Share your love
Install and Configure Redis on Rocky Linux 8
In this guide from the Orcacore website, we intend to teach you How To Install and Configure Redis on Rocky Linux 8. Redis is a fast in-memory database and cache, open source under a BSD license, written in C, and optimized for speed. Redis’ name comes from “REmote DIctionary Server”.
It is often called a data structure server because its core data types are similar to those found in programming languages like strings, lists, dictionaries (or hashes), sets, and sorted sets. It also provides many other data structures and features for approximate counting, geolocation, and stream processing.
Table of Contents
Steps To Install and Configure Redis on Rocky Linux 8
To complete this article, you need to log in to your server as a non-root user with sudo privileges and a basic setup for the firewall. To do this, you can check the Initial server setup with Rocky Linux 8.
Now follow the steps below to complete this guide.
1. Install Redis Server on Rocky Linux 8
First, you need to update your local package index with the following command:
sudo dnf update -yThen, use the DNF Package Manager to install the EPEL repository and Redis:
# sudo dnf install epel-release -y
# sudo dnf install redis -yWhen your installation is completed, proceed to the next step to start and enable your Redis server.
2. Manage Redis Server on Rocky Linux 8
At this point, you need to make some configuration changes in the Redis configuration file. Open the file with your favorite text editor. Here we use the vi editor:
sudo vi /etc/redis.confInside the file, search for the supervised directive. This directive allows you to declare an init system to manage Redis as a service, providing you with more control over its operation.
By default, it is set to no; you have to change it to systemd:
When you are finished, save and close the file.
Here, you need to start the Redis service on Rocky Linux 8 with the following command:
sudo systemctl start redis.serviceIf you want Redis to start at boot, enable it with the following command:
sudo systemctl enable redisTo check that Redis is active and running, you can use the following command:
sudo systemctl status redisIn your output, you should see:
Now you can test Redis’s functionality with the following command:
redis-cli pingIn your output, you should see:
Output
PONGIt means that you have a Redis server running on your Rocky Linux 8 and you can start to configure it to raise its security.
3. Secure Redis Server on Rocky Linux
An effective way to protect Redis is to secure the server it’s running on. To do this, you can be sure that Redis is limited only to localhost or to a private IP address, and also that the server has a firewall up and running.
Open the Redis configuration file with your favorite text editor again:
sudo vi /etc/redis.confInside the file, search for the “bind” line:
. . .
bind 127.0.0.1Note: If you need to bind Redis to another IP address, it’s strongly recommended to bind it to a private IP address.
. . .
bind your_private_ipAfter you have made this change, save and close the file.
We assumed that you have installed and enabled Firewalld in the requirements part.
You should only allow access to your Redis server from your hosts by using their private IP addresses in order to limit the number of hosts your service is exposed to.
First, you need to add a dedicated Redis zone to your firewalld policy with the following command:
sudo firewall-cmd --permanent --new-zone=redisRedis uses port 6379 by default. You need to open it through the firewall with the following command:
sudo firewall-cmd --permanent --zone=redis --add-port=6379/tcpThen, specify any private IP addresses that should be allowed to pass through the firewall and access Redis with the command below:
sudo firewall-cmd --permanent --zone=redis --add-source=client_server_private_IPTo apply these changes, reload the firewall with the following command:
sudo firewall-cmd --reloadNote: The services in the default zone apply to every connection, not just those that don’t match explicitly, so you don’t need to add other services (e.g., SSH) to the Redis zone because those rules will be applied to that connection automatically.
Let’s see how to configure Redis to only be accessible with a strong password.
4. Set up a Strong Password For the Redis Server
You can configure a Redis Password directly in the Redis configuration file. Open the file again with the following command:
sudo vi /etc/redis.confFind the Security section and search for the “requirepass foobared” directive. Uncomment it by removing the # and replacing the foobared phrase with a very strong password of your choosing.
requirepass your-strong-passwordWhen you are finished, save and close the file.
Then, restart Redis to apply these changes with the following command:
sudo systemctl restart redisTo test that the password that you have set works correctly, open the Redis client on Rocky Linux 8 with the following command:
redis-cliThe first command tries to set a key to a value before authentication:
127.0.0.1:6379> set key1 10At this point, Redis returns an error because you have not yet authenticated:
127.0.0.1:6379> NOAUTH Authentication required.Use the following command to authenticate with the password you have set in the Redis configuration file:
127.0.0.1:6379> auth your_redis_passwordAfter entering your Redis password, in your output, you will see OK.
