×
Community Blog Boosting Redis's Security in Four Easy Steps

Boosting Redis's Security in Four Easy Steps

In this tutorial, you'll learn how you can beef up Redis's security configurations so that you can more securely enjoy all the features Redis has to offer.

By Alex Mungai Muchiri, Alibaba Cloud Community Blog author

Redis is a widely used open-source store for data structures with applications as a cache, database, or as a message broker. You can use a variety of data structures such as strings, hashes, lists, sorted sets, and geospatial indexes. Redis is also popular in the developer community and has many great features such as built-in replication, Lua scripting, LRU eviction, transactions, and reliable disk persistence.

However, despite all of its advantages, Redis doesn't have very many security protocols and as a result is best for use in a trusted environment by trusted clients. In fact, the official Redis website acknowledges this fact and even warns against exposing Redis instances to the wild open Internet or where unfiltered clients can access Redis's TCP port or UNIX socket.

That is, while Redis may be highly optimized for performance and ease of use rather than security, its security implementations are a bit lack luster and basic at best. For example, You can set a password and rename or disable commands, but mind you, that password you set is not encrypted and the setup does not have any sort of reliable access control system.

Therefore, it's wise to find alternative ways to secure your Redis. In this tutorial, you'll explore precisely that. You'll move beyond Redis's basic security configurations in four simple steps. In the tutorial, you will enhance Redis's security through several configuration changes on your Alibaba Cloud instance. The setup in this tutorial has been boiled down to the bare basics, and so in this tutorial you won't be setting up an SSL proxy or VPN. With that said, let's dive right into it.

Requirements

You will require the following things for this tutorial:

  • An Alibaba ECS instance with Ubuntu 18.04 installed
  • A non-root user with sudo privileges for your ECS instance
  • A firewall configured with UFV
  • Redis running on your server instance

Note: In this tutorial, we won't be going into too detail about how to install and configure Redis on your server. Rather, we will be focusing on the the security of your installation process.

Some Preliminary Steps: Protect Against Known Redis Vulnerabilities

It's important that you make sure that your instance, and Redis and everything is secure before you follow the steps laid out.

Improper configurations on your Redis installation may allow attackers to gain access and cause some serious damage. It is possible that your Redis installation running under the root user could be vulnerable to SSH attacks, whereby attackers attack a public key to the account and SSH into your server. By gaining access to your server in such a manner, they can assign themselves privileges, access data, steal information or deny you access. Attackers can add accounts and SSH into your server remotely if you have an insecure installation and this poses serious business risks. However, not all Redis versions are affected by this security loophole.

First, ensure that your installed version is not affected by attempting a login from a user without a Redis account like so:

flasky@Tuts:~ $ redis-cli -h 95.179.161.105 -p 6379
redis 95.179.161.105:6379> keys *
1) "1"`

Next, ensure that you replace with your own server IP address. Secure connections should show something like the following response:

Could not connect to Redis at 95.179.161.105:6379: Connection refused

If you are able to connect, that means that your Redis version does not have authentication enabled by default. Nonetheless, you will still require to harden your security by following the steps below:

Step 1: Create a Password for your Redis Application

In this step, you'll set up a Redis password, which uses the auth command to authenticate users to the database. You will require to open the configuration file to set up the password directly. Open the file in your text editor (in our case, it's Nano), like so:

sudo nano /etc/redis/redis.conf

In the SECURITY section, remove the # symbol on the comment and change the default password (foobared) to a more secure password:

/etc/redis/redis.conf
requirepass UCwgmee(/G\p6<a_

Use a strong password that is hard for hackers to guess, or generate one online using a tool like passwords generator. Save the changes and exit the editor. Run the following command to restart the Redis service:

sudo systemctl restart redis.service

Run the Redis command line to verify that the password you saved works like so:

redis-cli

next, try authenticating by running the command below:

auth password

Below is an output from a working password:

Output
OK

This proves that we have set a password and that it is working. We are now ready to proceed to the next step, which involves refining service authorisations.

Step 2: Limit Access to Localhost and Trusted IPs

Usually, you can only access Redis from localhost as a default setting. However, there are various setup techniques, which could allow connections from other sources other than localhost. Binding Redis to the localhost is the most secure way to implement your Redis installation. We shall begin by opening the configuration file like so:

sudo nano /etc/redis/redis.conf

In the file, locate the following line and remove any comments from it or # symbols like so:

/etc/redis/redis.conf
bind 127.0.0.1

Save the file and exit the text editor. You should then restart the service so that the changes can take effect. Run the command below:

sudo systemctl restart redis

Next, verify that the changes have taken effect by running the command below:

sudo netstat -lnp | grep redis

You should anticipate an output like the one below:

Output
tcp        0      0 127.0.0.1:6379          0.0.0.0:*               LISTEN      2855/redis-server 1

From the above output, you can see that the redis-server program was bound to localhost (127.0.0.1) and thus the changes have taken effect. If you see a different IP address other than the one we just placed in the configuration file, double check the file again, restart the service and run this test once more.

