Securing any kind of database is one of the top-priority tasks when building a secure environment. In this post we look at the different approaches available for securing Redis, one by one and in detail.
Secure Redis At the Network Layer
The default Redis port is 6379 (IANA #815344, as the comment in redis.conf notes), and there are two ways to restrict access to it at the network layer.
Accept Redis traffic only from trusted networks or IPs, using iptables on the host or a firewall / ACL on the network devices in front of it. An ACCEPT rule on its own blocks nothing: iptables evaluates rules in order, so the ACCEPT rules for trusted sources must be followed by a rule that drops all other traffic to the Redis port (or the INPUT chain must already default to DROP).
[root@siddhesh ~]# iptables -A INPUT -s <Source IP> -p tcp --dport 6379 -j ACCEPT
Change the default Redis port from 6379 to a non-standard port. This is obscurity, not a control: a port scanner such as nmap run from a remote host finds the new port in seconds, so treat it only as a way to dodge the most naive automated scans and still combine it with the firewall rules above.
[root@siddhesh ~]# grep ^port /etc/redis.conf
port 6379
[root@siddhesh ~]#
Set a custom port in this file and restart the Redis service. Make sure the new port is not already in use on the server before restarting.
Secure Redis At the Application Layer
The application layer of Redis offers several settings that harden the instance further in a more systematic way.
Redis protected mode
Protected mode is Redis' guard against instances accidentally left open on the internet. When it is enabled and neither a bind directive nor a requirepass is configured, Redis only accepts connections from the loopback addresses (127.0.0.1 and ::1) and from Unix domain sockets; any other client is refused with an error explaining that the server is running in protected mode. It has been enabled by default since Redis 3.2. You can verify this using either of the methods below.
Method 1:
[root@siddhesh ~]# redis-cli config get protected-mode
1) "protected-mode"
2) "yes"
[root@siddhesh ~]#
Method 2 :
[root@siddhesh ~]# grep ^protected-mode /etc/redis.conf
protected-mode yes
[root@siddhesh ~]#
Redis Bind
When no bind directive is present (shown as an empty value below) Redis listens on every network interface of the server. Setting bind explicitly restricts the listening socket to the named interface addresses. Note the interaction with the previous section: as soon as bind is configured, protected mode no longer applies, so binding to a non-loopback address without requirepass leaves the instance open to everyone who can reach that address. Combine bind with authentication rather than relying on either alone. (The redis.conf shipped with Redis 3.2 and later contains a bind 127.0.0.1 line; the file on this instance has none.)
Get Bind Config :
[root@siddhesh ~]# redis-cli config get bind
1) "bind"
2) ""
[root@siddhesh ~]#
Set Bind Config :
[root@siddhesh ~]# redis-cli config set bind "192.168.1.2"
OK
[root@siddhesh ~]#
Get Bind Config :
[root@siddhesh ~]# redis-cli -h 192.168.1.2 config get bind
1) "bind"
2) "192.168.1.2"
[root@siddhesh ~]#
Because Redis is now bound to 192.168.1.2 only, redis-cli's default target of 127.0.0.1 no longer has a listener, so the -h flag is needed to reach the bound address. Also note that config set changes the running instance only; to survive a restart, edit the bind line in /etc/redis.conf (or run config rewrite).
Redis Authentication
Redis authentication is disabled by default. Enabling it makes every client authenticate with the AUTH command (a single shared password) before any other command is accepted, so that only authenticated clients can reach the data. Because Redis is very fast and applies no rate limit to AUTH, an attacker can try a huge number of passwords per second; use a long random string, not a dictionary word. (Redis 6 and later additionally offer per-user ACLs with their own passwords and command permissions.)
Get Authentication Status:
[root@siddhesh ~]# redis-cli config get requirepass
1) "requirepass"
2) ""
[root@siddhesh ~]#
As we can see, Redis is configured without a password because requirepass shows an empty value. Set password for authentication:
[root@siddhesh ~]# grep ^requirepass /etc/redis.conf
requirepass pass@123#
[root@siddhesh ~]#
To enable it, add the requirepass parameter followed by the password to /etc/redis.conf and restart the Redis service. Reverify authentication status:
[root@siddhesh ~]# redis-cli -a pass@123# config get requirepass
1) "requirepass"
2) "pass@123#"
[root@siddhesh ~]#
After enabling authentication, every connection must authenticate with the password before it can issue commands. Passing it with -a as above exposes it in the process list and the shell history (recent redis-cli versions print a warning about exactly this); for scripts, prefer the REDISCLI_AUTH environment variable.
Note: Redis has no mechanism to encrypt this password, so it is stored in plain text in the configuration file; restrict the file's permissions accordingly. The password also travels in clear text on the wire unless the connection uses TLS (built in since Redis 6), so do not rely on requirepass alone on an untrusted network.
Disable Critical Command (Rename & Empty)
A few Redis commands can cause data loss or a full compromise if executed without good reason, such as SHUTDOWN, CONFIG, FLUSHALL and FLUSHDB. To prevent human error (and to take these commands away from any client that knows the shared password), they can be renamed to an unguessable keyword or disabled outright with the rename-command directive. Proceed as follows. 1. Edit the Redis configuration file with vim:
[root@siddhesh ~]# vim /etc/redis.conf
2. Rename the SHUTDOWN command to STOPPRODUCTION with rename-command:
[root@siddhesh ~]# grep SHUTDOWN /etc/redis.conf
rename-command SHUTDOWN STOPPRODUCTION
[root@siddhesh ~]#
3. Restart Redis so the new configuration is loaded (rename-command cannot be set at runtime), then test that it really works:
[root@siddhesh ~]# redis-cli
127.0.0.1:6379> shutdown
(error) ERR unknown command 'shutdown'
127.0.0.1:6379> STOPPRODUCTION
not connected>
[root@siddhesh ~]#
The output above shows that Redis no longer recognises shutdown but accepts the renamed STOPPRODUCTION command (which stopped the server, hence the "not connected>" prompt). Similarly, a command can be disabled entirely by renaming it to an empty string. Two caveats from redis.conf: renaming commands that are written to the AOF or sent to replicas can cause problems, so every node of a replicated setup needs identical rename-command lines; and on Redis 6 and later, per-user ACLs are the preferred way to restrict commands.
[root@siddhesh ~]# grep CONFIG /etc/redis.conf
rename-command CONFIG ""
[root@siddhesh ~]#
Verify :
[root@siddhesh ~]# redis-cli config get requirepass
(error) ERR unknown command 'config'
[root@siddhesh ~]#
The output above shows that Redis no longer recognises config at all. Keep in mind that this also removes config get, config set and config rewrite for administrators, so a change such as the bind example earlier must then be made in the file and applied with a restart.
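The settings covered above (port, bind, protected-mode, requirepass and rename-command) interact, and the bind/protected-mode interaction in particular is easy to get wrong. The script below is an added example, not code from the original post: it parses the directives this post greps for out of a redis.conf, models the listener's accept decision the way redis.conf describes it for Redis 3.2 through 6.x (protected mode only rejects non-loopback peers when there is no bind directive and no password), and lists the findings an auditor would raise. The three sample configs, the list of dangerous commands and the 32-character password threshold are assumptions made for the demo.

```python
import ipaddress
import shlex

# Assumed list: the commands the post names plus a few of the same kind.
DANGEROUS_COMMANDS = ("CONFIG", "SHUTDOWN", "FLUSHALL", "FLUSHDB", "DEBUG", "KEYS")
DEFAULT_PORT = 6379
MIN_PASSWORD_LEN = 32   # heuristic threshold; redis.conf only says "very long"


def parse_redis_conf(text):
    """Pull the security-relevant directives out of redis.conf text.

    Blank lines and '#' comments are skipped; the first word is the directive.
    Single-valued directives keep the last occurrence; rename-command accumulates.
    """
    conf = {"port": DEFAULT_PORT, "bind": [], "protected_mode": True,
            "requirepass": "", "renamed": {}}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = shlex.split(line)        # keeps the empty "" in: rename-command CONFIG ""
        key, args = parts[0].lower(), parts[1:]
        if key == "port" and args:
            conf["port"] = int(args[0])
        elif key == "bind":
            conf["bind"] = [a.lstrip("-") for a in args]   # "-::1" marks an optional address
        elif key == "protected-mode" and args:
            conf["protected_mode"] = args[0].lower() == "yes"
        elif key == "requirepass" and args:
            conf["requirepass"] = args[0]
        elif key == "rename-command" and len(args) == 2:
            conf["renamed"][args[0].upper()] = args[1]
    return conf


def would_accept(conf, client_ip, dest_ip):
    """Model the listener: does a TCP client at client_ip, connecting to dest_ip, get a session?

    Mirrors the rule stated in redis.conf (Redis 3.2-6.x): protected mode only
    rejects non-loopback peers when there is no bind directive AND no password.
    Returns (accepted, reason).
    """
    if conf["bind"] and dest_ip not in conf["bind"]:
        return False, "no listener on %s (bound to %s)" % (dest_ip, ",".join(conf["bind"]))
    peer = ipaddress.ip_address(client_ip)
    if (conf["protected_mode"] and not conf["bind"]
            and not conf["requirepass"] and not peer.is_loopback):
        return False, "DENIED by protected mode"
    if conf["requirepass"]:
        return True, "connected; AUTH required before commands"
    return True, "connected; no authentication"


def audit(conf):
    """Return a list of findings; empty when every control from the post is in place."""
    findings = []
    if conf["port"] == DEFAULT_PORT:
        findings.append("default port 6379 (low value: a port scan finds any port anyway)")
    if not conf["bind"]:
        findings.append("no bind directive: listening on every interface")
    if not conf["protected_mode"]:
        findings.append("protected-mode is off")
    if not conf["requirepass"]:
        findings.append("requirepass unset: anyone who can connect has full access")
    elif len(conf["requirepass"]) < MIN_PASSWORD_LEN:
        findings.append("requirepass shorter than %d chars: Redis has no AUTH rate limit" % MIN_PASSWORD_LEN)
    if conf["bind"] and not conf["requirepass"]:
        findings.append("bind set without a password: protected mode no longer applies")
    for cmd in DANGEROUS_COMMANDS:
        if cmd not in conf["renamed"]:
            findings.append("%s is reachable under its default name" % cmd)
    return findings


# Constructed sample configs for the demo (not taken from any real server).
POST_CONFIG = """
port 6379
protected-mode yes
"""

BOUND_NO_PASSWORD = POST_CONFIG + "bind 192.168.1.2\n"

HARDENED_CONFIG = """
port 6379
bind 192.168.1.2
protected-mode yes
requirepass 5e4f7c2a9b1d3e6f8a0c2b4d6e8f0a1c3b5d7e9f
rename-command CONFIG ""
rename-command SHUTDOWN STOPPRODUCTION
rename-command FLUSHALL ""
rename-command FLUSHDB ""
rename-command DEBUG ""
rename-command KEYS ""
"""

if __name__ == "__main__":
    for name, text in (("post", POST_CONFIG), ("bound", BOUND_NO_PASSWORD), ("hardened", HARDENED_CONFIG)):
        conf = parse_redis_conf(text)
        print(name, would_accept(conf, "192.168.1.50", "192.168.1.2"), audit(conf))
```

Run it as a script to see all three configs scored. The instructive case is the second one: adding bind 192.168.1.2 (the step shown earlier on this page) without a requirepass turns the protected-mode rejection of a LAN client into an unauthenticated session, which is exactly why bind and authentication belong together.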