Redis is a popular open-source store for data structures. It’s also widely used in the developer community, thanks to an array of useful features, including Lua scripting, LRU eviction, and reliable disk persistence.
While it’s high-performing and useful, you’ll need to take extra manual steps to bring its security up to par.
Below, we’ll go into some vital Redis security info and explore how you can secure your Redis deployment and protect your cloud database from threats.
Redis Security Info You Need to Know
- As the Redis website itself says: “Redis is designed to be accessed by trusted clients inside trusted environments. This means that usually, it is not a good idea to expose the Redis instance directly to the internet or, in general, to an environment where untrusted clients can directly access the Redis TCP port or UNIX socket.”
- As noted on the website, “Redis does not try to implement Access Control, but it does provide a small layer of authentication that is optionally turned on by editing the conf file.” (more on this later).
- As the Redis website also notes, “Redis does not support encryption.”
Despite the above facts, in April 2020 Trendmicro reported that it had discovered “8,000 Redis instances that are running unsecured in different parts of the world, even ones deployed in public clouds”. This is of great concern, especially given that Redis instances are known targets of hackers. In 2016, for example, fake ransomware targeted 18,000 unsecured Redis instances on hacked Linux servers. Another report claimed that 75% of Redis servers are infected with malware—probably because they are being exposed to the internet.
Why is it Important to Safeguard Your Redis Deployment?
Redis is now used as a standard in many businesses. Unfortunately, while adoption of the technology is high, attention to security is low. Security is easy to overlook since Redis instances seem low-profile in nature, but any security risk—no matter how small—has the potential to snowball into a serious and costly problem.
For instance, a hacker can use a FLUSHALL command to delete your entire data set. When exposed to the internet (including IoT devices), cybercriminals can also use Redis servers to launch attacks. These include malicious file uploads, SQL injections, and remote code execution, to name a few. Meanwhile, private SSH keys can be used by hackers to access servers and other sensitive information. If your business is subject to a security breach, that not only puts your activities at risk—it could also lead to litigation and fines. With all that said, how then can you protect your Redis installation from hackers?
6 Ways to Secure Your Redis Installation
1. Employ Cloud Service Provider Encryption Features When Possible
To increase data security, it’s imperative that you take advantage of the tools at hand. Cloud Service Provider Amazon provides in-transit and at-rest encryption features for data on clusters in Amazon ElastiCache for Redis. According to the Amazon ElastiCache for Redis User Guide:
In-transit encryption implements the following features:
- Encrypted connections—both the server and client connections are Secure Socket Layer (SSL) encrypted.
- Encrypted replication—data moving between a primary node and replica nodes is encrypted.
- Server authentication—clients can authenticate that they are connecting to the right server.
- Client authentication—using the Redis AUTH feature, the server can authenticate the clients.
At-rest encryption encrypts on-disk data. When enabled on a replication group, it encrypts the following aspects:
- Disk during sync, backup and swap operations
- Backups stored in Amazon S3
ElastiCache for Redis offers default (service managed) encryption at rest, as well as ability to use your own symmetric customer managed customer master keys in AWS Key Management Service (KMS).
A full list of conditions and steps to take to enable encryption are listed in Amazon’s User Guide.
2. Utilize iptables
Setting up a firewall can stop unauthorized access to your Redis service. iptables is a flexible firewall utility built for Linux operating systems. By default, Redis accepts connections via port 6379. To maximize security, you can update iptables to only accept connections from verified IP addresses. Here’s what your code should look like:
iptables -A INPUT -s x.x.x.x -p tcp --dport 6379 -j ACCEPT
(where, x.x.x.x is the authorized ip address)
Redis has low security on its own, so it’s important to set up a firewall. Setting up a proper firewall configuration will prevent any unauthorized incoming traffic.
3. Rename Critical Commands
Some commands are considered dangerous and could be run by mistake or by an unauthorized user. Redis gives you the opportunity to rename and reconfigure commands in the ‘security’ section of the /etc/redis/redis.conf file.
According to digitalocean.com, Redis commands considered dangerous include: FLUSHDB, FLUSHALL, KEYS, PEXPIRE, DEL, CONFIG, SHUTDOWN, BGREWRITEAOF, BGSAVE, SAVE, SPOP, SREM, RENAME, and DEBUG.
If you have other commands that have the potential to be abused, then rename them at your discretion. You can enable or disable commands in the configuration file. Like passwords, your new name should be easy for you to remember, but difficult for others to work out. Below is an example of a renamed CONFIG command.
4. Do Not Expose To or Allow Public Traffic
Redis is really only designed to be accessed by trusted clients. This means it’s not a great idea to expose it to the internet, non-trusted environments, or to an environment where non-trusted clients can access the Redis TCP port or UNIX socket. Untrusted access should pass through a layer implementing ACLs, which can confirm the user’s input and choose how to defend Redis given the available information if required.
5. Combine Passwords with Authentication
Combining passwords with authentication means that if the firewall or other security system fails, there’s an extra layer of security in place to protect the system from external attackers.
To configure a Redis password, head to the config file (/etc/redis/redis.conf). Once there, go to the security section and find a commented directive that reads #requirepass. Uncomment it (remove the hashtag) and edit the word after it to make it into a strong password. Once this is activated, Redis will reject any query from unauthenticated clients.
The Redis password is then stored in the redis.conf file, which means it will automatically be remembered—the systems administrator can make it as long and complex as they want.
It’s worth noting that the password will still be vulnerable to brute force attacks. Therefore, as a form of security, this should always be combined with other authentication methods.
6. Manage User Permissions
It's essential to make sure that only users with the right permissions can access Redis and read the data.
For example, by default, the Redis data directory is owned by the redis user with the redis group having secondary access.
To make it extra secure, ensure that only the redis user has access to the data directory folder and its contents. You can do this by using the chmod command and changing the folder’s permission to 700.
$ sudo chmod 700 /var/lib/redis
How SecureCloudDB Helps Enterprises Secure Their Redis Installations
As with all cloud programs, responsibility is shared when it comes to keeping them secure: the cloud infrastructure is secured by cloud providers, while the data, applications, and OS are secured by the user.
Continually improving your approach to cloud database security should always be a priority. As one of the leading tools for database security, SecureCloudDB can help with this objective.
For AWS public cloud users, ElastiCache for Redis encryption is optional. SecureCloudDB helps database administrators ensure data at rest and in transit is encrypted through it’s Encryption Status Report and security rules that can be run against all of an organization's public cloud databases.
SecureCloudDB’s Encryption Status Report provides an overview of whether ElastiCache data is encrypted as well as what the encryption status is by CMS with KMS.
The Security Rules Inventory provides detail on whether accounts are in violation and if so, which ones and how to fix them. Additional detail such as source code is also available.
SecureCloudDB is compatible with a range of cloud services—including AWS RDS, Elasticsearch, and PostgreSQL—and tests for vulnerabilities with safe, non-invasive methods in addition to providing database activity monitoring and alerting.