Then run the previous command, it should be working now:
127.0.0.1:6379> set key1 10In your output, you should see OK.
Now use the get key1 command to query Redis for the value of the new key:
127.0.0.1:6379> get key1Output
"10"Exit from the Redis client with the following command:
127.0.0.1:6379> quitNote: At this point, it should be very difficult for unauthorized users to access your Redis installation. Remember that if you are using the Redis client and then restart Redis, you’ll need to re-authenticate. Also, please note that without SSL or a VPN, the unencrypted password will still be visible to outside parties if you’re connecting to Redis remotely.
Additionally, you can rename Redis commands to protect Redis from malicious actors.
5. Rename Redis Dangerous Commands
For more security, Redis allows you to rename or completely disable certain commands that are considered dangerous. like: FLUSHDB, FLISHALL, KEYS, CONFIG, DEBUG, SHUTDOWN, SAVE, STOP, RENAME, etc.
If you know that you will never use a command that can be abused, you can disable it. Otherwise, you should rename it instead.
To enable or disable Redis commands, open the Redis configuration file and go to the Security section:
sudo vi /etc/redis.confNote: These are examples. You should choose to disable or rename the commands that make sense for you. You can learn more about Redis’s commands and determine how they might be misused at redis.io/commands.
Here you can disable or kill a command by renaming it to an empty string like this:
You can rename a command by giving it another name, like this:
When you are finished, save and close the file.
To apply the changes, restart Redis on Rocky Linux 8 with the following command:
sudo systemctl restart redis.serviceNow you can open the Redis client to test your new commands:
redis-cliThen, authenticate yourself with the password that you have set:
127.0.0.1:6379> auth your_redis_passwordWe assumed that you would rename the config command to orca_config. If you use config, you will get an error:
127.0.0.1:6379> config get requirepassOutput
(error) ERR unknown command `config`Now use the renamed command instead:
127.0.0.1:6379> orca_config get requirepassIn your output, you will see:
Output
1) "requirepass"
2) "your_redis_password"Now you can exit from the Redis client with the following command:
127.0.0.1:6379> exitWarning: at the end of the Security section in the /etc/redis.conf file, there is a warning statement which is:
This means if the renamed command is not in the AOF file, or if it is but the AOF file has not been transmitted to replicas, then there should be no problem. The best time to rename the command is when you’re not using AOF persistence or right after installation.
6. Set Correct Ownership and Permissions For Redis Server
In this step, you need to set ownership and make some permission changes to improve the security profile of your Redis installation on Rocky Linux 8. With this, you will be sure that only the Redis user has permission to read its data.
Run the following command to see the Redis data directory ownership and its permissions:
ls -l /var/lib | grep redisOutput
drwxr-x--- 2 redis redis 4096 Sep 12 04:31 redisAs you can see, the Redis data directory is owned by the Redis user, with secondary access granted to the Redis group.
If your Redis directory has insecure permissions, you can use the following command to change the file permissions settings:
sudo chmod 770 /var/lib/redisThen, you need to change the Redis configuration file permissions. By default, it is owned by the root and has secondary ownership by the root group.
ls -l /etc/redis.confOutput
-rw-r----- 1 redis root 62243 Sep 12 04:31 /etc/redis.confIt means that the Redis configuration file is readable only by the Redis user and the root group. you should set the file to readable by the Redis user and the Redis group. To do this, run the following command:
sudo chown redis:redis /etc/redis.confNow you need to change the permissions so that only the owner of the file can read and write to it:
sudo chmod 600 /etc/redis.confVerify the new changes with the following command:
ls -l /var/lib | grep redisOutput
drwxrwx--- 2 redis redis 4096 Sep 12 04:31 redisls -l /etc/redis.confOutput
-rw------- 1 redis redis 62243 Sep 12 04:31 /etc/redis.confThen, restart Redis to apply these changes:
sudo systemctl restart redisFinally, your Redis installation on Rocky Linux 8 has been secured.
Conclusion
At this point, you learn to install and configure Redis Server on Rocky Linux 8. By installing Redis with dnf, starting and enabling the Redis service, and adjusting the configuration file as needed, you can set up a reliable in-memory data store for your applications.
Hope you enjoy it. Please subscribe to us on Facebook, X, and YouTube.
You may also like these articles:
