Sunday, 7 May 2017

Securing your redis instance.

Redis is a very fast caching engine which has support for a number of data structures like list, sets, sorted sets etc.

Many times, we are faced with a problem of how to secure our redis instance. The problem comes up because anyone can connect to redis and manipulate the data.
Redis is designed for very fast performance and does not have very strong security features built in it by default.

There is one very important rule while using redis. Ignoring this can lead to catastrophe in your redis world, if not anywhere else.

Never expose a redis instance directly to the internet

It is almost impossible to think of a valid use case whether the redis instance will be directly open to the internet. Instead only the trusted applications/ip addresses should interact with it. This is because anybody will be able to connect to it on the internet and manipulate the data. So, it is essential that the machines running redis instances have private ip addresses and are strictly behind a firewall.


Next, we will discuss the security features that can be setup.

Setting an authentication password

         This is the easiest way to secure your redis instance. It involves setting the password using the "requirepass" parameter in the config file. The same password can be used by the clients to authenticate themselves first before making calls to redis.

The following is set in the redis.conf file

#requirepass foobared
requirepass c0nf!d3nt!@|

So, every client has to connect to it by giving the password while creating the connection

redis-3.0.6 $ redis-cli
127.0.0.1:6379> set a b
(error) NOAUTH Authentication required.
127.0.0.1:6379> auth c0nf!d3nt!@|
OK
127.0.0.1:6379> set a b
OK
127.0.0.1:6379> set b c
OK

However considering the password is in plain text in the config file, it is not a foolproof solution. This is because applications will keep a copy of the password with them, and it is possible for it to be compromised.

Use IP tables

         This involves restricting connections to a particular machine and port only from predefined systems. IP tables come pre-installed on almost all linux distributions. In my opinion, this is one of the best ways to secure your redis instance.

iptables -F
iptables -A INPUT -p tcp -s 192.168.10.40,192.168.10.41 --dport 6379 -j ACCEPT
iptables -A INPUT -p tcp -dport 6379 -j DROP
iptables-save

The above needs to be run on the redis instance. With this the machine will only accept connections from 192.168.10.40 and 192.168.10.41 on its 6379 port(on which redis is running).

Rename dangerous commands

 Also it is a good idea to rename the dangerous commands. It is done using the "rename-command" parameter. Some of the commands which should be renamed are "FLUSHALL", "FLUSHDB", "CONFIG", "DEBUG", "RENAME", "BGSAVE", "SAVE", "MONITOR", "KEYS". 
The commands can be renamed by giving an alternate name or disabled by specifying "" as the name. 

rename-command FLUSHALL ""
rename-command FLUSHDB ""
rename-command SAVE ""
rename-command RENAME ""
rename-command SHUTDOWN ""
rename-command MONITOR 3@v3sdr0p
rename-command CONFIG custom-config
rename-command KEYS get-all-keys
rename-command DEBUG k!||-@||-bugs
rename-command BGSAVE backgroundsave

The above will disable the commands "FLUSHALL", "FLUSHDB", "SAVE", "RENAME", "SHUTDOWN" and rename the "MONITOR", "CONFIG", "KEYS", "DEBUG" and "BGSAVE" command.

Note that once you rename the MONITOR command, executing the renamed command becomes slightly more tricky because the behavior of monitor command depends on both the server and the client(the server sends all commands to the particular client running the monitor and client outputs it). More details here.

:)