Netgate Discussion Forum

    Investigating a possible Vulnerability

    General pfSense Questions
    • dbennett

      Does this mean anything to anyone:

      infection => 'vulnDBMS', subtype => 'Redis', protocol => 'tcp', naics => '0', mode => 'standalone', asn => '209', os => 'FreeBSD 10.3-RELEASE-p9 amd64', git_sha1 => '00000000', uptime => '294260', tag => 'redis', build_id => '53c280fa3729bd7e', connected_clients => '2', sector => 'Communications', port => '6379', run_id => '48c662ac258d222adaf44e862284879b80cf8819', gcc_version => '4.2.1', multiplexing_api => 'kqueue', sic => '0', process_id => '97976', sourceSummary => 'Open Redis Server Report', version => '3.0.7', git_dirty_flag => '0'

      • KOM

        Could you possibly give a little more context?  What is this, exactly?  Snort?  Suricata?  pfBlockerNG?  The IDS/IPS forum is the place for those packages.

        • dbennett

          Actually it's from a 3rd party (company) who essentially did an audit of our security and this was the only item that was left.

          I thought about posting it there but since it wasn't from a pfSense package, I wasn't sure it was relevant.  And since the scan came from the WAN, I assumed I should just start here.

          • KOM

            Are you running a Redis server on tcp port 6379 that you're forwarding to WAN?

            • dbennett

              No. Not that I'm aware of.  Realizing this is a broad question 'What could run on a Redis Server'?  Honestly I'm not entirely sure what a Redis Server is.

              • KOM

                Is Google down where you are?  ;D

                https://en.wikipedia.org/wiki/Redis

                We can put this to bed pretty quick.  Post a screen of your WAN rules with any public details sanitized.  My initial reaction is that it's a false positive of some type from your scanner.

                • Derelict LAYER 8 Netgate

                  redis-3.0.7                    Persistent key-value database with built-in net interface

                  Looks like the ntopng package depends on it.

                  If the port is open on WAN it's because something is passing the traffic. What are your WAN rules?

                  Chattanooga, Tennessee, USA
                  A comprehensive network diagram is worth 10,000 words and 15 conference calls.
                  DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
                  Do Not Chat For Help! NO_WAN_EGRESS(TM)

                  • johnpoz LAYER 8 Global Moderator

                    It's more that you would be running redis on some server behind pfsense.  Do you have that port or range of ports open to something behind pfsense?  Highly unlikely you would be running redis on pfsense itself..

                    Do you have something set up as 1:1 nat or anything that you're allowing all ports into it?

                    From that I would take its running version 3.07 of redis.. Which was released back in Jan of this year.. 3.2.4 is the current version.

                    Or as Derelict mentions some package and you have wan rules misconfigured to be open..  Post up a screenshot of your wan rules - please tell me you don't have an ANY to your wan IP…

                    edit:  Which might be the case looking at your post here.
                    https://forum.pfsense.org/index.php?topic=119943.msg656740

                    What wan rules do you have??

                    An intelligent man is sometimes forced to be drunk to spend time with his fools
                    If you get confused: Listen to the Music Play
                    Please don't Chat/PM me for help, unless mod related
                    SG-4860 24.11 | Lab VMs 2.8, 24.11

                    • jimp Rebel Alliance Developer Netgate

                      redis is only used by ntopng, and would only be exposed if the WAN rules were really sloppy or if the scanner was on LAN.

                      Your LAN rules might be too permissive for your environment if the latter case is true. You should be blocking all access to the firewall's LAN interface except for services which must be accessed from LAN, such as DNS, icmp echo, maybe the GUI port and ntopng ports if you don't have a dedicated management network.

                      Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

                      Need help fast? Netgate Global Support!

                      Do not Chat/PM for help!
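
Added example (not posted by anyone in this thread): a shell check for the question the replies keep returning to, namely which address the redis instance pulled in by ntopng is bound to on the firewall itself. It filters `sockstat -4 -6 -l` style output for listeners on a given port that are not bound to loopback; the function name and the sample output are constructed for illustration, and a wildcard bind only becomes reachable where the WAN or LAN rules pass the traffic.

```shell
#!/bin/sh
# Added example. On the firewall shell the real input would be:
#   sockstat -4 -6 -l | exposed_listeners 6379
# The sample below is constructed, not output captured from the thread.

sample_sockstat() {
cat <<'EOF'
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
redis    redis-serv 97976 4  tcp4   *:6379                *:*
root     ntopng     41234 9  tcp4   *:3000                *:*
root     nginx      20111 6  tcp4   192.168.1.1:443       *:*
unbound  unbound    15002 5  tcp4   127.0.0.1:953         *:*
EOF
}

# exposed_listeners PORT
# Reads sockstat listener lines on stdin and prints "command pid address"
# for every TCP listener on PORT whose local address is not loopback.
# A "*" address means the service accepts connections on every interface,
# so only the firewall rules stand between it and the network.
exposed_listeners() {
  awk -v port="$1" '
    $1 == "USER" { next }            # header line
    $5 !~ /^tcp/ { next }            # TCP listeners only
    {
      # The port follows the last colon, which also handles IPv6 such as ::1:6379
      n = split($6, parts, ":")
      p = parts[n]
      addr = substr($6, 1, length($6) - length(p) - 1)
      if (p != port) next
      if (addr ~ /^127\./ || addr == "::1") next   # loopback-only is fine
      print $2, $3, addr
    }'
}

# Stand-alone run against the constructed sample.
sample_sockstat | exposed_listeners 6379
```

An empty result means nothing on that port listens beyond loopback; any line printed is a listener whose reachability is decided entirely by the interface rules.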
