How to Install and Secure Redis on CentOS


Many businesses now run on cloud servers because they make the business easier to handle and manage. Cloud hosting has become a trend across all business sectors and offers several advantages: you can access your files and data at any time and from any place over the internet, your data stays accessible and your systems stay online, and you get a pay-as-you-go option with flexible scalability and high availability.


If you are using a cloud server for your website and are looking for information on how to install and secure Redis on CentOS, here is the complete procedure. So what is Redis? Redis is an open-source, in-memory data structure store which excels at caching. It is known for its scalability, flexibility, support and performance. Redis was designed for use by trusted clients, so it has no robust security features of its own. It does, however, have a few basic security features, including an unencrypted password and command renaming and disabling.


Here is the information on how to install and secure Redis on a CentOS cloud server:


---->>> First you need to install Redis. Before that, add the Extra Packages for Enterprise Linux (EPEL) repository to your server's package lists. You can install EPEL using yum.


$     sudo yum install epel-release


>> Once the EPEL installation has finished you can install Redis, again using yum:


$    sudo yum install redis -y


>> Now you need to start the Redis service by using the below command


$    sudo systemctl start redis.service


>> If you want Redis to start on boot, enable it with the below command.


$    sudo systemctl enable redis


>> Now here you can check redis status by running the below command


$   sudo systemctl status redis.service


Output


● redis.service - Redis persistent key-value database

  Loaded: loaded (/usr/lib/systemd/system/redis.service; disabled; vendor preset: disabled)

 Drop-In: /etc/systemd/system/redis.service.d

          └─limit.conf

  Active: active (running) since Sun 2017-10-04 18:30:24 UTC; 7s ago

Main PID: 3962 (redis-server)

  CGroup: /system.slice/redis.service

          └─3962 /usr/bin/redis-server 130.10.4.2:6379


>> Once you have confirmed that Redis is indeed running, test the setup with the below command.


$     redis-cli ping


----->>> Once you are done with the installation, you need to bind Redis to an address and secure it with a firewall. To do this, open the Redis configuration file for editing.


$   sudo vi /etc/redis.conf


>>> Now you need to locate the line beginning with bind and make sure it’s uncommented:


                          /etc/redis.conf

bind 130.10.4.2


>> If you want to bind Redis to another IP address, we encourage you to bind it to your private IP address.


                         /etc/redis.conf

bind your_private_ip


>> Next, set up the firewall. To begin, add a dedicated Redis zone to your firewalld policy:


$    sudo firewall-cmd --permanent --new-zone=redis


>> Now specify which port you'd like to open. Redis uses port 6379 by default.


$    sudo firewall-cmd --permanent --zone=redis --add-port=6379/tcp


>> In the next step you need to specify any private IP addresses which should be allowed to pass through the firewall and access Redis


$    sudo firewall-cmd --permanent --zone=redis --add-source=client_server_private_IP


>> After running those commands, reload the firewall to implement the new rules.


$   sudo firewall-cmd --reload


>> If you have chosen to set up a firewall using iptables instead, you need to grant your secondary host access with the following commands


$    sudo iptables -A INPUT -i lo -j ACCEPT

$    sudo iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

$    sudo iptables -A INPUT -p tcp -s client_servers_private_IP/32 --dport 6379 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT

$    sudo iptables -P INPUT DROP


---->>>  Now you need to configure a Redis password. To do so, enable one of its built-in security features, which requires clients to authenticate before being allowed access to the database.


$   sudo vi /etc/redis.conf


>> Go to the SECURITY section and look for a commented directive that reads


                              /etc/redis.conf


# requirepass foobared


>> Now you need to create a password


$    echo "hostingraja" | sha256sum


>> After copying and pasting the output of that command as the new value for requirepass, it should read:


                                  /etc/redis.conf

requirepass password_copied_from_output


>> If you want a shorter password, you can instead use the below command


$    echo "hostingraja" | sha1sum


>> Now save and close the file, then restart Redis


$    sudo systemctl restart redis.service


>> To test that the password works, access the Redis command line with the below command


$   redis-cli


>> Then run the below command, before authenticating, to test whether the Redis password works.


130.10.4.2:6379>    set key1 10


>> That command will not work because you have not yet authenticated, and you will see the below error.


Output

(error) NOAUTH Authentication required.


>> Now use the below command to authenticate with the password specified in the Redis configuration file.


130.10.4.2:6379>   auth your_redis_password


>> Now in here Redis will acknowledge that you have been authenticated


                       Output

OK


>> After that, running the previous command again should be successful


130.10.4.2:6379>   set key1 10

     Output

OK


>> Now use the get key1 command to query Redis for the value of the new key


130.10.4.2:6379>    get key1

     Output

"10"


>> At last, you need to exit from redis-cli.


130.10.4.2:6379>    quit


---->>  Now you need to rename the dangerous commands. Some of the commands that are known to be dangerous include:


FLUSHDB

FLUSHALL

KEYS

PEXPIRE

DEL

CONFIG

SHUTDOWN

BGREWRITEAOF

BGSAVE

SAVE

SPOP

SREM

RENAME

DEBUG


>>  Now if you want to enable or disable Redis commands, open the configuration file for editing one more time


$    sudo vi  /etc/redis.conf


>> To disable or kill a command, just rename it to an empty string:


                      /etc/redis.conf


# It is also possible to completely kill a command by renaming it into

# an empty string:

#

rename-command FLUSHDB ""

rename-command FLUSHALL ""

rename-command DEBUG ""


>> To rename a command, give it another name


                          /etc/redis.conf


# rename-command CONFIG ""

rename-command SHUTDOWN SHUTDOWN_MENOT

rename-command CONFIG ASC12_CONFIG


>> Once the renames are done, save the changes, close the file and restart Redis


$    sudo systemctl restart redis.service


>> So now to test the new command, enter the Redis command line


$    redis-cli


>> Now in here you need to authenticate yourself using the password


auth your_redis_password


                       Output

OK


>> Assuming that you renamed the CONFIG command to ASC12_CONFIG, attempting to use the config command should fail.


130.10.4.2:6379>    config get requirepass


          Output

(error) ERR unknown command 'config'


>> Calling the renamed command should be successful


130.10.4.2:6379>    asc12_config get requirepass


        Output

1) "requirepass"

2) "your_redis_password"


>> Now you can exit from redis-cli


130.10.4.2:6379>     exit


>> Now, at last, you need to set data directory ownership and file permissions. You can verify the current settings by grep-ing for the Redis data directory in a long listing of its parent directory.


$    ls -l /var/lib | grep redis


                Output

drwxr-xr-x 2 redis   redis 4096 Aug 6 09:32 redis


>> To ensure that only the redis user and group have access to the folder, change the permissions setting to 770


$     sudo chmod 770 /var/lib/redis


>> You should also change the permissions on the Redis configuration file. First check its current settings


$     ls -l /etc/redis.conf


                 Output

-rw-r--r-- 1 root root 30176 Jan 14  2014 /etc/redis.conf


>> The configuration file contains the unencrypted password, so being readable by everyone is a security issue. Change its ownership to the redis user and group


$   sudo chown redis:redis /etc/redis.conf


>> Now change the permissions so that only the owner of the file can read and/or write to it, using the below command


$   sudo chmod 600 /etc/redis.conf


>> Now you can verify the new owner and its permissions


$ ls -l /etc/redis.conf


    Output

total 40

-rw------- 1 redis redis 29716 Ded 24 24:59 /etc/redis.conf


>> Now you need to restart Redis


$  sudo systemctl restart redis.service
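

The settings made in this guide (bind, requirepass, rename-command and the configuration file mode) can be checked in one pass. The script below is an added example and not part of the original guide; the function name audit_redis_conf, the MIN_PASS_LEN threshold of 32 and the choice of which commands must be renamed (taken from the rename-command examples above) are assumptions of this example.

```shell
#!/bin/sh
# Added example: check a redis.conf against the hardening steps in this guide.
MIN_PASS_LEN=32   # assumption: minimum acceptable requirepass length

# Prints one finding per line; returns 0 when the file passes, 1 otherwise.
audit_redis_conf() {
    conf=$1
    findings=$(
        awk -v min="$MIN_PASS_LEN" '
            /^[ \t]*#/ || /^[ \t]*$/ { next }    # skip comments and blank lines
            { key = tolower($1) }
            key == "bind" {
                bound = 1
                for (i = 2; i <= NF; i++)
                    if ($i == "0.0.0.0" || $i == "::" || $i == "*")
                        print "bind: listens on all interfaces (" $i ")"
            }
            key == "requirepass" {
                pass = 1
                if ($2 == "foobared") print "requirepass: still the sample value foobared"
                else if (length($2) < min) print "requirepass: shorter than " min " characters"
            }
            key == "rename-command" {
                cmd = toupper($2)
                # A second rename of the same command fails when Redis loads the file.
                if (cmd in seen) print "rename-command: " cmd " is renamed more than once"
                seen[cmd] = 1
            }
            END {
                if (!bound) print "bind: no active bind directive"
                if (!pass)  print "requirepass: not set"
                n = split("FLUSHDB FLUSHALL DEBUG CONFIG SHUTDOWN", must, " ")
                for (i = 1; i <= n; i++)
                    if (!(must[i] in seen)) print "rename-command: " must[i] " is neither renamed nor disabled"
            }' "$conf"
        # The file holds the password in clear text, so expect owner-only access.
        case $(stat -c '%a' "$conf") in
            (*00) ;;
            (*) echo "file mode: group or others can access $conf" ;;
        esac
    )
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

if [ "$#" -gt 0 ]; then audit_redis_conf "$1"; fi   # usage: sh audit.sh /etc/redis.conf
```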