By Alex Mungai Muchiri, Alibaba Cloud Community Blog author
Redis is a widely used open-source store for data structures with applications as a cache, database, or as a message broker. You can use a variety of data structures such as strings, hashes, lists, sorted sets, and geospatial indexes. Redis is also popular in the developer community and has many great features such as built-in replication, Lua scripting, LRU eviction, transactions, and reliable disk persistence.
However, despite all of its advantages, Redis doesn't have very many security protocols and as a result is best for use in a trusted environment by trusted clients. In fact, the official Redis website acknowledges this fact and even warns against exposing Redis instances to the wild open Internet or where unfiltered clients can access Redis's TCP port or UNIX socket.
That is, while Redis may be highly optimized for performance and ease of use rather than security, its security implementations are a bit lack luster and basic at best. For example, You can set a password and rename or disable commands, but mind you, that password you set is not encrypted and the setup does not have any sort of reliable access control system.
Therefore, it's wise to find alternative ways to secure your Redis. In this tutorial, you'll explore precisely that. You'll move beyond Redis's basic security configurations in four simple steps. In the tutorial, you will enhance Redis's security through several configuration changes on your Alibaba Cloud instance. The setup in this tutorial has been boiled down to the bare basics, and so in this tutorial you won't be setting up an SSL proxy or VPN. With that said, let's dive right into it.
You will require the following things for this tutorial:
Note: In this tutorial, we won't be going into too detail about how to install and configure Redis on your server. Rather, we will be focusing on the the security of your installation process.
It's important that you make sure that your instance, and Redis and everything is secure before you follow the steps laid out.
Improper configurations on your Redis installation may allow attackers to gain access and cause some serious damage. It is possible that your Redis installation running under the root user could be vulnerable to SSH attacks, whereby attackers attack a public key to the account and SSH into your server. By gaining access to your server in such a manner, they can assign themselves privileges, access data, steal information or deny you access. Attackers can add accounts and SSH into your server remotely if you have an insecure installation and this poses serious business risks. However, not all Redis versions are affected by this security loophole.
First, ensure that your installed version is not affected by attempting a login from a user without a Redis account like so:
flasky@Tuts:~ $ redis-cli -h 95.179.161.105 -p 6379
redis 95.179.161.105:6379> keys *
1) "1"`Next, ensure that you replace with your own server IP address. Secure connections should show something like the following response:
Could not connect to Redis at 95.179.161.105:6379: Connection refusedIf you are able to connect, that means that your Redis version does not have authentication enabled by default. Nonetheless, you will still require to harden your security by following the steps below:
In this step, you'll set up a Redis password, which uses the auth command to authenticate users to the database. You will require to open the configuration file to set up the password directly. Open the file in your text editor (in our case, it's Nano), like so:
sudo nano /etc/redis/redis.confIn the SECURITY section, remove the # symbol on the comment and change the default password (foobared) to a more secure password:
/etc/redis/redis.confrequirepass UCwgmee(/G\p6<a_Use a strong password that is hard for hackers to guess, or generate one online using a tool like passwords generator. Save the changes and exit the editor. Run the following command to restart the Redis service:
sudo systemctl restart redis.serviceRun the Redis command line to verify that the password you saved works like so:
redis-clinext, try authenticating by running the command below:
auth passwordBelow is an output from a working password:
Output
OKThis proves that we have set a password and that it is working. We are now ready to proceed to the next step, which involves refining service authorisations.
Usually, you can only access Redis from localhost as a default setting. However, there are various setup techniques, which could allow connections from other sources other than localhost. Binding Redis to the localhost is the most secure way to implement your Redis installation. We shall begin by opening the configuration file like so:
sudo nano /etc/redis/redis.confIn the file, locate the following line and remove any comments from it or # symbols like so:
/etc/redis/redis.confbind 127.0.0.1Save the file and exit the text editor. You should then restart the service so that the changes can take effect. Run the command below:
sudo systemctl restart redisNext, verify that the changes have taken effect by running the command below:
sudo netstat -lnp | grep redisYou should anticipate an output like the one below:
Output
tcp 0 0 127.0.0.1:6379 0.0.0.0:* LISTEN 2855/redis-server 1From the above output, you can see that the redis-server program was bound to localhost (127.0.0.1) and thus the changes have taken effect. If you see a different IP address other than the one we just placed in the configuration file, double check the file again, restart the service and run this test once more.
You can also add trusted IP addresses that can access your Redis installation by binding them like so:
sudo nano /etc/redis/redis.confbind 192.168.100.10 10.0.0.1Restart Redis once more so that changes can take effect.
When bound to localhost, the risk of malicious attackers gaining access to your Redis installation reduced dramatically. However, that alone is not sufficient because we still need user authentication before allowing changes to the configuration files.
