Best Practices to Secure Redis Implementation in Cloud Infrastructure

Saurabh Badhwar

Sr. Software Engineer

Published Apr 23 2020

Derived from the phrase Remote Dictionary Server, Redis is an in-memory data structure project that implements a distributed, in-memory key-value database with flexible durability. Redis can be introduced between a web application and its database as a cache that stores the database responses as key-value pairs, thereby reducing database calls and server load.

These key-value pairs are held in the server's memory (RAM), which makes access a thousand times faster than reading from a hard disk but costlier to implement. Redis returns the value for the key requested by the application; if the key is not present in Redis, the application queries the database and stores the result in Redis for subsequent requests.

Redis supports multiple data structures, such as strings, lists, sets, sorted sets, hashes, HyperLogLogs, bitmaps, streams, and spatial indexes. It is used by many well-known companies, including Netflix, Twitter, Amazon, and Microsoft. According to Shodan.io, Redis is deployed on more than five lakh (500,000) servers worldwide.

Number of servers using Redis worldwide

Industries That Have Seen a Rise in Redis Implementation

Many industries, such as gaming, financial services, healthcare, and IT, use Redis to solve their business problems. Developers integrate Redis with Apache Solr to reflect product inventory updates quickly, relying on Redis' in-memory store.

Redis' Publisher/Subscriber (Pub/Sub), or message broker, capability helps build the foundation of a microservices architecture: it decouples the services and makes their communication more efficient. Redis can be used in geospatial applications to process and analyze geospatial data in real time, and it can be used to build chat systems and social networking sites.

Companies like Uber and Tinder leverage its Pub/Sub capabilities to build fault-tolerant and highly available architectures. Tinder's back-end infrastructure relies on Redis-based caching to serve the requests generated by more than 2 billion users of the Swipe feature per day, and it hosts more than 30 billion matches across 190 countries globally.

Essential Security Measures for Redis Implementation in Infrastructure

To ensure all security loopholes are plugged, an organization must take the following measures:

Do not publicly expose the Redis server

Redis ships with no authentication enabled by default and no transport encryption; all data is stored and transmitted in cleartext. An attacker who can reach the server can issue the FLUSHALL command to delete every key-value data set. To protect the Redis server, update the configuration file as described below.

Path of the config file: /etc/redis/redis.conf

bind 127.0.0.1

Redis will only accept client connections made to localhost (private mode).

bind 0.0.0.0

Redis will accept connections made to any address (public mode), which is the exposure this measure avoids.

Run Redis with minimum privileges

Running Redis as the root user dramatically increases the damage an attacker can cause if a session is hijacked. It is better to run it as an unprivileged, dedicated Redis user, since root can run any administrative command, such as changing the system configuration or starting and stopping services.

Don’t allow any outside traffic to the Redis port

Restrict traffic from the outside world into the internal network with firewall rules, allowing only trusted clients. If no communication is required from outside the network, block incoming traffic to port 6379 with network access control lists. Otherwise, the information stored in Redis would be reachable by external applications.

Always use the protected mode

Protected mode is recommended when Redis runs with the default configuration (binding all interfaces) and without a password. In this mode, Redis only replies to clients connecting from the loopback address and returns an error to clients connecting from any other address. Uncomment the following line in the configuration file to run Redis in protected mode.

# protected-mode yes

Use strong password authentication

Since the password is stored inside the redis.conf file, it can be very long. Ensure that it is strong and lengthy enough to withstand brute-force attacks: a password-cracking tool can test around 150K passwords per second against a Redis server. To add password authentication to Redis, uncomment the following line in the configuration file and replace the password after the directive.

# requirepass foobared

Results of a dictionary attack cracking a short password

Prevent network sniffing

Like every other Redis command, AUTH is sent unencrypted, so an attacker with sufficient network access can capture the password by eavesdropping (network sniffing). In such a scenario, an SSL proxy can be used to encrypt the traffic, which comes with a performance trade-off.

Sniffing of the invalid and valid passwords - Wireshark packet sniffer

Perform constant monitoring

Always monitor process and CPU consumption on servers to check for the presence of crypto-mining malware, as in the case of the RedisWannaMine worm. The worm downloads mining malware and gains persistence by creating a new cron job. This script steals the computing power of the victim's machine to mine cryptocurrencies such as Bitcoin.

Command renaming

Rename administrative commands at your discretion. For example, the CONFIG command can be renamed to something hard to guess in a shared environment, so that it remains recognizable to internal users and tools but not to anyone outside the team.

In the configuration file, uncomment the line below and put your chosen name in place of "…"

# rename-command CONFIG "…"
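As an added example that is not part of the original article, the following Python script audits a redis.conf for the settings covered in the sections above (bind, protected-mode, requirepass and rename-command) and reports each weak setting; the sample configuration text and the 32-character password minimum are assumptions.

```python
# Added example (not from the original article): audit a redis.conf for the
# weak settings discussed above. The sample config and the 32-character
# password minimum are constructed assumptions, not values from the article.
SAMPLE_CONF = """\
bind 0.0.0.0
protected-mode no
# requirepass foobared
rename-command FLUSHALL ""
"""

def parse_redis_conf(text):
    """Return (directive, args) pairs for active lines; comments are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank or commented-out lines are inactive
        parts = line.split(None, 1)
        args = parts[1].strip() if len(parts) > 1 else ""
        entries.append((parts[0].lower(), args))  # directive names are case-insensitive
    return entries

def audit_redis_conf(text, min_password_len=32):
    """Return a list of findings; an empty list means all checks passed."""
    conf, renamed = {}, set()
    for directive, args in parse_redis_conf(text):
        if directive == "rename-command" and args:
            renamed.add(args.split()[0].upper())  # original command name
        else:
            conf[directive] = args  # the last occurrence wins, as in Redis
    findings = []
    bind = conf.get("bind", "")  # without a bind directive Redis listens everywhere
    if not bind or any(a in ("0.0.0.0", "*", "::") for a in bind.split()):
        findings.append("bind: listens on all interfaces; use 'bind 127.0.0.1' or a private address")
    if conf.get("protected-mode", "yes").lower() != "yes":
        findings.append("protected-mode: disabled; set 'protected-mode yes'")
    password = conf.get("requirepass", "").strip('"')
    if not password:
        findings.append("requirepass: no password set; clients can connect unauthenticated")
    elif len(password) < min_password_len:
        findings.append(f"requirepass: password shorter than {min_password_len} characters")
    if "CONFIG" not in renamed:
        findings.append("rename-command: CONFIG is still reachable under its default name")
    return findings

if __name__ == "__main__":
    for finding in audit_redis_conf(SAMPLE_CONF):
        print(finding)
```

Run it against a copy of /etc/redis/redis.conf to get a quick checklist before deployment; a clean run is the expected result for a hardened file.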

Secure Redis Implementation with the Redis Enterprise Version

Redis Enterprise is a robust in-memory database platform built on open-source Redis with additional features such as auto-failover, auto-sharding/scaling, easy backups, and disaster recovery capabilities.

Along with these resilient features, it also provides many other security features related to authentication and authorization. Some of the security features are mentioned below:

  • It limits administrative access to a set of ports that can be secured with additional OS-level mechanisms, such as iptables and firewalls.
  • It provides role-based access control, so separate roles can be defined for fine-grained security controls.
  • It offers built-in encryption for data in transit: the data paths are encrypted using SSL, and it can be deployed on any cloud platform.

With Redis Enterprise Cloud, data access can be secured by IP filtering, which allows only application servers from a given set of source IPs to authenticate to the database.

Security has become an inseparable part of developing and deploying applications. While designing a cloud infrastructure, we need to implement security at the network level as well as at the application level. The goal is to deploy the Redis server while minimizing its attack surface. After taking every measure to harden the Redis server, it should be impenetrable to attackers. A single vulnerability in the system design can compromise the whole system.

They say that "everything comes with a cost." Since securing an application has some influence on its performance, it is recommended to run benchmark tests on the application with and without encryption to determine the performance impact. Because there is no single model of implementation and every industry has its own use case, it is crucial to have a comprehensive cloud security strategy in place.