Securing the Redis server
Hello good people! This article focuses on securing the Redis server. You have probably heard of Redis; for those who haven't, it is an in-memory key-value database. Redis's popularity comes from the fact that it is designed to serve both as a data store and as a cache: in simple words, it is built for systems where data is written and read very rapidly. Redis also has a clustering feature, which makes it scalable and a good fit for high-traffic applications. All of these features have attracted developers around the world to use Redis in their applications. With the growth in Redis usage there have been numerous reports of successful attacks on these systems, leaving their data and integrity in a vulnerable position.
Before we begin …
Before we begin I would like to point out a few things:
- Redis does not encrypt your data.
- Redis assumes it is accessed only by a trusted group of users.
Given this, it is clear that configuring Redis needs attention.
Redis has an authentication layer which can be configured from the redis.conf file. By default this layer is inactive. Remember that Redis is designed to be used only by trusted users, so you may not need to add authentication in every case. For example, if your Redis server sits in a private network and is accessed only by other computers on that same network, you may skip authentication. A solid use case for this is when your Redis server is in a VPC and is accessed only by EC2 instances in the same VPC. However, you should use authentication if your Redis server is exposed to the internet.
Redis 3.2.0 comes with protected mode. When protected mode is active, Redis only accepts connections on the loopback address, so clients on other addresses cannot access the instance.
Change CONFIG command
The next important aspect of Redis security is changing the Redis CONFIG command. I think this part is mandatory in every Redis setup. The CONFIG command lets you change the running Redis server without altering the redis.conf file. If the user Redis runs as has root permissions, an attacker can even inject cron files or add keys for SSH authentication on your server. Details on this can be found here. The CONFIG command can also be tricky because it is not recorded by the MONITOR command. If you don't know the MONITOR command, it is a command that shows all the commands being executed in Redis. MONITOR does not show the CONFIG command for security reasons, so if your server is attacked by exploiting the CONFIG command, you may find yourself in trouble finding the root cause of the problem. The best way to avoid this is to rename the CONFIG command to a random string, i.e. change the word CONFIG to something random like EE##$$5ttC. This reduces the chance of an attacker abusing the CONFIG command, since it has been renamed to something random. You can do that with the following directive:
rename-command CONFIG EE##$$5ttC
Alternatively, you can rename the CONFIG command by adding the same line to the end of your redis.conf file.
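A quick audit of the settings covered above (authentication, loopback binding, protected mode and the renamed CONFIG command), as an added example that is not part of the original post: a POSIX shell script that reads a redis.conf and flags a missing requirepass, a non-loopback bind, protected-mode turned off, and a CONFIG command that has not been renamed. The sample configurations it generates are constructed, and the function names and file paths are my own.

```shell
#!/bin/sh
# Audit a redis.conf for the hardening points above: requirepass, loopback
# bind, protected-mode, and a renamed CONFIG command. Added example, not
# code from the original post; the sample configs are constructed. Redis
# applies the last occurrence of a directive, so each check reads the last
# active (non-comment) line for that directive.
# last_value FILE DIRECTIVE: value of the last active occurrence, or empty.
last_value() {
    awk -v d="$2" 'tolower($1)==d { $1=""; sub(/^ +/, ""); v=$0 } END { print v }' "$1"
}

warn() { echo "WARN: $*" >&2; findings=$((findings + 1)); }

# Prints the number of findings on stdout; details go to stderr.
audit_redis_conf() {
    findings=0
    pass=$(last_value "$1" requirepass)
    [ -n "$pass" ] && [ "$pass" != '""' ] || warn "no requirepass (authentication layer inactive)"

    bind=$(last_value "$1" bind)
    if [ -z "$bind" ]; then
        warn "no bind directive (listens on all interfaces)"
    else
        for addr in $bind; do
            case "$addr" in 127.0.0.1|::1|-::1) ;; *) warn "bind includes non-loopback $addr" ;; esac
        done
    fi

    [ "$(last_value "$1" protected-mode)" != "no" ] || warn "protected-mode is disabled"

    newname=$(awk 'tolower($1)=="rename-command" && toupper($2)=="CONFIG" { v=$3 } END { print v }' "$1")
    [ -n "$newname" ] && [ "$newname" != '""' ] || warn "CONFIG command not renamed"
    echo "$findings"
}

# Constructed sample configs for trying the audit: $1 = weak|hardened, $2 = path.
write_sample_conf() {
    if [ "$1" = "weak" ]; then
        printf '%s\n' 'bind 0.0.0.0' 'protected-mode no' '# requirepass foo' > "$2"
    else
        printf '%s\n' 'bind 127.0.0.1' 'protected-mode yes' \
            'requirepass CHANGE-ME-long-random-secret' 'rename-command CONFIG EE##$$5ttC' > "$2"
    fi
}

# Usage: sh audit.sh /path/to/redis.conf  (defaults to the constructed weak sample)
target="${1:-}"
[ -n "$target" ] || { target=$(mktemp); write_sample_conf weak "$target"; }
echo "findings: $(audit_redis_conf "$target")"
```

Commented-out directives are ignored, exactly as Redis ignores them, so a `# requirepass` line left in the default file does not count as authentication.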
After implementing these features your Redis server will be much more secure. I have avoided one topic, and that is NoSQL injection. Redis can execute Lua scripts via the EVAL and EVALSHA commands; it is very unlikely that you allow an untrusted source to insert these scripts, so I am not willing to go much further on this topic.