Testing Redis Password and TLS Protection
Article ID: 399915
Updated On:
Products
Carbon Black EDR
Issue/Introduction
How to test the Redis password and SSL protection
Environment
- Carbon Black EDR: 7.5.1 and higher
Resolution
- Testing the protections.
- redis-cli will appear "connected", if TLS is enabled correctly this will respond with "Error: Connection reset by peer"
# redis-cli -p 6379 127.0.0.1:6379> PING Error: Connection reset by peer not connected> - redis-cli with the certificates and tls flag will connect, however if RedisUsePassword is True, you will receive a "NOAUTH Authentication Required"
# redis-cli -p 6379 --tls --cert /etc/cb/certs/cb-redis.crt --key /etc/cb/certs/cb-redis.key --cacert /etc/cb/certs/cb-redis-ca.crt ##.###.##.##:6379> PING (error) NOAUTH Authentication required.
- redis-cli will appear "connected", if TLS is enabled correctly this will respond with "Error: Connection reset by peer"
- Testing access with both TLS and Password protection access.
- Running PING within the redis-cli should return PONG if successfully set.
# redis-cli --askpass --tls --cert /etc/cb/certs/cb-redis.crt --key /etc/cb/certs/cb-redis.key --cacert /etc/cb/certs/cb-redis-ca.crt localhost:6379[1]> PING PONG
- Running PING within the redis-cli should return PONG if successfully set.
Additional Information
- Can the Redis Database be configured to use a password?
- Redis port 6379 should only be accessible to localhost and between minion nodes (for clustered).
- What Ports Should Be Open For EDR to Inbound Communication?
- To check for EDR suggested local firewall rules
/usr/share/cb/cbcheck firewall -L
- Exposing these ports to outside communication can cause vulnerability scanners to flag the Redis service.
Feedback
Yes
No
Powered by
