How to secure your Redis

A murky day

In a certain day, you receive an email from your Virtual Private Server (VPS) Provider to inform you that your VPS has been compromised. It is certain that your VPS public network will be disabled by the provider. Your sites or apps absolutely cannot be accessed. That is such a bad day.

If your VPS has Redis installed and exposed a port to public network, you will sooner or later receive an email like mine above. You must keep in mind that Redis is designed to be accessed by trusted clients inside trusted environments. This means that usually it is not a good idea to expose the Redis instance directly to the internet or, in general, to an environment where untrusted clients can directly access the Redis TCP port or UNIX socket. In general, Redis is not optimized for maximum security but for maximum performance and simplicity. You can read more about Redis on its official website.

How to secure your Redis

I am writing 5 steps that can help your Redis be secure.

Step 1: Securing the server with iptables

In the step you have to setup a firewall on your server. You can go to this tutorial on digital ocean to know what need to do for a firewall setup.

Once your firewall is ready, you can allow any IPs that you trusted can access to the server so that this can connect to Redis.

Step 2: Binding to localhost

By default, Redis is only accessible from localhost. Make sure this line below exists on your redis configuration file.

$ vi /etc/redis/redis.conf

Make sure this line is uncommented (remove the # if it exists)

Step 3: Configuring a Redis password

Edit your redis configuration file again /etc/redis/redis.conf. Generate your secure password and add into the config under the SECURITY section.

Once your password is setup, you will use AUTH command to make the authentication.

Step 4: Renaming dangerous command

The other security feature built into Redis allows you to rename or completely disable certain commands that are considered dangerous.

Like the binding or setting password into config, disabling or renaming was done by editing your Redis config file under the SECURITY section.

Step 5: Setting data directory ownership and file permission

You can easily check the redis folder permission as typing the command below:

$ ls -l /var/lib | grep redis
drwxr-xr-x 3 redis    redis      4096 Nov 22 03:28 redis

That’s not is the folder’s permissions, which is 755. To ensure that only the Redis user has access to the folder and its contents, change the permission to 700:

$ chmod 700 /var/lib/redis

The other permission you should change is that of the Redis configuration file. By default, it has a file permission of 644 and is owned by root, with secondary ownership by the root group:

$ ls -l /etc/redis/redis.conf
-rw-r--r-- 1 root root 30176 Jan 14 2017 /ect/redis/redis.conf

That permission (644) is world-readable, which is not a good idea. We need to change the ownership and permissions:

$ chown redis:root /etc/redis/redis.conf
$ chmod 600 /etc/redis/redis.conf

Finally, to get your changes effected, you need to restart your Redis:

$ service redis-server restart

Conclusion

No matter which purposes that you are using Redis, always keep in mind Redis is for trusted clients in a trusted environment only. Check your current Redis and follow the above steps for a better secure server.

Last Saturday

“It is Friday”, I messaged to one of my best friend on Slack and also not forget to send him a funny Friday gif from Giphy. These days were very hot, you even get sweaty a lot when just going out at 8AM. Unlocking my phone, surfing new feeds on Facebook, I spontaneously remembered that tomorrow would be a very busy day of mine. In hurry, I set up the alarm at 5:15AM Saturday. “What a weekend!”, I let out a long sigh of depression.

I drove very fast to the center and had a quick parking. Getting out by small door in the end of the parking place, I saw my teacher waiting for me in his car. He is always sooner than me for any cases. It was 6:05 now, Saturday morning. We are going to the Training Court in Cu Chi. It would be a big sunny day certainly because the sky was very clear and inside the car I felt the heat surrounding me in that very early morning.

Time flied so fast, it was around 3 months from the first day of training for a B2 driving license. That Saturday was my full lesson review day for the examination on the week later. I had practiced every Saturday for 4 continuous weeks in District 2 for every parts of the final test. They are a driving on the straight road, a parking on the side road between 2 other cars (called parallel parking) and parking into U shape cage (called reverse parking) lesson. My teacher was very patient on me, he taught by his heart to transfer me the formula, rules and his special techniques as well on the most understandable way. One thing that he made me very impressive is while I was doing my practice he had a local woman cook for the lunch and he paid all for the meal. Without a doubt that he is not only a passionate teacher but also a true friend. The day seemed to be less hot than it would be in a particular way.

