Install Secured Redis on Ubuntu Server 14.04, 16.04 LTS

Secure Redis Server

Redis is a secondary database that is useful for session storage as well as for running background jobs such as sending emails, user notifications, etc.

In this blog post you will learn how to install a stable and secured version of Redis in the following steps:

1. Install stable version of Redis

To install Redis, first make sure the tcl package is installed.

sudo aptitude install build-essential tcl8.5

1.1 Check for the latest version of Redis and grab it into your /tmp directory.

cd /tmp
wget http://download.redis.io/releases/redis-stable.tar.gz

Now extract it.

tar xzf redis-stable.tar.gz

Then configure it and install it.

1.2 Installing the server

In the directory where you extracted the stable Redis release, run the following in your terminal:

cd redis-stable
make
make test
sudo make install

Then configure an instance and add it to your boot sequence:

cd utils
sudo ./install_server.sh

Now test your installation:

sudo service redis_6379 start

Check it through its command line interface:

redis-cli

You now have Redis installed and running. The prompt will look like this:

redis 127.0.0.1:6379>

Type in ping, and the prompt should look like this:

redis 127.0.0.1:6379> ping
PONG

To set Redis to automatically start at boot, run:

sudo update-rc.d redis_6379 defaults

2. Secure the installed Redis

2.1 Binding to localhost

By default, Redis server is only accessible from localhost. However, if you followed the tutorial to set up a Redis master server, you updated the configuration file to allow connections from anywhere. This is not as secure as binding to localhost.

Open the Redis configuration file for editing:

sudo vim /etc/redis/6379.conf

Locate this line and make sure it is uncommented (remove the # if it exists):

# bind 127.0.0.1

2.2 Configuring Redis password

Configuring a Redis password enables one of its two built-in security features: the auth command, which requires clients to authenticate before they can access the database. The password is configured directly in Redis's configuration file, /etc/redis/6379.conf, which you should still have open from the previous step.

Scroll to the SECURITY section and look for a commented directive that reads:

# requirepass foobared

Uncomment it by removing the #, and change foobared to a very strong and very long value. Instead of foobared, generate a more complex password with one of the SHA algorithms. The result is only as hard to guess as the string you hash, so start from a long, unpredictable one:

$: echo -n "yournormalstring" | openssl sha1
f44f60738a2ecbc060a7fe974371997137ac4e69

Store this key just in case. Then alter your redis conf file to be:

requirepass f44f60738a2ecbc060a7fe974371997137ac4e69

After setting the password, save the file, and restart Redis:

sudo service redis_6379 restart

To test that the password works, open the Redis command line and type ping. You will get (error) NOAUTH Authentication required. Do not panic; this is expected until you authenticate with the auth command and get the OK acknowledgment, as in this example:

$: redis-cli
redis 127.0.0.1:6379> ping
(error) NOAUTH Authentication required.
redis 127.0.0.1:6379> auth f44f60738a2ecbc060a7fe974371997137ac4e69
OK

N.B. Do not forget to alter your applications to use the new password accordingly.
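
The two settings changed in section 2 can be verified with a short script. This is an added example, not part of the original post: it reads a Redis config file and reports whether bind is limited to loopback addresses and whether requirepass is set to something other than the sample value. The function names, the 32-character minimum and the sample config files are assumptions made for the example, and it treats the last active occurrence of a directive as the effective one.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): audit the bind and requirepass
# settings in a Redis config file. MIN_PASS_LEN is an assumed threshold.
MIN_PASS_LEN=32

# Print the value of the last active (uncommented) occurrence of a directive.
conf_value() {  # usage: conf_value FILE DIRECTIVE
    awk -v key="$2" '$1 == key { $1 = ""; sub(/^[ \t]+/, ""); val = $0 }
                     END { print val }' "$1"
}

# Return 0 only if every bind address is loopback and a non-sample password is set.
check_redis_conf() {  # usage: check_redis_conf FILE
    local conf="$1" bind pass addr rc=0
    bind=$(conf_value "$conf" bind)
    pass=$(conf_value "$conf" requirepass)
    if [ -z "$bind" ]; then
        echo "FAIL bind: no active bind directive"; rc=1
    fi
    for addr in $bind; do
        case "$addr" in
            127.*|::1) ;;  # loopback only
            *) echo "FAIL bind: $addr is not a loopback address"; rc=1 ;;
        esac
    done
    if [ -z "$pass" ]; then
        echo "FAIL requirepass: not set"; rc=1
    elif [ "$pass" = "foobared" ]; then
        echo "FAIL requirepass: still the sample value"; rc=1
    elif [ "${#pass}" -lt "$MIN_PASS_LEN" ]; then
        echo "FAIL requirepass: shorter than $MIN_PASS_LEN characters"; rc=1
    fi
    if [ "$rc" -eq 0 ]; then echo "OK: loopback bind and password set"; fi
    return "$rc"
}

# Constructed sample configs: one with both lines commented, one hardened.
tmp=$(mktemp -d)
printf '%s\n' '# bind 127.0.0.1' '# requirepass foobared' > "$tmp/weak.conf"
printf '%s\n' 'bind 127.0.0.1' \
    'requirepass f44f60738a2ecbc060a7fe974371997137ac4e69' > "$tmp/hard.conf"
for f in weak hard; do
    echo "== $f.conf"; check_redis_conf "$tmp/$f.conf" || true
done
```

To audit the instance from this post, call check_redis_conf /etc/redis/6379.conf (with sudo if the file is not readable by your user).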

Enjoy using a secure Redis!

Troubleshoot

In case of any misbehaviour, you can remove the password from the conf file and shut down Redis manually. To do so, follow these steps:

  1. Comment out the requirepass line in the Redis conf file.
  2. Go to the Redis console, authenticate, and shut the server down:
$: redis-cli
redis 127.0.0.1:6379> auth f44f60738a2ecbc060a7fe974371997137ac4e69
OK
redis 127.0.0.1:6379> shutdown
redis 127.0.0.1:6379> quit
  3. Start the Redis service; it now runs without a password:
sudo service redis_6379 start


Mohamed Hisham

Ruby on Rails Team Leader Enthusiastic Ruby on Rails FullStack developer, interested in DevOps, a Software Engineer and MSc. graduate of University of Southampton
