Install and Secure Redis Server on Debian 10

Redis also know as “Remote Dictionary Server” is an open-source and in-memory database that can be used as a database, cache and message broker. Redis supports various data structures, such as strings, hashes, lists, sets and many more. Redis is written in C programming language and works in most POSIX systems like Linux, Free BSD and OS X. Redis is and able to run thousands of commands per second. Redis comes with a rich set of features including, Replication, Automatic failover, Lua scripting, LRU eviction of keys, Transactions and many more.

In this tutorial, we will learn how to install and secure Redis on Debian 10 server.

Requirements

  • A server running Debian 10.
  • A root password is setup to your server.

Getting Started

Before starting, you will need to update your system with the latest version. You can do this by running the following command:

apt-get update -y
apt-get upgrade -y

Once your server is updated, restart your server to apply the changes.

Install Redis

By default, Redis is available in the Debian 10 repository. You can install it by just running the following command:

apt-get install redis-server -y

After installing Redis, start Redis service and enable it to start after system reboot with the following command:

systemctl start redis-server
systemctl enable redis-server

You can also verify the status of the Redis server with the following command:

systemctl status redis-server

You should get the following output:

? redis-server.service - Advanced key-value store
   Loaded: loaded (/lib/systemd/system/redis-server.service; enabled; vendor preset: enabled)
   Active: active (running) since Fri 2019-09-06 05:57:45 EDT; 4s ago
     Docs: http://redis.io/documentation,
           man:redis-server(1)
  Process: 2284 ExecStart=/usr/bin/redis-server /etc/redis/redis.conf (code=exited, status=0/SUCCESS)
 Main PID: 2285 (redis-server)
    Tasks: 4 (limit: 1138)
   Memory: 6.8M
   CGroup: /system.slice/redis-server.service
           ??2285 /usr/bin/redis-server 127.0.0.1:6379

Sep 06 05:57:45 debian systemd[1]: Starting Advanced key-value store...
Sep 06 05:57:45 debian systemd[1]: redis-server.service: Can't open PID file /run/redis/redis-server.pid (yet?) after start: No such file or di
Sep 06 05:57:45 debian systemd[1]: Started Advanced key-value store.

By default, Redis listening on the localhost on port 6379. You can check it with the following command:

ps -ef | grep redis

You should see the following output:

redis     2285     1  0 05:57 ?        00:00:00 /usr/bin/redis-server 127.0.0.1:6379
root      2294   706  0 05:59 pts/0    00:00:00 grep redis

Next, test the Redis connectivity with the following command:

redis-cli

You should see the following output:

127.0.0.1:6379> 

Now, check the Redis connectivity with ping command:

127.0.0.1:6379> ping

If everything is fine, you should see the following output:

PONG

Once you have finished. You can proceed to the next step.

Configure Redis as a Cache

You can configure Redis as a Cache by editing the /etc/redis/redis.conf file:

nano /etc/redis/redis.conf

Add the following lines at the end of the file:

maxmemory 64mb
maxmemory-policy allkeys-lru

When the max memory of 64mb is reached. Redis will remove any key as per the LRU algorithm. Save and close the file when you are finished. Then, restart the Redis service with the following command:

systemctl restart redis-server

Once you have finished. You can proceed to the next step.

Configure Redis Authentication

By default, you can run any command in Redis shell. So, it is recommended to configure Redis Authentication for clients to require a password before running any commands. You can configure password authentication directly in Redis’s configuration file. To do so, open the file /etc/redis/redis.conf with your preferred editor:

nano /etc/redis/redis.conf

Under the SECURITY section find the following line:

# requirepass foobared

Uncomment and replace it with your desired password as shown below:

requirepass AlsW34%#df

Save and close the file when you are finished. Then, restart Redis service to apply the configuration changes:

systemctl restart redis-server

Now, access the Redis shell with the following command:

redis-cli

Now, run the following command without authenticating:

127.0.0.1:6379> INFO server

This will not work because you don’t authenticate. You should get the following error:

NOAUTH Authentication required.

Next, run the following command to authenticates with the password specified in the Redis configuration file:

127.0.0.1:6379> AUTH AlsW34%#df

You should get the following output:

OK

Now, run the previous command again:

127.0.0.1:6379> INFO server

This will run successfully and you should see the following output:

# Server
redis_version:5.0.3
redis_git_sha1:00000000
redis_git_dirty:0
redis_build_id:afa0decbb6de285f
redis_mode:standalone
os:Linux 4.19.0-5-amd64 x86_64
arch_bits:64
multiplexing_api:epoll
atomicvar_api:atomic-builtin
gcc_version:8.3.0
process_id:2308
run_id:2cf0470a9492deddf98bcc72fa9ec94e941edf6c
tcp_port:6379
uptime_in_seconds:50
uptime_in_days:0
hz:10
configured_hz:10
lru_clock:7483371
executable:/usr/bin/redis-server
config_file:/etc/redis/redis.conf

Once you have finished. You can proceed to the next step.

Rename Specific Commands

For security reason, it is recommended to rename certain commands that are considered dangerous.

Here we will rename “config” command. The config command is used to retrieve Redis password. Let’s see with an example:

First, connect and authenticate Redis shell with the following command:

redis-cli
127.0.0.1:6379> AUTH AlsW34%#df

Next, retrieve the Redis password with the following command:

127.0.0.1:6379> config get requirepass

You should get the following output:

1) "requirepass"
2) "AlsW34%#df"
127.0.0.1:6379> 

You can rename config command by editing /etc/redis/redis.conf file:

nano /etc/redis/redis.conf

Find the following line:

# rename-command CONFIG b840fc02d524045429941cc15f59e41cb7be6c52

Uncomment and replace with your desired string:

rename-command CONFIG H2sW_Config        

Save and close the file. Then, restart Redis service with the following command:

systemctl restart redis-server

Next, connect and authenticate Redis shell with the following command:

redis-cli
127.0.0.1:6379> AUTH AlsW34%#df

Next, retrieve the Redis password with config command:

127.0.0.1:6379> config get requirepass

We renamed this command so you should get the following error:

(error) ERR unknown command `config`, with args beginning with: `get`, `requirepass`, 

Now, run the renamed command as shown below:

127.0.0.1:6379> H2sW_Config get requirepass

You should get the following output:

1) "requirepass"
2) "AlsW34%#df"

Finally, exit from the Redis shell with the following command:

127.0.0.1:6379> exit

Conclusion

Congratulations! you have successfully installed and secured Redis server on Debian 10. I hope you have now enough knowledge to secure your Redis server with password authentication. Feel free to ask me if you have any queries.

Brought to you by Web Designer
Kuala Lumpur

Leave a Reply

Your email address will not be published. Required fields are marked *

*