For Debian-based systems, run the following commands:
user@localhost: ~ sudo apt update
Optional:
user@localhost: ~ sudo apt upgrade
user@localhost: ~ sudo apt install redis-server
For RedHat-based systems, you can enable the Remi repository and run the following commands:
user@localhost: ~ sudo yum install epel-release yum-utils
user@localhost: ~ sudo yum install http://rpms.remirepo.net/enterprise/remi-release-7.rpm
user@localhost: ~ sudo yum-config-manager --enable remi
user@localhost: ~ sudo yum install redis
user@localhost: ~ sudo systemctl start redis
user@localhost: ~ sudo systemctl enable redis
Check that Redis is listening:
netstat -plant | grep -i redis
tcp 0 0 127.0.0.1:6379 0.0.0.0:* LISTEN 1035/redis-server 1
If all goes well, Redis is listening on port 6379.
Security settings
Run redis-server only on localhost
In some Linux distributions, Redis accepts requests on all interfaces after installation. This is unacceptable from a security standpoint, because Redis access is not password protected by default.
Therefore, check that the file /etc/redis/redis.conf contains the following line:
bind 127.0.0.1
If it does not, add it.
Next, if you added the line, restart Redis:
user@localhost: ~ sudo systemctl restart redis-server
– Set a password for access to redis-server
By default, anyone can connect to Redis without a password, for example:
redis-cli info | grep redis_version
Therefore, create a password of 32 characters:
user@localhost: ~ openssl rand -base64 32
The console prints something like IoUwOKmsDuHXvqj9FVVz1TEx9+VX0B1OG9r7sjAeuJY=
Then add the following line to /etc/redis/redis.conf:
requirepass IoUwOKmsDuHXvqj9FVVz1TEx9+VX0B1OG9r7sjAeuJY=
Next, if you added the line, restart Redis:
user@localhost: ~ sudo systemctl restart redis-server
Now when you try to run:
user@localhost: ~ redis-cli info | grep redis_version
if everything is configured correctly, anonymous access is denied and we will not see any information.
You now need to connect like this:
redis-cli
127.0.0.1:6379> info
NOAUTH Authentication required.
127.0.0.1:6379> AUTH IoUwOKmsDuHXvqj9FVVz1TEx9+VX0B1OG9r7sjAeuJY=
OK
127.0.0.1:6379> info
# Server
redis_version:2.8.17
redis_git_sha1:00000000
redis_git_dirty:0
redis_build_id:4c1d5710660b9479
redis_mode:standalone
os:Linux 3.16.0-4-amd64 x86_64
....
127.0.0.1:6379> quit
ATTENTION! When you run redis-cli and enter commands in it, including AUTH with a password, the history of these commands is saved in the file ~/.rediscli_history. If an attacker gains access to it, they will be able to learn the password.
Of course, ~/.rediscli_history is only available to the current user, such as root, and no one else will read it, but it’s better to know. The password is also stored in the file /etc/redis/redis.conf, and by default this file is readable by all users of the server, which is completely wrong; we will fix it below.
– Rename and disable important commands
The following Redis commands are dangerous: FLUSHDB, FLUSHALL, KEYS, PEXPIRE, DEL, CONFIG, SHUTDOWN, BGREWRITEAOF, BGSAVE, SAVE, SPOP, SREM, RENAME and DEBUG.
To rename or disable them, add the following lines to the file /etc/redis/redis.conf:
rename-command FLUSHDB ""
rename-command FLUSHALL ""
rename-command DEBUG ""
rename-command SHUTDOWN SHUTDOWN_SECRETCMD
rename-command CONFIG CONFIG_SECRETCMD
Next, if you added the lines, restart Redis:
user@localhost: ~ sudo systemctl restart redis-server
– Change the permissions on the database directory and the configuration file
Look at the default permissions on the database directory:
ls -ld /var/lib/redis
drwxr-xr-x 2 redis redis 4096 Sep 9 10:14 redis
Change them:
chmod 700 /var/lib/redis
Look at the default permissions on the configuration file:
ls -l /etc/redis/redis.conf
-rw-r--r-- 1 root root 33004 Sep 9 10:15 /etc/redis/redis.conf
Change them:
chown redis:root /etc/redis/redis.conf
chmod 600 /etc/redis/redis.conf
Next, when all of this is done, restart Redis:
user@localhost: ~ sudo systemctl restart redis-server
This completes the basic Redis setup.
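The checks from this guide collected into one audit script, as an added example that is not part of the original article. The function names (conf_value, mode_of, bad, audit_redis_conf) and the sample config are constructed for illustration; the script only reads the file and reports which of the settings above are still missing.

```shell
#!/bin/sh
# Added example (not from the original page): audit a redis.conf for the
# settings recommended above. Return status = number of findings.

# Last value of a directive; commented-out lines never match.
conf_value() {  # $1 = file, $2 = directive name in lower case
    awk -v d="$2" 'tolower($1) == d { $1 = ""; sub(/^ +/, ""); v = $0 }
                   END { print v }' "$1"
}

# Octal permission bits of a path (GNU stat, then BSD stat as fallback).
mode_of() { stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"; }

bad() { echo "FAIL: $*"; fails=$((fails + 1)); }

audit_redis_conf() {  # $1 = config file, $2 = optional data directory
    conf=$1; datadir=${2:-}; fails=0

    # Every address on the bind line must be loopback.
    bind=$(conf_value "$conf" bind)
    [ -n "$bind" ] || bad "no bind directive"
    for addr in $bind; do
        case $addr in
            127.*|::1|-::1) ;;
            *) bad "bind exposes non-loopback address $addr" ;;
        esac
    done

    # requirepass must be set; 32 characters is the length the page asks for.
    pass=$(conf_value "$conf" requirepass)
    [ "${#pass}" -ge 32 ] || bad "requirepass missing or shorter than 32 characters"

    # Commands the page renames or disables.
    for cmd in FLUSHDB FLUSHALL DEBUG SHUTDOWN CONFIG; do
        grep -Eiq "^[[:space:]]*rename-command[[:space:]]+${cmd}[[:space:]]" "$conf" ||
            bad "$cmd is not renamed or disabled"
    done

    # Permissions from the last step: 600 on the file, 700 on the directory.
    [ "$(mode_of "$conf")" = 600 ] || bad "$conf mode is not 600"
    [ -z "$datadir" ] || [ "$(mode_of "$datadir")" = 700 ] || bad "$datadir mode is not 700"
    return "$fails"
}

# Constructed sample config that still has most of the weaknesses.
sample=$(mktemp)
printf '%s\n' 'bind 0.0.0.0' 'rename-command FLUSHDB ""' > "$sample"
audit_redis_conf "$sample" || echo "$? finding(s)"
rm -f "$sample"
```

On a real host, run it as root (the configuration file is mode 600 after the last step): audit_redis_conf /etc/redis/redis.conf /var/lib/redis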