You can also add trusted IP addresses that can access your Redis installation by binding them like so:

sudo nano /etc/redis/redis.conf
bind 192.168.100.10 10.0.0.1

Restart Redis once more so that changes can take effect.

When bound to localhost, the risk of malicious attackers gaining access to your Redis installation reduced dramatically. However, that alone is not sufficient because we still need user authentication before allowing changes to the configuration files.

Step 3: Setting up a Firewall

A firewall policy can prevent unauthorised IP addresses from accessing your Redis service, especially if other servers need to be granted access. By default, you access Redis via port 6379. Update iptables to only accept connections from certain IP addresses like so:

iptables -A INPUT -s x.x.x.x -p tcp --dport 6379 -j ACCEPT

Where, x.x.x.x is an authorized IP address.

Redis runs on your ECS instance just like any other application. This first step involves boosting your server's security implementation because Redis has little security on its own. For this first step, we shall be required to configure a firewall for our Ubuntu 18.04 server. Alibaba Cloud has provided extensive documentation on how to add security group rules on your server. You can also check this tutorial for information about how to install a firewall on your Ubuntu server.

Proper UFW configuration will stop all incoming traffic that has not been allowed by the firewall rules. Therefore, you won't need any additional rules for Redis as it shall already be covered. All good now, please check the guides from the links above for more information on how to set up the firewall rules on your Alibaba ECS instance. However, for any number of reasons, such as limited privileges on your account, you may not be able to access the UFW configuration. You can still limit access from Redis configuration file as illustrated in the next step.

Step 4: Refine Service Authorisation

In this step, we shall rename and disable commands that make our installation potentially insecure. Such commands could be used by unauthorized users to interfere with data stored in Redis. You should be able to rename commands from the Security section of your /etc/redis/redis.conf file. In most cases, FLUSHDB, FLUSHALL, KEYS, PEXPIRE, DEL, CONFIG, SHUTDOWN, BGREWRITEAOF, BGSAVE, SAVE, SPOP, SREM, RENAME, DEBUG and EVAL are some of the commands that are considered dangerous. A comprehensive list of dangerous commands can be found here. There are many more, and the next step is either renaming them or disabling them entirely if you do not intend to use them. We shall open the configuration file in Nano as before by running the command below:

sudo nano  /etc/redis/redis.conf

You disable commands by setting them to an empty string like so:

/etc/redis/redis.conf
. . .
rename-command CONFIG ""
rename-command flushall ""
rename-command flushdb ""
. . .

Additionally, you can also rename commands so that others find it difficult to guess but still remain relatively easy for you to remember. See the example below:

/etc/redis/redis.conf
. . .
rename-command PEXPIRE EN_PEXPIRE
rename-command KEYS SEC_KEYS
. . .

Save the changes and close the editor. Then, run the command below to restart Redis:

/etc/init.d/redis-server restart

Test the new service authorizations by logging into the Redis database using your password

If you try using an original command that we have just renamed, you should get an error message. Let us try the PEXPIRE command:

Let's create a key like so:

127.0.0.1:6379> SET alicloud redis 

Now lets run the 'PEXPIRE' command like so:

127.0.0.1:6379> PEXPIRE alicloud 5000 

You'll see an output like the one below:

Output
(error) ERR unknown command 'PEXPIRE'

We renamed PEXPIRE to a different name and hence the error. Next, try calling the command we just renamed and see how it goes:

127.0.0.1:6379> EN_PEXPIRE alicloud 5000 

Your output will look like this:

(integer) 1

The second attempt is successful because we were able to rename the command. Exit from the client with the exit command.

Run Configuration Test

Now that you have gone through the four steps required to secure your Redis installation in this tutorial, let's now test to see if Redis is still properly configured. To do this, first, open the Redis command line with the redis-cli command. Assuming that you have a password, use the auth command, so to authenticate your server, and then run a ping command to test the connection. Next, if you see PONG as your output, then you know that everything is ay-okay. So in other words, you have successfully hardened our Redis security.

Conclusion

In this blog, you have made your Redis configuration on your instance much more secure. Of the things you've done, the most important feature is the firewall. This is because it prevents many security backdoors on your Redis application. Keep in mind that this tutorial is only safe for cases where a single server is in use. Go ahead, try something new on your Redis installation.

Don't have an Alibaba Cloud account? Sign up for an account and try over 40 products for free worth up to $1200. Get Started with Alibaba Cloud to learn more.

0 0 0
Share on

Alex

28 posts | 4 followers

You may also like

Comments

Alex

28 posts | 4 followers

Related Products