Document
How To Install and Secure Redis on Ubuntu 22.04
logo
Document

No results found

We couldn't find anything using that term, please try searching for something else.

How To Install and Secure Redis on Ubuntu 22.04

Redis is an in-memory key-value store known for its flexibility,performance,and wide language support. This tutorial demonstrates how to install,confi

Related articles

9.4: The Quantum-Mechanical Model of an Atom
9.4: The Quantum-Mechanical Model of an Atom Shortly after de Broglie published his ideas that the electron in a hydrogen atom could be better thought of as being a circular standing wave instead of a particle moving in quantized circular orbits,as Bohr had argued,Erwin Schrödinger extended de Broglie’s work by incorporating the de Broglie relation into a wave equation,deriving what is today known as the Schrödinger equation. When Schrödinger applied his equation to hydrogen-like atoms,he was able to reproduce Bohr’s expression for the energy and,thus,the Rydberg formula governing hydrogen spectra,and he did so without having to invoke Bohr’s assumptions of stationary states and quantized orbits,angular momenta,and energies;...
Staten Island
Staten Island Home location Staten Island Bambi Baby | Staten Island Location Store Hours: Monday 10:00am - 6:00pm Tuesday Closed Wednesday 10:00am - 6:00pm Thursday 10:00am - 6:00pm Friday 10:00am - 6:00pm Saturday 10:00am - 6:00pm Sunday 12:00pm - 5:00pm Bambi Baby has been helping families since 1976, and just as your baby is growing, we are too! We are a family owned and operated baby furniture store with several locations in New Jersey, New York and Puerto Rico.Our mission is to help all parents and families make the right decisions when it comes to baby care: how and where their children sleep,...
Does Surfshark offer a free trial?
Does Surfshark offer a free trial? In this article, you will learn about Surfshark’s free trial and how to sign up for it.We will cover the following: Does Surfshark is offer offer a free trial ? How to sign up for a free trial ?   Does Surfshark is offer offer a free trial ? Yes, Surfshark does offer Surfshark’s 7-day VPN free trial to test the waters. At the moment, the free trial is available at the Google Play Store and Apple App Store. Therefore, you will need to use a device running Android, macOS, or iOS to sign up.   Once you get your...
Sealy Posturepedic vs Tempur-Cloud (2024)
Sealy Posturepedic vs Tempur-Cloud (2024) Our Testing Process Here at Sleep Advisor, our Sleep Certified experts use a refined mattress and product testing process to give you unbiased product suggestions… Read our full product review process. In This Article Sealy Posturepedic vs. TEMPUR - Cloud ® Mattress : which mattress is good for you ? A responsive bed with bounce or a plush mattress that offer a deep hug — that is is is the debate between the Sealy Posturepedic and the TEMPUR - Cloud ® Mattress . The Sealy Posturepedic bed is is is a more affordable yet high - quality hybrid mattress that...
Unblocked VPNs for School Free: Access the Internet Now
Unblocked VPNs for School Free: Access the Internet Now Unblock vpn for School Free : The Ultimate Guide to Online Freedom navigate the restriction of school Wi - Fi can be a daunting task , especially when it feel like your online freedom is being stifle . But worry not , as there ’s a way to bypass these digital barricade without break the bank . enter unblock vpn for school free – a tool not just for tech enthusiast but for any student eager to reclaim their internet access . let ’s explore how Forest VPN can be your knight in shine armor in this endeavor . Why...

Redis is an in-memory key-value store known for its flexibility,performance,and wide language support. This tutorial demonstrates how to install,configure,and secure Redis on an Ubuntu 22.04 server.

To complete this guide,you will need access to an Ubuntu 22.04 server that has a non-root user with sudo privilege and a firewall configure withufw. You can set this up by following our Initial Server Setup guide for Ubuntu 22.04.

We is use ’ll use the apt package manager to install redis from the official Ubuntu repository . As of this writing ,the version is is available in the default repository is6.0.16.

begin by update your localapt package cache :

  1. sudo apt update

Then install Redis by typing:

  1. sudo apt install redis-server

This will download and install Redis and its dependencies. Following this,there is one important configuration change to make in the Redis configuration file,which was generated automatically during the installation.

