How To Install and Secure Redis on Ubuntu 20.04 – DigitalOcean

Introduction

Redis is an in-memory key-value store known for its flexibility, performance, and broad language support. This tutorial shows how to install, configure and secure Redis on an Ubuntu 20.04 server.

Prerequisites

To complete this guide, you will need access to an Ubuntu 20.04 server that has a non-root user with sudo privileges and a firewall configured with ufw. You can configure this by following our initial server setup guide for Ubuntu 20.04.

Step 1 — Installing and configuring Redis

We will use the APT package manager to install Redis from the official Ubuntu repositories. At the time of writing, the version available in the default repositories is 5.0.7.

Start by updating the local apt package cache:

  1. sudo apt update

Then install Redis by typing:

  1. sudo apt install redis-server

This will download and install Redis and its dependencies. Next, you need to make a major configuration change to the Redis configuration file, which was automatically generated during installation.

Open this file with your preferred text editor:

  1. sudo nano /etc/redis/redis.conf

Within the file, locate the supervised directive. This directive allows you to declare an init system to manage Redis as a service, giving you more control over its operation. The supervised directive is set to no by default. Since you are running Ubuntu, which uses the systemd init system, change this to systemd:

. . .

# If you run Redis from upstart or systemd, Redis can interact with your
# supervision tree. Options:
#   supervised no      - no supervision interaction
#   supervised upstart - signal upstart by putting Redis into SIGSTOP mode
#   supervised systemd - signal systemd by writing READY=1 to $NOTIFY_SOCKET
#   supervised auto    - detect upstart or systemd method based on
#                        UPSTART_JOB or NOTIFY_SOCKET environment variables
# Note: these supervision methods only signal "process is ready."
#       They do not enable continuous liveness pings back to your supervisor.
supervised systemd

. . .

That’s the only change you need to make to the Redis configuration file right now, so save and close it when you’re done. If you used nano to edit the file, do so by pressing CTRL+X, Y, then ENTER.

Next, restart the Redis service to reflect the changes made to the configuration file:

  1. sudo systemctl restart redis.service

With that, you have installed and configured Redis and it is running on your machine. However, before you start using it, it is prudent to first check if Redis works properly.

Step 2 — Testing Redis

As with any newly installed software, it’s a good idea to make sure Redis works as expected before making any further changes to its settings. We’ll go over some ways to verify that Redis is working properly in this step.

Start by verifying that the Redis service is running:

  1. sudo systemctl status redis

If it is running without any errors, this command will produce output similar to the following:

Output
● redis-server.service - Advanced key-value store
     Loaded: loaded (/lib/systemd/system/redis-server.service; enabled; vendor preset: enabled)
     Active: active (running) since Thu 2020-04-30 23:26:54 UTC; 4s ago
       Docs: http://redis.io/documentation,
             man:redis-server(1)
    Process: 36552 ExecStart=/usr/bin/redis-server /etc/redis/redis.conf (code=exited, status=0/SUCCESS)
   Main PID: 36561 (redis-server)
      Tasks: 4 (limit: 2345)
     Memory: 1.8M
     CGroup: /system.slice/redis-server.service
             └─36561 /usr/bin/redis-server 127.0.0.1:6379
. . .

Here, you can see that Redis is running and is already enabled, which means that it is set to start every time the server starts.

To verify that Redis is working correctly, connect to the server using redis-cli, the Redis command-line client:

  1. redis-cli

At the prompt that follows, test connectivity with the ping command:

  1. ping

Output
PONG

This output confirms that the server connection is still active. Next, verify that you can set keys by running:

  1. set test "It's working!"

Output
OK

Retrieve the value by typing:

  1. get test

Assuming everything is working, you will be able to retrieve the value you stored:

Output
"It's working!"

After confirming that you can retrieve the value, exit the Redis prompt to return to the shell:

  1. exit

As a final test, we will check whether Redis can retain the data even after it has been stopped or restarted. To do this, first restart the Redis instance:

  1. sudo systemctl restart redis

Then reconnect to the command-line client:

  1. redis-cli

And confirm that the test value is still available:

  1. get test

The value of your key should still be accessible:

Output
"It's working!"

Exit to the shell again when you are finished:

  1. exit

With that, your Redis installation is fully operational and ready for use. However, some of its default configuration settings are insecure and provide malicious actors with opportunities to attack and gain access to your server and its data. The remaining steps of this tutorial cover the methods to mitigate these vulnerabilities, as prescribed by the official Redis website. Although these steps are optional and Redis will continue to work if you choose not to follow them, it is strongly recommended that you complete them to strengthen the security of your system.

Step 3 — Binding to localhost

By default, Redis can only be accessed from localhost. However, if you installed and configured Redis following a different tutorial than this one, you may have updated the configuration file to allow connections from anywhere. This is not as secure as binding to localhost.

To fix this, open the Redis configuration file for editing:

  1. sudo nano /etc/redis/redis.conf

Locate this line and make sure it is not commented out (delete the # if it exists):

bind 127.0.0.1 ::1

Save and close the file when you are finished (press CTRL+X, Y, and then ENTER).

Then, restart the service to ensure that systemd reads the changes:

  1. sudo systemctl restart redis

To verify that this change has taken effect, run the following netstat command:

  1. sudo netstat -lnp | grep redis

Output
tcp        0      0 127.0.0.1:6379          0.0.0.0:*               LISTEN      14222/redis-server
tcp6       0      0 ::1:6379                :::*                    LISTEN      14222/redis-server

This output shows that the redis-server program is bound to localhost (127.0.0.1), which reflects the change you just made to the configuration file. If you see another IP address in that column (0.0.0.0, for example), you should verify that you uncommented the correct line and restart the Redis service again.

Now that your Redis installation is only listening on localhost, it will be harder for malicious actors to make requests or gain access to your server. However, Redis is not currently configured to require users to authenticate before making changes to its configuration or the data it holds. To remedy this, Redis allows you to require users to authenticate with a password before making changes through the Redis client (redis-cli).

Step 4 — Set up a Redis password

Setting a Redis password enables one of its two built-in security features: the auth command, which requires clients to authenticate to access the database. The password is set directly in the Redis configuration file, /etc/redis/redis.conf, so open that file again with your preferred editor:

  1. sudo nano /etc/redis/redis.conf

Scroll down to the SECURITY section and look for a commented directive that reads:

. . .
# requirepass foobared
. . .

Uncomment it by deleting the #, and change foobared to a strong password.

After setting the password, save and close the file, then restart Redis:

  1. sudo systemctl restart redis.service

To verify that the password works, open the Redis client:

  1. redis-cli

The following sequence of commands tests whether the Redis password works. The first command tries to set a key to a value before authentication:

  1. set key1 10

That won’t work because it wasn’t authenticated, so Redis returns an error:

Output
(error) NOAUTH Authentication required.

The following command authenticates with the password specified in the Redis configuration file:

  1. auth your_redis_password

Redis acknowledges:

Output
OK

After that, running the previous command again will succeed:

  1. set key1 10

Output
OK

get key1 queries Redis for the value of the new key.

  1. get key1

Output
"10"

After confirming that you can run commands on the Redis client after authenticating, you can exit redis-cli:

  1. exit

Next, we’ll look at renaming Redis commands which, if entered by mistake or by a malicious actor, could cause serious damage to your machine.

Step 5 — Rename dangerous commands

The other security feature built into Redis involves renaming or completely disabling certain commands that are considered dangerous.

When executed by unauthorized users, such commands can be used to reconfigure, destroy, or erase your data. Like the authentication password, renaming or disabling commands is configured in the same SECURITY section of the /etc/redis/redis.conf file.

Some of the commands that are considered dangerous include: FLUSHDB, FLUSHALL, KEYS, PEXPIRE, DEL, CONFIG, SHUTDOWN, BGREWRITEAOF, BGSAVE, SAVE, SPOP, SREM, RENAME, and DEBUG. This is not a complete list, but renaming or disabling all commands in that list is a good starting point for improving Redis server security.

Whether you should disable or rename a command depends on your specific needs or those of your site. If you know you’ll never use a command that can be abused, you can disable it. Otherwise, it might be in your best interest to change the name.

To rename or disable Redis commands, open the configuration file once again:

  1. sudo nano /etc/redis/redis.conf

To disable a command, simply rename it to an empty string (represented by a pair of quotation marks with no characters between them), as shown below:

. . .
# It is also possible to completely kill a command by renaming it to
# an empty string:
#
rename-command FLUSHDB ""
rename-command FLUSHALL ""
rename-command DEBUG ""
. . .

To rename a command, give it another name, as shown in the following examples. Renamed commands should be hard for others to guess, but easy for you to remember:

. . .
# rename-command CONFIG ""
rename-command SHUTDOWN SHUTDOWN_MENOT
rename-command CONFIG ASC12_CONFIG
. . .

Save your changes and close the file.

After you rename a command, apply the change by restarting Redis:

  1. sudo systemctl restart redis.service

To test the new command, enter the Redis command line:

  1. redis-cli

Next, authenticate:

  1. auth your_redis_password

Output
OK

Suppose you renamed the CONFIG command to ASC12_CONFIG, as in the previous example. First, try using the original CONFIG command. It should fail, because you have renamed it:

  1. config get requirepass

Output
(error) ERR unknown command `config`, with args beginning with:

However, calling the renamed command will be successful. It is not case-sensitive:

  1. asc12_config get requirepass

Output
1) "requirepass"
2) "your_redis_password"

Finally, you can exit redis-cli:

  1. exit

Note that if you are already using the Redis command line and then restart Redis, you will need to reauthenticate. Otherwise, you will get this error if you type a command:

Output
NOAUTH Authentication required.
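
A check for the settings changed in Steps 3 to 5, added here as an example (it is not part of the original tutorial): a shell function that reads a redis.conf and reports a non-loopback bind, a missing or sample requirepass, and any of the five commands from the snippets above that still answer to their default names. The function name, the 32-character minimum and the constructed sample file are assumptions of this example.

```shell
#!/bin/sh
# audit_redis_conf FILE: print one finding per line for the settings hardened
# in Steps 3-5; exit status 0 when clean, 1 when anything is flagged.
# Assumptions of this example: the 32-character minimum and the five
# commands checked (the ones the tutorial's snippets disable or rename).
audit_redis_conf() {
    awk '
    /^[ \t]*#/ || NF == 0 { next }            # comments and blank lines
    { key = tolower($1) }                     # directives are case-insensitive
    key == "bind" {
        bound = 1
        for (i = 2; i <= NF; i++)             # -::1 is the Redis 6.2+ spelling
            if ($i != "127.0.0.1" && $i != "::1" && $i != "-::1")
                print "bind: non-loopback address " $i
    }
    key == "requirepass" {
        pass = 1; pw = $2; gsub(/"/, "", pw)
        if (pw == "foobared") print "requirepass: still the sample value"
        else if (length(pw) < 32) print "requirepass: under 32 characters"
    }
    key == "rename-command" { renamed[toupper($2)] = 1 }
    END {
        if (!bound) print "bind: no active line, so all interfaces are used"
        if (!pass) print "requirepass: not set, AUTH is never demanded"
        n = split("FLUSHDB FLUSHALL DEBUG SHUTDOWN CONFIG", want, " ")
        for (i = 1; i <= n; i++)
            if (!(want[i] in renamed))
                print "rename-command: " want[i] " keeps its default name"
    }' "$1" | { ! grep . ; }                  # echo findings; fail if any
}

# Constructed sample: a server after Step 3 only (bound to localhost, sample
# password line still commented out, nothing renamed).
sample=$(mktemp)
printf '%s\n' 'bind 127.0.0.1 ::1' '# requirepass foobared' > "$sample"
audit_redis_conf "$sample" || echo "fix the findings above, then restart Redis"
rm -f "$sample"
```

On the server, run the function against /etc/redis/redis.conf with sudo after each edit and before restarting the service.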

Conclusion

In this tutorial, you installed and configured Redis, validated that your Redis installation is working properly, and used its built-in security features to make it less vulnerable to attack by malicious actors.

Keep in mind that once someone logs into your server, it’s very easy to bypass the Redis-specific security features we’ve implemented. Therefore, the most important security feature on your Redis server is your firewall (which you configured if you followed the initial server setup tutorial as a prerequisite), as this makes it extremely difficult for malicious actors to jump that fence.