Redis, an in-memory data structure store, is renowned for its flexibility, performance, and scalability. It is an open-source key-value database that is widely used for caching and session management. Because it is designed for use by trusted clients in a trusted environment, it offers only a limited set of security features, chiefly password authentication and the ability to rename or disable commands. To further harden a Redis deployment, this guide walks through how to install and secure Redis on Rocky Linux 8.
Prerequisites
Before proceeding with the installation and security configuration of Redis, you need a server running Rocky Linux 8. The server should have a non-root user with administrative (sudo) privileges and a firewall configured with firewalld. Both can be set up by following an initial server setup guide for Rocky Linux 8.
Step 1: Installing and Starting Redis
You can install Redis using the DNF package manager, which also installs the Redis dependencies and the text editor nano. Once installed, one key change needs to be made in the Redis configuration file: set the supervised directive from no to systemd, since Rocky Linux uses the systemd init system. After making this change, start the Redis service and enable it to start on boot:
sudo systemctl start redis.service
sudo systemctl enable redis
To check the status of Redis, run the following command:
sudo systemctl status redis
To verify that Redis is functional, use the redis-cli ping command. If Redis responds with PONG, it is running as expected on your server.
Step 2: Configuring Redis and Securing it with a Firewall
A crucial step in securing Redis is to secure the server it runs on. Bind Redis only to localhost or to a private IP address, and make sure a firewall is active. You can add a dedicated Redis zone to your firewalld policy and specify the Redis port and the private IP addresses that are allowed to reach it. After configuring these rules, reload the firewall so they take effect.
Step 3: Configuring a Redis Password
Enabling a Redis password activates one of its built-in security features: the auth command, which requires clients to authenticate before accessing the database. Set a strong password in the Redis configuration file under the requirepass directive. For stronger security, use a password generated by a tool like apg or pwgen, or by hashing a string with sha256sum:
echo "digital-ocean" | sha256sum
Once the password is set, restart Redis and test the password using the Redis client. Note that if you restart Redis while using the Redis command line client, you will need to re-authenticate.
Step 4: Renaming Dangerous Commands
Redis allows renaming or disabling commands that could be misused to destroy or wipe your data. By disabling or renaming risky commands such as FLUSHDB, FLUSHALL, KEYS, PEXPIRE, DEL, CONFIG, SHUTDOWN, BGREWRITEAOF, BGSAVE, SAVE, SPOP, SREM, RENAME, and DEBUG, you can further bolster your data store's security.
All changes related to renaming or disabling commands are made in the Redis configuration file under the rename-command directive. Renaming a command to an empty string disables it entirely:
rename-command FLUSHDB ""
rename-command FLUSHALL ""
rename-command DEBUG ""
rename-command SHUTDOWN SHUTDOWN_MENOT
rename-command CONFIG ASC12_CONFIG
After these changes, restart Redis and test the commands using the Redis client.
Step 5: Setting Data Directory Ownership and File Permissions
Enhancing the security profile of your Redis installation also involves adjusting ownership and permissions. Ensure that only the redis user, which needs to access Redis, has permission to read its data. The Redis configuration file, which contains the password in plain text, should be owned by the redis user and group, with permissions set so that only the owner can read and write it:
sudo chmod 770 /var/lib/redis
sudo chown redis:redis /etc/redis.conf
sudo chmod 600 /etc/redis.conf
After making these changes, restart Redis to apply the modifications.
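As an added example (not code from the original article), the following POSIX shell script applies the configuration changes from Steps 1, 3, 4 and 5 to a redis.conf file and audits a file for the weak settings those steps remove: an open bind address, no requirepass, the supervised directive left at no, destructive commands still enabled, and a world-readable configuration file. The sample configuration, the temporary paths and the placeholder password are constructed for illustration; the firewalld rules from Step 2 live outside the file and are not covered here.

```shell
#!/bin/sh
# Added example, not part of the original article.
# Hardens a redis.conf file the way Steps 1, 3, 4 and 5 describe, and
# audits a file for the weak settings those steps remove.

# harden_redis_conf CONF PASSWORD
# Sets supervised systemd, binds to localhost, sets requirepass,
# disables/renames dangerous commands and restricts file permissions.
harden_redis_conf() {
    conf="$1"
    password="$2"
    # Edit existing directives in place so no duplicates are left behind.
    sed -i -e 's/^supervised .*/supervised systemd/' \
           -e 's/^bind .*/bind 127.0.0.1/' \
           -e "s/^# *requirepass .*/requirepass $password/" "$conf"
    # If the file had no requirepass template line to edit, append one.
    grep -q '^requirepass ' "$conf" || printf 'requirepass %s\n' "$password" >> "$conf"
    # Disable destructive commands and rename administrative ones (names from the article).
    cat >> "$conf" <<'EOF'
rename-command FLUSHDB ""
rename-command FLUSHALL ""
rename-command DEBUG ""
rename-command SHUTDOWN SHUTDOWN_MENOT
rename-command CONFIG ASC12_CONFIG
EOF
    # Only the owner may read the file, since it now holds the password in plain text.
    chmod 600 "$conf"
}

# audit_redis_conf CONF
# Prints one FINDING line per weak setting; the return value is the number of findings.
audit_redis_conf() {
    conf="$1"
    findings=0
    if ! grep -q '^requirepass ' "$conf"; then
        echo "FINDING: no requirepass set"; findings=$((findings + 1))
    fi
    if grep -Eq '^bind .*(0\.0\.0\.0|\*)' "$conf" || ! grep -q '^bind ' "$conf"; then
        echo "FINDING: Redis listens on all interfaces"; findings=$((findings + 1))
    fi
    if ! grep -q '^supervised systemd' "$conf"; then
        echo "FINDING: supervised is not systemd"; findings=$((findings + 1))
    fi
    for cmd in FLUSHDB FLUSHALL DEBUG; do
        if ! grep -q "^rename-command $cmd \"\"" "$conf"; then
            echo "FINDING: $cmd is not disabled"; findings=$((findings + 1))
        fi
    done
    mode=$(stat -c '%a' "$conf")
    if [ "$mode" != "600" ]; then
        echo "FINDING: $conf mode is $mode, expected 600"; findings=$((findings + 1))
    fi
    return "$findings"
}

# make_sample_conf
# Writes a constructed redis.conf with the default-like values the article changes
# into a temporary directory and prints its path.
make_sample_conf() {
    tmp=$(mktemp -d)
    sample="$tmp/redis.conf"
    cat > "$sample" <<'EOF'
bind 0.0.0.0
protected-mode yes
port 6379
supervised no
# requirepass foobared
dir /var/lib/redis
EOF
    chmod 644 "$sample"
    echo "$sample"
}

# Demo on the constructed sample only; it never touches /etc/redis.conf.
demo_conf=$(make_sample_conf)
audit_redis_conf "$demo_conf" || echo "findings before hardening: $?"
harden_redis_conf "$demo_conf" "constructed-example-password"
audit_redis_conf "$demo_conf" && echo "findings after hardening: 0"
```

On a real server you would back up /etc/redis.conf first, run harden_redis_conf against it as root with a password generated the way Step 3 describes, run chown redis:redis on the file as the article does, and then restart Redis. The audit function is the useful half for ongoing checks: run it against the live file after any change and treat a non-zero return as a regression.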
Conclusion
Securing Redis extends beyond its built-in security features. A properly configured firewall is paramount to keep unauthorized users from reaching your server. If Redis traffic must cross an untrusted network, consider an SSL proxy or a VPN, since Redis itself does not encrypt the connection.
To host your secured Redis on a robust platform, consider using Shape.host. They offer efficient, scalable, and secure cloud hosting solutions with Linux VPS SSD, ensuring your Redis operates in a safe and optimized environment.