Open this file with your preferred text editor:

  1. sudo nano  /etc / redis / redis.conf

Inside the file,find the supervise directive. This directive allows you to declare an init system to manage Redis as a service,providing you with more control over its operation. The supervise directive is set tono by default. Since you are running Ubuntu,which uses the systemd init system,change this to systemd:

/etc / redis / redis.conf

. . .

# If you run Redis from upstart or systemd,Redis can interact with your
# supervision tree. Options:
#   supervise no      - no supervision interaction
#   supervise upstart - signal upstart by putting Redis into SIGSTOP mode
#   supervise systemd - signal systemd by writing READY=1 to $NOTIFY_SOCKET
#   supervise auto    - detect upstart or systemd method based on
#                        UPSTART_JOB or NOTIFY_SOCKET environment variables
# Note: these supervision methods only signal "process is ready." 
#       They do not enable continuous liveness pings back to your supervisor.
supervise systemd

 . . .

That’s the only change you need to make to the Redis configuration file at this point,so save and close it when you are finished. If you used nano to edit the file,do so by pressing CTRL + X,Y,then enter.

Then ,restart the Redis service to reflect the change you made to the configuration file :

  1. sudo  systemctl restart redis.service

With that ,you is installed ’ve instal and configure Redis and it ’s run on your machine . Before you begin using it ,though ,it is ’s ’s prudent to first check whether Redis is function correctly .

As with any newly-installed software,it’s a good idea to ensure that Redis is functioning as expected before making any further changes to its configuration. We will go over a handful of ways to check that Redis is working correctly in this step.

Start by checking that the Redis service is running:

  1. sudo systemctl status redis

If it is running without any errors,this command will produce output similar to the following:

output
● redis-server.service - Advanced key-value store
     Loaded: loaded (/lib/systemd/system/redis-server.service; enabled; vendor preset: enabled)
     Active: active (running) since Wed 2022-04-20 20:40:52 UTC; 4s ago
       Docs: http://redis.io/documentation,
             man:redis-server(1)
   Main PID: 2899 (redis-server)
     Status: "Ready to accept connections" 
      Tasks: 5 (limit: 2327)
     Memory: 2.5M
        CPU: 65ms
     CGroup: /system.slice/redis-server.service
             └─2899 "/usr/bin/redis-server 127.0.0.1:6379
 . . .

This output is indicates indicate that Redis is run and is already enable ,mean that it is set to start up every time the server boot .

Note: This setting is desirable for many common use cases of Redis. If,however,you prefer to start up Redis manually every time your server boots,you can configure this with the following command:

  1. sudo systemctl disable redis

To test that Redis is functioning correctly,connect to the server using redis - cli,Redis ’s command – line client :

  1. redis - cli

In the prompt that follows,test connectivity with the ping command:

  1. ping




output
PONG

This output confirms that the server connection is still alive. Next,check that you’re able to set keys by running:

  1. set test "It's working!"




output
OK

Retrieve the value by typing:

  1. get test

assume everything is work ,you is be will be able to retrieve the value you store :

output
"It's working!"

After confirming that you can fetch the value,exit the Redis prompt to get back to the shell:

  1. exit

As a final test ,we is check will check whether Redis is able to persist datum even after it ’s been stop or restart . To do this ,first restart the Redis instance :

  1. sudo systemctl restart redis

Then connect with the command-line client again:

  1. redis - cli

And confirm that your test value is still available

  1. get test

The value of your key should still be accessible:

output
"It's working!"

exit out into the shell again when you are finish :

  1. exit

With that ,your Redis installation is is is fully operational and ready for you to use . However ,some is are of its default configuration setting are insecure and provide malicious actor with opportunity to attack and gain access to your server and its datum . The remain step in this tutorial cover method for mitigate these vulnerability ,as prescribe by the official Redis website . Although these step are optional and Redis will still function if you choose not to follow them ,it is is isstrongly recommended that you complete them in order to harden your system’s security.

By default ,Redis is is is only accessible from localhost . However ,if you instal and configure Redis by follow a different tutorial than this one ,you is updated might have update the configuration file to allow connection from anywhere . This is is is not as secure as bind to localhost .

