Securing your Redis installation

Last updated: November 8th 2022

Securing your Redis installation on Webdock stacks

You may want to secure your Redis installation further on Webdock stacks. We only install Redis, make sure it runs under systemd and bind it to localhost (so remote connections are not possible); we don't set any further configuration than that.

Setting a password for Redis

Configuring a Redis password enables the auth command, which requires clients to authenticate to access the database. The password is configured directly in Redis's configuration file. First you should generate a (very) strong password for Redis:

$ openssl rand 60 | openssl base64 -A; echo "";
yE0Yledx1G2CIBQpTcPJAkf7QYf4HKDDzb5lz5UeZ9KKH8V9Eb0SHfIH4FkBAxjB0+M6dXdh/7CzxOHi

Now open /etc/redis/redis.conf:

$ sudo nano /etc/redis/redis.conf

Look for the commented-out requirepass directive:

# requirepass foobared

Uncomment it and replace foobared with the password you just generated, so it looks like:

requirepass yE0Yledx1G2CIBQpTcPJAkf7QYf4HKDDzb5lz5UeZ9KKH8V9Eb0SHfIH4FkBAxjB0+M6dXdh/7CzxOHi

Now restart Redis:

sudo systemctl restart redis

Password authentication is now enabled: clients must issue the auth command with this password before they can access the database.

Disabling dangerous commands in Redis

There are certain commands in Redis which are dangerous and which you may want to disable or rename. Instead of disabling a command, you can rename it to something that is hard for others to guess but easy for you to remember.

To disable or rename commands edit the Redis config file:

sudo nano /etc/redis/redis.conf

Down in the Security section where you set your password earlier, you will find the section to rename or disable commands.

Please note: These are just examples of commands. You should determine for yourself which commands are dangerous to you and which of them you wish to rename or disable. You can see a list of commands at http://redis.io/commands

To disable a command you would do something like the following:

. . .
# It is also possible to completely kill a command by renaming it into
# an empty string:
#
rename-command FLUSHDB ""
rename-command FLUSHALL ""
rename-command DEBUG ""
. . .

To rename a command to something else, the syntax is:

. . .
# rename-command CONFIG ""
rename-command SHUTDOWN SHUTDOWN_MENOT
rename-command CONFIG ASC12_CONFIG
. . .

As before, restart Redis when you are done:

sudo systemctl restart redis

You can now test out your changes in the redis-cli.
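
The edited file itself can also be checked before or after the restart. The script below is an added example, not part of the original guide: it audits a redis.conf for the loopback bind, a non-default requirepass and the rename-command entries used above. The function name audit_redis_conf, the 32-character minimum and the sample config are assumptions made for this example.

```shell
#!/bin/sh
# Added example: audit a redis.conf for the settings this page walks through.
# Usage: audit_redis_conf FILE [COMMAND...]
# Prints one finding per line; exit status is non-zero if any check fails.
audit_redis_conf() {
    conf=$1; shift
    # Commands to check default to the ones used as examples on the page.
    [ $# -gt 0 ] || set -- FLUSHDB FLUSHALL DEBUG CONFIG SHUTDOWN
    awk -v cmds="$*" -v minlen=32 '   # minlen is an assumed threshold
        NF == 0 || $1 ~ /^#/ { next }             # skip blanks and comments
        { key = tolower($1) }                     # directive names are case-insensitive
        key == "bind" {
            bound = 1
            for (i = 2; i <= NF; i++) {
                addr = $i; sub(/^-/, "", addr)    # leading "-" marks an optional address
                if (addr != "127.0.0.1" && addr != "::1") remote = 1
            }
        }
        key == "requirepass"    { pass = $2 }
        key == "rename-command" { newname[toupper($2)] = $3 }
        END {
            if (!bound || remote)           { print "FAIL bind: not restricted to loopback"; bad++ }
            else                              print "OK   bind: loopback only"
            if (pass == "")                 { print "FAIL requirepass: not set"; bad++ }
            else if (pass == "foobared")    { print "FAIL requirepass: sample value from redis.conf"; bad++ }
            else if (length(pass) < minlen) { print "FAIL requirepass: shorter than " minlen " characters"; bad++ }
            else                              print "OK   requirepass: set"
            n = split(cmds, list, " ")
            for (i = 1; i <= n; i++) {
                c = toupper(list[i])
                if (!(c in newname))           { print "FAIL " c ": still callable under its default name"; bad++ }
                else if (newname[c] == "\"\"")   print "OK   " c ": disabled"
                else                             print "OK   " c ": renamed"
            }
            exit (bad > 0)
        }
    ' "$conf"
}

# Constructed sample: password set, but CONFIG and SHUTDOWN left untouched.
sample=$(mktemp)
cat > "$sample" <<'EOF'
bind 127.0.0.1 -::1
requirepass REPLACE_WITH_GENERATED_PASSWORD_0123456789
rename-command FLUSHDB ""
rename-command FLUSHALL ""
rename-command DEBUG ""
EOF
audit_redis_conf "$sample" || echo "hardening incomplete"
rm -f "$sample"
```

On a real server, run it as sudo sh -c with the function loaded, or copy the function into a script and pass /etc/redis/redis.conf plus the commands you decided to rename or disable.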