Install, Configure & Secure Redis on Debian 9

Introduction
Redis is an open-source, in-memory key-value data structure store. It is often used as a database, cache, and/or message broker in a wide range of real-world applications. Redis supports both strings and abstract data types like lists of strings, sets of strings, hash tables, and more.
In this article, we'll go over how to install, configure, and secure a Redis database on a Debian 9 operating system.
Let's get started!
Install & Configure Redis
Since you are using the Debian 9 operating system, we can simply use apt to get the latest stable version of Redis from the official Debian repository lists.
First, we need to run the apt update command to update the list of available packages and their versions on your machine. This won't install any packages yet.
Open a terminal window (CTRL+ALT+T) and execute the command below:
$ sudo apt update
When that's done, we can install Redis with this command:
$ sudo apt install redis-server
When that command is completed, Redis and its dependencies will be installed on your machine.
Test Redis
Whenever you install new software onto your machine, it's a good idea to make sure it's working properly. In this step, we'll go over a few quick ways to make sure Redis is working as expected.
First, make sure the service is running:
$ sudo systemctl status redis
If your Redis instance is running without any errors, you should see an output similar to this:
Output
● redis-server.service - Advanced key-value store
  Loaded: loaded (/lib/systemd/system/redis-server.service; enabled; vendor preset: enabled)
  Active: active (running) since Thu 2019-07-18 18:35:29 CDT; 2min 2s ago
    Docs: http://redis.io/documentation,
      man:redis-server(1)
  Process: 28673 ExecStartPost=/bin/run-parts --verbose /etc/redis/redis-server.post-up.d (code=exited, status=0/S)
. . .
In the output, you can see that Redis is running and will start up every time your server reboots via systemctl (execute the sudo systemctl disable redis command to stop systemctl from starting Redis on boot).
Next, we should test some of the Redis functionality by using the Redis command-line interface.
Start the command-line client with this command:
$ redis-cli
Then, add a value to the database by using the set command:
127.0.0.1:6379> set message "Hello World!"
And retrieve the value:
127.0.0.1:6379> get message
If everything is working, you should get this output:
Output
"Hello World!"
Last, we'll confirm that Redis can persist data after it's been stopped or restarted.
Exit the redis-cli prompt by executing the exit command:
127.0.0.1:6379> exit
And then restart the systemctl service that's running Redis:
$ sudo systemctl restart redis
When it has restarted, open the Redis command-line interface again and confirm that the "message" value still exists and returns the same value:
$ redis-cli
127.0.0.1:6379> get message
The value of the "message" key should still exist:
Output
"Hello World!"
You can exit the shell when you're finished:
127.0.0.1:6379> exit
Your Redis server is now running, configured, and ready to use!
However, some of the default configuration settings are insecure. If your machine is a server, they give malicious actors opportunities to attack the data in your server's database.
The remaining steps in this article close some of those security holes.
Although these next steps are optional, they're highly recommended.
Optional: Bind to Local Host
By default, Redis can only be accessed via localhost. But, there is a chance you may have installed Redis using a different tutorial and configured Redis to accept connections from anywhere. That method is not as secure as only allowing localhost connections.
To correct this or verify your Redis database is bound to only localhost, open the Redis configuration file for editing:
$ sudo nano /etc/redis/redis.conf
Scroll to the GENERAL section, locate the line below, and verify it is not commented out (remove the # if it exists):
/etc/redis/redis.conf
bind 127.0.0.1
Save and exit the file when you are finished (CTRL + X, Y, ENTER).
If you made any changes to the configuration file, make sure you restart Redis for the changes to go into effect:
$ sudo systemctl restart redis
Make sure the changes have gone into effect with the netstat command:
$ sudo netstat -lnp | grep redis
You should get a similar output to this:
Output
tcp        0        0 127.0.0.1:6379        0.0.0.0:*        LISTEN        29053/redis-server
The output shows that the redis-server program is bound to localhost (127.0.0.1). If you see another IP address in that column, then you should double-check that you uncommented the correct line and/or updated the line correctly. Then restart the Redis service again.
Now that your Redis service is bound to localhost, it will be more difficult for malicious actors to make remote requests to your database or gain access to your server. But, the Redis database isn't currently set up to authenticate users before they make changes to Redis configuration files or the data it holds.
In the next step, we'll update Redis to require users to authenticate with a password.
Optional: Configure Redis Password
In this section, we're going to set a Redis password with the requirepass directive so that clients must authenticate with the auth command.
To configure the password, we need to update the /etc/redis/redis.conf Redis configuration file. So open that file again:
$ sudo nano /etc/redis/redis.conf
Scroll to the SECURITY section and look for a commented section that shows:
# requirepass foobared
Uncomment that line by removing the #, and replace foobared with a new and secure password.
If you look above the requirepass section, you'll notice this message about password strength:
/etc/redis/redis.conf
# Warning: since Redis is pretty fast an outside user can try up to
# 150k passwords per second against a good box. This means that you should
# use a very strong password otherwise it will be very easy to break.
So, it's super important to use a VERY strong and long password if your Redis database is running on an important server or if it holds any sensitive data. Instead of making up a password yourself, you can use the openssl command to generate a long and random password.
Use the following command to generate one:
$ openssl rand 60 | openssl base64 -A
The output should look similar to this:
Output
yq1w4q5sf9FKNxEwXQrJ5HHCB5KkjsLRBF2uJquImA+C2IGhd1sTKNpHWRBMpYEhUw7mcj+XSp4l1VF
Then, copy and paste the output as the new value for requirepass. It should read like this:
/etc/redis/redis.conf
requirepass yq1w4q5sf9FKNxEwXQrJ5HHCB5KkjsLRBF2uJquImA+C2IGhd1sTKNpHWRBMpYEhUw7mcj+XSp4l1VF
After changing the password, save and close the /etc/redis/redis.conf file and restart Redis:
$ sudo systemctl restart redis
To test the new password, open the command-line:
$ redis-cli
And attempt to set a value in the database without first authenticating:
127.0.0.1:6379> set testKey "Test Value"
This won't work without authentication. Your output will look like this:
Output
(error) NOAUTH Authentication required.
To authenticate with the password you set in the Redis configuration file, run this command (replace YOUR_PASSWORD with your password):
127.0.0.1:6379> auth YOUR_PASSWORD
And Redis will respond with this:
Output
OK
Then, retry the previous command of setting a test key and value:
127.0.0.1:6379> set testKey "Test Value"
If everything went well, that should have been successful:
Output
OK
And for testing purposes, retrieve the key:
127.0.0.1:6379> get testKey
You will get this output:
Output
"Test Value"
After confirming the above commands work with authentication, you can close the redis-cli client:
127.0.0.1:6379> exit
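The checks from the "Bind to Local Host" and "Configure Redis Password" sections can be automated. The script below is an added example, not part of the original article: the function name audit_redis_conf, the MIN_PASS_LEN threshold of 32 characters, and the sample configs are assumptions constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example: audit a redis.conf for the two settings hardened in this article.
# MIN_PASS_LEN is an assumed policy threshold, not something Redis enforces.
MIN_PASS_LEN=32

# Prints one finding per line; exit status 0 means no findings, 1 otherwise.
# The body runs in a subshell so 'set -f' and the variables stay local.
audit_redis_conf() (
    set -f   # no globbing when the bind list is split into words
    conf="$1"; rc=0

    # Only active lines count: "# bind ..." and "#bind ..." never match.
    # Assumption in this sketch: if a directive repeats, the last one is used.
    bind_addrs=$(awk 'tolower($1) == "bind" { $1 = ""; v = $0 } END { print v }' "$conf")
    pass=$(awk 'tolower($1) == "requirepass" { v = $2 } END { print v }' "$conf")

    if [ -z "$bind_addrs" ]; then
        echo "bind: no active bind directive"; rc=1
    else
        for addr in $bind_addrs; do
            case "$addr" in
                127.0.0.1|::1) ;;
                *) echo "bind: non-loopback address $addr"; rc=1 ;;
            esac
        done
    fi

    # The password itself is never printed, only what is wrong with it.
    if [ -z "$pass" ]; then
        echo "requirepass: not set"; rc=1
    elif [ "$pass" = "foobared" ]; then
        echo "requirepass: still the sample value from the config comments"; rc=1
    elif [ "${#pass}" -lt "$MIN_PASS_LEN" ]; then
        echo "requirepass: shorter than $MIN_PASS_LEN characters"; rc=1
    fi
    exit "$rc"
)

# Constructed sample configs (not taken from a real host).
demo=$(mktemp -d)
printf '%s\n' '# bind 127.0.0.1' '# requirepass foobared' > "$demo/weak.conf"
printf '%s\n' 'bind 127.0.0.1 ::1' \
    'requirepass constructed-placeholder-0123456789-abcdefghij' > "$demo/hardened.conf"
for name in weak hardened; do
    echo "== $name.conf"
    audit_redis_conf "$demo/$name.conf" || echo "   (findings above)"
done
rm -rf "$demo"
```

To check the live configuration, call audit_redis_conf /etc/redis/redis.conf as a user that can read the file.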
Conclusion
In this article, we installed and configured Redis on a Debian 9 operating system, tested that Redis was working post-installation, made sure Redis was bound to localhost and configured Redis with authentication.
You should now have a Redis database ready to be used in whatever awesome application you're building.
Thanks for reading and happy coding!