Redis is an in-memory NoSQL, key-value cache and storage, and can also be saved to disk.
This tutorial shows how to implement basic security for the Redis server.
However, please keep in mind that Redis is designed to be used by trusted clients in trusted environments and does not have its own strong security features. To highlight this, you can take a look at the quote from Redis official website:
Redis is designed to be accessed by trusted clients in a trusted environment. This means that the Redis instance is usually not directly exposed to the Internet, or in general to an environment where untrusted clients can directly access the Redis TCP port or UNIX socket. ... Generally speaking, Redis is not optimized for maximum security, but for maximum performance and simplicity.
Performance and simplicity without security is a recipe for disaster. Redis does have a few simple security features, but nothing to boast about: a basic unencrypted password, and the ability to rename or disable commands. It lacks a real access control system.
However, configuring existing security features is still an important step in maintaining database security.
In this tutorial, you will learn how to configure some of the security features that Redis has, as well as some other system security features, which will improve the security of a standalone Redis installation on Ubuntu 14.04.
Please note that this guide does not cover situations where the Redis server and client applications are located on different hosts or in different data centers, so that Redis traffic must traverse insecure or untrusted networks. Such an installation requires a completely different configuration set, such as an SSL proxy or VPN between the Redis machines, in addition to the configuration given here.
In this tutorial, you will need:
First log in to your server using SSH:
ssh username@server-ip-address
To check whether Redis is working properly, use the Redis command line, which you open with the redis-cli command:
redis-cli
If you have set a password for Redis, you must perform auth after connecting.
auth your_redis_password
OK
Test the database server:
ping
response:
PONG
Exit:
quit
If you followed the iptables prerequisite, skip this step. Otherwise, you can complete it now.
Redis is just an application running on your server. Since it does not have real security features of its own, the first step to truly protecting it is to protect the server it runs on.
For public-facing servers like Ubuntu 14.04 servers, configuring a firewall is the first step. (Enable the firewall on your server. If you are using Tencent Cloud's CVM server, you can directly set it in Security Group in the Tencent Cloud console.)
If you have implemented firewall rules using this guide, there is no need to add additional rules for Redis, because by default, all incoming traffic will be dropped unless explicitly allowed. Since the default standalone installation of the Redis server only listens on the loopback interface (127.0.0.1 or localhost), you should not be concerned about incoming traffic on its default port.
If you need to explicitly allow Redis's IP address, you can check the IP address and port that Redis is listening on from the output of netstat piped through grep. The fourth column (127.0.0.1:6379 here) shows the IP address and port combination associated with Redis:
sudo netstat -plunt | grep -i redis
tcp        0      0 127.0.0.1:6379          0.0.0.0:*               LISTEN      8562/redis-server 1
Ensure that this IP address is allowed in the firewall policy.
By default, the Redis server can only be accessed from localhost. However, if you followed the tutorial to set up a Redis master server, you updated the configuration file to allow connections from anywhere. This is not as secure as binding to localhost.
Open the Redis configuration file for editing:
sudo nano /etc/redis/redis.conf
Find this line and make sure it is uncommented (delete the # if it exists):
bind 127.0.0.1
We will continue to use this file, so keep it open for now.
If you installed Redis using How To Configure a Redis Cluster on Ubuntu 14.04, you should already have configured a password for it. You can decide for yourself whether to set a more secure password by following this section. If not, the instructions in this section will show how to set the database server password.
Configuring a Redis password enables one of its two built-in security features: the auth command, which requires clients to authenticate before they can access the database. The password is configured directly in the Redis configuration file /etc/redis/redis.conf, which you should still have open from the previous step.
Scroll to the SECURITY section and look for the commented directive:
# requirepass foobared
Uncomment it by removing the #, and change foobared to a very strong, very long value.
You can use a tool like apg or pwgen to generate passwords instead of making them up yourself. If you don't want to install an application just to generate a password, you can use the one-liner below. To generate a password different from the one shown here, change the word in the quotation marks.
echo "digital-ocean" | sha256sum
Your output should be similar to:
960c3dac4fa81b4204779fd16ad7c954f95942876b9c4fb1a255667a9dbe389d
Although the generated password will not be pronounceable, it gives you a very strong and very long password, which is exactly the type of password Redis needs. After copying and pasting the output of this command as the new value of requirepass, the line should read:
requirepass 960c3dac4fa81b4204779fd16ad7c954f95942876b9c4fb1a255667a9dbe389d
If you prefer a shorter password, use the output of the following command. Again, change the word in the quotes so that it does not generate the same password as this:
echo "digital-ocean" | sha1sum
This time your output will be somewhat shortened:
10d9a99851a411cdae8c3fa09d7290df192441a9
After setting the password, save the file and restart Redis:
sudo service redis-server restart
To test whether the password is valid, please visit the Redis command line:
redis-cli
The following output shows a series of commands used to test whether the Redis password is valid. The first command attempts to set the key to a value before verification.
set key1 10
This doesn't work, so Redis returns an error.
(error) NOAUTH Authentication required.
The second command uses the password specified in the Redis configuration file for authentication.
auth your_redis_password
Redis confirms.
OK
After that, re-running the previous command will succeed.
set key1 10
OK
Query Redis to get the value of the new key.
get key1
"10"
The last command exits redis-cli. You can also use exit:
quit
Next, we will look at renaming Redis commands.
Another security feature built into Redis allows you to rename or completely disable certain commands that are considered dangerous.
When run by unauthorized users, such commands can be used to reconfigure, destroy or otherwise erase data. As with the authentication password, renaming or disabling commands is configured in the same SECURITY section of the /etc/redis/redis.conf file.
Some known dangerous commands include: FLUSHDB, FLUSHALL, KEYS, PEXPIRE, DEL, CONFIG, SHUTDOWN, BGREWRITEAOF, BGSAVE, SAVE, SPOP, SREM, RENAME and DEBUG. This is not a comprehensive list, but renaming or disabling all commands in this list is a good starting point.
Whether to disable or rename the command is site-specific. If you know you will never use a command that could be abused, then you can disable it. Otherwise, rename it.
To rename or disable Redis commands, open the configuration file again for editing:
sudo nano /etc/redis/redis.conf
These are examples. You should choose to disable or rename the commands that make sense for your setup. You can check the commands yourself at redis.io/commands and decide which ones could be abused.
To disable (kill) a command, rename it to an empty string as follows:
# It is also possible to completely kill a command by renaming it into
# an empty string:
#
rename-command FLUSHDB ""
rename-command FLUSHALL ""
rename-command DEBUG ""
To rename the command, give it another name, as shown in the example below. The renamed command should be hard for others to guess, but easy to remember. Don't make your life difficult.
rename-command SHUTDOWN SHUTDOWN_MENOT
rename-command CONFIG ASC12_CONFIG
Save the changes.
After renaming the command, apply the changes by restarting Redis:
sudo service redis-server restart
To test the new command, enter the Redis command line:
redis-cli
Then, assuming you renamed the CONFIG command to ASC12_CONFIG, the following output shows how to test whether the new command has been applied.
After authenticating:
auth your_redis_password
OK
The first attempt to use the config command should fail because it has been renamed.
config get requirepass
(error) ERR unknown command 'config'
The renamed command should be successful (it is not case sensitive):
asc12_config get requirepass
1) "requirepass"
2) "your_redis_password"
Finally, you can exit redis-cli:
exit
Note: If you are already using the Redis command line and then restart Redis, you will need to re-authenticate. Otherwise, you will get this error when you type a command:
NOAUTH Authentication required.
Regarding renamed commands, there is a warning at the end of the SECURITY section of /etc/redis/redis.conf:
Please note that changing the name of commands that are logged into the AOF file or transmitted to slaves may cause problems.
This means that if the renamed commands are not in the AOF file, or if they are but the AOF file has not been transmitted to the slaves, there should be no problem.
Therefore, keep this in mind when renaming commands. The best time to rename commands is when you are not using AOF persistence, or right after installation, that is, before deploying the application that uses Redis.
When you use AOF and deal with a master-slave installation, please consider this answer from the project's GitHub issues page, given in response to the author's question:
These commands are recorded to the AOF and replicated to the slave in the same way as they are sent, so if you try to replay the AOF on an instance that does not have the same rename, you may face inconsistencies (same as for slaves) because the commands cannot be executed.
Therefore, the best way to handle renaming in this situation is to ensure that the renamed command is applied to all instances in the master-slave installation.
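The password and rename-command steps above are easy to get subtly wrong by hand, so here is an added configuration audit (example code written for this page, not part of the original tutorial or of Redis). It parses the directives a redis.conf contains, checks bind, requirepass and rename-command against the list of dangerous commands given above, and flags a command that is renamed twice, which Redis rejects at startup because it resolves the first argument by the command's original name. The 40-character minimum password length is an assumption based on the sha1sum suggestion above, and the sample configuration is constructed.

```python
import shlex
# Commands the tutorial lists as dangerous (a starting point, not a complete list).
DANGEROUS = ["FLUSHDB", "FLUSHALL", "KEYS", "PEXPIRE", "DEL", "CONFIG", "SHUTDOWN",
             "BGREWRITEAOF", "BGSAVE", "SAVE", "SPOP", "SREM", "RENAME", "DEBUG"]
LOOPBACK = {"127.0.0.1", "localhost", "::1"}
MIN_PASSWORD_LEN = 40  # assumption: at least a sha1sum hex digest, as suggested above

def parse_conf(text: str) -> list:
    """Split redis.conf into [directive, args...]; shlex turns the quoted "" into ''."""
    lines = (line.strip() for line in text.splitlines())
    return [shlex.split(line) for line in lines if line and not line.startswith("#")]

def audit(conf_text: str) -> dict:
    """Check bind, requirepass and rename-command against the hardening steps above."""
    findings, binds, password, renames = [], [], None, {}
    for parts in parse_conf(conf_text):
        name, args = parts[0].lower(), parts[1:]
        if name == "bind":
            binds = args
        elif name == "requirepass" and args:
            password = args[0]
        elif name == "rename-command" and len(args) == 2:
            cmd = args[0].upper()
            # Redis looks the command up by its original name; once renamed or disabled
            # it no longer exists, so a second rename-command for it aborts startup.
            if cmd in renames:
                findings.append(f"{cmd} is renamed twice; Redis will not start")
            renames[cmd] = args[1]
    if not binds or any(b not in LOOPBACK for b in binds):
        findings.append("bind is missing or not restricted to loopback")
    if password is None:
        findings.append("requirepass is not set")
    elif len(password) < MIN_PASSWORD_LEN:
        findings.append(f"requirepass is shorter than {MIN_PASSWORD_LEN} characters")
    for cmd in DANGEROUS:
        if cmd not in renames:
            findings.append(f"{cmd} is neither renamed nor disabled")
    return {"findings": findings,
            "disabled": sorted(c for c, new in renames.items() if new == ""),
            "renamed": {c: new for c, new in renames.items() if new}}

# Constructed sample mirroring the tutorial's settings (not a real /etc/redis/redis.conf).
SAMPLE_CONF = """\
bind 127.0.0.1
requirepass 960c3dac4fa81b4204779fd16ad7c954f95942876b9c4fb1a255667a9dbe389d
rename-command FLUSHDB ""
rename-command FLUSHALL ""
rename-command SHUTDOWN SHUTDOWN_MENOT
rename-command CONFIG ASC12_CONFIG
"""
```

Running audit(SAMPLE_CONF) reports the ten listed commands that the sample leaves untouched; run it against a copy of your own redis.conf before restarting the server.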
In this step, we will consider some ownership and permission changes that you can make to improve the security profile of the Redis installation. This involves ensuring that only users who need access to Redis have the right to read its data. By default, this user is the redis user.
You can verify this by listing the parent of the Redis data directory in long format. The command and its output are as follows.
ls -l /var/lib | grep redis
drwxr-xr-x 2 redis redis 4096 Aug  6 09:32 redis
You can see that the Redis data directory is owned by the redis user, with secondary ownership granted to the redis group. That part is fine.
What is not fine is the folder permissions: 755. To ensure that only the redis user can access the folder and its contents, change the permissions to 700:
sudo chmod 700 /var/lib/redis
The other permissions you should change are the permissions of the Redis configuration file. By default, it has file permissions of 644 and is owned by root, with secondary ownership by the root group:
ls -l /etc/redis/redis.conf
-rw-r--r-- 1 root root 30176 Jan 14  2014 /etc/redis/redis.conf
This permission (644) is world-readable, which is not a good idea because it contains the unencrypted password configured in step 4.
We need to change the ownership and permissions. Ideally, the file should be owned by the redis user with secondary ownership by the root group. To do this, run the following command:
sudo chown redis:root /etc/redis/redis.conf
Then change the permissions so that only the owner of the file can read and/or write to it:
sudo chmod 600 /etc/redis/redis.conf
You can verify the new ownership and permissions in the following ways:
ls -l /etc/redis/redis.conf
-rw------- 1 redis root 29716 Sep 22 18:32 /etc/redis/redis.conf
Finally, restart Redis:
sudo service redis-server restart
Keep in mind that once someone has logged into your server, it is easy to bypass the Redis-specific security features we have implemented. Therefore, the most important security feature is making it very difficult to jump the fence in the first place.
That should be your firewall.
To raise server security to a new level, you can configure an intrusion detection system such as OSSEC.
If you are trying to secure Redis communication through an untrusted network, you must use an SSL proxy, as recommended by the Redis developers in the Official Redis Security Guide. Setting up an SSL proxy to protect Redis communication is a separate topic.
We did not include a complete list of Redis commands in the rename section. However, you can check yourself and determine how to abuse them in redis.io/commands.
Reference: "How To Secure Your Redis Installation on Ubuntu 14.04"