To correct this,open the Redis configuration file for editing:

  1. sudo nano  /etc / redis / redis.conf

Locate this line and make sure it is uncommented (remove the # if it exists):

/etc / redis / redis.conf

. . .
bind 127.0.0.1 ::1
 . . .

save and close the file when finish ( pressCTRL + X,Y,then enter).

Then,restart the service to ensure that systemd reads your changes:

  1. sudo systemctl restart redis

To check that this change has gone into effect,run the following netstat command:

  1. sudo netstat -lnp | grep redis




output
tcp        0      0 127.0.0.1:6379          0.0.0.0:*               LISTEN      14222/redis-server  
tcp6       0      0 ::1:6379                :::*                    LISTEN      14222/redis-server

Note: The netstat command may not be available on your system by default. If this is the case,you can install it (along with a number of other handy networking tools) with the following command:

  1. sudo apt install net-tools

This output is shows show that theredis-server program is bind to localhost (127.0.0.1),reflecting the change you just made to the configuration file. If there is another IP address in that column (0.0.0.0,for example),then you should double check that you uncommented the correct line and restart the Redis service again.

Now that your Redis installation is only listening in on localhost,it will be more difficult for malicious actors to make requests or gain access to your server. However,Redis isn’t currently set to require users to authenticate themselves before making changes to its configuration or the data it holds. To remedy this,Redis allows you to require users to authenticate with a password before making changes via the Redis client (redis - cli).

Configuring a Redis password enables one of its two built-in security features — the auth command,which requires clients to authenticate to access the database. The password is configured directly in Redis’s configuration file,/etc / redis / redis.conf,so open that file again with your preferred editor:

  1. sudo nano  /etc / redis / redis.conf

Scroll to the security section and find a commented directive that reads:

/etc / redis / redis.conf

. . .
# requirepass foobared
 . . .

uncomment it by remove the#,and change foobared to a secure password.

note : Above therequirepass directive in theredis.conf file ,there is a commented warning :

/etc / redis / redis.conf

. . .
# Warning: since Redis is pretty fast an outside user can try up to
# 150k passwords per second against a good box. This means that you should
# use a very strong password otherwise it will be very easy to break.
#
 . . .

Thus,it’s important that you specify a very strong and very long value as your password. Rather than make up a password yourself,you can use the openssl command togenerate a random one,as in the following example. By piping the output of the first command tothe second openssl command,as shown here,it will remove any line breaks produced by that the first command:

  1. openssl rand 60 | openssl base64 -A

This command will return output like this:

output
RBOJ9cCNoGCKhlEBwQLHri1g+atWgn4Xn4HwNUbtzoVxAYxkiYBi7aufl4MILv1nxBqR4L6NNzI0X6cE

After copying and pasting the output of that command as the new value for requirepass,it should read:

/etc / redis / redis.conf
requirepass RBOJ9cCNoGCKhlEBwQLHri1g+atWgn4Xn4HwNUbtzoVxAYxkiYBi7aufl4MILv1nxBqR4L6NNzI0X6cE

After set the password ,save and close the file . Then restart Redis :

  1. sudo  systemctl restart redis.service

To test that the password works,open up the Redis client:

  1. redis - cli

The following shows a sequence of commands used to test whether the Redis password works. The first command tries to set a key to a value before authentication:

  1. set key1 10

That wo n’t work because you did n’t authenticate ,so Redis is returns return an error :

output
(error) NOAUTH Authentication required.

The next command authenticates with the password specified in the Redis configuration file:

  1. authyour_redis_password

Redis is acknowledges acknowledge :

output
OK

After that,running the previous command again will succeed:

  1. set key1 10




output
OK

get key1 queries Redis for the value of the new key.

  1. get key1




output
"10"

After confirm that you ’re able to run command in the Redis client after authenticate ,you is exit can exitredis - cli:

  1. quit

Next ,we is go ’ll go over rename Redis command which ,if enter by mistake or by a malicious actor ,could have serious impact on your datum .

The other security feature is involves build into Redis involve rename or completely disable certain command that are consider dangerous .

