enforcing AUTH, but was not configured to requirepass

I have a Rails application that uses Redis for background jobs (via Resque). This has all been working fine in development and production (on a VM) for quite some time. Recently, when trying to access the resque-web Sinatra site in production to administer the background tasks, I was met with an Internal Server Error message. Looking at the web server log, I can see that the error is originating from Redis, as it seems to be expecting a password for authentication:

Redis::CommandError - NOAUTH Authentication required

Here's the strange part, my redis conf file (/etc/redis/6379.conf) does not have (and to my knowledge has never had) any authentication enabled (notice both lines are commented out):

...
# If the master is password protected (using the "requirepass" configuration
# directive below) it is possible to tell the slave to authenticate before
# starting the replication synchronization process, otherwise the master will
# refuse the slave request.
#
# masterauth <master-password>
...
# Require clients to issue AUTH <PASSWORD> before processing any other
# commands.  This might be useful in environments in which you do not trust
# others with access to the host running redis-server.
#    
# This should stay commented out for backward compatibility and because most
# people do not need auth (e.g. they run their own servers).
# 
# Warning: since Redis is pretty fast an outside user can try up to
# 150k passwords per second against a good box. This means that you should
# use a very strong password otherwise it will be very easy to break.
#
# requirepass foobared
...

If I try to restart the redis server, it won't let me without a password:

sudo /etc/init.d/redis_6379 restart
Stopping ...
(error) NOAUTH Authentication required.
Waiting for Redis to shutdown ...
Waiting for Redis to shutdown ...

So my immediate problem is that my Redis server has a password set and I don't know what it is. I need to get it working again.

The second problem is that I have no idea how this password got set. The application is deployed on a DigitalOcean VM. Looking over the redis logs didn't show anything suspicious. I used the recommended SSH and custom port setup to provide a bit of access security, but of course it's never fully secure. This application is a side-project of mine and there is not really any sensitive information at stake. However, I do want to figure out what happened and stop it from happening again.

Upvotes: 3

Views: 5462

Answers (2)

Eduardo Lucio

Reputation: 2487

PROBLEM:

This problem ...

service redis_6379 restart
Stopping ...
(error) NOAUTH Authentication required.
Waiting for Redis to shutdown ...
Waiting for Redis to shutdown ...
Waiting for Redis to shutdown ...
Waiting for Redis to shutdown ...
Waiting for Redis to shutdown ...
Waiting for Redis to shutdown ...
[...]

... occurs because the password authentication is configured and the password is not configured at stop/restart.

SOLUTION:

Open the file...

/etc/init.d/redis_6379

... and replace the line...

#!/bin/sh

... with...

#!/bin/bash

... and replace the line...

"$CLIEXEC -p $REDISPORT shutdown"

... with...

# NOTE: We use that workaround because the password authentication is configured, and the password is not configured at restart! By Questor
# Collect everything that follows "requirepass " in the conf file (the commented-out example line matches as well)
REQUIREPASS=$(sed -n 's/.*requirepass *  *\([^ ]*.*\)/\1/p' < "$CONF")
# Split the matches on spaces into an array; the index selects which match is used (see NOTE below)
IFS=' ' read -r -a MATCH_ARRAY <<< $REQUIREPASS
$CLIEXEC -a "${MATCH_ARRAY[1]}" -p $REDISPORT shutdown

# $CLIEXEC -p $REDISPORT shutdown

Done!

NOTE: Note that the i index in ${MATCH_ARRAY[i]} depends on how you configured the requirepass parameter! That is, how many occurrences of the "requirepass " string exist inside the 6379.conf file and which one interests you!

[Ref.: http://www.cnblogs.com/abclife/p/6179454.html]

Upvotes: 1

Kohanz

Reputation: 1562

The answer here seems to best explain what happened: https://stackoverflow.com/a/34149605/931528

Interesting to note the recent date of that issue as well. It seems that we were all victims of the same security vulnerability. I am now in the process of adding a password to the Redis server and will also block the Redis port on the VM.

Upvotes: 1
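A defender-side check for the symptom in the question (the running server enforces AUTH while the conf file sets no requirepass), added here as an example and not taken from the question or either answer. It assumes sh or bash with sed, and redis-cli for the live query only; the function names are mine.

```shell
# Added example (not from the question or answers); needs sh/bash and sed,
# plus redis-cli for the live check only.

# Active (uncommented) requirepass value from a conf file, if any. A bare grep
# would also match the stock "# requirepass foobared" comment; this does not.
# The last active directive wins, as when Redis loads the file.
conf_requirepass() {
    sed -n 's/^[[:space:]]*requirepass[[:space:]]\{1,\}\(.*\)$/\1/p' "$1" | tail -n 1 | sed 's/^"\(.*\)"$/\1/'
}

# What the running server actually enforces. If a password is already set
# (the situation in the question) it must be given in $2. Fails when the reply
# is empty or an error line such as "(error) NOAUTH Authentication required."
live_requirepass() {
    local out
    if [ -n "$2" ]; then
        out=$(redis-cli -p "$1" -a "$2" CONFIG GET requirepass 2>/dev/null)
    else
        out=$(redis-cli -p "$1" CONFIG GET requirepass 2>/dev/null)
    fi
    case "$out" in ""|"(error)"*) return 1 ;; esac
    # Non-interactive CONFIG GET prints two lines: the name, then the value.
    printf '%s\n' "$out" | sed -n '2p'
}

# Pure comparison, so the logic can be checked without a server.
drift_verdict() {
    if [ "$1" = "$2" ]; then
        echo "ok: requirepass on disk matches the running server"
    elif [ -z "$1" ]; then
        echo "drift: server enforces a password the conf file does not set"
    else
        echo "drift: conf file sets a password the server does not enforce"
    fi
}

# Usage: check_drift /etc/redis/6379.conf 6379 [known-password]
# Exit status: 0 consistent, 1 drift (worth an alert), 2 could not query.
check_drift() {
    local on_disk live verdict
    on_disk=$(conf_requirepass "$1")
    if ! live=$(live_requirepass "$2" "$3"); then
        echo "unknown: could not query Redis on port $2 (missing or wrong password?)"
        return 2
    fi
    verdict=$(drift_verdict "$on_disk" "$live")
    echo "$verdict"
    case "$verdict" in ok*) return 0 ;; *) return 1 ;; esac
}
```

Run check_drift from cron once the password is known: status 1 means the running server and /etc/redis/6379.conf disagree, status 2 means the server could not be queried at all, which is the NOAUTH situation the question starts from.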