In my opinion, the attitude plays a very important role on studying the new things. For a driving license that is not an exception definitely. The better attitude that you have on study the better output respectively. I find myself have a very good attitude on this course. I did not miss any driving law classes and got most of practice days on time. I had a very great teacher. Moreover I have been learning by myself many driving techniques through the press, youtube and social media . I strongly believe that I will graduate the course very successfully. Yay!

This bird is very friendly at the training court

Bird’s response at driving training court

2 family meeting

It is an early morning day of Lunar August 2016 when the moon got its full size. In the village, children insist their parents for candles and cakes to celebrate their little party at night. “It is adorable” I thought silently. My mom was sweeping the fallen leaves in the yard then gave the house a quick clean. I was flying into the thinking of many things happily and nervously. “Binh, how did you prepare the dress?”, my grandma said out loud from the sub-house suddenly. I woke up and said back “I have a short sleeve shirt and a new pair of dress pants”. “This shirt is not formal at all, borrow the white long sleeve one from uncle Diem, stuck in then go”, said her. “Wait, let me iron it first”, my mom’s voice from the yard right after her words.

Dressed on with a little perfume, had on hairs a bit gels, I found myself pretty enough. “Bring the mooncakes from the room”, said mom. “Yes” I responded. This is two literally but the more meaningful thing than the number was “couple”. “From now and later on, ah…wedding candles, wine, and any kind of gifts must be in couple. Done? Go quickly, don’t waste time, 2 hours to get there, be faster”, said my grandma.

Me, mom, uncle Diem and his wife, 4 peoples were on 2 motorbikes head to her house. It is about 60 kilometers with a ferry. I felt the air is very comfortable, the river is more peaceful than everyday…but actually deep inside of me I can’t hide my anxiety. “She is waiting for me”, thought me.

Her family welcomed us more warmly than ever. “Today, I have aunt 3 help me on cooking, she is very glad to hear you visit us”, her mother said happily. There is a well-prepared table with tea and cookies. “Take a seat everyone”, said someone. They together sat on very lightly. In the meanwhile I went into the kitchen to help bring dishes onto the table. There was a lot of dish and drinks, all are well-cooked and well-decorated. We would have the party here. Occasionally I looked towards the table. They had a very long talk quietly and formally.

The meeting that I had been participated is more formal than I think. My mom told in worry that “She abruptly stopped her smiling, her eyes became less happy than ever when I gave her the card. Please can tell me why it was not wrapped into a red envelope? – asked her”. “I think this is written into very tough card with pink background, I think it is formal enough. Is it alright?”. “It is okay, no problem, I just wondered that because this is not like the one in my district”. This is a letter of engagement and wedding date. In the tradition of South Vietnamese, we have a pre-wedding meeting called “Đám dạm ngõ” to inform that two families will prepare for the engagement and wedding celebration as the date that given in the letter. And the couples also have official dating later on.

Anyway, the meeting ended very successfully. Kids was playing out there with candles and cakes. “The moon is brighter and more attractive than ever tonight”, I looked very passionately. That was such a very long night…

Google Apps domain API return “Client is unauthorized to retrieve access tokens using this method”

The code that you wrote to calling to google API worked perfectly before but one day it suddenly return the error like below:

{  "error": "unauthorized_client",  "error_description": "Client is unauthorized to retrieve access tokens using this method." }

This is because you might miss the authorization scopes in the Google Service Account that you are using for your application.

This issue would be fixed by doing the following instructions. These steps must be performed by an administrator of the Google Apps domain:

1. Go to your Google Apps domain’s Admin console.
2. Select Security from the list of controls. If you don’t see Security listed, select More controls from the gray bar at the bottom of the page, then select Security from the list of controls. If you can’t see the controls, make sure you’re signed in as an administrator for the domain.
3. Select Advanced settings from the list of options.
4. Select Manage third party OAuth Client access in the Authentication section.
5. In the Client name field enter the service account’s Client ID.
6. In the One or More API Scopes field enter the list of scopes that your application should be granted access to. For example, if your application needs domain-wide access to the Google Drive API and the Google Calendar API, enter: https://www.googleapis.com/auth/drive, https://www.googleapis.com/auth/calendar.
   The scopes are coma-delimited.
7. Click Authorize.

When you are done, you should see the Authorized API Clients