Tags: ruby-on-rails, authentication, redis, resque, digital-ocean

Redis server enforcing AUTH, but was not configured to requirepass


I have a Rails application that uses Redis for background jobs (via Resque). This has all been working fine in development and production (on a VM) for quite some time. Recently, when trying to access the resque-web Sinatra site in production to administer the background tasks, I was met with an Internal Server Error message. Looking at the web server log, I can see that the error is originating from Redis, as it seems to be expecting a password for authentication:

Redis::CommandError - NOAUTH Authentication required

Here's the strange part, my redis conf file (/etc/redis/6379.conf) does not have (and to my knowledge has never had) any authentication enabled (notice both lines are commented out):

...
# If the master is password protected (using the "requirepass" configuration
# directive below) it is possible to tell the slave to authenticate before
# starting the replication synchronization process, otherwise the master will
# refuse the slave request.
#
# masterauth <master-password>
...
# Require clients to issue AUTH <PASSWORD> before processing any other
# commands.  This might be useful in environments in which you do not trust
# others with access to the host running redis-server.
#    
# This should stay commented out for backward compatibility and because most
# people do not need auth (e.g. they run their own servers).
# 
# Warning: since Redis is pretty fast an outside user can try up to
# 150k passwords per second against a good box. This means that you should
# use a very strong password otherwise it will be very easy to break.
#
# requirepass foobared
...

If I try to restart the redis server, it won't let me without a password:

sudo /etc/init.d/redis_6379 restart
Stopping ...
(error) NOAUTH Authentication required.
Waiting for Redis to shutdown ...
Waiting for Redis to shutdown ...

So my immediate problem is that my Redis server has a password set and I don't know what it is. I need to get it working again.

The second problem is that I have no idea how this password got set. The application is deployed on a DigitalOcean VM. Looking over the redis logs didn't show anything suspicious. I used the recommended SSH and custom port setup to provide a bit of access security, but of course it's never fully secure. This application is a side-project of mine and there is not really any sensitive information at stake. However, I do want to figure out what happened and stop it from happening again.
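One thing worth knowing when reading the question above: a password set at runtime with CONFIG SET requirepass takes effect immediately but is not written to the conf file (unless CONFIG REWRITE is also issued or the file is edited), which is exactly how a server can demand AUTH while /etc/redis/6379.conf still shows requirepass commented out. The following is an added example, not code from the original question or from Redis or Resque: a dependency-free Ruby probe that speaks Redis's RESP wire protocol over a raw socket, sends an unauthenticated PING, and classifies the reply. +PONG means anyone who can reach the port can also run CONFIG; -NOAUTH means a password is in force. The host address in the comment and the reply bytes in the demo are constructed for the example.

```ruby
# Added example (not from the original question): a dependency-free probe
# that speaks Redis's RESP wire protocol directly over a TCP socket.
# It answers the question an operator needs answered first: does this
# instance accept commands without AUTH, and if so, does it expose CONFIG?
require "socket"
require "stringio"

# Error reply ("-...") carried as a value rather than raised, so callers
# can classify it.
class RedisError < StandardError; end

# Encode a command as a RESP array: "*<argc>\r\n$<len>\r\n<arg>\r\n..."
def resp_encode(*args)
  args.map(&:to_s).inject("*#{args.size}\r\n".dup) do |buf, arg|
    buf << "$#{arg.bytesize}\r\n#{arg}\r\n"
  end
end

# Read one RESP reply from anything that responds to #gets and #read
# (a TCPSocket, or a StringIO holding captured bytes).
def resp_read(io)
  line = io.gets("\r\n")
  raise EOFError, "connection closed" if line.nil?
  type, payload = line[0], line[1..-3]
  case type
  when "+" then payload                   # simple string, e.g. +PONG
  when "-" then RedisError.new(payload)   # error, e.g. -NOAUTH ...
  when ":" then payload.to_i              # integer
  when "$"                                # bulk string, $-1 is a null
    len = payload.to_i
    return nil if len < 0
    data = io.read(len)
    io.read(2)                            # trailing CRLF
    data
  when "*"                                # array, *-1 is a null array
    count = payload.to_i
    return nil if count < 0
    Array.new(count) { resp_read(io) }
  else
    raise "unexpected RESP type byte #{type.inspect}"
  end
end

# What an unauthenticated PING tells us about the server.
def classify_reply(reply)
  case reply
  when RedisError
    reply.message.start_with?("NOAUTH") ? :password_required : :error
  when "PONG" then :open
  else :unknown
  end
end

# Connect and probe. Returns a Hash; CONFIG is only tried when PING
# succeeded without AUTH, because that is exactly the access an attacker
# on the network would have.
def probe_redis(host: "127.0.0.1", port: 6379, timeout: 3)
  Socket.tcp(host, port, connect_timeout: timeout) do |sock|
    sock.write(resp_encode("PING"))
    result = { state: classify_reply(resp_read(sock)) }
    if result[:state] == :open
      sock.write(resp_encode("CONFIG", "GET", "requirepass"))
      cfg = resp_read(sock)
      # An Array reply means CONFIG is reachable (not renamed/disabled).
      result[:config_command_exposed] = cfg.is_a?(Array)
      result[:runtime_requirepass] = cfg.is_a?(Array) ? cfg[1] : nil
    end
    result
  end
end

# Offline walk-through on constructed replies (not captured from any real
# server): the two states the probe distinguishes.
def demo
  {
    open:   classify_reply(resp_read(StringIO.new("+PONG\r\n"))),
    locked: classify_reply(resp_read(StringIO.new("-NOAUTH Authentication required.\r\n"))),
  }
end

if __FILE__ == $PROGRAM_NAME
  p demo
  # Against a live host you control (address is a placeholder):
  # p probe_redis(host: "192.0.2.10")
end
```

Run probe_redis against the VM's public address from another machine: if it reports :open with config_command_exposed true, the port is reachable and unauthenticated, and anyone on the internet could issue the same CONFIG SET requirepass that locks the owner out. A result of :password_required on localhost while the conf file has requirepass commented out is the runtime/file mismatch the question describes.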


Solution

  • The answer here seems to best explain what happened: https://stackoverflow.com/a/34149605/931528

    Interesting to note the recent date of that issue as well. It seems that we were all victim to the same security vulnerability. I am now in the process of adding a password to the Redis server and will also block the Redis port on the VM.
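The fix the answer describes (add a password, block the port) can be applied to the conf file mechanically. The following Ruby is an added example and not part of the original answer or of Redis: it audits a redis.conf body for the three settings that matter here (an active requirepass, a bind limited to loopback, and the CONFIG command renamed to an unguessable alias) and returns a hardened copy. The sample conf text is constructed to mirror the question's file; the 256-bit password length and renaming CONFIG rather than disabling it are choices made for this example.

```ruby
# Added example (not the answer's own code): audit a redis.conf body for the
# settings that matter after an unauthenticated-Redis incident, and produce a
# hardened copy. Pure string transforms, so it runs on any file offline.
require "securerandom"

# 256-bit random secret. The conf file's own comment warns that an outside
# client can try ~150k passwords/s, so anything human-memorable is too weak.
def generate_redis_password
  SecureRandom.hex(32)
end

# Active (uncommented, non-empty) directive lines.
def active_directives(text)
  text.lines.map(&:strip).reject { |l| l.empty? || l.start_with?("#") }
end

# Findings, in a fixed order so they are easy to compare and assert on.
def audit_redis_conf(text)
  active = active_directives(text)
  findings = []
  findings << :no_requirepass unless active.any? { |l| l.start_with?("requirepass ") }
  bind = active.find { |l| l.start_with?("bind ") }
  # No bind directive at all means Redis listens on every interface.
  findings << :listens_on_all_interfaces if bind.nil? || bind.split[1..-1].include?("0.0.0.0")
  findings << :config_command_not_renamed unless active.any? { |l| l.start_with?("rename-command CONFIG ") }
  findings
end

# Return a hardened copy. Existing active directives are replaced in place,
# commented-out ones are left as documentation, missing ones are appended.
# Running it twice yields the same shape (no duplicate directives).
def harden_redis_conf(text, password:, config_alias: "CONFIG_#{SecureRandom.hex(8)}")
  wanted = {
    "requirepass"           => "requirepass #{password}",
    "bind"                  => "bind 127.0.0.1",
    "rename-command CONFIG" => "rename-command CONFIG #{config_alias}",
  }
  seen = {}
  out = text.lines.map do |line|
    stripped = line.strip
    key = wanted.keys.find { |k| stripped.start_with?("#{k} ") }
    if key
      seen[key] = true
      "#{wanted[key]}\n"
    else
      line
    end
  end
  wanted.each { |key, directive| out << "#{directive}\n" unless seen[key] }
  out.join
end

if __FILE__ == $PROGRAM_NAME
  # Constructed excerpt mirroring the question's file (both lines commented out).
  sample = "# masterauth <master-password>\nport 6379\n# requirepass foobared\n"
  puts "findings: #{audit_redis_conf(sample).inspect}"
  puts harden_redis_conf(sample, password: generate_redis_password)
end
```

Diff the output against the existing file before installing it, and keep the generated password with the application's other secrets, since Resque's Redis URL will need it. Two operational points follow from how the password got there: the instance that already carries the unknown runtime password cannot be stopped through the init script (its stop step sends SHUTDOWN via redis-cli without a password, which is the NOAUTH error in the question), so stop the redis-server process with SIGTERM, which makes Redis save and exit normally, then start it with the new file; because a password set only through CONFIG SET lives in memory, the restarted server comes up with the password from the file. Binding to 127.0.0.1 is only correct if the application connects over loopback; in every case the port should also be closed at the host firewall and in the DigitalOcean networking controls so that 6379 is unreachable from the internet, and the alias chosen for CONFIG should be treated as a secret.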