With those prerequisites in place, we are ready to install Redis and perform some initial configuration tasks.<\/p>\n
Step 1 \u2014 Installing Redis<\/h2>\n
Before we can install Redis, we must first add Extra Packages for Enterprise Linux (EPEL) repository to the server\u2019s package lists. EPEL is a package repository containing a number of open-source add-on software packages, most of which are maintained by the Fedora Project.<\/p>\n
We can install EPEL using Once the EPEL installation has finished you can install Redis, again using This may take a few minutes to complete. After the installation finishes, start the Redis service:<\/p>\n If you\u2019d like Redis to start on boot, you can enable it with the You can check Redis\u2019s status by running the following:<\/p>\n Once you\u2019ve confirmed that Redis is indeed running, test the setup with this command:<\/p>\n This should print An effective way to safeguard Redis is to secure the server it\u2019s running on. You can do this by ensuring that Redis is bound only to either localhost or to a private IP address and that the server has a firewall up and running.<\/p>\n However, if you chose to set up a Redis cluster using this tutorial<\/a>, then you will have updated the configuration file to allow connections from anywhere, which is not as secure as binding to localhost or a private IP.<\/p>\n To remedy this, open the Redis configuration file for editing:<\/p>\n Locate the line beginning with If you need to bind Redis to another IP address (as in cases where you will be accessing Redis from a separate host) we strongly<\/strong> encourage you to bind it to a private IP address. Binding to a public IP address increases the exposure of your Redis interface to outside parties.<\/p>\n If you\u2019ve followed the prerequisites and installed firewalld on your server and you do not plan to connect to Redis from another host, then you do not need to add any extra firewall rules for Redis. After all, any incoming traffic will be dropped by default unless explicitly allowed by the firewall rules. Since a default standalone installation of Redis server is listening only on the loopback interface ( If, however, you do plan to access Redis from another host, you will need to make some changes to your firewalld configuration using the To begin, add a dedicated Redis zone to your firewalld policy:<\/p>\n Then, specify which port you\u2019d like to have open. Redis uses port Next, specify any private IP addresses which should be allowed to pass through the firewall and access Redis:<\/p>\n After running those commands, reload the firewall to implement the new rules:<\/p>\n Under this configuration, when the firewall sees a packet from your client’s IP address, it will apply the rules in the dedicated Redis zone to that connection. All other connections will be processed by the default If you chose to set up a firewall using Iptables, you will need to grant your secondary hosts access to the port Redis is using with the following commands:<\/p>\n Make sure to save your Iptables firewall rules using the mechanism provided by your distribution.<\/p>\n Keep in mind that using either firewall tool will work. What\u2019s important is that the firewall is up and running so that unknown individuals cannot access your server. In the next step, we will configure Redis to only be accessible with a strong password.<\/p>\n If you installed Redis using the How To Configure a Redis Cluster on CentOS 7 tutorial, you should have configured a password for it. At your discretion, you can make a more secure password now by following this section. If you haven\u2019t set up a password yet, instructions in this section show how to set the database server password.<\/p>\n Configuring a Redis password enables one of its built-in security features \u2014 the Scroll to the Uncomment it by removing the Note that entering this command as written will generate the same password every time. To create a password different from the one that this would generate, change the word in quotes to any other word or phrase.<\/p>\n Though the generated password will not be pronounceable, it is a very strong and very long one, which is exactly the type of password required for Redis. After copying and pasting the output of that command as the new value for If you prefer a shorter password, use the output of the command below instead. Again, change the word in quotes so it will not generate the same password as this one:<\/p>\n After setting the password, save and close the file then restart Redis:<\/p>\n To test that the password works, access the Redis command line:<\/p>\n The following is a sequence of commands used to test whether the Redis password works. The first command tries to set a key to a value before authentication.