Introduction
Redis is an in-memory key-value store known for its flexibility, performance, and broad language support. This tutorial shows how to install, configure and secure Redis on an Ubuntu 20.04 server.
Prerequisites
To complete this guide, you will need access to an Ubuntu 20.04 server that has a non-root user with sudo privileges and a firewall configured with ufw. You can configure this by following our initial server setup guide for Ubuntu 20.04.
Step 1 — Installing and Configuring Redis
We will use the APT package manager to install Redis from the official Ubuntu repositories. At the time of writing, the version available in the default repositories is 5.0.7.
Start by updating the local apt package cache:
- sudo apt update
Then install Redis by typing:
- sudo apt install redis-server
This will download and install Redis and its dependencies. Next, you need to make one important change to the Redis configuration file, which was generated automatically during installation.
Open this file with your preferred text editor:
- sudo nano /etc/redis/redis.conf
Within the file, locate the supervised directive. This directive lets you declare an init system to manage Redis as a service, giving you more control over its operation. The supervised directive is set to no by default. Since you are running Ubuntu, which uses the systemd init system, change this to systemd:
. . .
# If you run Redis from upstart or systemd, Redis can interact with your
# supervision tree. Options:
#   supervised no      - no supervision interaction
#   supervised upstart - signal upstart by putting Redis into SIGSTOP mode
#   supervised systemd - signal systemd by writing READY=1 to $NOTIFY_SOCKET
#   supervised auto    - detect upstart or systemd method based on
#                        UPSTART_JOB or NOTIFY_SOCKET environment variables
# Note: these supervision methods only signal "process is ready."
#       They do not enable continuous liveness pings back to your supervisor.
supervised systemd
. . .
That’s the only change you need to make to the Redis configuration file right now, so save and close it when you’re done. If you used nano to edit the file, do so by pressing CTRL+X, Y, then ENTER.
Next, restart the Redis service so that the change to the configuration file takes effect:
- sudo systemctl restart redis.service
With that, you have installed and configured Redis and it is running on your machine. Before you start using it, though, it is prudent to first check whether Redis is working properly.
Step 2 — Testing Redis
As with any newly installed software, it’s a good idea to make sure Redis works as expected before making any further changes to its settings. We’ll go over some ways to verify that Redis is working properly in this step.
Start by verifying that the Redis service is running:
- sudo systemctl status redis
If it is running without errors, this command will produce output similar to the following:
Output
● redis-server.service - Advanced key-value store
   Loaded: loaded (/lib/systemd/system/redis-server.service; enabled; vendor preset: enabled)
   Active: active (running) since Thu 2020-04-30 23:26:54 UTC; 4s ago
     Docs: http://redis.io/documentation,
           man:redis-server(1)
  Process: 36552 ExecStart=/usr/bin/redis-server /etc/redis/redis.conf (code=exited, status=0/SUCCESS)
 Main PID: 36561 (redis-server)
    Tasks: 4 (limit: 2345)
   Memory: 1.8M
   CGroup: /system.slice/redis-server.service
           └─36561 /usr/bin/redis-server 127.0.0.1:6379
. . .
Here, you can see that Redis is running and is already enabled, which means that it is set to start every time the server starts.
To verify that Redis is working correctly, connect to the server using redis-cli, the Redis command-line client:
- redis-cli
At the prompt that follows, test connectivity with the ping command:
- ping
Output
PONG
This output confirms that the connection to the server is live. Next, check that you can set keys by running:
- set test "It's working!"
Output
OK
Retrieve the value by typing:
- get test
Assuming everything works, you will be able to retrieve the value you stored:
Output
"It's working!"
After confirming that you can retrieve the value, exit the Redis prompt to return to the shell:
- exit
As a final test, check whether Redis keeps its data across a stop or restart. To do this, first restart the Redis instance:
- sudo systemctl restart redis
Then reconnect to the command-line client:
- redis-cli
And confirm that your test value is still available:
- get test
The value of your key should still be accessible:
Output
"It's working!"
Exit the shell again when you’re done:
- exit
With that, your Redis installation is fully operational and ready for use. However, some of its default settings are insecure and give malicious actors opportunities to attack your server and gain access to it and its data. The remaining steps of this tutorial cover the methods for mitigating these weaknesses, as recommended in the official Redis security documentation. Although these steps are optional and Redis will keep working if you choose not to follow them, it is strongly recommended that you complete them to harden your system.
Step 3 — Binding to localhost
By default, Redis can only be accessed from localhost. However, if you installed and configured Redis following a different tutorial than this one, you may have updated the configuration file to allow connections from anywhere. This is not as secure as binding to localhost.
To fix this, open the Redis configuration file for editing:
- sudo nano /etc/redis/redis.conf
Locate this line and make sure it is not commented out (delete the # if one exists):
bind 127.0.0.1 ::1
Save and close the file when you are finished (press CTRL+X, Y, and then ENTER).
Then, restart the service to ensure that systemd reads the changes:
- sudo systemctl restart redis
To verify that this change has taken effect, run the following netstat command:
- sudo netstat -lnp | grep redis
Output
tcp        0      0 127.0.0.1:6379          0.0.0.0:*               LISTEN      14222/redis-server
tcp6       0      0 ::1:6379                :::*                    LISTEN      14222/redis-server
This output shows that the redis-server program is bound to localhost (127.0.0.1 and ::1), which reflects the change you just made to the configuration file. If you see another IP address in that column (0.0.0.0, for example), double-check that you uncommented the correct line and restart the Redis service again. Note that netstat belongs to the net-tools package, which Ubuntu 20.04 no longer installs by default; if the command is not found, sudo ss -lntp | grep redis shows the same information.
Now that your Redis installation is listening only on localhost, it will be harder for malicious actors to send it requests or gain access to your server. However, Redis is not yet configured to require clients to authenticate before changing its settings or the data it holds. To remedy this, Redis lets you require clients to authenticate with a password before running commands, whether they connect through redis-cli or through an application library.
Step 4 — Setting Up a Redis Password
Configuring a Redis password enables one of its two built-in security features: the auth command, which requires clients to authenticate before they can access the database. The password is set directly in the Redis configuration file, /etc/redis/redis.conf, so open that file again with your preferred editor:
- sudo nano /etc/redis/redis.conf
Scroll down to the SECURITY section and look for a commented directive that reads:
. . .
# requirepass foobared
. . .
Uncomment it by removing the #, and change foobared to a strong password. Redis serves requests so quickly that an attacker with network access can try a very large number of AUTH attempts per second, so the password must be long and random: generate it rather than choosing a memorable one. It is also stored in clear text in this file, so keep the file's permissions restrictive.
After setting the password, save and close the file, then restart Redis:
- sudo systemctl restart redis.service
To verify that the password works, open the Redis client:
- redis-cli
The following sequence tests whether the Redis password works. The first command tries to set a key to a value before authenticating:
- set key1 10
That won't work because you haven't authenticated yet, so Redis returns an error:
Output
(error) NOAUTH Authentication required.
The following command authenticates with the password specified in the Redis configuration file:
- auth your_redis_password
Redis acknowledges it:
Output
OK
After that, running the previous command again will succeed:
- set key1 10
Output
OK
Then query Redis for the value of the new key:
- get key1
Output
"10"
After confirming that you can run commands on the Redis client after authenticating, you can exit redis-cli:
- exit
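As an added example (not part of the original tutorial or of Redis itself), the following POSIX shell script automates the requirepass change from this step in a repeatable way: it generates a 64-character random password from /dev/urandom and replaces whatever requirepass line the file currently has, active or commented out, with a single active directive, so running it twice does not leave two directives behind. The function names and the use of od to read /dev/urandom are this example's own choices.

```shell
#!/bin/sh
# Added example, not from the original tutorial: set a strong requirepass in
# a redis.conf idempotently. Function names are this example's own.
# Usage: sudo sh set-requirepass.sh /etc/redis/redis.conf
set -e

# gen_password: 32 random bytes from /dev/urandom as 64 hex characters.
# -N32 reads exactly 32 bytes, so nothing downstream is cut off mid-pipe.
gen_password() {
    od -An -tx1 -N32 /dev/urandom | tr -d ' \n'
}

# set_requirepass CONF PASSWORD: remove every existing requirepass line,
# whether active or commented out (the shipped "# requirepass foobared"),
# then append exactly one active directive. Writes through the existing
# file rather than replacing it, so its owner and permissions are kept.
set_requirepass() {
    conf=$1
    pass=$2
    tmp=$(mktemp)
    grep -Ev '^[[:space:]]*#?[[:space:]]*requirepass[[:space:]]' "$conf" > "$tmp" || true
    printf 'requirepass %s\n' "$pass" >> "$tmp"
    cat "$tmp" > "$conf"
    rm -f "$tmp"
}

# get_requirepass CONF: print the active password (commented lines are
# ignored), or nothing if AUTH is not required.
get_requirepass() {
    awk '$1 == "requirepass" { print $2 }' "$1"
}

# When a config path is given, set a fresh password and print it once so it
# can be stored in a secrets manager; it is never written anywhere else.
if [ $# -gt 0 ]; then
    new_pass=$(gen_password)
    set_requirepass "$1" "$new_pass"
    echo "requirepass set in $1: $new_pass"
fi
```

Running it as root against /etc/redis/redis.conf and then restarting Redis with sudo systemctl restart redis.service completes the step. When scripting checks afterwards, prefer the REDISCLI_AUTH environment variable (read by redis-cli 5.0.3 and later) over the -a option, which exposes the password in the process list.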
Next, we'll look at renaming Redis commands that, if entered by mistake or by a malicious actor, could cause serious damage to your machine.
Step 5 — Renaming Dangerous Commands
The other security feature built into Redis involves renaming or completely disabling certain commands that are considered dangerous.
When executed by unauthorized users, such commands can be used to reconfigure, destroy, or erase your data. Like the authentication password, renaming or disabling commands is configured in the same SECURITY section of the /etc/redis/redis.conf file.
Some of the commands that are considered dangerous include: FLUSHDB, FLUSHALL, KEYS, PEXPIRE, DEL, CONFIG, SHUTDOWN, BGREWRITEAOF, BGSAVE, SAVE, SPOP, SREM, RENAME, and DEBUG. This is not a complete list, but renaming or disabling all commands in that list is a good starting point for improving Redis server security.
Whether you should disable or rename a command depends on your specific needs or those of your site. If you know you’ll never use a command that can be abused, you can disable it. Otherwise, it might be in your best interest to change the name.
To rename or disable Redis commands, open the configuration file once again:
- sudo nano /etc/redis/redis.conf
To disable a command, rename it to an empty string (represented by a pair of double quotation marks with nothing between them), as shown below:
. . .
# It is also possible to completely kill a command by renaming it into
# an empty string:
#
rename-command FLUSHDB ""
rename-command FLUSHALL ""
rename-command DEBUG ""
. . .
To rename a command, give it a new name, as in the following examples. The renamed commands should be hard for others to guess but easy for you to remember:
. . .
# rename-command CONFIG ""
rename-command SHUTDOWN SHUTDOWN_MENOT
rename-command CONFIG ASC12_CONFIG
. . .
Note that, as the configuration file itself warns, renaming a command that is logged to the AOF file or transmitted to replicas can cause problems; if you run replicas, apply the same renames on every one of them. Treat a renamed command's new name as a secret: it protects you only as long as it stays hard to guess.
Save your changes and close the file.
After you rename a command, apply the change by restarting Redis:
- sudo systemctl restart redis.service
To test the renamed command, open the Redis command line:
- redis-cli
Next, authenticate:
- auth your_redis_password
Output
OK
Suppose you renamed the CONFIG command to ASC12_CONFIG, as in the previous example. First, try using the original CONFIG command. It should fail, because you have renamed it:
- config get requirepass
Output
(error) ERR unknown command `config`, with args beginning with:
Calling the renamed command, however, will succeed. Redis command names are not case sensitive:
- asc12_config get requirepass
Output
1) "requirepass"
2) "your_redis_password"
Finally, you can exit redis-cli:
- exit
Note that if you are already using the Redis command line and then restart Redis, you will need to re-authenticate. Otherwise, you will get this error when you type a command:
Output
NOAUTH Authentication required.
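Steps 3 to 5 each ask you to edit one directive and restart. The following added script (not part of the original tutorial; its function names are hypothetical) reads a redis.conf the way Redis does, ignoring comment lines and taking the last occurrence of a single-valued directive, and reports whether bind is loopback-only, whether requirepass is set to something better than the shipped example, and which of the dangerous commands listed in Step 5 have been renamed or disabled. It runs against a path you give it or, with no arguments, against two configurations constructed inside the script: one as shipped by the Ubuntu package and one hardened as in this tutorial.

```shell
#!/bin/sh
# Added example, not from the original tutorial: audit a redis.conf for the
# hardening points of Steps 3 to 5. Function names are hypothetical.
# Usage: sh audit-redis-conf.sh /etc/redis/redis.conf   (no args: demo run)
set -e

# conf_get CONF DIRECTIVE: effective value of a single-valued directive.
# Comment lines never match (their first field is "#"), and when the
# directive appears several times the last one wins, as in Redis itself.
conf_get() {
    awk -v key="$2" 'tolower($1) == key { $1 = ""; sub(/^ +/, ""); val = $0 }
                     END { print val }' "$1"
}

# check_bind CONF: fail unless every bound address is loopback. With no
# bind line at all Redis listens on every interface.
check_bind() {
    bind=$(conf_get "$1" bind)
    if [ -z "$bind" ]; then
        echo "FAIL bind: no bind directive, Redis listens on all interfaces"; return 1
    fi
    for addr in $bind; do
        case "$addr" in
            127.0.0.1|::1) ;;
            *) echo "FAIL bind: non-loopback address $addr"; return 1 ;;
        esac
    done
    echo "OK   bind: $bind"
}

# check_requirepass CONF: fail if AUTH is not required, if the shipped
# example password was left in, or if the password is short enough to guess.
check_requirepass() {
    pass=$(conf_get "$1" requirepass)
    pass=${pass#\"}; pass=${pass%\"}   # Redis strips surrounding quotes
    if [ -z "$pass" ]; then
        echo "FAIL requirepass: not set, clients need not authenticate"; return 1
    elif [ "$pass" = foobared ]; then
        echo "FAIL requirepass: still the example value from redis.conf"; return 1
    elif [ ${#pass} -lt 32 ]; then
        echo "FAIL requirepass: only ${#pass} characters, use a long random value"; return 1
    fi
    echo "OK   requirepass: set (${#pass} characters)"
}

# The commands Step 5 lists as dangerous.
DANGEROUS="FLUSHDB FLUSHALL KEYS PEXPIRE DEL CONFIG SHUTDOWN BGREWRITEAOF BGSAVE SAVE SPOP SREM RENAME DEBUG"

# check_renames CONF: report each dangerous command as disabled (renamed to
# ""), renamed, or untouched. Returns the number still untouched.
check_renames() {
    untouched=0
    for cmd in $DANGEROUS; do
        new=$(awk -v c="$cmd" 'tolower($1) == "rename-command" && toupper($2) == c { print $3 }' "$1" | tail -n 1)
        case "$new" in
            '""'|"''") echo "OK   $cmd: disabled" ;;
            '')        echo "WARN $cmd: still available under its original name"; untouched=$((untouched + 1)) ;;
            *)         echo "OK   $cmd: renamed to $new" ;;
        esac
    done
    return $untouched
}

# audit CONF: 0 if bind and requirepass pass. Rename coverage is reported but
# not scored: which listed commands an application needs is a judgement call.
audit() {
    status=0
    check_bind "$1" || status=1
    check_requirepass "$1" || status=1
    check_renames "$1" || :
    return $status
}

# Constructed sample configurations (not copied from any real server).
sample_shipped() {
    printf '%s\n' 'bind 127.0.0.1 ::1' 'protected-mode yes' 'port 6379' \
        'supervised systemd' '# requirepass foobared' '# rename-command CONFIG ""'
}
sample_hardened() {
    printf '%s\n' 'bind 127.0.0.1 ::1' 'supervised systemd' \
        'requirepass 0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef' \
        'rename-command FLUSHDB ""' 'rename-command FLUSHALL ""' 'rename-command DEBUG ""' \
        'rename-command SHUTDOWN SHUTDOWN_MENOT' 'rename-command CONFIG ASC12_CONFIG'
}

if [ $# -gt 0 ]; then
    audit "$1"
else
    for kind in shipped hardened; do
        f=$(mktemp); "sample_$kind" > "$f"
        echo "== constructed sample: $kind"; audit "$f" || :
        rm -f "$f"
    done
fi
```

The script only reads the file, so it can run from a non-root shell if that shell can read /etc/redis/redis.conf; its exit status makes it usable as a post-deployment check. It inspects configuration rather than the running server, so remember to restart Redis after any edit, exactly as the steps above do.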
Conclusion
In this tutorial, you installed and configured Redis, validated that your Redis installation is working properly, and used its built-in security features to make it less vulnerable to attack by malicious actors.
Keep in mind that once someone has logged into your server, it is very easy to bypass the Redis-specific security features we've implemented: anyone able to read /etc/redis/redis.conf can see the password and the renamed command names. Therefore, the most important security feature on your Redis server is your firewall (which you configured if you followed the initial server setup tutorial as a prerequisite), because it makes it extremely difficult for malicious actors to get that far.