Comprehensive Steps To Install Redis on AlmaLinux 9

In this guide, we want to teach you How To Install, Configure, and Secure Redis on AlmaLinux 9. Redis (REmote DIctionary Server) is an open-source, in-memory, NoSQL key/value store that is used primarily as an application cache or as a fast store for small, frequently accessed data sets.

Because it serves every request from memory, and writes to disk only for its optional snapshot (RDB) and append-only (AOF) persistence, Redis answers in well under a millisecond on ordinary hardware. That speed works against you as well: an exposed, unauthenticated Redis instance can be emptied, rewritten, or used to plant data in seconds, which is why the configuration half of this guide matters as much as the installation. You can now follow the steps below on the Orcacore website to Install and Secure Redis on AlmaLinux 9.

Install and Configure Redis on AlmaLinux 9

To Install Redis on AlmaLinux 9, you must log in to your server as a non-root user with sudo privileges and set up a basic firewall. To do this, you can follow our guide on Initial Server Setup with AlmaLinux 9.

1. Install Redis on AlmaLinux 9

Redis packages are available in the default AlmaLinux 9 AppStream repository (Redis 6.2 in the default stream). First, bring the installed packages and the package metadata up to date with the command below:

sudo dnf update -y

Then, use the following command to install Redis:

sudo dnf install redis -y

When your installation is completed, you need to make some configuration changes to the Redis config file.

2. Configure Redis To Run as a Service

At this point, you need to open the Redis configuration file with your favorite text editor, here we use vi editor:

sudo vi /etc/redis/redis.conf

Inside the file, search for the supervised directive. It tells Redis which init system is supervising it, so that Redis can report "ready" back to that init system instead of being assumed ready the moment the process starts. The redis.service unit shipped with AlmaLinux 9 uses Type=notify and therefore expects this notification.

If the value is not already systemd (or auto), change it to systemd:

. . .
# If you run Redis from upstart or systemd, Redis can interact with your
# supervision tree. Options:
# supervised no - no supervision interaction
# supervised upstart - signal upstart by putting Redis into SIGSTOP mode
# supervised systemd - signal systemd by writing READY=1 to $NOTIFY_SOCKET
# supervised auto - detect upstart or systemd method based on
# UPSTART_JOB or NOTIFY_SOCKET environment variables
# Note: these supervision methods only signal "process is ready."
# They do not enable continuous liveness pings back to your supervisor.
supervised systemd
. . .

When you are finished, save and close the file.

3. Manage Redis Service

Here you need to start the Redis service on AlmaLinux 9 with the following command:

sudo systemctl start redis.service

If you want Redis to start at boot, enable it with the following command:

sudo systemctl enable redis

To check that Redis is active and running you can use the following command:

sudo systemctl status redis

In the output, the Active line should read active (running), and the log excerpt below it should show Redis reporting that it is ready to accept connections.

Now you can test Redis’s functionality with the following command:

redis-cli ping

In your output you should see:

Output
PONG

It means that you have Redis running on your AlmaLinux 9. At this point, you can start to configure it to raise its security.

4. How To Secure Redis on AlmaLinux 9

An effective way to protect Redis is to harden the server it runs on. Out of the box Redis has no password and no TLS, so network exposure is the first thing to remove: make sure Redis listens only on localhost or on a private IP address, keep protected-mode at its default of yes, and keep the host firewall running in front of it.

Open the Redis configuration file with your favorite text editor again:

sudo vi /etc/redis/redis.conf

Inside the file, search for the bind line. In the redis.conf that ships with AlmaLinux 9 it is already active and limits Redis to the loopback addresses; make sure it is present and not commented out, because a leading # on this line makes Redis listen on every interface:

. . .
bind 127.0.0.1 -::1

The -::1 entry is the IPv6 loopback address; the leading dash tells Redis not to fail if IPv6 is unavailable on the host.

Note: If other hosts need to reach Redis, bind it to the server's private IP address only, never to 0.0.0.0 or to a public address, and keep the loopback entry so local tools such as redis-cli still work:

. . .
bind 127.0.0.1 your_private_ip

After you make this change, save and close the file.

Configure Firewall For Redis

We assumed that you installed and enabled firewalld in the requirements part.

Only the hosts that actually run your application should be able to reach Redis, and they should do so over their private IP addresses. That keeps the number of hosts the service is exposed to as small as possible.

First, you need to add a dedicated Redis zone to your firewalld policy with the following command:

sudo firewall-cmd --permanent --new-zone=redis

Redis uses port 6379 by default. You need to open it through the firewall with the following command:

sudo firewall-cmd --permanent --zone=redis --add-port=6379/tcp

Then, specify any private IP addresses that should be allowed to pass through the firewall and access Redis with the command below:

sudo firewall-cmd --permanent --zone=redis --add-source=client_server_private_IP

To apply these changes, reload the firewall with the following command:

sudo firewall-cmd --reload

Note: firewalld places each incoming connection in exactly one zone. A connection whose source address matches the redis zone is handled by that zone alone, so the services allowed in your default zone (for example SSH) do not apply to it. If you also need SSH or anything else from the client host, add that service to the redis zone as well and reload; otherwise only port 6379 is reachable from that address. Verify the resulting rules with firewall-cmd --zone=redis --list-all.

Let’s see how to configure Redis to only be accessible with a strong password.

5. Configure a Redis Password on AlmaLinux 9

You can configure a Redis Password directly in the Redis configuration file.

Open the file again with the following command:

sudo vi /etc/redis/redis.conf

Find the SECURITY section and search for the “requirepass foobared” directive. Uncomment it by removing the # and replace foobared with a long random password of your own (32 or more characters from a password generator). Redis can verify passwords extremely quickly, so a short or guessable password can be brute-forced by any client that can reach the port.

requirepass your-password

Redis 6 also lets you define additional users with their own passwords and command/key restrictions through ACLs (covered at the end of this guide); requirepass simply sets the password of the built-in default user.

When you are finished, save and close the file.

Then restart Redis to apply these changes with the following command:

sudo systemctl restart redis

Test Redis Password

To test that the password that you have set works correctly, open the Redis client on AlmaLinux 9 with the following command:

redis-cli

The first command tries to set a key to a value before authentication:

127.0.0.1:6379> set key1 10

At this point, Redis returns an error, because you have not yet authenticated:

(error) NOAUTH Authentication required.

Use the following command to authenticate with the password you have set in the Redis configuration file:

127.0.0.1:6379> auth your_redis_password

After entering your Redis password, in your output, you will see OK.

Then run the previous command, it should be working now:

127.0.0.1:6379> set key1 10

In your output, you should see OK.

Now use the get key1 command to query Redis for the value of the new key:

127.0.0.1:6379> get key1
Output
"10"

Exit from the Redis client with the following command:

127.0.0.1:6379> quit

Note: At this point it should be very difficult for unauthorized users to access your Redis installation. Remember that if you are using the Redis client and then restart Redis, you will need to re-authenticate. Also note that the AUTH command and everything after it are sent in cleartext: without TLS or a VPN, anyone who can sniff the network path can read the password when you connect to Redis remotely. Avoid passing the password on the redis-cli command line on shared machines (it ends up in shell history and process listings); an interactive AUTH, or the REDISCLI_AUTH environment variable, is safer.

Additionally, you can rename Redis commands to protect Redis from malicious actors.

6. Rename Redis Dangerous Commands

For more security, Redis allows you to rename or completely disable certain commands that are considered dangerous, such as FLUSHDB, FLUSHALL, KEYS, CONFIG, DEBUG, SHUTDOWN, SAVE, and RENAME. CONFIG deserves special attention: an authenticated attacker can use CONFIG SET to change the working directory and dump filename and then write a crafted snapshot to a path of their choosing, which is the classic route from Redis access to code execution on the host.

If you know that you will never use a command that can be abused, disable it. Otherwise, rename it to an unguessable name instead. Keep in mind that renaming is obscurity, not access control: anyone who can read redis.conf learns the new names, which is one more reason to tighten the file permissions in step 7.

To enable or disable Redis commands, open the Redis configuration file and go to the Security section:

sudo vi /etc/redis/redis.conf

Note: These are examples. You should choose to disable or rename the commands that make sense for you. You can learn more about Redis’s commands and determine how they might be misused at redis.io.

Here you can disable or kill a command by renaming it to an empty string like this:

# It is also possible to completely kill a command by renaming it into
# an empty string:
#
rename-command FLUSHDB ""
rename-command FLUSHALL ""
rename-command DEBUG ""

You can rename a command by giving it another name like this (add these lines in the same section):

rename-command SHUTDOWN SHUTDOWN_ORCA
rename-command CONFIG ORCA_CONFIG

When you are finished, save and close the file.

To apply the changes, restart Redis on AlmaLinux 9 with the following command:

sudo systemctl restart redis.service

Now you can open the Redis client to test your new commands:

redis-cli

Then, authenticate yourself with the password that you have set:

127.0.0.1:6379> auth your_redis_password

We assumed that you renamed the CONFIG command to ORCA_CONFIG (command names are case-insensitive, so orca_config works too). If you use config, Redis rejects it with an unknown command error:

127.0.0.1:6379> config get requirepass

Now use the renamed command instead:

127.0.0.1:6379> orca_config get requirepass

The output lists requirepass followed by the password you configured, in cleartext. That is exactly why CONFIG should be renamed or, with ACLs, denied to application users: anyone who can run it can read the password and rewrite the running configuration.

Now you can exit from the Redis client with the following command:

127.0.0.1:6379> exit

Warning: at the end of the Security section in the /etc/redis/redis.conf file, there is a warning statement which is:

. . .
# Please note that changing the name of commands that are logged into the
# AOF file or transmitted to slaves may cause problems.
. . .

Commands are written to the AOF file and sent to replicas under the name they were executed with. If a renamed command is replayed from an AOF written before the rename, or reaches a replica that does not use the same rename, Redis will not recognise it. The best time to rename commands is therefore right after installation, before AOF persistence is enabled, and every replica must carry identical rename-command lines.
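The three configuration changes made in sections 4 to 6 (bind, requirepass and rename-command) are easy to get subtly wrong, for example by leaving a second bind line further down the file or a leading # on the one you edited. The script below is an added example written for this guide; it is not part of the original article or of the Redis project. It reads a redis.conf the way Redis does (comments ignored, last occurrence of a directive wins) and reports every check from those sections that fails. The configuration it audits at the end is constructed inline so the script runs without a Redis server; point it at /etc/redis/redis.conf on your own host instead.

```shell
#!/usr/bin/env bash
# Hardening audit for a redis.conf (added example, not from the original guide).
# Checks: bind restricted to loopback/private addresses, protected-mode left on,
# requirepass set and not trivially weak, dangerous commands renamed or disabled.
# The return value is the number of findings, so 0 means every check passed.

# Effective value of a directive: comment and blank lines are skipped and the
# last occurrence wins, which is how Redis itself applies a config file.
conf_get() {
    awk -v key="$2" '
        /^[ \t]*#/ || NF == 0 { next }
        $1 == key { $1 = ""; sub(/^[ \t]+/, ""); v = $0 }
        END { print v }' "$1"
}

# True when the file renames or disables the given command (rename-command
# may appear many times, one line per command).
conf_has_rename() {
    awk -v cmd="$2" '
        /^[ \t]*#/ { next }
        $1 == "rename-command" && toupper($2) == cmd { found = 1 }
        END { exit !found }' "$1"
}

redis_conf_audit() {
    local conf="$1" findings=0 bind pm pass cmd

    bind=$(conf_get "$conf" bind)
    if [ -z "$bind" ]; then
        echo "bind: unset, Redis listens on every interface"
        findings=$((findings + 1))
    else
        # Quoted globs are literal here, so "*" matches the bind-all token itself.
        case " $bind " in
            *" 0.0.0.0 "*|*" * "*|*" :: "*|*" -::* "*)
                echo "bind: '$bind' exposes Redis on all interfaces"
                findings=$((findings + 1)) ;;
        esac
    fi

    pm=$(conf_get "$conf" protected-mode)
    if [ "$pm" = "no" ]; then
        echo "protected-mode: disabled, unauthenticated remote clients are not refused"
        findings=$((findings + 1))
    fi

    pass=$(conf_get "$conf" requirepass)
    pass=${pass#\"}; pass=${pass%\"}     # requirepass may be written in quotes
    if [ -z "$pass" ]; then
        echo "requirepass: not set, anyone who reaches the port has full access"
        findings=$((findings + 1))
    elif [ "$pass" = "foobared" ] || [ "${#pass}" -lt 16 ]; then
        echo "requirepass: weak (the foobared placeholder or shorter than 16 characters)"
        findings=$((findings + 1))
    fi

    # Baseline from section 6; extend the list to match the commands you renamed.
    for cmd in FLUSHDB FLUSHALL DEBUG CONFIG SHUTDOWN; do
        if ! conf_has_rename "$conf" "$cmd"; then
            echo "rename-command: $cmd still reachable under its default name"
            findings=$((findings + 1))
        fi
    done
    return "$findings"
}

# Constructed sample: the stock defaults left untouched (not a real server's file).
sample=$(mktemp)
cat > "$sample" <<'EOF'
# bind 127.0.0.1 -::1
protected-mode no
port 6379
# requirepass foobared
EOF
redis_conf_audit "$sample" || echo "$? finding(s) in $sample"
rm -f "$sample"
```

Run it as redis_conf_audit /etc/redis/redis.conf after each edit (with sudo once the file is mode 600); because the exit status equals the number of findings, it slots into a deployment check without parsing output. The constructed sample above produces eight findings; a file with the bind, requirepass and five rename-command lines from this guide produces none.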

7. Set Data directory Ownership and File Permissions

In this step, you need to set ownership and make some permission changes to improve the security profile of your Redis installation on AlmaLinux 9. With this, you will be sure that only the Redis user has permission to read its data.

Run the following command to see the Redis data directory ownership and its permissions:

ls -l /var/lib | grep redis
Output
drwxr-x--- 2 redis redis  Jan 05 12:20 redis

As you can see, the Redis data directory is owned by the Redis user, with secondary access granted to the Redis group.

If your Redis directory is more permissive than that (for example readable by other users), tighten it so that only the redis user and group can enter it:

sudo chmod 750 /var/lib/redis

The default 750 is already acceptable, and 700 is fine if nothing outside the redis user needs the snapshots. Do not widen it to 770: group write access adds nothing and lets any member of the redis group replace the dump file.

Then, you need to change the Redis configuration file permissions. By default, it is owned by the redis user and the root group:

ls -l /etc/redis/redis.conf
Output
-rw-r----- 1 redis root 62345 Jan 05 12:19 /etc/redis/redis.conf

That means the file is readable by the redis user and by members of the root group. Because it now contains requirepass and the renamed command names, restrict it to the redis user alone. First give the redis group ownership:

sudo chown redis:redis /etc/redis/redis.conf

Then change the permissions so that only the owner can read and write it (root can still edit it with sudo):

sudo chmod 600 /etc/redis/redis.conf

Verify the new changes with the following command:

ls -l /var/lib | grep redis
Output
drwxr-x--- 2 redis redis  Jan 05 12:20 redis
ls -l /etc/redis/redis.conf
Output
-rw------- 1 redis redis 62345 Jan 05 12:19 /etc/redis/redis.conf

Then, restart Redis to apply these changes:

sudo systemctl restart redis

Finally, your Redis on AlmaLinux 9 installation has been secured.

Conclusion

At this point, you have learned How To Install Redis on AlmaLinux 9, Configure Redis To Run as a Service, and Rename Redis Dangerous Commands.


Alternative Solutions for Securing Redis on AlmaLinux 9

The steps above cover the essentials. Two further measures complement them rather than replace them: encrypting the connection, and replacing the single shared password with per-user ACLs.

1. Using TLS Encryption with Stunnel:

The password check above stops anyone who cannot guess the password, but the password itself and every command still cross the network in cleartext. Stunnel is a free and open-source TLS tunneling proxy that wraps a plain TCP service in TLS without changing the service. Redis 6 and later can also terminate TLS itself (the tls-port, tls-cert-file and tls-key-file directives) when built with TLS support; Stunnel works regardless of how Redis was built and is what is shown here.

Explanation:

Stunnel runs on both ends. On the Redis server it listens for TLS connections and forwards the decrypted traffic to Redis on loopback; on each client host it listens on loopback for plain connections from the application and forwards them over TLS to the server. The application and redis-cli keep speaking the plain Redis protocol, but only to their local Stunnel, so nothing crosses the network unencrypted and a passive eavesdropper or man-in-the-middle cannot read the password.

Steps:

  • Install Stunnel:

    sudo dnf install stunnel -y

  • Generate a Certificate: Stunnel needs a private key and a certificate. A self-signed certificate is fine for testing; for production use a certificate from a CA your clients trust (an internal CA is enough). The command below writes the key and the certificate into the same PEM file, which is the layout Stunnel expects:

    sudo openssl req -new -x509 -days 365 -nodes -out /etc/stunnel/redis.pem -keyout /etc/stunnel/redis.pem
    sudo chmod 600 /etc/stunnel/redis.pem

    Answer the prompts; the Common Name should be the hostname or private IP the clients will connect to.

  • Configure Stunnel on the server: the systemd unit starts stunnel without arguments, so it reads /etc/stunnel/stunnel.conf by default. Create that file:

    sudo vi /etc/stunnel/stunnel.conf

    Add the following configuration (Stunnel comments start with a semicolon on their own line):

    [redis]
    client = no
    ; accept TLS connections from clients on the server's private address
    accept = your_private_ip:63790
    ; forward decrypted traffic to Redis, which only listens on loopback
    connect = 127.0.0.1:6379
    cert = /etc/stunnel/redis.pem

    Listening on 127.0.0.1 here would defeat the purpose, because remote clients could never reach the tunnel. Adjust the accept port to an unused port on your system.

  • Enable and Start Stunnel:

    sudo systemctl enable stunnel
    sudo systemctl start stunnel

  • Keep Redis bound to 127.0.0.1 only (as shown in step 4), and in the firewall open 63790/tcp in the redis zone instead of 6379/tcp, so Redis itself is never reachable from the network.

  • Configure Stunnel on each client: install stunnel there too and create a [redis] section with client = yes, accept = 127.0.0.1:63790 and connect = your_private_ip:63790. Add CAfile pointing at the server certificate (or your CA certificate) together with verifyChain = yes; without verification the client accepts any certificate and a man-in-the-middle can still read the password. Your application and redis-cli on the client then connect to 127.0.0.1:63790.

Code Example (Connecting with redis-cli through Stunnel):

Since Stunnel handles the encryption, the standard redis-cli can be used on the client host; it connects to the local Stunnel listener, not to the Redis server:

redis-cli -h 127.0.0.1 -p 63790

Authenticate with AUTH as before; the password now travels inside the TLS tunnel.

2. Using Redis ACL (Access Control List):

Redis 6 and later (AlmaLinux 9 ships Redis 6.2) include ACLs, which offer a more granular approach to access control than a single shared password. ACLs let you define named users, each with its own password(s), an allow/deny list of commands or command categories, and the key patterns it may touch. An application that only needs GET and SET on its own keys no longer holds a credential that can also run FLUSHALL or CONFIG.

Explanation:

Instead of one password for everyone, you create several users with distinct rights. For example, one user can only read data, another can read and write, and a monitoring user can only run INFO and PING. requirepass does not conflict with this: it is simply the password of the built-in default user, so keep it set. Removing it would leave the default user, which has full access, open to anyone who can reach the port.

Steps:

  • Connect to Redis and authenticate as the default user with the requirepass password:

    redis-cli
    127.0.0.1:6379> auth your_redis_password

  • Create Users and Set Permissions: Use the ACL SETUSER command to create users and assign rules.

    ACL SETUSER <username> <rules>
    • <username>: The name of the user.
    • <rules>: A space-separated list, applied left to right, which can include:
      • on / off: enable or disable the user (new users start off, so include on).
      • ><password>: add a cleartext password (Redis stores only its SHA-256 hash).
      • #<sha256-hex>: add a password by its SHA-256 hash, so the cleartext never appears in the command.
      • nopass: accept any password (avoid it); resetpass removes all passwords and the nopass flag.
      • +<command> / -<command>: allow or deny a command; +@read, +@write and similar allow a whole category, and allcommands is +@all.
      • ~<pattern>: allow access to keys matching the glob pattern; ~* (or allkeys) allows every key.

    Example:

    ACL SETUSER dev on >dev_password ~* +get +set +del
    ACL SETUSER monitor on >monitor_password +info +ping
    ACL SETUSER readonly on >readonly_password ~mydata:* +get

    This creates three users:

    • dev: Can use GET, SET and DEL on any key and authenticates with dev_password.
    • monitor: Can only run INFO and PING, touches no keys, and authenticates with monitor_password.
    • readonly: Can only run GET on keys matching mydata:* and authenticates with readonly_password.

  • Persist the users: ACL SETUSER takes effect immediately but lives only in memory. Run CONFIG REWRITE (or ORCA_CONFIG REWRITE if you renamed the command in step 6) to write the users into redis.conf, or, if you have set the aclfile directive, run ACL SAVE. Without this step a restart silently drops every user you created. Check the result with ACL LIST.

  • Authenticate as the new user:

    redis-cli --user dev --pass dev_password

Code Example (Connecting with redis-cli using ACL):

redis-cli --user dev --pass dev_password               # the 'dev' user; redis-cli warns that the password is visible in the process list
redis-cli -u redis://dev:dev_password@127.0.0.1:6379   # the same as a URI (-u takes a URI, not a user name)
REDISCLI_AUTH=dev_password redis-cli --user dev        # password from the environment instead of the command line

Inside an open redis-cli session, the two-argument form AUTH dev dev_password switches user. By using ACLs, you limit each user to the commands and keys it needs, so a leaked application credential no longer hands over the whole instance. Combined with the network restrictions and the TLS tunnel above, this significantly reduces the attack surface of your Redis installation on AlmaLinux 9.
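The ACL SETUSER examples above pass passwords in cleartext with >, which is convenient at the prompt but leaves them in shell history and in the redis.conf that CONFIG REWRITE produces. The script below is an added example written for this guide, not part of the original article or of Redis. It builds the dev, monitor and readonly users from the example above, plus an admin user because it disables default, as aclfile lines in which passwords appear only as SHA-256 hashes (the #<hash> form Redis accepts). The passwords in the demo call are constructed placeholders, and the /etc/redis/users.acl path in the usage note is an assumption.

```shell
#!/usr/bin/env bash
# Generate Redis ACL "user" lines with hashed passwords for an aclfile
# (added example, not from the original guide or the Redis project).
# ">cleartext" in ACL SETUSER works, but the cleartext then sits in shell
# history and in CONFIG REWRITE output; "#<sha256>" carries only the hash.

# Hash a password exactly as Redis stores it: lowercase hex SHA-256 of the bytes.
acl_hash() {
    printf '%s' "$1" | sha256sum | cut -d' ' -f1
}

# acl_user NAME PASSWORD RULES... -> one enabled user with a hashed password.
# Rules are applied left to right, so the order of allow/deny entries matters.
acl_user() {
    local name="$1" pass="$2"
    shift 2
    printf 'user %s on #%s %s\n' "$name" "$(acl_hash "$pass")" "$*"
}

# The three users from the ACL section, an admin user for operators, and a
# disabled default user so the shared requirepass password stops working
# once the aclfile is loaded. "&*" (Redis 6.2 syntax) grants all pub/sub channels.
redis_acl_file() {
    printf 'user default off\n'
    acl_user dev      "$1" '~* +get +set +del'
    acl_user monitor  "$2" '+info +ping'
    acl_user readonly "$3" '~mydata:* +get'
    acl_user admin    "$4" '~* &* +@all'
}

# Demo with constructed placeholder passwords; generate real ones (for example
# with openssl rand -hex 24) and write the output to the path set by aclfile.
redis_acl_file 'dev-example-pass' 'monitor-example-pass' 'readonly-example-pass' 'admin-example-pass'
```

Write the output to /etc/redis/users.acl (assumed path), give it the same redis:redis ownership and mode 600 as redis.conf, set aclfile /etc/redis/users.acl in redis.conf, and remove any user lines from redis.conf, because Redis refuses to start when users are defined in both places. Then restart Redis (or run ACL LOAD in a running instance) and confirm with ACL LIST, which prints the hashes, never the passwords. Since default is disabled, authenticate as admin from then on for maintenance.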
