Redis is a popular in-memory key-value store that can be used as a NoSQL key-value database, message broker as well as a caching solution. It is renowned for its flexibility, scalability, seamless replication, simplicity, and ease of use. Redis is widely used in various fields such as machine learning, real-time analytics, chat, messaging, and gaming leaderboards.
On its own, Redis has no robust features, however, you can still tweak Redis to provide added security and ward off unauthorized users.
In this tutorial, we learn how to install and secure Redis on Rocky Linux 8 or AlmaLinux 8.
Step 1: Install Redis on Rocky Linux or AlmaLinux 8
Redis is available in the AppStream repositories, we can use the DNF package manager to install it.
Run the following DNF command to install Redis:
$ sudo dnf install redisOnce installed, we need to make a slight change to its configuration file to change the way Redis runs. Access the Redis configuration file:
$ sudo vim /etc/redis.confScroll and locate the supervised directive. This allows you to leverage the init system in order to run and effectively manage Redis. By default, this is set to no. Since Rocky / AlmaLinux runs on systemd init system, set the value to systemd as indicated.
And that's it. So, save the changes and exit the text editor. By default, Redis does not start automatically, and therefore, we need to start it as follows.
$ sudo systemctl start redisIn addition, enable the service to start every time when the system is powered on or rebooted.
$ sudo systemctl enable redisTo confirm that Redis is running, execute the command:
$ sudo systemctl status redis
As a test that Redis was successfully installed, send a ping message upon which you will get 'PONG' as a reply.
Step 2: Secure Redis using a password
Security is a high priority for any database system, and Redis is no exception. In this step, we will go a step further and enable authentication to secure Redis and ward off unauthorized parties.
Once again, access the configuration file.
$ sudo vim /etc/redis.confLocate the requirepass directive. This is the directive that we will configure to require clients to authenticate before accessing the database.
Uncomment the directive and specify your own password.
requirepass strong_password
To apply the changes, restart the Redis database.
$ sudo systemctl restart redisTo test if the authentication has been enabled, access the Redis client:
$ redis-cliNow try to set a key to a value:
$ set keystudent MikeThis yields the error indicated. This shows that authentication is required.
(error) NOAUTH Authentication required.
To authenticate, invoke the auth keyword followed by the password. Redis will acknowledge the password and allow you to proceed.
Once authenticated, you can proceed to specify your key-value pairs using the set command. To retrieve the value assigned to the key invoke the command:
get keystudent
To exit Redis, simply type quit and press ENTER.
quitStep 3: Set Proper Data directory ownership and permissions
One other important aspect to consider is the ownership and permissions that you need to keep in mind to ensure your Redis installation is robust. This comprises ensuring that only the user that requires access to Redis has the permission to read its data - and that user, in this case, is the redis user.
You can begin by confirming that the Redis data directory has the right directory ownership and permissions.
$ ls -l /var/lib | grep redis
From the output, we can see that the Redis data directory is owned by Redis user and access granted to Redis group. Additionally, the directory's permissions is set to an octal notation of 750. These are the recommended Redis folder ownership and permissions settings.
If the Redis data directory bears insecure permissions, for instance, if it is readable to global users, you need to ensure that only the Redis user and group have access to the folder and its contents.
To do so, run the command:
$ sudo chmod 750 /var/lib/redisIn addition, ensure that the Redis configuration file is owned by the redis user with the secondary group of root. Also, ensure that it has the Octal permissions of 640 as indicated.
$ ls -l /etc/redis.confThe Octal notation of 640 ensures that only the redis and root user can read the configuration file. This is crucial since we configured an encrypted password in Step 2 using the requirepass directive. This means that any other user apart from Redis and Root users will not be able to read the file and access the password.
To further enhance security, ensure that the configuration file is owned by Redis user and group.
$ sudo chown redis:redis /etc/redis.confAlso, set the permissions of the configuration file such that only the Redis owner can read and write on it.
$ sudo chmod 600 /etc/redis.confTo apply the changes we have just made, restart Redis server.
$ sudo systemctl restart redisStep 4: Configure Redis for remote access
Sometimes, you might require to access your Redis instance remotely from another system. To do this, head over to the configuration file.
$ sudo vim /etc/redis.confLocate the bind directive. By default, this is set to listen to localhost.
bind 127.0.0.1Comment it and specify the remote server's private IP.
bind private_ipIf you are accessing it over the public internet, you can set it to 0.0.0.0 to bind it to public IP addresses.
bind 0.0.0.0Next, change protected-mode yes to protected-mode no
protected-mode noThen restart the Redis server to apply the changes.
$ sudo systemctl restart redisThe other step remaining is to configure the Firewall to allow access to our Redis server.
Step 5: Configuring the firewall for redis
If you have Firewalld active and running, consider setting it to allow port 6379 which is the port that Redis listens on.
$ sudo firewall-cmd --add-port=6379/tcp --permanent$ sudo firewall-cmd --reloadPerfect! Now, to test if we can remotely access the Redis instance remotely, use the -h option followed by the IP address of the Redis server
$ redis-cli -h server_IPIn this case:
$ redis-cli -h 10.128.0.44
Conclusion
And that's it, we have successfully installed and secured Redis on Rocky Linux 8 or AlmaLinux 8. Your feedback on this guide is highly welcome.