<\/p>\n 127.0.0.1:6379> set key1 10<\/p>\n That won’t work as we have not yet been authenticated, so Redis returns an error.<\/p>\n The following command authenticates with the password specified in the Redis configuration file.<\/p>\n 127.0.0.1:6379> auth your.redis.password<\/p>\n Redis will acknowledge that we have been authenticated:<\/p>\n After that, running the previous command again should be successful:<\/p>\n 127.0.0.1:6379> set key1 10<\/p>\n The 127.0.0.1:6379>\u00a0 quit<\/p>\n It should now be very difficult for unauthorized users to access your Redis installation. Please note, though, that without SSL or a VPN the unencrypted password will still be visible to outside parties if you\u2019re connecting to Redis remotely.<\/p>\n Next, we’ll look at renaming Redis commands to further protect Redis from malicious actors.<\/p>\n The other security feature built into Redis allows you to rename or completely disable certain commands that are considered dangerous. When run by unauthorized users, such commands can be used to reconfigure, destroy, or otherwise wipe your data. Some of the commands that are known to be dangerous include:<\/p>\n This is not a comprehensive list, but renaming or disabling all of the commands in that list is a good starting point.<\/p>\n Whether you disable or rename a command is site-specific. If you know you will never use a command that can be abused, then you may disable it. Otherwise, you should rename it instead.<\/p>\n Like the authentication password, renaming or disabling commands is configured in the NOTE<\/strong>: These are examples. You should choose to disable or rename the commands that make sense for you. You can check the commands for yourself and determine how they might be misused at redis.io\/commands<\/a>.<\/span><\/p>\n To disable or kill a command, simply rename it to an empty string, as shown below:<\/p>\n To rename a command, give it another name like in the examples below. Renamed commands should be difficult for others to guess, but easy for you to remember:<\/p>\n <\/p>\n Save your changes and close the file, and then apply the change by restarting Redis:<\/p>\n To test the new command, enter the Redis command line:<\/p>\n Authenticate yourself using the password you defined earlier:<\/p>\n 127.0.0.1:6379> auth your_redis_password<\/p>\n Assuming that you renamed the CONFIG<\/strong> command to ASC12_CONFIG<\/strong>, attempting to use the 127.0.0.1:6379> config get requirepass<\/p>\n Calling the renamed command should be successful (it’s case-insensitive):<\/p>\n 127.0.0.1:6379> asc12_config get requirepass<\/p>\n Finally, you can exit from 127.0.0.1:6379> exit<\/p>\n Note that if you’re already using the Redis command line and then restart Redis, you’ll need to re-authenticate. Otherwise, you’ll get this error if you type a command:<\/p>\n Regarding renaming commands, there’s a cautionary statement at the end of the That means if the renamed command is not in the AOF file, or if it is but the AOF file has not been transmitted to slaves, then there should be no problem. Keep that in mind as you’re renaming commands. The best time to rename a command is when you’re not using AOF persistence or right after installation (that is, before your Redis-using application has been deployed).<\/p>\n When you’re using AOF and dealing with a master-slave installation, consider this answer from the project’s GitHub issue page. The following is a reply to the author’s question:<\/p>\n The commands are logged to the AOF and replicated to the slave the same way they are sent, so if you try to replay the AOF on an instance that doesn’t have the same renaming, you may face inconsistencies as the command cannot be executed (same for slaves).<\/p><\/blockquote>\n The best way to handle renaming in cases like that is to make sure that renamed commands are applied to all instances of master-slave installations.<\/p>\n In this step, we’ll consider a couple of ownership and permissions changes you can make to improve the security profile of your Redis installation. This involves making sure that only the user that needs to access Redis has permission to read its data. That user is, by default, the redis<\/strong> user.