1. 24
  1. 17

    “Oh how I dearly wished software shipped with secure defaults!” should be added to the list of lessons learned.

    Previous lobsters discussion about the heavy burden of secure defaults: https://lobste.rs/s/nftjvi/a_few_things_about_redis_security

    1. 11

      Regarding the previous discussion. I commented on it a month ago that there were 15,617 publicly accessible Redis instances listed by Shodan. Guess what? Blogging about the issue didn’t help people, there are now 16,344 instances listed by Shodan and we are also now aware that there are automated bots exploiting the disclosed issue.

    2. 3

      A. Why was Redis running as root? B. Why wasn’t AppArmor/SELinux enabled? C. Why wasn’t the firewall configured to restrict Redis / SSH connections?

      I can go on and on.

      1. 9

        B. Why wasn’t AppArmor/SELinux enabled?

        Because the first step of every Linux guide for anything ever is “Disable SELinux.”

        1. 2

          Is that the case for AppArmor too? My very under-informed understanding is that people usually don’t bother disabling or touching AppArmor because the profiles that Debian and its downstreams ship tend to be permissive enough to not be noticeable.

        2. 9

          The answer to all of your questions is: lack of sane defaults.
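A concrete check for the exposure defaults the thread complains about (Redis listening on every interface, no password, the CONFIG command left reachable), added here as an example; it is not part of the thread, of the linked post, or of Redis itself. It parses a redis.conf and reports the findings; both config texts are constructed for the example and the function names are my own.

```python
"""Audit a redis.conf for the network-exposure defaults discussed above.

Added example; nothing here is taken from a real deployment.
"""

# Constructed sample configs (not from any real host). The first mirrors the
# pre-3.2 shipped defaults the thread complains about: listening on every
# interface with no password and nothing renamed.
INSECURE_CONF = """\
# Redis configuration, as shipped
port 6379
# bind 127.0.0.1
daemonize yes
"""

HARDENED_CONF = """\
port 6379
bind 127.0.0.1 -::1
protected-mode yes
requirepass 8d1f0e4f6f2c4f2f9f5a7e3b1c9d0a2b
rename-command CONFIG ""
rename-command DEBUG ""
"""

# Addresses that make Redis listen on every interface.
ALL_INTERFACES = {"0.0.0.0", "::", "*"}


def parse_redis_conf(text):
    """Return {directive: [value, ...]}, keeping every occurrence because
    'bind' and 'rename-command' may legitimately appear more than once."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank or full-line comment
        parts = line.split(None, 1)
        name = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        conf.setdefault(name, []).append(value)
    return conf


def audit_redis_conf(text):
    """Return a list of human-readable findings; an empty list means none of
    the exposure directives this checker knows about is in a weak state."""
    conf = parse_redis_conf(text)
    findings = []

    # 'port 0' disables TCP entirely (unix socket only): nothing to expose.
    if conf.get("port", ["6379"])[-1] == "0":
        return findings

    binds = []
    for value in conf.get("bind", []):
        for addr in value.split():
            binds.append(addr.lstrip("-"))  # a leading '-' marks an optional address
    if not binds:
        findings.append("no 'bind' directive: Redis listens on every interface")
    elif any(addr in ALL_INTERFACES for addr in binds):
        findings.append("bind includes a wildcard address: " + ", ".join(binds))

    if conf.get("protected-mode", ["yes"])[-1].lower() == "no":
        findings.append("protected-mode is explicitly disabled")

    password = conf.get("requirepass", [""])[-1].strip("\"'")
    if not password:
        findings.append("no requirepass: anyone who can reach the port has full access")
    elif len(password) < 16:
        findings.append("requirepass is short; AUTH is fast enough to brute-force, use a long random token")

    # rename-command CONFIG "" removes the attacker's ability to rewrite
    # runtime settings (including where Redis writes its files) over the wire.
    renamed = {v.split()[0].upper() for v in conf.get("rename-command", []) if v.split()}
    if "CONFIG" not in renamed:
        findings.append("CONFIG command not renamed/disabled: remote clients can rewrite runtime settings")

    return findings


if __name__ == "__main__":
    for label, conf in (("insecure", INSECURE_CONF), ("hardened", HARDENED_CONF)):
        print(label + ":")
        for finding in audit_redis_conf(conf) or ["no findings"]:
            print("  - " + finding)
```

The config file cannot answer the other two questions in the thread: which user the daemon runs as and whether the host firewall restricts the port are runtime properties, so check them separately (for example `ps -o user= -C redis-server` and the host's firewall rules) rather than trusting the config alone.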