Securing a Redis Installation


Introduction

Learn the basics of Redis security, and steps you can take to harden your Redis installation to make it more secure.

Requirements

  • A Cloud Server running Linux (CentOS 7 or Ubuntu 14.04).
  • Redis installed and running. See our article on Installing Redis on a 1&1 IONOS Linux Cloud Server if needed.
  • A basic understanding of Redis functionality and usage.
  • Familiarity with the Linux command line.

Overview

Redis is designed to be insecure by default. The creator/developer has stated his belief that building in security features would make Redis less user-friendly, and get in the way of people trying to do things quickly and easily with Redis. The official Redis position is that the vast majority of Redis installations will never (and should never) be exposed to the Internet.

Redis's "insecure by default" position means that you will need to take a few extra steps to protect your systems, particularly if you are using Redis in production, or in a way that exposes it to the Internet.

Set Up a Firewall

To prevent outside connections to Redis, you will want to configure your firewall to block the ports Redis listens on by default:

  • 6379 (the Redis server itself)
  • 16379 (the cluster bus, used by Redis Cluster)
  • 26379 (Redis Sentinel)

You can set up a firewall policy for Redis from your 1&1 Cloud Panel. Click Network > Firewall Policies.

Redis Security: Click Firewall Policies

Click Create.

Redis security: Click Create

Fill out a name for your firewall policy, then add any ports which need to be open for your server.

The firewall policy works as a whitelist. Any port which is NOT added to your firewall policy will be blocked by default. (In other words, in order to block access to the Redis ports, do NOT add them to your firewall policy.)

The easiest way to do this is to click Add Predefined Values and choose any services which need access to your server.

Redis security: Add predefined values

After each one, click the green + to add the rule and create a new line.

Redis security: Click green plus sign

After you have added all of the ports which need to be open, click Create.

Redis security: Click create

After the firewall policy has been created, you will need to assign your server to it. Click +Assign.

Redis security: Click Assign

Click to select the server(s) you want to add to the firewall policy, then click Save Changes.

Redis security: Save changes

Bind Redis to Localhost

By default in older versions, Redis will bind to all network interfaces after it is installed. If you are only accessing Redis from the same (host) server, it is wise to bind Redis to the loopback interface (127.0.0.1).

To do this, edit the redis.conf file:

sudo nano /etc/redis.conf

Scroll down until you find:

# bind 127.0.0.1

Uncomment this line by removing the #.

Note: In newer versions of Redis, this line is uncommented by default. If the line does not have a # then you do not need to do anything else.

When you are done editing redis.conf, save and exit the file, then restart Redis for the changes to take effect:

CentOS 7:

sudo systemctl restart redis.service

Ubuntu 14.04:

sudo service redis-server restart

Configure AUTH By Enabling Requirepass

Redis has a built-in basic password authentication feature. To enable it, edit the redis.conf file:

sudo nano /etc/redis.conf

Scroll down until you find:

# requirepass foobared

Uncomment this line by removing the # and replace foobared with a secure password.

When you are done editing redis.conf, save and exit the file, then restart Redis for the changes to take effect:

CentOS 7:

sudo systemctl restart redis.service

Ubuntu 14.04:

sudo service redis-server restart

Authenticating With Requirepass

After you have enabled requirepass you will need to authenticate with the password in order to work with Redis.

To do this, first enter the Redis client with the redis-cli command. Then use the command:

auth [your Redis password]

For example, if you set a password of Ak49yhAa28 you would use the command:

auth Ak49yhAa28

Redis will respond with OK.

[root@localhost html]# redis-cli
127.0.0.1:6379> auth Ak49yhAa28
OK

Rename or Disable Dangerous Commands

There are certain Redis commands which are rarely used by most people, but which have serious potential for abuse. You can either rename or disable these commands using the redis.conf file:

sudo nano /etc/redis.conf

Scroll down until you find:

# Command renaming.

At the end of this block, enter the commands you want to rename or disable, one per line. The syntax to rename a command is:

rename-command [command] [new command name]

For example, to rename the CONFIG command to internal-config you would add the following line:

rename-command CONFIG internal-config

To disable a command, simply use "" instead of the new name. For example, to disable CONFIG you would add the following line instead:

rename-command CONFIG ""

Some commands we recommend renaming or disabling (check first that your application does not rely on a command before you disable it):

  • BGREWRITEAOF
  • BGSAVE
  • CONFIG
  • DEBUG
  • DEL
  • FLUSHALL
  • FLUSHDB
  • KEYS
  • PEXPIRE
  • RENAME
  • SAVE
  • SHUTDOWN
  • SPOP
  • SREM

When you are done editing redis.conf, save and exit the file, then restart Redis for the changes to take effect:

CentOS 7:

sudo systemctl restart redis.service

Ubuntu 14.04:

sudo service redis-server restart
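The three redis.conf edits described above (bind to localhost, requirepass, rename-command) can be applied and then audited with a small script. This is an added example, not code from the original article; it assumes the config path and the password are passed in as arguments, and the sample config it writes for its offline self-check is constructed.

```shell
#!/bin/sh
# Added example, not from the original article: applies the bind, requirepass and
# rename-command hardening steps to a redis.conf and audits the result.
# Assumes the config path and password are given as arguments (run against
# /etc/redis.conf as root, then restart Redis as shown in the article).

make_sample_conf() {   # file: constructed stock-style redis.conf with the insecure defaults
  printf '%s\n' '# bind 127.0.0.1' 'port 6379' '# requirepass foobared' '# Command renaming.' > "$1"
}

set_directive() {   # file key value: uncomment/replace the directive, or append it
  f=$1; k=$2; esc=$(printf '%s' "$3" | sed 's/[&|\\]/\\&/g')   # escape sed specials
  if grep -Eq "^#?[[:space:]]*$k([[:space:]]|$)" "$f"; then
    sed -e "s|^#\{0,1\}[[:space:]]*$k\([[:space:]].*\)\{0,1\}$|$k $esc|" "$f" > "$f.tmp" \
      && mv "$f.tmp" "$f"
  else
    printf '%s %s\n' "$k" "$3" >> "$f"
  fi
}

disable_command() {   # file command: add rename-command <cmd> "" once (idempotent)
  grep -Fxq "rename-command $2 \"\"" "$1" || printf 'rename-command %s ""\n' "$2" >> "$1"
}

harden_redis_conf() {   # file password
  set_directive "$1" bind 127.0.0.1       # loopback only, as in "Bind Redis to Localhost"
  set_directive "$1" requirepass "$2"     # enable AUTH
  # Disable the commands from the article's list that an application rarely needs;
  # rename instead of disabling any that your own code actually uses.
  for c in CONFIG DEBUG FLUSHALL FLUSHDB KEYS SHUTDOWN; do disable_command "$1" "$c"; done
}

audit_redis_conf() {   # file: succeed only if every hardening directive is active
  grep -Fxq 'bind 127.0.0.1' "$1" &&
  grep -Eq '^requirepass [^[:space:]]{16,}$' "$1" &&   # AUTH is fast to brute force; refuse short passwords
  grep -Fxq 'rename-command CONFIG ""' "$1"
}

if [ "${1:-}" = "--demo" ]; then   # ./harden.sh --demo : offline self-check on a temp file
  t=$(mktemp); make_sample_conf "$t"
  audit_redis_conf "$t" && echo "stock config unexpectedly passed the audit"
  harden_redis_conf "$t" 'Replace-Me-With-A-Long-Random-Secret'
  audit_redis_conf "$t" && cat "$t"; rm -f "$t"
fi
```

Run it once with --demo to see the before/after on a throwaway file, then point harden_redis_conf at the real redis.conf and restart the service.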