How to secure your Redis

A murky day

One day, you receive an email from your Virtual Private Server (VPS) provider informing you that your VPS has been compromised. The provider will then disable your VPS's public network, and your sites or apps cannot be reached at all. That is such a bad day.

If your VPS has Redis installed with its port exposed to the public network, you will sooner or later receive an email like mine above. Keep in mind that Redis is designed to be accessed by trusted clients inside trusted environments. This means that it is usually not a good idea to expose the Redis instance directly to the internet or, in general, to any environment where untrusted clients can directly reach the Redis TCP port or UNIX socket. Redis is not optimized for maximum security but for maximum performance and simplicity. You can read more about this on the official Redis website.

How to secure your Redis

Here are 5 steps that help make your Redis secure.

Step 1: Securing the server with iptables

In this step you set up a firewall on your server. The DigitalOcean tutorial on firewall setup explains what you need to do.

Once your firewall is ready, allow only the IPs you trust to reach the server, so that only they can connect to Redis.

Step 2: Binding to localhost

By default, Redis is only accessible from localhost. Make sure the localhost bind line is present in your Redis configuration file.

$ vi /etc/redis/redis.conf

Make sure that line is uncommented (remove the leading # if it is there).

Step 3: Configuring a Redis password

Edit your Redis configuration file /etc/redis/redis.conf again. Generate a strong password and add it to the config under the SECURITY section.

Once the password is set, clients must authenticate with the AUTH command before running other commands.

Step 4: Renaming dangerous commands

Another security feature built into Redis lets you rename or completely disable certain commands that are considered dangerous.

As with binding and the password, disabling or renaming commands is done by editing the Redis config file under the SECURITY section.

Step 5: Setting data directory ownership and file permissions

You can check the permissions of the Redis data folder with the command below:

$ ls -l /var/lib | grep redis
drwxr-xr-x 3 redis    redis      4096 Nov 22 03:28 redis

Note the folder's permissions, which are 755. To ensure that only the Redis user has access to the folder and its contents, change the permissions to 700:

$ chmod 700 /var/lib/redis

The other permissions you should change are those of the Redis configuration file. By default it has file mode 644 and is owned by root, with root as the group owner:

$ ls -l /etc/redis/redis.conf
-rw-r--r-- 1 root root 30176 Jan 14 2017 /etc/redis/redis.conf

That mode (644) makes the file world-readable, which is not a good idea now that it contains the password. Change the ownership and permissions:

$ chown redis:root /etc/redis/redis.conf
$ chmod 600 /etc/redis/redis.conf

Finally, restart Redis for the changes to take effect:

$ service redis-server restart
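
As an added example (not part of the original post), the shell audit below checks a redis.conf against Steps 2 to 5: a bind line limited to loopback, a non-empty requirepass, rename-command entries for a few dangerous commands, and a 600 file mode. The two sample configs it writes are constructed for the demonstration, and FLUSHALL, FLUSHDB and CONFIG are my own choice of commands to treat as dangerous.

```shell
audit_redis_conf() {
    conf="$1"; findings=0
    # Step 2: the last uncommented bind line wins; every address on it must be loopback
    bind_line=$(grep -E '^[[:space:]]*bind[[:space:]]' "$conf" | tail -n 1)
    if [ -z "$bind_line" ]; then
        echo "FAIL: no uncommented bind line (without it Redis listens on all interfaces)"
        findings=$((findings + 1))
    else
        set -- $bind_line; shift   # drop the 'bind' keyword, keep the addresses
        for addr in "$@"; do
            case "$addr" in
                127.0.0.1|::1|-::1) ;;
                *) echo "FAIL: bind includes non-loopback address $addr"; findings=$((findings + 1)) ;;
            esac
        done
    fi
    # Step 3: requirepass must be present, uncommented and non-empty
    if ! grep -Eq '^[[:space:]]*requirepass[[:space:]]+[^[:space:]]+' "$conf"; then
        echo "FAIL: requirepass is not set"; findings=$((findings + 1))
    fi
    # Step 4: each dangerous command should be renamed (rename-command X Y) or disabled (rename-command X "")
    for cmd in FLUSHALL FLUSHDB CONFIG; do
        if ! grep -Eiq "^[[:space:]]*rename-command[[:space:]]+$cmd[[:space:]]" "$conf"; then
            echo "WARN: $cmd is neither renamed nor disabled"; findings=$((findings + 1))
        fi
    done
    # Step 5: the file holds the password, so it must not be group- or world-readable
    mode=$(stat -c '%a' "$conf" 2>/dev/null || stat -f '%Lp' "$conf")
    case "$mode" in
        600|400) ;;
        *) echo "FAIL: $conf has mode $mode, expected 600"; findings=$((findings + 1)) ;;
    esac
    echo "findings: $findings"
}

# Constructed samples: a default-like config, and one after the steps above (placeholder secrets)
write_samples() {
    dir="$1"
    printf '%s\n' 'bind 0.0.0.0' '# requirepass foobared' > "$dir/weak.conf"
    chmod 644 "$dir/weak.conf"
    printf '%s\n' 'bind 127.0.0.1 ::1' 'requirepass REPLACE_WITH_LONG_RANDOM_SECRET' \
        'rename-command FLUSHALL ""' 'rename-command FLUSHDB ""' \
        'rename-command CONFIG cfg_REPLACE_WITH_RANDOM_SUFFIX' > "$dir/hardened.conf"
    chmod 600 "$dir/hardened.conf"
}

# Usage: write_samples /tmp/redis-audit && audit_redis_conf /tmp/redis-audit/weak.conf
```

Point audit_redis_conf at your real /etc/redis/redis.conf to see which steps are still open; the weak sample reports six findings and the hardened one none.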

Conclusion

Whatever you use Redis for, always keep in mind that Redis is meant for trusted clients in a trusted environment only. Review your current Redis setup and follow the steps above for a more secure server.