A firewall policy can prevent unauthorised IP addresses from accessing your Redis service, especially if other servers need to be granted access. By default, you access Redis via port 6379. Update iptables to only accept connections from certain IP addresses like so:
iptables -A INPUT -s x.x.x.x -p tcp --dport 6379 -j ACCEPTWhere, x.x.x.x is an authorized IP address.
Redis runs on your ECS instance just like any other application. This first step involves boosting your server's security implementation because Redis has little security on its own. For this first step, we shall be required to configure a firewall for our Ubuntu 18.04 server. Alibaba Cloud has provided extensive documentation on how to add security group rules on your server. You can also check this tutorial for information about how to install a firewall on your Ubuntu server.
Proper UFW configuration will stop all incoming traffic that has not been allowed by the firewall rules. Therefore, you won't need any additional rules for Redis as it shall already be covered. All good now, please check the guides from the links above for more information on how to set up the firewall rules on your Alibaba ECS instance. However, for any number of reasons, such as limited privileges on your account, you may not be able to access the UFW configuration. You can still limit access from Redis configuration file as illustrated in the next step.
In this step, we shall rename and disable commands that make our installation potentially insecure. Such commands could be used by unauthorized users to interfere with data stored in Redis. You should be able to rename commands from the Security section of your /etc/redis/redis.conf file. In most cases, FLUSHDB, FLUSHALL, KEYS, PEXPIRE, DEL, CONFIG, SHUTDOWN, BGREWRITEAOF, BGSAVE, SAVE, SPOP, SREM, RENAME, DEBUG and EVAL are some of the commands that are considered dangerous. A comprehensive list of dangerous commands can be found here. There are many more, and the next step is either renaming them or disabling them entirely if you do not intend to use them. We shall open the configuration file in Nano as before by running the command below:
sudo nano /etc/redis/redis.confYou disable commands by setting them to an empty string like so:
/etc/redis/redis.conf. . .
rename-command CONFIG ""
rename-command flushall ""
rename-command flushdb ""
. . .Additionally, you can also rename commands so that others find it difficult to guess but still remain relatively easy for you to remember. See the example below:
/etc/redis/redis.conf. . .
rename-command PEXPIRE EN_PEXPIRE
rename-command KEYS SEC_KEYS
. . .Save the changes and close the editor. Then, run the command below to restart Redis:
/etc/init.d/redis-server restartTest the new service authorizations by logging into the Redis database using your password
If you try using an original command that we have just renamed, you should get an error message. Let us try the PEXPIRE command:
Let's create a key like so:
127.0.0.1:6379> SET alicloud redis Now lets run the 'PEXPIRE' command like so:
127.0.0.1:6379> PEXPIRE alicloud 5000 You'll see an output like the one below:
Output
(error) ERR unknown command 'PEXPIRE'We renamed PEXPIRE to a different name and hence the error. Next, try calling the command we just renamed and see how it goes:
127.0.0.1:6379> EN_PEXPIRE alicloud 5000 Your output will look like this:
(integer) 1The second attempt is successful because we were able to rename the command. Exit from the client with the exit command.
Now that you have gone through the four steps required to secure your Redis installation in this tutorial, let's now test to see if Redis is still properly configured. To do this, first, open the Redis command line with the redis-cli command. Assuming that you have a password, use the auth command, so to authenticate your server, and then run a ping command to test the connection. Next, if you see PONG as your output, then you know that everything is ay-okay. So in other words, you have successfully hardened our Redis security.
In this blog, you have made your Redis configuration on your instance much more secure. Of the things you've done, the most important feature is the firewall. This is because it prevents many security backdoors on your Redis application. Keep in mind that this tutorial is only safe for cases where a single server is in use. Go ahead, try something new on your Redis installation.
Don't have an Alibaba Cloud account? Sign up for an account and try over 40 products for free worth up to $1200. Get Started with Alibaba Cloud to learn more.
Setting up and Troubleshooting Your Nginx Server on Alibaba Cloud
ApsaraDB - July 26, 2018
Alibaba Clouder - November 13, 2017
JDP - November 11, 2021
Alibaba Cloud Security - January 16, 2020
ApsaraDB - June 13, 2022
Hiteshjethva - December 11, 2019
Web Hosting Solution
Explore Web Hosting solutions that can power your personal website or empower your online business.
Learn More
ApsaraDB for Redis
A key value database service that offers in-memory caching and high-speed access to applications hosted on the cloud
Learn More
Security Solution
Alibaba Cloud is committed to safeguarding the cloud security for every business.
Learn More
Web Hosting
Explore how our Web Hosting solutions help small and medium sized companies power their websites and online businesses.
Learn MoreMore Posts by Alex
