How To Install and Secure Redis on Debian 11

This article shows how to install and secure Redis on Debian 11.

Redis stands for Remote Dictionary Server. It is an open-source and fast in-memory database and cache under a BSD license, written in C and optimized for speed.

It is often called a data structure server because its core data types, such as strings, lists, dictionaries (or hashes), sets, and sorted sets, are similar to those found in programming languages.

Also, it provides many other data structures and features for approximate counting, geolocation, and stream processing.

How To Install and Secure Redis on Debian 11

To install and secure Redis on Debian 11, you need to log in to your server as a non-root user with sudo privileges and set up a basic firewall. To do this you can check our article about the Initial server setup with Debian 11.

When you have met these requirements, you can continue with the steps below.

Install Redis on Debian 11

To install Redis on Debian 11, first update the local APT package index with the following command:

sudo apt update

Then, install Redis and its dependencies with the apt package manager:

sudo apt install redis-server

Now you need to make a configuration change in the Redis configuration file.

Open the file with your favorite text editor. Here we use vi:

sudo vi /etc/redis/redis.conf

Inside the file, search for the supervised directive. By default it is set to no; change it to systemd:

. . .
# If you run Redis from upstart or systemd, Redis can interact with your
# supervision tree. Options:
# supervised no - no supervision interaction
# supervised upstart - signal upstart by putting Redis into SIGSTOP mode
# supervised systemd - signal systemd by writing READY=1 to $NOTIFY_SOCKET
# supervised auto - detect upstart or systemd method based on
# UPSTART_JOB or NOTIFY_SOCKET environment variables
# Note: these supervision methods only signal "process is ready."
# They do not enable continuous liveness pings back to your supervisor.
supervised systemd
. . .

Save and close the file when you are finished.

Then, restart Redis on Debian 11 to apply this change with the following command:

sudo systemctl restart redis

Now check that Redis is active and running on your server with the following command:

sudo systemctl status redis

In your output you should see:

Output
redis-server.service - Advanced key-value store
Loaded: loaded (/lib/systemd/system/redis-server.service; enabled; vendor >
Active: active (running) since Tue 2021-10-19 05:21:42 EDT; 1min 4s ago
Docs: http://redis.io/documentation,
man:redis-server(1)
Main PID: 1743 (redis-server)
Status: "Ready to accept connections"
Tasks: 5 (limit: 2340)
Memory: 7.2M
CPU: 218ms
CGroup: /system.slice/redis-server.service
└─1743 /usr/bin/redis-server 127.0.0.1:6379

Here you can test Redis’s functionality with the following command:

redis-cli ping

In your output you should see:

Output
PONG

This means that Redis is running on your Debian 11 server and you can start configuring it to improve its security.

Configure and Secure Redis on Debian 11

An effective way to protect Redis is to secure the server it’s running on. To do this, make sure that Redis is bound only to localhost or to a private IP address and that the server has a firewall up and running.

Open the Redis configuration file with your favorite text editor again:

sudo vi /etc/redis/redis.conf

Inside the file, search for the “bind” line and uncomment it by removing the # sign at the beginning of the line:

. . . 
bind 127.0.0.1

Note: If you need to bind Redis to another IP address, it’s strongly recommended that you bind it to a private IP address.

. . .
bind your_private_ip

After you have made this change, save and close the file.

Then, restart Redis to apply this change with the following command:

sudo systemctl restart redis

Now run the command below to check that this change has gone into effect:

sudo netstat -lnp | grep redis

In your output you will see something similar to this:

Output
tcp   0   0 127.0.0.1:6379   0.0.0.0:*   LISTEN   1826/redis-server 1

This means that the Redis server program is bound to localhost (127.0.0.1). If you see another IP address that you haven’t set in the Redis configuration file, check the file again and restart Redis.

Let’s see how to configure Redis to only be accessible with a strong password.

Configure a Redis password on Debian 11

You can configure a Redis password directly from the Redis configuration file. It will enable one of its two built-in security features, the auth command, which requires clients to authenticate to access the database.

Open the file again with your favorite text editor:

sudo vi /etc/redis/redis.conf

Find the Security section and search for the “requirepass foobared” directive. Uncomment it by removing the #, and replace foobared with a very strong password of your choosing.

requirepass foobared

When you are done, save and close the file.

To apply this change, restart Redis on Debian 11 with the following command:

sudo systemctl restart redis.service

To test that the password that you have set works correctly, open the Redis client with the following command:

redis-cli

The first command tries to set a key to a value before authentication:

127.0.0.1:6379> set key1 10

At this point, Redis returns an error, because you have not yet authenticated:

(error) NOAUTH Authentication required.

Use the following command to authenticate with the password you have set in the Redis configuration file:

127.0.0.1:6379> auth your_redis_password

After entering your Redis password, in your output, you will see OK.

Then run the previous command again. It should work now:

127.0.0.1:6379> set key1 10

In your output, you should see OK.

Now use the get key1 command to query Redis for the value of the new key:

127.0.0.1:6379> get key1
Output
"10"

Exit from the Redis client with the following command:

127.0.0.1:6379> quit

At this point, you can rename Redis commands to protect Redis from malicious actors.

Rename Dangerous Redis Commands

For more security, Redis allows you to rename or completely disable certain commands that are considered dangerous, such as FLUSHDB, FLUSHALL, KEYS, CONFIG, DEBUG, SHUTDOWN, SAVE, STOP, RENAME, etc.

If you know that you will never use a command that can be abused, you can disable it. Otherwise, you should rename it instead.

To rename or disable Redis commands, open the Redis configuration file and go to the Security section:

sudo vi /etc/redis/redis.conf

Note: These are examples. You should choose to disable or rename the commands that make sense for you. You can learn more about Redis’s commands and determine how they might be misused at redis.io/commands.

Here you can disable (kill) a command by renaming it to an empty string like this:

# It is also possible to completely kill a command by renaming it into
# an empty string:
#
rename-command FLUSHDB ""
rename-command FLUSHALL ""
rename-command DEBUG ""

You can rename a command by giving it another name like this:

# It is also possible to completely kill a command by renaming it into
# an empty string:
#
rename-command FLUSHDB ""
rename-command FLUSHALL ""
rename-command DEBUG ""
rename-command SHUTDOWN SHUTDOWN_ORCA
rename-command CONFIG ORCA_CONFIG

When you are finished, save and close the file.

To apply the changes, restart Redis on Debian 11 with the following command:

sudo systemctl restart redis.service

Now you can open the Redis client to test your new commands:

redis-cli

Then, authenticate yourself with the password that you have set:

127.0.0.1:6379> auth your_redis_password

We assume that you renamed the config command to orca_config. If you use config, you will get an error:

127.0.0.1:6379> config get requirepass
Output
(error) ERR unknown command `config`

Now use the renamed command instead:

127.0.0.1:6379> orca_config get requirepass

In your output you will see:

Output
1) "requirepass"
2) "your_redis_password"

Now you can exit from the Redis client with the following command:

127.0.0.1:6379> exit

Warning: at the end of the Security section in the /etc/redis/redis.conf file, there is a warning statement which is:

. . .
# Please note that changing the name of commands that are logged into the
# AOF file or transmitted to slaves may cause problems.
. . .

This means if the renamed command is not in the AOF file, or if it is but the AOF file has not been transmitted to replicas, then there should be no problem. The best time to rename the command is when you’re not using AOF persistence or right after installation.
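
The bind, requirepass and rename-command settings from the steps above can be checked against a configuration file in one pass. The script below is an added example, not part of the original article or of Redis; the function names, the MIN_PW_LEN and REQUIRED_RENAMES variables and the 32-character minimum are assumptions of the example, and the sample files are constructed.

```shell
#!/bin/sh
# Added example: audit a redis.conf for the directives this tutorial edits.
# Prints one "FAIL: ..." line per finding; exit status 1 if anything failed.
# MIN_PW_LEN and REQUIRED_RENAMES are assumptions of this example, not Redis settings.
audit_redis_conf() {
    awk -v minlen="${MIN_PW_LEN:-32}" \
        -v required="${REQUIRED_RENAMES:-FLUSHDB FLUSHALL DEBUG SHUTDOWN CONFIG}" '
    function fail(msg) { print "FAIL: " msg; bad = 1 }
    /^[ \t]*#/ || /^[ \t]*$/ { next }          # skip comments and blank lines
    { key = tolower($1) }
    key == "bind" {                            # loopback or RFC 1918 addresses only
        seen_bind = 1
        for (i = 2; i <= NF; i++)
            if ($i != "::1" && $i !~ /^(127\.|10\.|192\.168\.|172\.(1[6-9]|2[0-9]|3[01])\.)/)
                fail("bind exposes non-private address " $i)
    }
    key == "requirepass" {
        seen_pass = 1; pw = $2; gsub(/"/, "", pw)
        if (pw == "foobared") fail("requirepass is still the sample value")
        else if (length(pw) < minlen) fail("requirepass shorter than " minlen " characters")
    }
    key == "rename-command" { renamed[toupper($2)] = 1 }
    END {
        if (!seen_bind) fail("no active bind directive")
        if (!seen_pass) fail("no active requirepass directive")
        n = split(required, want, " ")
        for (i = 1; i <= n; i++)
            if (!(want[i] in renamed)) fail(want[i] " is neither renamed nor disabled")
        exit bad + 0
    }' "$1"
}

# Constructed sample files (not real configurations) for a quick offline run.
write_samples() {
    printf '%s\n' '# bind 127.0.0.1' 'bind 0.0.0.0' 'requirepass foobared' \
        'rename-command FLUSHDB ""' > "$1/weak.conf"
    printf '%s\n' 'bind 127.0.0.1 ::1' \
        'requirepass constructed-sample-passphrase-not-for-real-use' \
        'rename-command FLUSHDB ""' 'rename-command FLUSHALL ""' \
        'rename-command DEBUG ""' 'rename-command SHUTDOWN SHUTDOWN_ORCA' \
        'rename-command CONFIG ORCA_CONFIG' > "$1/hardened.conf"
}

tmp=$(mktemp -d) && write_samples "$tmp"
audit_redis_conf "$tmp/weak.conf" || echo "weak.conf: findings above"
audit_redis_conf "$tmp/hardened.conf" && echo "hardened.conf: OK"
rm -rf "$tmp"
```

To check a live server, run audit_redis_conf /etc/redis/redis.conf with sudo, and set REQUIRED_RENAMES to the commands you decided to rename or disable.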

Conclusion

At this point, you have learned how to install and secure Redis on Debian 11. Remember that once someone is logged into your server, it’s very easy to find a way around the Redis security features that you have put in place. Because of that, the most important security feature on your Redis server is the firewall that you set up in the requirements part with the initial server setup.

Hope you enjoy it.