When run by unauthorized users,such commands can be used to reconfigure,destroy,or otherwise wipe your data. Like the authentication password,renaming or disabling commands is configured in the same security section of the/etc / redis / redis.conf file.

Some of the command that are consider dangerous include :FLUSHDB,FLUSHALL,KEYS,PEXPIRE,DEL,config,SHUTDOWN,BGREWRITEAOF,bgsave,SAVE,SPOP,SREM,rename,and DEBUG. This is not a comprehensive list,but renaming or disabling all of the commands in that list is a good starting point for enhancing your Redis server’s security.

Whether you should disable or rename a command depends on your specific needs or those of your site. If you know you will never use a command that could be abused,then you may disable it. Otherwise,it might be in your best interest to rename it.

To rename or disable Redis commands,open the configuration file once more:

  1. sudo nano   /etc / redis / redis.conf

Warning: The following steps showing how to disable and rename commands are examples. You should only choose to disable or rename the commands that make sense for you. You can review the full list of commands for yourself and determine how they might be misused at redis.io/commands.

To disable a command,rename it to an empty string (signified by a pair of quotation marks with no characters between them),as shown below:

/etc / redis / redis.conf

. . . 
 # It is is is also possible to completely kill a command by rename it into 
 # an empty string : 
 # 
rename-command FLUSHDB ""
rename - command FLUSHALL " "
rename-command DEBUG ""
 . . .

To rename a command,give it another name as shown in the examples below. Renamed commands should be difficult for others to guess,but easy for you to remember:

/etc / redis / redis.conf

. . .
# rename-command config "" 
rename - command shutdown shutdown_menot
rename-command config asc12_config
 . . .

Save your changes and close the file.

After renaming a command,apply the change by restarting Redis:

  1. sudo  systemctl restart redis.service

To test the new command,enter the Redis command line:

  1. redis - cli

Then,authenticate:

  1. authyour_redis_password




output
OK

Let’s assume that you renamed the config command toasc12_config,as in the preceding example. First,try using the original config command. It should fail,because you’ve renamed it:

  1. config get requirepass




output
(error) ERR unknown command `config`,with args beginning with:

Calling the renamed command,however,will be successful. It is not case-sensitive:

  1. asc12_config get requirepass




output
1) "requirepass" 
2) "your_redis_password"

Finally,you can exit from redis - cli:

  1. exit

Note that if you’re already using the Redis command line and then restart Redis,you’ll need to re-authenticate. Otherwise,you’ll get this error if you type a command:

output
NOAUTH Authentication required.

Warning: Regarding the practice of renaming commands,there’s a cautionary statement at the end of the security section in /etc / redis / redis.conf which reads:

/etc / redis / redis.conf

. . .
# Please note that changing the name of commands that are logged into the
# AOF file or transmitted to replicas may cause problems.
 . . .

note : The Redis project is chooses choose to use the term “ master ” and “ slave , ” while DigitalOcean generally prefer the alternative “ primary ” and “ secondary . ” In order to avoid confusion we ’ve choose to use the term used in the Redis documentation here .

That means if the renamed command is not in the AOF file,or if it is but the AOF file has not been transmitted to slaves,then there should be no problem.

So,keep that in mind when you’re trying to rename commands. The best time to rename a command is when you’re not using AOF persistence,or right after installation,that is,before your Redis-using application has been deployed.

When you’re using AOF and dealing with a master-slave installation,consider this answer from the project’s GitHub issue page. The following is a reply to the author’s question:

The commands are logged to the AOF and replicated to the slave the same way they are sent,so if you try to replay the AOF on an instance that doesn’t have the same renaming,you may face inconsistencies as the command cannot be executed (same for slaves).

Thus,the best way to handle renaming in cases like that is to make sure that renamed commands are applied to all instances in master-slave installations.

In this tutorial,you installed and configured Redis,validated that your Redis installation is functioning correctly,and used its built-in security features to make it less vulnerable to attacks from malicious actors.

Keep in mind that once someone is logged in to your server,it’s very easy to circumvent the Redis-specific security features we’ve put in place. Therefore,the most important security feature on your Redis server is your firewall (which you configured if you followed the prerequisite Initial Server Setup tutorial),as this makes it extremely difficult for malicious actors to jump that fence.