In our previous tutorial, we learned how to install Redis on an Ubuntu server and on a CentOS/RHEL server. But if we leave the installed Redis service in its default state, i.e. with the default configuration, it may be open to intrusion. So we should know how to secure the Redis installation to prevent unauthorized access to, or operations on, our Redis server.
There are a number of things we can do to secure a Redis installation. We will now go through them one by one.
Secure Redis Installation
1- Create a password to connect to Redis
By default, no password is required to connect to the Redis server, but we can set one so that clients must authenticate before using the instance. All we have to do is open the Redis configuration file,
$ sudo vim /etc/redis/redis.conf
& then look for the commented-out line that says “requirepass”, uncomment it & put a password after it, like
requirepass password@1234
Now save the file & restart the redis service to implement the changes made,
$ sudo systemctl restart redis
Now, to connect to the Redis instance, we first need to run,
$ redis-cli
& then run the following command,
127.0.0.1:6379> auth password@1234
Now we will be able to run Redis commands in redis-cli.
2- Renaming some dangerous commands
There are certain commands that can have devastating results, like FLUSHDB, FLUSHALL, KEYS, DEL, CONFIG, SHUTDOWN, BGREWRITEAOF, BGSAVE, SAVE, RENAME, DEBUG, etc. There are many other commands, but these are the ones that can do serious damage.
So we can do two things here: if we use a command regularly, we can rename it to something that will be hard to guess, or we can disable a command completely if it’s not required.
To rename a command, open the configuration file,
$ sudo vi /etc/redis/redis.conf
& add the following line,
rename-command FLUSHALL "DELETEALL"
Now restart the Redis service to apply the change. After that, the ‘FLUSHALL’ command will not work at all & we will have to use ‘DELETEALL’ instead.
To completely disable a command, open the configuration file & add the following line,
rename-command FLUSHALL ""
Restart the service to apply the change & after that, the FLUSHALL command will be completely disabled.
3- Allow connections from localhost only
By default, Redis only accepts connections from the local system. So if you have not enabled connections from remote systems, you do not need to make any changes. But if you have enabled remote connections, you can make the following change to revert that.
Open the Redis configuration file,
$ sudo vi /etc/redis/redis.conf
& change the line starting with ‘bind’ to,
bind 127.0.0.1
Restart the service to apply changes.
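As an added example (not part of the original tutorial), the script below checks a redis.conf for the three settings covered above: an uncommented requirepass, rename-command entries for the dangerous commands, and a bind line restricted to loopback. The function names are our own and the sample config it writes is constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original post): audit a redis.conf for the
# three hardening settings covered above. Function names are our own and
# the sample config is constructed.

# Prints one line per check; returns 0 only when every check passes.
audit_redis_conf() {
    conf="$1"
    rc=0
    # 1. requirepass present and uncommented (a leading # would hide it)
    if grep -Eq '^[[:space:]]*requirepass[[:space:]]+[^[:space:]]' "$conf"; then
        echo "OK   requirepass is set"
    else
        echo "FAIL requirepass missing or commented out"; rc=1
    fi
    # 2. dangerous commands renamed or disabled with rename-command
    for cmd in FLUSHALL FLUSHDB CONFIG DEBUG; do
        if grep -Eiq "^[[:space:]]*rename-command[[:space:]]+$cmd[[:space:]]" "$conf"; then
            echo "OK   $cmd renamed or disabled"
        else
            echo "FAIL $cmd still reachable under its default name"; rc=1
        fi
    done
    # 3. bind restricted to loopback (IPv6 loopback also accepted)
    if grep -Eq '^[[:space:]]*bind[[:space:]]+127\.0\.0\.1([[:space:]]+-?::1)?[[:space:]]*$' "$conf"; then
        echo "OK   bind restricted to localhost"
    else
        echo "FAIL bind missing or allows non-loopback addresses"; rc=1
    fi
    return $rc
}

# Constructed sample: everything from the post except a renamed CONFIG,
# so the audit reports exactly one failure.
write_sample_conf() {
    cat > "$1" <<'EOF'
# requirepass foobared
requirepass password@1234
rename-command FLUSHALL ""
rename-command FLUSHDB DELETEDB
rename-command DEBUG ""
bind 127.0.0.1
EOF
}

sample=$(mktemp)
write_sample_conf "$sample"
audit_redis_conf "$sample" || echo "audit found issues in $sample"
rm -f "$sample"
```

Point audit_redis_conf at /etc/redis/redis.conf to check a real server; a FAIL line tells you which of the three sections above still needs to be applied.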
These were some of the changes we can make to secure a Redis installation. If you have any questions or concerns, you can reach us using the comment box below.