Install and Secure Redis Server on Debian 10
Redis also know as "Remote Dictionary Server" is an open-source and in-memory database that can be used as a database, cache and message broker. Redis supports various data structures, such as strings, hashes, lists, sets and many more. Redis is written in C programming language and works in most POSIX systems like Linux, Free BSD and OS X. Redis is and able to run thousands of commands per second. Redis comes with a rich set of features including, Replication, Automatic failover, Lua scripting, LRU eviction of keys, Transactions and many more.
In this tutorial, we will learn how to install and secure Redis on Debian 10 server.
Requirements
- A server running Debian 10.
- A root password is setup to your server.
Getting Started
Before starting, you will need to update your system with the latest version. You can do this by running the following command:
apt-get update -y
apt-get upgrade -y
Once your server is updated, restart your server to apply the changes.
Install Redis
By default, Redis is available in the Debian 10 repository. You can install it by just running the following command:
apt-get install redis-server -y
After installing Redis, start Redis service and enable it to start after system reboot with the following command:
systemctl start redis-server
systemctl enable redis-server
You can also verify the status of the Redis server with the following command:
systemctl status redis-server
You should get the following output:
? redis-server.service - Advanced key-value store Loaded: loaded (/lib/systemd/system/redis-server.service; enabled; vendor preset: enabled) Active: active (running) since Fri 2019-09-06 05:57:45 EDT; 4s ago Docs: http://redis.io/documentation, man:redis-server(1) Process: 2284 ExecStart=/usr/bin/redis-server /etc/redis/redis.conf (code=exited, status=0/SUCCESS) Main PID: 2285 (redis-server) Tasks: 4 (limit: 1138) Memory: 6.8M CGroup: /system.slice/redis-server.service ??2285 /usr/bin/redis-server 127.0.0.1:6379 Sep 06 05:57:45 debian systemd[1]: Starting Advanced key-value store... Sep 06 05:57:45 debian systemd[1]: redis-server.service: Can't open PID file /run/redis/redis-server.pid (yet?) after start: No such file or di Sep 06 05:57:45 debian systemd[1]: Started Advanced key-value store.
By default, Redis listening on the localhost on port 6379. You can check it with the following command:
ps -ef | grep redis
You should see the following output:
redis 2285 1 0 05:57 ? 00:00:00 /usr/bin/redis-server 127.0.0.1:6379 root 2294 706 0 05:59 pts/0 00:00:00 grep redis
Next, test the Redis connectivity with the following command:
redis-cli
You should see the following output:
127.0.0.1:6379>
Now, check the Redis connectivity with ping command:
127.0.0.1:6379> ping
If everything is fine, you should see the following output:
PONG
Once you have finished. You can proceed to the next step.
Configure Redis as a Cache
You can configure Redis as a Cache by editing the /etc/redis/redis.conf file:
nano /etc/redis/redis.conf
Add the following lines at the end of the file:
maxmemory 64mb maxmemory-policy allkeys-lru
When the max memory of 64mb is reached. Redis will remove any key as per the LRU algorithm. Save and close the file when you are finished. Then, restart the Redis service with the following command:
systemctl restart redis-server
Once you have finished. You can proceed to the next step.
Configure Redis Authentication
By default, you can run any command in Redis shell. So, it is recommended to configure Redis Authentication for clients to require a password before running any commands. You can configure password authentication directly in Redis's configuration file. To do so, open the file /etc/redis/redis.conf with your preferred editor:
nano /etc/redis/redis.conf
Under the SECURITY section find the following line:
# requirepass foobared
Uncomment and replace it with your desired password as shown below:
requirepass AlsW34%#df
Save and close the file when you are finished. Then, restart Redis service to apply the configuration changes:
systemctl restart redis-server
Now, access the Redis shell with the following command:
redis-cli
Now, run the following command without authenticating:
127.0.0.1:6379> INFO server
This will not work because you don't authenticate. You should get the following error:
NOAUTH Authentication required.
Next, run the following command to authenticates with the password specified in the Redis configuration file:
127.0.0.1:6379> AUTH AlsW34%#df
You should get the following output:
OK
Now, run the previous command again:
127.0.0.1:6379> INFO server
This will run successfully and you should see the following output:
# Server redis_version:5.0.3 redis_git_sha1:00000000 redis_git_dirty:0 redis_build_id:afa0decbb6de285f redis_mode:standalone os:Linux 4.19.0-5-amd64 x86_64 arch_bits:64 multiplexing_api:epoll atomicvar_api:atomic-builtin gcc_version:8.3.0 process_id:2308 run_id:2cf0470a9492deddf98bcc72fa9ec94e941edf6c tcp_port:6379 uptime_in_seconds:50 uptime_in_days:0 hz:10 configured_hz:10 lru_clock:7483371 executable:/usr/bin/redis-server config_file:/etc/redis/redis.conf
Once you have finished. You can proceed to the next step.
Rename Specific Commands
For security reason, it is recommended to rename certain commands that are considered dangerous.
Here we will rename "config" command. The config command is used to retrieve Redis password. Let's see with an example:
First, connect and authenticate Redis shell with the following command:
redis-cli
127.0.0.1:6379> AUTH AlsW34%#df
Next, retrieve the Redis password with the following command:
127.0.0.1:6379> config get requirepass
You should get the following output:
1) "requirepass" 2) "AlsW34%#df" 127.0.0.1:6379>
You can rename config command by editing /etc/redis/redis.conf file:
nano /etc/redis/redis.conf
Find the following line:
# rename-command CONFIG b840fc02d524045429941cc15f59e41cb7be6c52
Uncomment and replace with your desired string:
rename-command CONFIG H2sW_Config
Save and close the file. Then, restart Redis service with the following command:
systemctl restart redis-server
Next, connect and authenticate Redis shell with the following command:
redis-cli
127.0.0.1:6379> AUTH AlsW34%#df
Next, retrieve the Redis password with config command:
127.0.0.1:6379> config get requirepass
We renamed this command so you should get the following error:
(error) ERR unknown command `config`, with args beginning with: `get`, `requirepass`,
Now, run the renamed command as shown below:
127.0.0.1:6379> H2sW_Config get requirepass
You should get the following output:
1) "requirepass" 2) "AlsW34%#df"
Finally, exit from the Redis shell with the following command:
127.0.0.1:6379> exit
Conclusion
Congratulations! you have successfully installed and secured Redis server on Debian 10. I hope you have now enough knowledge to secure your Redis server with password authentication. Feel free to ask me if you have any queries.