From output above we learned that redis server is already listening on port 6379 and bind to localhost or 127.0.0.1.
Redis configuration is located in the /etc/redis/redis.conf file. In this tutorial we'll change one Redis configuration directive so that it will listen to all network interfaces instead of only on localhost. This is useful if you have a dedicated redis server and you're connecting from other servers, such as an application server.
Open /etc/redis/redis.conf. Find line below:
We see above that redis is listening on all interfaces on port 6379 (0.0.0.0:6379).
There are a lot more configuration directive on redis.conf file. You can read the comment above each directive to see how you can customize Redis configuration.
By default Redis is not secure. It assumes that it runs on a secure environment or network. From Redis security page :
Redis is designed to be accessed by trusted clients inside trusted environments. This means that usually it is not a good idea to expose the Redis instance directly to the internet or, in general, to an environment where untrusted clients can directly access the Redis TCP port or UNIX socket.
In this section we'll discuss how-to secure Redis.
Setting up a Firewall
The first method that you can use to secure Redis is by setting up a firewall. You can use a firewall on a host level using iptables or on a network level from a Firewall device. If you are using a cloud service you can also use a Firewall service that your provider provides on a host or a network level.
Configure a Password for Redis
By default Redis does not ask the user to authenticate. To add more security to your Redis installation you can enable authentication on your Redis server.
Open /etc/redis/redis.conf file, find the line below
# requirepass foobared
Replace foobared the line above with your own password. You can also use a fully random password like the line below
Additional methods that you can employ to secure your redis installation is by renaming or disabling some dangerous commands. This configuration is also located on the SECURITY section on the /etc/redis/redis.conf file. For example the config below will change the CONFIG commmand with 123aqCONFGG.
rename-command CONFIG 123aqCONFGG
We also can disable a command. To disable the CONFIG command you can put empty quotes ("") as the replacement of CONFIG command
rename-command CONFIG ""
Don't forget to restart redis-server after changing the configuration by running command below
$ sudo service redis-server restart
Redis comes with the redis-benchmark tool. You can try benchmarking redis by running redis-benchmark without options
In this tutorial we learned how-to install Redis on Ubuntu 14.04 from the Ubuntu repository. We also learned how to manage the Redis service, configuring the service, securing Redis, and also Benchmarking Redis. We also learned the basic usage of Redis.
Truth be told, it’s difficult for a web application that doesn’t have some kind of identification, even if you don’t see it as a security measure in and of itself. The Internet is a kind of lawless land, and even on free services like Google’s, authentication ensures that abuses will...
Although data persistence is almost always a fundamental element of applications, Node.js has no native integration with databases. Everything is delegated to third-party libraries to be included manually, in addition to the standard APIs. Although MongoDB and other non-relational databases are the most common choice with Node because if you...