How to Install and Secure Redis on Ubuntu 18.04


Introduction

This guide explains how to install, configure and secure Redis on Ubuntu 18.04.

Redis is an acronym for Remote Dictionary Service. It is an in-memory data structure project known for its performance, flexibility, and broad language support. It is used as a database, cache and message broker.

Prerequisites

You should have access to an Ubuntu 18.04 server. Create a non-root user with sudo privileges by following our guide, Initial server setup with Ubuntu 18.04.

Install and Configure Redis

Use the apt command to update the package index and then install the latest version of Redis available in the Ubuntu repositories.

$ sudo apt update
$ sudo apt install redis-server

The Redis installation also installs a default Redis configuration file. You need to make a few changes to it.

Open the Redis configuration file using the below command.

$ sudo vi /etc/redis/redis.conf

Within the file, find the supervised directive. It declares which init system manages Redis as a service, which gives you more control over its operation. By default, the directive is set to ‘no’; because Ubuntu uses systemd, set it to systemd.


# If you run Redis from upstart or systemd, Redis can interact with your
# supervision tree. Options:
#   supervised no      - no supervision interaction
#   supervised upstart - signal upstart by putting Redis into SIGSTOP mode
#   supervised systemd - signal systemd by writing READY=1 to $NOTIFY_SOCKET
#   supervised auto    - detect upstart or systemd method based on
#                        UPSTART_JOB or NOTIFY_SOCKET environment variables
# Note: these supervision methods only signal "process is ready."
#       They do not enable continuous liveness pings back to your supervisor.
supervised systemd

. . .

Save and close the file.

Now, restart the Redis services to apply the changes that you have made.

$ sudo systemctl restart redis.service

Test Redis

After installing Redis, test whether the Redis service is working correctly. This guide gives a few ways to do so.

First, check the status of the Redis service with the below command.

$ sudo systemctl status redis

The output should show the service as active (running).

You can check the Redis service using the command-line client.

$ redis-cli

You will be directed to the Redis prompt. Now, check the connectivity using the ping command.

127.0.0.1:6379> ping

Output:

PONG

This means your server connection is active. Now, check if you can set keys using the below command.

127.0.0.1:6379> set test "It's working!"

Output:

OK

Retrieve the value using the command:

127.0.0.1:6379> get test

You will get the following output if everything is working correctly.

"It's working!"

After confirming that you can retrieve the value, exit the Redis prompt to go back to the shell.

127.0.0.1:6379> exit

Now, check if Redis can hold data even after restarting it. Use the below command to restart the Redis service.

$ sudo systemctl restart redis

Now, again check the Redis service using the command-line client.

$ redis-cli

You will be directed to the Redis prompt. Retrieve the value using the command:

127.0.0.1:6379> get test

You will get the following output if everything is working correctly.

"It's working!"

After confirming that you can retrieve the value, exit the Redis prompt to go back to the shell.

127.0.0.1:6379> exit

Bind to Localhost

Now, you need to make sure that the Redis service is accessible only from localhost and refuses connections from all other sources. To do so, open the Redis configuration file using the below command.

$ sudo nano /etc/redis/redis.conf

Within the file, find the below line and, if it is commented out, uncomment it by removing the leading ‘#’.

bind 127.0.0.1 ::1

Then, save and close the file.

Restart the Redis service to apply the changes.

$ sudo systemctl restart redis

Run the below command to check whether the change was applied (netstat is provided by the net-tools package).

$ sudo netstat -lnp | grep redis

The output should show redis-server listening only on the loopback addresses, 127.0.0.1:6379 and ::1:6379.

If you see any other address, check that you have uncommented the correct line within the Redis configuration file.

If the output lists only the loopback addresses, the changes to the Redis configuration file were applied correctly and your Redis server is listening only on localhost. Remote hosts can no longer connect to Redis directly, which makes it very difficult for attackers to reach it over the network. However, Redis does not yet require users to authenticate before making changes to its configuration or data.

Configure Redis Password

Redis has a security feature, the auth command, which requires clients to authenticate before they can access the database. Configuring a Redis password enables it. To do so, open the Redis configuration file, /etc/redis/redis.conf.

$ sudo nano /etc/redis/redis.conf

Scroll down to the SECURITY section and look for the below line.

# requirepass foobared

Uncomment it by removing the ‘#’ and replace foobared with a long, random password. Redis answers authentication attempts very quickly, so a short password can be brute-forced. Then save and close the file.

Now, restart the Redis service using the below command.

$ sudo systemctl restart redis.service

Access the Redis command line to check if the password works or not.

$ redis-cli

You will be directed to the Redis prompt. Before authenticating, try to set a key to a value.

127.0.0.1:6379> set key1 10

You will get a NOAUTH error because you have not authenticated yet.

Now, authenticate with your password using the below command.

127.0.0.1:6379> auth your_redis_password

Output:

OK

Now, run the previous command again to check if you get the correct output.

127.0.0.1:6379> set key1 10

Output:

OK

Now, check if you get the value of the new key.

127.0.0.1:6379> get key1

Output:

"10"

Then, exit the Redis prompt with the below command.

127.0.0.1:6379> exit

Rename Dangerous Commands

To enhance your Redis server’s security, you should disable or rename specific commands that are considered dangerous. Some of these are FLUSHDB, FLUSHALL, DEBUG, BGSAVE, SAVE, SPOP, RENAME, SREM, SHUTDOWN and CONFIG. Whether you disable or rename a command depends entirely on your specific needs. To do so, open the Redis configuration file.

$ sudo vi  /etc/redis/redis.conf

Scroll down to the security section within the file.

To disable any specific command, rename it to an empty string as shown below.

. . .
# It is also possible to completely kill a command by renaming it into
# an empty string:
#

rename-command FLUSHDB ""
rename-command FLUSHALL ""
rename-command DEBUG ""
. . .

To rename a command, give it another name that you can easily remember but that others cannot easily guess, as shown below.

# rename-command CONFIG ""
rename-command SHUTDOWN SHUTDOWN_SOG
rename-command CONFIG SOG_CONFIG
. . .

Then, save and close the file.

Now, restart Redis service to apply the changes that you have made.

$ sudo systemctl restart redis.service

Run the Redis command line to test the new command.

$ redis-cli

You will be directed to the Redis prompt. Authenticate with your password.

127.0.0.1:6379> auth your_redis_password

Output:

OK

Now, run the below command with the original name, CONFIG. You should get an error as you renamed it to SOG_CONFIG.

127.0.0.1:6379> config get requirepass

Output:

Now, run the above command with the new name, SOG_CONFIG.

127.0.0.1:6379> sog_config get requirepass

Output:

1) "requirepass"
2) "your_redis_password"

Then, exit the Redis prompt with the below command.

127.0.0.1:6379> exit
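
The three hardening steps above (loopback bind, requirepass, rename-command) can be checked in one pass over the configuration file. The script below is an added example, not part of the original guide; the function names, the 32-character password minimum and the two sample configs are assumptions made for this example.

```shell
#!/bin/sh
# Audit a redis.conf for this guide's hardening steps; one line per failed check.
# audit_redis_conf returns the number of failures.

# Arguments of the last active (uncommented) line for directive $2 in file $1.
directive() {
    awk -v d="$2" 'tolower($1) == d { $1 = ""; sub(/^ +/, ""); v = $0 }
        END { print v }' "$1"
}

fail() { echo "FAIL $*"; fails=$((fails + 1)); }
audit_redis_conf() {
    conf=$1; fails=0
    # Bind: every address on the bind line must be loopback.
    bind=$(directive "$conf" bind)
    [ -n "$bind" ] || fail "bind: no active line, Redis listens on all interfaces"
    for addr in $bind; do
        case $addr in
            127.*|::1) ;;
            *) fail "bind: non-loopback address $addr" ;;
        esac
    done
    # Password: set, not the sample value, and long (32 is an assumed minimum).
    pass=$(directive "$conf" requirepass)
    if [ -z "$pass" ]; then fail "requirepass: not set"
    elif [ "$pass" = foobared ]; then fail "requirepass: sample value foobared"
    elif [ "${#pass}" -lt 32 ]; then fail "requirepass: shorter than 32 characters"
    fi
    # Commands the guide disables or renames need an active rename-command line.
    for cmd in FLUSHDB FLUSHALL DEBUG SHUTDOWN CONFIG; do
        awk -v c="$cmd" 'tolower($1) == "rename-command" && toupper($2) == c { f = 1 }
            END { exit !f }' "$conf" || fail "rename-command: $cmd keeps its default name"
    done
    return "$fails"
}

# Constructed sample configs (not from a real server): $1 = weak | hardened.
sample_conf() {
    if [ "$1" = hardened ]; then
        printf '%s\n' 'bind 127.0.0.1 ::1' \
            'requirepass CONSTRUCTED-placeholder-not-a-real-secret-0123456789' \
            'rename-command FLUSHDB ""' 'rename-command FLUSHALL ""' 'rename-command DEBUG ""' \
            'rename-command SHUTDOWN SHUTDOWN_SOG' 'rename-command CONFIG SOG_CONFIG'
    else
        printf '%s\n' 'bind 0.0.0.0' '# requirepass foobared' 'rename-command FLUSHDB ""'
    fi
}
tmp=$(mktemp); sample_conf weak > "$tmp"
audit_redis_conf "$tmp" || echo "$? check(s) failed"   # weak sample: 6 failures
rm -f "$tmp"
```

To check the live file, call audit_redis_conf /etc/redis/redis.conf as a user who can read it; the script never prints the password itself.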

Conclusion

You have successfully installed and configured Redis on Ubuntu 18.04, verified that the Redis service is working correctly, and modified some dangerous commands in the Redis configuration file to make it less vulnerable to attackers.