Introduction
Redis is a datastore that can store key-value data structures on memory as well as on disk, by optimizing the rapid creation of applications through the availability of very versatile data structures.
Therefore, it represents one of the best solutions for developing applications that require rapid data exchange in real time. For different contexts of application, it's one of the most used open source databases nowadays.
In this tutorial you will be shown how to install, configure and secure Redis on a Linux Ubuntu 20.04 server.
First, connect to your server via an SSH connection. If you haven't done so yet, following our guide is recommended to connect securely with the SSH protocol. In case of a local server, go to the next step and open the terminal of your server.
Installing and configuring Redis
Redis can be securely installed using the official Ubuntu libraries, as it is a version included by default.
First, make sure you have updated your local apt package via the command:
$ sudo apt update
Then, proceed with the installation of Redis, by typing:
$ sudo apt install redis-server
This will install Redis and its dependencies.
Now, change the default configuration after installation.
To open the configuration file, use the text editor of your choice. In the example below, nano will be used.
$ sudo nano /etc/redis/redis.conf
In the file, there will be an entry called supervised , which allows you to specify an init-system to tune Redis as a service, for better software control.
The directive is set to no by default. To enable a check through Ubuntu,set it as a systemd entry . See an example below:
# If Redis is run from upstart or systemd, it can interact with your
# supervision tree. Options:
# supervised no - no supervision interaction
# supervised upstart - signal upstart by putting Redis into SIGSTOP mode
# supervised systemd - signal systemd by writing READY=1 to $NOTIFY_SOCKET
# supervised auto - detect upstart or systemd method based on
# UPSTART_JOB or NOTIFY_SOCKET environment variables
# Note: these supervision methods only signal "process is ready."
# They do not enable continuous liveness pings back to your supervisor.
supervised systemd
When it is done, remember to close the file and save the current settings. In case of nano, just use CTRL + X and Enter.
To apply the new setting, restart Redis via command:
$ sudo systemctl restart redis.service
At this point, before using Redis, run some tests to verify its correct functioning.
Testing Redis operation
To verify that Redis is working, first check if it is running correctly via the command:
$ sudo systemctl status redis
In the output produced, check that enabled appears under Loaded and active (running) under Active .
Here's an example of what the output should look like, in case Redis works as expected:
redis-server.service - Advanced key-value store
Loaded: loaded (/lib/systemd/system/redis-server.service; enabled; vendor preset: enabled)
Active: active (running) since Thu 2020-04-30 23:26:54 UTC; 4s ago
Docs: http://redis.io/documentation,
man:redis-server(1)
Process: 36552 ExecStart=/usr/bin/redis-server /etc/redis/redis.conf (code=exited, status=0/SUCCESS)
Main PID: 36561 (redis-server)
Tasks: 4 (limit: 2345)
Memory: 1.8M
CGroup: /system.slice/redis-server.service
└─36561 /usr/bin/redis-server 127.0.0.1:6379
If everything goes as indicated, a confirmation that Redis will run every time your Ubuntu server starts should be displayed.
N.B. If you prefer sending a manual command each time to start the application, just disable the automatic start using the command:
$ sudo systemctl disable redis
Now, check that Redis is working properly, as well as being running.
Start by connecting Redis to the server via the client command:
$ redis-cli
In the prompt that follows, use the ping command to test connectivity:
127.0.0.1:6739> ping
An output similar to the following, which indicates that the connection to the server is active, should be shown:
PONG
To continue with the test, try now to set a key with a certain value using the set command .
127.0.0.1:6739> set test “It works!”
Now, try to display the value of the newly created key on the screen:
127.0.0.1:6739> get test
If the output is exactly the value previously specified, verify that everything is working correctly.
After completing the assessment, exit the Redis prompt using the exit command .
127.0.0.1:6739> exit
Finally, check the persistence of the data. This is to make sure that if Redis is restarted, the set values continue to exist.
To check it, use the key you just set.
Restart Redis via the command:
$ sudo systemctl restart redis
Open the Redis terminal again via:
$ redis-cli
Use the
get command to extrapolate the value of the
test key :
127.0.0.1:6739> get test
If the value entered before appears as an output, the test is completed. All you have to do is exit the Redis terminal used again
exit.
At this point in the guide, Redis should be running without any problems, but it is recommended to make it secure first. In fact, some default settings could make your server exposed to external attacks, which would allow malicious users to access the data t in it.
It is therefore strongly recommended to continue with the next steps in order to ensure the safe operation of Redis.
Forcing Redis to the localhost
If you followed this guide without changing any Redis settings, be aware that the program is by default forced to connect only with the localhost.
However, if in doubt or have previously allowed connections from another host, then go back to the localhost constraint setting.
Start by opening the Redis configuration file in your text editor. In the example the nano command is used :
$ sudo nano /etc/redis/redis.conf
In the file, look for this line and be sure to uncomment it by removing the "#" character
bind 127.0.0.1 ::1
After editing, save and close the file by following the key combination CTRL + X and Enter. Then, restart Redis again with the command:
$ sudo systemctl restart redis
Now, simply check that the changes have been applied by running the netstat command.
$ sudo netstat -lnp | grep redis
N.B. If the netstat command is not recognized, install it by entering in the terminal:
$ sudo apt install net-tools
The output shown will look as follows:
tcp 0 0 127.0.0.1:6379 0.0.0.0:* LISTEN 14222/redis-server
tcp6 0 0 ::1:6379 :::* LISTEN 14222/redis-server
Looking at the IP address specified in the first line (127.0.0.1), notice that the Redis connection will only be forced to connect to the localhost .
N.B. If another IP address appears in that column, it may be because the previously specified item has not been uncommented or Redis has not been restarted to apply the changes.