<\/p>\n You can verify this by You can see that the Redis data directory is owned by the redis<\/strong> user, with secondary access granted to the redis<\/strong> group. This ownership setting is secure, but the folder\u2019s permissions (which are set to 755) are not. To ensure that only the Redis user has access to the folder and its contents, change the permissions setting to 770:<\/p>\n The other permission you should change is that of the Redis configuration file. By default, it has a file permission of 644 and is owned by root<\/strong>, with secondary ownership by the root<\/strong> group:<\/p>\n That permission (644) is world-readable. This presents a security issue as the configuration file contains the unencrypted password you configured in Step 4, meaning we need to change the configuration file\u2019s ownership and permissions. Ideally, it should be owned by the redis<\/strong> user, with secondary ownership by the redis<\/strong> group. To do that, run the following command:<\/p>\n Then change the permissions so that only the owner of the file can read and\/or write to it:<\/p>\n You may verify the new ownership and permissions using:<\/p>\n Finally, restart Redis:<\/p>\n Check the status of redis.service<\/p>\n systemctl status redis.service<\/p>\n Congratulations, your Redis installation should now be more secure!<\/p>\n","protected":false},"excerpt":{"rendered":" Redis is an open-source, in-memory data structure store which excels at caching. A non-relational database, Redis is known for its flexibility, performance, scalability, and wide language support. Redis was designed for use by trusted clients in a trusted environment, and has no robust security features of its own. Redis does, however, have a few security … Continue reading Install REDIS on Centos 7<\/span><\/a><\/p>\n","protected":false},"author":2,"featured_media":2344,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-2343","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-general"],"_links":{"self":[{"href":"https:\/\/easy-admin.ca\/index.php\/wp-json\/wp\/v2\/posts\/2343","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/easy-admin.ca\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/easy-admin.ca\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/easy-admin.ca\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/easy-admin.ca\/index.php\/wp-json\/wp\/v2\/comments?post=2343"}],"version-history":[{"count":0,"href":"https:\/\/easy-admin.ca\/index.php\/wp-json\/wp\/v2\/posts\/2343\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/easy-admin.ca\/index.php\/wp-json\/wp\/v2\/media\/2344"}],"wp:attachment":[{"href":"https:\/\/easy-admin.ca\/index.php\/wp-json\/wp\/v2\/media?parent=2343"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/easy-admin.ca\/index.php\/wp-json\/wp\/v2\/categories?post=2343"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/easy-admin.ca\/index.php\/wp-json\/wp\/v2\/tags?post=2343"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}yum<\/code>:<\/p>\nsudo yum install epel-release<\/code><\/pre>\nyum<\/code>:<\/p>\nsudo yum install redis -y\r\n<\/code><\/pre>\nsudo systemctl start redis.service<\/code><\/pre>\nenable<\/code> command:<\/p>\nsudo systemctl enable redis<\/code><\/pre>\nsudo systemctl status redis.service<\/code><\/pre>\n\u25cf redis.service - Redis persistent key-value database\r\n Loaded: loaded (\/usr\/lib\/systemd\/system\/redis.service; disabled; vendor preset: disabled)\r\n Drop-In: \/etc\/systemd\/system\/redis.service.d\r\n \u2514\u2500limit.conf\r\n Active: active (running) since Thu 2018-03-01 15:50:38 UTC; 7s ago\r\n Main PID: 3962 (redis-server)\r\n CGroup: \/system.slice\/redis.service\r\n \u2514\u25003962 \/usr\/bin\/redis-server 127.0.0.1:6379<\/code><\/pre>\nredis-cli ping<\/code><\/pre>\nPONG<\/code> as the response. If this is the case, it means you now have Redis running on your server and we can begin configuring it to enhance its security.<\/p>\nStep 2 \u2014 Binding Redis and Securing it with a Firewall<\/h2>\n
