Easy guide for Securing Redis Server

Like any other application or server, Redis installations might also be susceptible to unauthorized access or intrusions, if we have not secured it properly. In this tutorial, we will focus on securing Redis server to avoid any unauthorized access or intrusions.

Redis is an open source, in-memory data structure store or a key-value store that can be used as a cache for application, as a database server or even as a message broker. In our previous tutorials, we have already discussed the installation & also setting up a master-slave like architecture for the Redis server.

Recommended Read: SysAdmin’s guide to REDIS CLI Commands

Also Read: How to install CouchDB (& GUI manager) on CentOS & Ubuntu

So let's start this tutorial on securing Redis server,

1-  Securing redis server installation with a password

This should be like the first thing you should do with your redis installation. To assign a password, open your configuration file,

Note:- This is the configuration file path for my installation, yours can be ‘/etc/redis/redis.conf’ or if you have a custom installation like mine, then go to that location.

# vim /usr/local/redis/6379.conf

And look for the parameter ‘requirepass’, we need to uncomment it & then assign a password,

requirepass  test@9879

Once the changes have been made, restart the redis service to implement the changes made. Now to connect to redis-cli, you will have to enter the password. First, connect to redis-cli,

# redis-cli

Now provide the password,

127.0.0.1:6379> auth test#9897

That’s it. You will now be connected to redis-cli.

2- Securing redis server access to localhost only

So if you have not tinkered with your redis conf, this might be already done for you. Basically, by default, redis server is & should only accessible from the localhost. But if you have allowed access from other servers or public access, then you are in serious danger of breach. 

To avoid that, open your redis configuration file,

# vim /usr/local/redis/6379.conf

Once you have opened the file, look for ‘bind’ parameter & change it to,

bind 127.0.0.1 ::1

Now save the file & exit. Now restart the redis service to implement the changes made.

3- Securing Redis server by renaming dangerous commands

Using this method, we can avoid any serious repercussions even if someone gains access to our redis server. Redis provides us a way to rename some of the dangerous commands like LUSHDB, FLUSHALL, KEYS, DEL, CONFIG, SHUTDOWN, BGREWRITEAOF, BGSAVE, SAVE, RENAME, and DEBUG. There are other commands as well that can be renamed but these are some of the dangerous ones. We can also disable any of these commands altogether if we don't have use for them in our application. 

So disabling a command is a similar process to renaming a command, for renaming, we will provide an alternate name for the command but for disabling it we will rename it to empty name or string.

To rename a command, open the configuration file,

# vim /usr/local/redis/6379.conf

Now under the ‘Security’ section, we can rename or disable a command. To disable a command, use the following example as reference,

rename-command FLUSHALL ""

For renaming a command, use the following example as reference,

rename-command FLUSHALL DELETEITALL

Here, we have renamed FLUSHALL command to DELETEITALL (Delete It All). Once changes have been made, save the file & restart the redis service to implement the changes. Now login to redis-cli & check the renamed commands.

So this was our guide on securing redis server. Please feel free to send in any questions, queries using the comment box below.