At this point, you should be protected from attacks by malicious users. However, an authentication mechanism in Redis that activates in case a user wants to modify data should be inserted through the redis-cli client.
Configuring a password for Redis
Setting up an authentication mechanism is the first configurable security option in Redis. Basically, specify, in the configuration file, a password to be requested from any user who wishes to access the database.
Start by opening the Redis configuration file.
$ sudo nano /etc/redis/redis.conf
Scrolling through the file, there will be a section called SECURITY , where this entry will be shown:
# requirepass foobared
By decommissioning the line, i.e. removing the #, and inserting a password in place of the "foobared" entry,the authentication mechanism will be.
enabled
Redis password security
Inside the Redis configuration file, under the heading for authentication, there will be a note you should pay particular attention to:
# Warning: since Redis is pretty fast, an outside user can try up to
# 150k passwords per second against a good box. This means that the user should
# use a very strong password otherwise it will be very easy to break.
#
The note explains that, due to the speed of Redis, it is very easy for a malicious user to be facilitated in a bruteforce attack. So it is advisable to set a very long and difficult password.
The openssl command helps you produce a string of alphanumeric characters of a you have established length. By using the command properly, an effective password, difficult to find, can be obtained.
$ openssl rand 60 | openssl base64 -A
- In the first part of the command, specify to output a random character ( rand ) in a string as long as the number indicated.
- In the second part, be sure that the output is produced without wrapping.
The output should look as follows:
RBOJ9cCNoGCKhlEBwQLHri1g+atWgn4Xn4HwNUbtzoVxAYxkiYBi7aufl4MILv1nxBqR4L6NNzI0X6cE
At this point, just copy and paste the string generated to the requirepass entry , as previously seen, to set a strong password.
Finally, testing the activation of the authentication protocol is needed.
Restart Redis via the command:
$ sudo systemctl restart redis.service
To verify that the password works, launch the Redis client and try to change the data.
Start by opening the client:
$ redis-cli
Now, try setting a new key with a certain value:
127.0.0.1:6739> set key1 10
An error stating that the command cannot be executed without authentication should be displayed.
To authenticate, just use the auth command , as shown below:
127.0.0.1:6739> auth password
N.B. Clearly replace ‘password’ with the passwordset before.
Having obtained the typical OK from Redis, you have successfully authenticated and can try the previous command again. This time a confirmation output will be shown.
By asking Redis for the value of key1othe value set should be readable. To do so, use the get command as below:
127.0.0.1:6739> get key1
If the output is correct, the authentication test will be completed. Then,exit the Redis client via the command:
127.0.0.1:6739> quit
The last step concerns the modification of Redis command names. This is necessary to prevent them from being used by mistake or by an attacker and consequently cause serious operational damage.
Renaming dangerous commands
The second option for Redis security is to rename or delete dangerous commands.
Some commands are very dangerous as they can allow an attacker to overwrite, modify or reconfigure data within Redis.
To enable a setting that allows you to avoid this possibility, open the configuration file and move back to the SECURITY section .
Not being able to indicate them all, a basic package of commands, which should be modified, is shown. This is in order to guarantee an adequate level of security:
FLUSHDB, FLUSHALL, KEYS, PEXPIRE, DEL, CONFIG, SHUTDOWN, BGREWRITEAOF, BGSAVE, SAVE, SPOP, SREM, RENAME, DEBUG.
Obviously the user is extremely free when choosing the commands to use, so that, according to its necessities, can be easier to modify. . Here there is a list of Redis commands and their possible abuses.
To proceed with the change, start by opening the configuration file:
$ sudo nano /etc/redis/redis.conf
In the SECURITY section, just add the rename-command entry , followed by the original name of the command and the new name totbe assigned.
rename-command SHUTDOWN SHUTDOWN_MENOT
rename-command CONFIG ASC12_CONFIG
To completely remove a command, just apply the same entry but, instead of the new name, insert two quotes which, indicating an empty string, will suggest Redis to disable the command concerned.
# It is also possible to completely kill a command by renaming it into
# an empty string:
#
rename-command FLUSHDB ""
rename-command FLUSHALL ""
rename-command DEBUG ""
As usual, to save the changes, close and save the configuration file and restart Redis via the command:
$ sudo systemctl restart redis.service
To proceed with the verification, start by opening the Redis client via:
$ redis-cli
Authenticate with:
$ auth password
Once the preliminary steps are over, try the commands that have been renamed. Taking as an example the CONFIG command, renamed to ASC12_CONFIG , first, check that the original command is not recognized as valid, having been renamed.
The string:
127.0.0.1:6739> config get requirepass
should produce an error output like the following:
(error) ERR unknown command `config`, with args beginning with:
If the renamed command is entered, even in lowercase, Redis should recognize it as valid:
127.0.0.1:6739> asc12_config get requirepass
The output should look as follows:
1) "requirepass"
2) "your_redis_password"
After checking, exit Redis using the exit command .
Remember that by restarting Redis after logging in you will be requested to log in again.
Notes on renaming commands
Within the SECURITY section of the configuration file, there is another warning about renaming commands.
# Please note that changing the name of commands that are logged into the
# AOF file or transmitted to replicas may cause problems.
Basically, the AOF file is transmitted from the master to the slaves : when changing the commands inside it only in the master , malfunctions can be generated due to the conflict of the command names.
It is also strongly recommended to carry out these changes just after the installation of Redis, avoiding changes after the “distribution”, or to make sure that the changes are made on all slaves .
Conclusions
Thanks to this guide, you were able to not only install Redis on your Linux Ubuntu server, but also set up a good security configuration.
Obviously, remember that the maximum protection of your Redis server is ensured by the firewall setting, as malicious users may also be able to circumvent the normal security settings.