sudo vi \/etc\/redis.conf<\/code><\/pre>\nbind<\/code> and make sure it\u2019s uncommented:<\/p>\nbind 127.0.0.1\r\n<\/code><\/pre>\nbind your_private_ip<\/span>\r\n<\/code><\/pre>\n127.0.0.1<\/code> or localhost), there should be no concern for incoming traffic on its default port.<\/p>\nfirewall-cmd<\/code> command. Again, you should only allow access to your Redis server from your hosts by using their private IP addresses in order to limit the number of hosts your service is exposed to.<\/p>\nsudo firewall-cmd --permanent --new-zone=redis<\/code><\/pre>\n6397<\/code> by default:<\/p>\nsudo firewall-cmd --permanent --zone=redis --add-port=6379\/tcp<\/code><\/pre>\nsudo firewall-cmd --permanent --zone=redis --add-source=client_server_private_IP<\/span><\/code><\/pre>\nsudo firewall-cmd --reload<\/code><\/pre>\npublic<\/code> zone. The services in the default zone apply to every connection, not just those that don’t match explicitly, so you don’t need to add other services (e.g. SSH) to the Redis zone because those rules will be applied to that connection automatically.<\/p>\n\n
Step 3 \u2014 Configuring a Redis Password<\/h2>\n
auth<\/code> command \u2014 which requires clients to authenticate before being allowed access to the database. Like the bind<\/code> setting, the password is configured directly in Redis’s configuration file, \/etc\/redis.conf<\/code>. Reopen that file:<\/p>\nsudo vi \/etc\/redis.conf<\/code><\/pre>\nSECURITY<\/code> section and look for a commented directive that reads:<\/p>\n# requirepass foobared\r\n<\/code><\/pre>\n#<\/code>, and change foobared<\/code> to a very strong password of your choosing. Rather than make up a password yourself, you may use a tool like apg<\/code> or pwgen<\/code> to generate one. If you don’t want to install an application just to generate a password, though, you may use the command below.<\/p>\necho \"easy-admin<\/span>\" | sha256sum<\/code><\/pre>\nrequirepass<\/code>, it should read:<\/p>\nrequirepass password_copied_from_output<\/span>\r\n<\/code><\/pre>\necho \"easy-admin<\/span>\" | sha1sum<\/code><\/pre>\nsudo systemctl restart redis.service<\/code><\/pre>\nredis-cli<\/code><\/pre>\n(error) NOAUTH Authentication required.<\/code><\/pre>\nOK<\/code><\/pre>\nOK<\/code><\/pre>\nget key1<\/code> command queries Redis for the value of the new key.<\/p>\nStep 4 \u2014 Renaming Dangerous Commands<\/h2>\n
\n
FLUSHDB<\/code><\/li>\nFLUSHALL<\/code><\/li>\nKEYS<\/code><\/li>\nPEXPIRE<\/code><\/li>\nDEL<\/code><\/li>\nCONFIG<\/code><\/li>\nSHUTDOWN<\/code><\/li>\nBGREWRITEAOF<\/code><\/li>\nBGSAVE<\/code><\/li>\nSAVE<\/code><\/li>\nSPOP<\/code><\/li>\nSREM<\/code> RENAME<\/code> DEBUG<\/code><\/li>\n<\/ul>\nSECURITY<\/code> section of the \/etc\/redis.conf<\/code> file. To enable or disable Redis commands, open the configuration file for editing one more time:<\/p>\nsudo vi \/etc\/redis.conf<\/code><\/pre>\n# It is also possible to completely kill a command by renaming it into\r\n# an empty string:\r\n#\r\nrename-command FLUSHDB \"\"<\/span>\r\nrename-command FLUSHALL \"\"<\/span>\r\nrename-command DEBUG \"\"<\/span>\r\n<\/code><\/pre>\nrename-command CONFIG \"\"\r\nrename-command SHUTDOWN SHUTDOWN_MENOT<\/span>\r\nrename-command CONFIG ASC12_CONFIG<\/span>\r\n<\/code><\/pre>\n![\"\"](\"https:\/\/easy-admin.ca\/wp-content\/uploads\/2018\/08\/rename-commands-2.png\")
<\/p>\nsudo systemctl restart redis.service<\/code><\/pre>\nredis-cli<\/code><\/pre>\nOK<\/code><\/pre>\nconfig<\/code> command should fail.<\/p>\n(error) ERR unknown command 'config'<\/code><\/pre>\n1) \"requirepass\"\r\n2) \"your_redis_password\"<\/code><\/pre>\nredis-cli<\/code>:<\/p>\nNOAUTH Authentication required.<\/code><\/pre>\nSECURITY<\/code> section in the \/etc\/redis.conf<\/code> file, which reads:<\/p>\nPlease note that changing the name of commands that are logged into the AOF file or transmitted to slaves may cause problems.<\/code><\/p><\/blockquote>\nStep 5 \u2014 Setting Data Directory Ownership and File Permissions<\/h2>\n
grep<\/code>-ing for the Redis data directory in a long listing of its parent directory. The command and its output are given below.<\/p>\nls -l \/var\/lib | grep redis<\/code><\/pre>\ndrwxr-xr-x<\/span> 2 redis redis<\/span> 4096 Aug 6 09:32 redis<\/code><\/pre>\nsudo chmod 770 \/var\/lib\/redis<\/code><\/pre>\nls -l \/etc\/redis.conf<\/code><\/pre>\n-rw-r--r--<\/span> 1 root root<\/span> 30176 Aug 10 2018 \/etc\/redis.conf<\/code><\/pre>\nsudo chown redis:redis \/etc\/redis.conf<\/code><\/pre>\nsudo chmod 660 \/etc\/redis.conf<\/code><\/pre>\nls -l \/etc\/redis.conf<\/code><\/pre>\ntotal 40\r\n-rw-------<\/span> 1 redis redis<\/span> 29716 Sep 22 18:32 \/etc\/redis.conf<\/code><\/pre>\nsudo systemctl restart redis.service<\/code><\/pre>\n![\"\"](\"https:\/\/easy-admin.ca\/wp-content\/uploads\/2018\/08\/redis-status.png\")
<\/p>\n