Investigating a possible Vulnerability

  • Does this mean anything to anyone:

    infection => 'vulnDBMS', subtype => 'Redis', protocol => 'tcp', naics => '0', mode => 'standalone', asn => '209', os => 'FreeBSD 10.3-RELEASE-p9 amd64', git_sha1 => '00000000', uptime => '294260', tag => 'redis', build_id => '53c280fa3729bd7e', connected_clients => '2', sector => 'Communications', port => '6379', run_id => '48c662ac258d222adaf44e862284879b80cf8819', gcc_version => '4.2.1', multiplexing_api => 'kqueue', sic => '0', process_id => '97976', sourceSummary => 'Open Redis Server Report', version => '3.0.7', git_dirty_flag => '0'

  • Could you possibly give a little more context?  What is this, exactly?  Snort?  Suricata?  pfBlockerNG?  The IDS/IPS forum is the place for those packages.

  • Actually it's from a 3rd party (company) who essentially did an audit of our security and this was the only item that was left.

    I thought about posting it there but since it wasn't from a pfSense package, I wasn't sure it was relevant.  And since the scan came from the WAN, I assumed I should just start here.

  • Are you running a Redis server on tcp port 6379 that you're forwarding to WAN?

  • No. Not that I'm aware of.  Realizing this is a broad question: 'What could run on a Redis server?'  Honestly I'm not entirely sure what a Redis server is.

  • Is Google down where you are?  ;D

    We can put this to bed pretty quick.  Post a screen of your WAN rules with any public details sanitized.  My initial reaction is that it's a false positive of some type from your scanner.

    redis-3.0.7                    Persistent key-value database with built-in net interface

    Looks like the ntopng package depends on it.

    If the port is open on WAN it's because something is passing the traffic. What are your WAN rules?

    It's more that you would be running redis on some server behind pfSense.  Do you have that port or range of ports open to something behind pfSense?  Highly unlikely you would be running redis on pfSense itself.

    Do you have something set up as 1:1 NAT or anything that you're allowing all ports into it?

    From that I would take it it's running version 3.0.7 of redis, which was released back in Jan of this year.  3.2.4 is the current version.

    Or as Derlict mentions, some package and you have WAN rules misconfigured to be open.  Post up a screenshot of your WAN rules - please tell me you don't have an ANY to your WAN IP…

    edit:  Which might be the case looking at your post here.

    What WAN rules do you have?

    redis is only used by ntopng, and would only be exposed if the WAN rules were really sloppy or if the scanner was on LAN.

    Your LAN rules might be too permissive for your environment if the latter case is true. You should be blocking all access to the firewall's LAN interface except for services which must be accessed from LAN, such as DNS, ICMP echo, maybe the GUI port and ntopng ports if you don't have a dedicated management network.
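As an added example, not part of the thread above: the fields in the scanner's "Open Redis Server Report" (version, run_id, uptime, connected_clients, git_sha1, build_id, gcc_version, multiplexing_api, process_id, mode) are the standard keys Redis returns to an unauthenticated INFO command, which is what such scanners send. The script below reproduces that check so you can confirm from outside (say, a host on the Internet, or from LAN to test the latter case) whether tcp/6379 on your WAN IP answers INFO without authentication. The host/port arguments and the sample reply are constructed for this example; the parser is exercised against that sample, so it runs offline.

```python
import socket
import sys

# Constructed sample reply for offline testing: a RESP bulk string ("$<len>\r\n<body>\r\n")
# carrying the "# Server" section of INFO, with field names as Redis emits them.
# Values are invented; they are not taken from any real host.
_SAMPLE_BODY = (
    b"# Server\r\n"
    b"redis_version:3.0.7\r\n"
    b"redis_git_sha1:00000000\r\n"
    b"redis_git_dirty:0\r\n"
    b"redis_build_id:53c280fa3729bd7e\r\n"
    b"redis_mode:standalone\r\n"
    b"os:FreeBSD 10.3-RELEASE-p9 amd64\r\n"
    b"multiplexing_api:kqueue\r\n"
    b"gcc_version:4.2.1\r\n"
    b"process_id:97976\r\n"
    b"run_id:48c662ac258d222adaf44e862284879b80cf8819\r\n"
    b"tcp_port:6379\r\n"
    b"uptime_in_seconds:294260\r\n"
)
SAMPLE_INFO_REPLY = b"$%d\r\n%s\r\n" % (len(_SAMPLE_BODY), _SAMPLE_BODY)

# INFO key -> name used in the report posted in the thread (assumed mapping).
REPORT_FIELDS = {
    "redis_version": "version", "redis_git_sha1": "git_sha1", "redis_git_dirty": "git_dirty_flag",
    "redis_build_id": "build_id", "redis_mode": "mode", "os": "os",
    "multiplexing_api": "multiplexing_api", "gcc_version": "gcc_version",
    "process_id": "process_id", "run_id": "run_id", "tcp_port": "port",
    "uptime_in_seconds": "uptime", "connected_clients": "connected_clients",
}


def classify(reply: bytes) -> str:
    """Decide what an INFO reply tells us: 'open' (no auth needed), 'auth-required'
    (-NOAUTH error, i.e. requirepass is set), or 'not-redis' (anything else)."""
    if reply.startswith(b"$"):
        return "open"
    if reply.startswith(b"-NOAUTH"):
        return "auth-required"
    return "not-redis"


def parse_info(reply: bytes) -> dict:
    """Parse a bulk-string INFO reply into a {key: value} dict; '#' section headers skipped."""
    if classify(reply) != "open":
        return {}
    header, _, rest = reply.partition(b"\r\n")
    length = int(header[1:])
    body = rest[:length] if length >= 0 else b""
    info = {}
    for line in body.decode("utf-8", "replace").splitlines():
        key, sep, value = line.partition(":")
        if sep and not line.startswith("#"):
            info[key] = value
    return info


def summarize(info: dict) -> dict:
    """Reduce a parsed INFO dict to the fields the scanner reported, in its naming."""
    return {report: info[key] for key, report in REPORT_FIELDS.items() if key in info}


def _read_reply(sock: socket.socket) -> bytes:
    """Read one RESP reply: first the '$len' header line, then len+2 bytes of body."""
    buf = b""
    while b"\r\n" not in buf:
        chunk = sock.recv(4096)
        if not chunk:
            return buf
        buf += chunk
    header, _, rest = buf.partition(b"\r\n")
    if not header.startswith(b"$"):
        return buf  # error or other reply; classify() handles it
    need = max(int(header[1:]), 0) + 2
    while len(rest) < need:
        chunk = sock.recv(4096)
        if not chunk:
            break
        rest += chunk
    return header + b"\r\n" + rest


def probe_redis(host: str, port: int = 6379, timeout: float = 3.0) -> tuple:
    """Send an unauthenticated INFO and return (classification, summary dict)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(b"INFO server\r\n")
        reply = _read_reply(sock)
    return classify(reply), summarize(parse_info(reply))


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"  # hypothetical target
    try:
        state, summary = probe_redis(target)
        print(state, summary)
    except OSError as exc:  # refused/filtered port: the WAN rule is doing its job
        print("no answer from %s:6379 (%s)" % (target, exc))
```

Run it as `python3 probe.py <your WAN IP>` from a host outside your network. A connection refused or timeout means nothing is passing tcp/6379 in; "auth-required" means Redis is reachable but has requirepass set; "open" with a populated summary is exactly what the third-party scanner saw, and the fix belongs in the WAN (or LAN) rules, not in Redis.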