How to install and secure Redis on Ubuntu 18.04

Introduction

In the previous tutorial, we discussed how to install and configure the latest version of Redis from source and make it fully functional. If you want to read that tutorial, go to Redis install from Source. In this article, we will discuss how to install Redis from the official Ubuntu repositories.

Before We Begin

  • Ubuntu 18.04 server/desktop with root or user with sudo privileges

Step 1 — Installing and Configuring Redis

Here we will use the apt package manager to install Redis from the official Ubuntu repositories. At the time of writing, the version available in the default repositories is 4.0.9.

Start by updating the apt packages list by running :

sudo apt update

Then install Redis package by typing:

sudo apt install redis-server

This will download and install Redis and its dependencies (libjemalloc1, redis-server, redis-tools).

After the installation, the Redis service will start automatically. To check the status of the service, enter the following command:

sudo systemctl status redis-server

The output looks like:

● redis-server.service – Advanced key-value store
Loaded: loaded (/lib/systemd/system/redis-server.service; enabled; vendor preset: enabled)
Active: active (running) since Sat 2020-07-25 10:37:25 UTC; 6min ago
Docs: http://redis.io/documentation,
man:redis-server(1)
Main PID: 2212 (redis-server)
Tasks: 4 (limit: 1121)
CGroup: /system.slice/redis-server.service
└─2212 /usr/bin/redis-server 127.0.0.1:6379

Here, you can see that Redis is running and is already enabled, meaning that it is set to start up every time the server boots.

If you want to prevent Redis from starting at boot, run:

sudo systemctl disable redis

By default, the Redis server listens on the loopback interface (127.0.0.1) and accepts connections on port 6379.

The Redis service will fail to start if IPv6 is disabled on your server, because the default bind directive (bind 127.0.0.1 ::1) also binds the IPv6 loopback address.

Check Redis version:

To check the installed Redis version, run:

redis-server -v

You will get output like:

Redis server v=4.0.9 sha=00000000:0 malloc=jemalloc-3.6.0 bits=64 build=9435c3c2879311f3

To test that Redis is functioning correctly, connect to the server using redis-cli, Redis’s command-line client:

redis-cli

In the prompt that follows, test connectivity with the ping command:

127.0.0.1:6379> ping

Output :

PONG

This confirms that Redis is working properly. Exit the Redis prompt and return to the shell by running:

127.0.0.1:6379> exit

Configure Redis Remote Access 

By default, Redis doesn’t allow remote connections. You can connect to the Redis server only from 127.0.0.1 (localhost) – the machine where Redis is running.

Perform the following steps only if you want to connect to your Redis server from remote hosts.

If you are using a single server setup, where the application and Redis are running on the same machine then you should not enable remote access.

To configure Redis to accept remote connections open the Redis configuration file (which was generated automatically during the installation) with your text editor:

sudo nano /etc/redis/redis.conf

Locate the line that begins with bind 127.0.0.1 ::1 and replace 127.0.0.1 with 0.0.0.0, or comment out the bind directive.

By default, after installation the bind directive is present and not commented out.

Save the file and close the editor.

Restart the Redis service for changes to take effect:

sudo systemctl restart redis-server

Use the following command to verify that Redis is listening on all interfaces on port 6379:

ss -an | grep 6379

You should see something like below. 0.0.0.0 means all IPv4 addresses on the machine.

tcp LISTEN 0 128 0.0.0.0:6379 0.0.0.0:*
tcp LISTEN 0 128 [::]:6379 [::]:*
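As an added check (example script, not part of the original article), the following POSIX shell functions classify the Redis listeners in ss -an output, so the before (loopback only) and after (all interfaces) states shown above can be verified from a script instead of by eye. The sample ss lines inside are constructed to mirror the article's output, and the function names are my own.

```shell
#!/bin/sh
# Added example, not part of the original article: classify the sockets that
# `ss -an` reports on the Redis port, so the "before" (loopback only) and
# "after" (all interfaces) states of the bind change can be checked from a
# script rather than by eye. Input is read on stdin; the sample lines below
# are constructed to mirror the article's output.

# Print "<local-address> <scope>" for every TCP socket in LISTEN state on the
# given port (default 6379). Scope is loopback, all-interfaces or
# specific-address.
classify_redis_listeners() {
    port="${1:-6379}"
    awk -v port="$port" '
        $1 == "tcp" && $2 == "LISTEN" && $5 ~ (":" port "$") {
            addr = $5
            sub(":" port "$", "", addr)
            if (addr == "127.0.0.1" || addr == "[::1]")
                scope = "loopback"
            else if (addr == "0.0.0.0" || addr == "[::]" || addr == "*")
                scope = "all-interfaces"
            else
                scope = "specific-address"
            print addr, scope
        }'
}

# Summarise the listeners on stdin as one word:
#   none     - nothing is listening on the port
#   loopback - every listener is bound to 127.0.0.1 or ::1
#   exposed  - at least one listener accepts connections from other hosts
redis_listener_scope() {
    listeners=$(classify_redis_listeners "${1:-6379}")
    if [ -z "$listeners" ]; then
        echo none
    elif echo "$listeners" | grep -qv ' loopback$'; then
        echo exposed
    else
        echo loopback
    fi
}

# Constructed sample output: the default Ubuntu 18.04 package state (loopback
# only, plus one established local client) and the state after the bind change.
SS_BEFORE='tcp   LISTEN 0 128 127.0.0.1:6379 0.0.0.0:*
tcp   LISTEN 0 128 [::1]:6379 [::]:*
tcp   ESTAB  0 0   127.0.0.1:6379 127.0.0.1:41234'
SS_AFTER='tcp   LISTEN 0 128 0.0.0.0:6379 0.0.0.0:*
tcp   LISTEN 0 128 [::]:6379 [::]:*'

# On a live server you would pipe the real listing instead:
#   ss -an | redis_listener_scope
printf '%s\n' "$SS_BEFORE" | classify_redis_listeners
echo "before: $(printf '%s\n' "$SS_BEFORE" | redis_listener_scope)"
echo "after:  $(printf '%s\n' "$SS_AFTER"  | redis_listener_scope)"
```

An established connection (ESTAB) is ignored on purpose: only LISTEN sockets tell you what the server will accept. If the summary says exposed, the firewall rule in the next step is the only thing standing between the instance and every host that can route to it.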

Check the screenshot below for the output before and after our configuration changes:

Next, you’ll need to add a firewall rule that enables traffic from your remote machines on TCP port 6379.

Assuming you are using UFW to manage your firewall and you want to allow access from the 192.168.121.0/24 subnet you would run the following command:

sudo ufw allow proto tcp from 192.168.121.0/24 to any port 6379

At this point, Redis server will accept remote connections on TCP port 6379.

Make sure your firewall is configured to accept connections only from trusted IP ranges.

To verify that everything is set up properly, you can try to ping the Redis server from your remote machine using the redis-cli utility:

redis-cli -h <REDIS_IP_ADDRESS> ping

For this tutorial I am using an AWS EC2 Ubuntu machine.

ubuntu@ip-172-31-58-24:~$ redis-cli -h 172.31.59.187 ping

I get the following error:

(error) DENIED Redis is running in protected mode because protected mode is enabled, no bind address was specified, no authentication password is requested to clients. In this mode connections are only accepted from the loopback interface. If you want to connect from external computers to Redis you may adopt one of the following solutions: 1) Just disable protected mode sending the command 'CONFIG SET protected-mode no' from the loopback interface by connecting to Redis from the same host the server is running, however MAKE SURE Redis is not publicly accessible from internet if you do so. Use CONFIG REWRITE to make this change permanent. 2) Alternatively you can just disable the protected mode by editing the Redis configuration file, and setting the protected mode option to 'no', and then restarting the server. 3) If you started the server manually just for testing, restart it with the '--protected-mode no' option. 4) Setup a bind address or an authentication password. NOTE: You only need to do one of the above things in order for the server to start accepting connections from the outside.

To fix this, open the Redis configuration file /etc/redis/redis.conf and change

protected-mode yes

to

protected-mode no

then save and close the file and restart Redis (sudo systemctl restart redis-server) so the change takes effect. As the error message itself states, protected mode only rejects remote clients while no bind address is configured and no password is set, so an explicit bind address or the password set in Step 4 would satisfy it as well. With protected mode off and no password, anyone who can reach port 6379 can run Redis commands, which is why the firewall rule above and the password step below are not optional.

Now try to connect to the Redis server from the remote host again:

redis-cli -h 172.31.59.187 ping

Note: 172.31.59.187 is the internal (private) IP address of my AWS EC2 Redis server.

ubuntu@ip-172-31-58-24:~$ redis-cli -h 172.31.59.187 ping

The command should return a response of PONG:

Output:
PONG

Our remote machine (IP 172.31.58.24) can now connect to the Redis server.

However, leaving Redis reachable over the network without authentication is not good practice, so we must enable password authentication to secure the server.

Step 4 — Configuring a Redis Password

Configuring a Redis password enables one of its two built-in security features — the auth command, which requires clients to authenticate to access the database. The password is configured directly in Redis’s configuration file, /etc/redis/redis.conf, so open that file again with your preferred editor:

sudo nano /etc/redis/redis.conf

Scroll to the SECURITY section and look for a commented directive that reads:

# requirepass foobared

Uncomment it by removing the #, and change foobared to a secure password.

After setting the password, save and close the file, then restart Redis:

sudo systemctl restart redis.service
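The three directives changed in this tutorial (bind, protected-mode and requirepass) together decide whether a Redis instance accepts unauthenticated commands from other hosts. The following script is an added example, not code from the article or from the Redis project: it audits a redis.conf for those three directives using the rule stated in the DENIED error above (protected mode only blocks remote clients while there is neither a bind directive nor a password). The three sample configuration files and the password value are constructed placeholders, and the function names are my own.

```shell
#!/bin/sh
# Added example, not from the original article: audit a redis.conf for the three
# directives this tutorial edits (bind, protected-mode, requirepass) and report
# whether the file would let unauthenticated clients on other hosts run
# commands. The sample configs are constructed here; on a real server pass
# /etc/redis/redis.conf.

# Print the effective value of a directive, skipping commented lines. Redis
# applies the last occurrence, so only the final match is printed; empty output
# means the directive is absent (the built-in default applies).
redis_directive() {
    grep -E "^[[:space:]]*$2([[:space:]]|\$)" "$1" | tail -n 1 |
        awk '{ $1 = ""; sub(/^ /, ""); print }'
}

# Returns 0 when the configuration is acceptable for a host reachable over the
# network, 1 when it accepts unauthenticated commands from other machines.
audit_redis_conf() {
    conf="$1"
    bind=$(redis_directive "$conf" bind)
    protected=$(redis_directive "$conf" protected-mode)
    requirepass=$(redis_directive "$conf" requirepass)

    # Listening on every interface: no bind directive, or a wildcard address.
    case " $bind " in
        "  "|*" 0.0.0.0 "*|*" :: "*) all_interfaces=1 ;;
        *) all_interfaces=0 ;;
    esac

    # Protected mode (default yes) refuses non-loopback clients only while
    # there is neither a bind directive nor a password, exactly the condition
    # named in the DENIED error the article shows.
    if [ "${protected:-yes}" = "yes" ] && [ -z "$bind" ] && [ -z "$requirepass" ]; then
        protected_active=1
    else
        protected_active=0
    fi

    if [ "$all_interfaces" -eq 1 ]; then
        echo "bind:           ${bind:-<absent>} (all interfaces)"
    else
        echo "bind:           $bind"
    fi
    echo "protected-mode: ${protected:-yes (default)}"
    if [ -n "$requirepass" ]; then
        echo "requirepass:    set"
    else
        echo "requirepass:    not set"
    fi

    if [ "$all_interfaces" -eq 1 ] && [ -z "$requirepass" ] && [ "$protected_active" -eq 0 ]; then
        echo "RESULT: EXPOSED - remote hosts can run commands without authenticating"
        return 1
    fi
    echo "RESULT: OK"
    return 0
}

# Three constructed configurations: the package default, the article's
# intermediate state (bind commented out, protected mode off, no password) and
# the hardened end state. The password value is a placeholder, not a real one.
CONF_DEFAULT=$(mktemp)
CONF_OPEN=$(mktemp)
CONF_HARDENED=$(mktemp)
trap 'rm -f "$CONF_DEFAULT" "$CONF_OPEN" "$CONF_HARDENED"' EXIT

cat > "$CONF_DEFAULT" <<'EOF'
bind 127.0.0.1 ::1
protected-mode yes
port 6379
# requirepass foobared
EOF

cat > "$CONF_OPEN" <<'EOF'
# bind 127.0.0.1 ::1
protected-mode no
port 6379
# requirepass foobared
EOF

cat > "$CONF_HARDENED" <<'EOF'
bind 0.0.0.0
protected-mode yes
port 6379
requirepass CHANGE_ME_placeholder_password
EOF

for f in "$CONF_DEFAULT" "$CONF_OPEN" "$CONF_HARDENED"; do
    echo "== $f"
    audit_redis_conf "$f" || true   # keep going even when a file is flagged
done
```

Run it against /etc/redis/redis.conf after each change in this tutorial: the intermediate state reached after disabling protected mode is reported as EXPOSED, and the same file becomes OK once requirepass is set. The check deliberately does not trust protected-mode alone, because an explicit bind 0.0.0.0 switches it off without any warning in the log.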

To test that the password works, open up the Redis client:

redis-cli

The following shows a sequence of commands used to test whether the Redis password works. The first command tries to set a key to a value before authentication:

127.0.0.1:6379> set key1 10

That won’t work because you didn’t authenticate, so Redis returns an error:

(error) NOAUTH Authentication required.

The next command authenticates with the password specified in the Redis configuration file:

127.0.0.1:6379> auth your_redis_password

Redis acknowledges:

Output

OK

After that, running the previous command again will succeed:

127.0.0.1:6379> set key1 10
OK

Running get key1 queries Redis for the value of the new key:

127.0.0.1:6379> get key1
"10"

After confirming that you’re able to run commands in the Redis client after authenticating, you can exit redis-cli:

127.0.0.1:6379> exit

To connect to the Redis server with a password in a single command, use:

redis-cli -h host -p port_number -a password

For example:

redis-cli -h 172.31.59.187 -p 6379 -a redispassword

Bear in mind that a password passed with -a is recorded in your shell history and is visible to other users of the client machine in the process list while redis-cli runs; for interactive sessions you can instead connect without -a and issue auth at the prompt as shown above.

Now we have connected to the Redis server remotely with password authentication.

Conclusion

In this tutorial, you installed and configured Redis, validated that your Redis installation is functioning correctly, and used its built-in security features to make it less vulnerable. We have also configured Redis for remote access with password authentication.
