Redis installation and daily use

1. Preparation before installation

1. Redis is developed in the C language.
2. A C compilation environment is required to install Redis. If gcc is not present, install it online.
Command line: yum install gcc-c++

2. Installation steps

Step 1: Upload the Redis source code package to the Linux system.
Official download address:

https://redis.io/download

Step 2: Unzip redis.
Command line: tar -zxvf redis-3.0.0.tar.gz

Step 3: Compile. Enter the redis source code directory.
Command line: make

Step 4: Install.
Command line: make install PREFIX=/usr/local/redis
Note: The PREFIX parameter specifies the installation directory of redis. Software is generally installed under the /usr directory.

3. Connect to redis

3.1. Start of redis

1. Front-end startup mode
Start redis-server directly under the redis installation directory.
[root@localhost bin]# ./redis-server
# Note: In front-end startup mode, the terminal window stays occupied. To stop it, use the shortcut Ctrl+C.

2. Background startup mode (recommended)
(1) Copy /root/redis-3.0.0/redis.conf to the /usr/local/redis/bin directory.
[root@localhost redis-3.0.0]# cp redis.conf /usr/local/redis/bin/

(2) Modify the configuration file.
[root@localhost bin]# vim redis.conf
# Start with the configuration file loaded
[root@localhost bin]# ./redis-server redis.conf

(3) View the redis process.
[root@localhost bin]# ps aux|grep redis
(4) Stop the redis service by killing the process.
[root@localhost bin]# kill pid (process ID), for example: kill 63780
# Note: kill -9 pid forces shutdown. kill pid closes normally after the current task completes.

(5) Remote connection port opening solution:
CentOS 7.x version (firewall-cmd firewall):
Open port: firewall-cmd --zone=public --add-port=6380/tcp --permanent

Restart the firewall: firewall-cmd --reload

Other commands:
# View firewall status: systemctl status firewalld
# View the ports open in the firewall: firewall-cmd --list-ports
# Start the firewall: systemctl start firewalld.service
# Stop the firewall: systemctl stop firewalld.service
# Prevent the firewall from starting at boot: systemctl disable firewalld.service

3.2. redis-cli

[root@localhost bin]# ./redis-cli
# Connects by default to the redis service running on port 6379 on localhost.

[root@localhost bin]# ./redis-cli -h 192.168.113.100 -p 6379 -a "<password>"
-h: The address of the connected server
-p: The port number of the service
-a: Password login

Close redis: [root@localhost bin]# ./redis-cli shutdown
Shutdown command when the port number has been modified: ./redis-cli -p <port number> shutdown

Shutdown command when the listening address and port number have been modified: kill -9 pid (process ID)

3.3. Redis five data types

1) String: key-value (for caching)
All data in Redis is a string. Commands are not case sensitive, but keys are case sensitive. Redis is single-threaded. Redis is not suitable for storing large data.
set (set), get (get), del (delete), keys * (view all)
incr: plus one (generate id), decr: minus one

2) Hash: key-fields-values (caching)
Equivalent to a key that maps to a map, and the map in turn holds key-values. Use a hash to classify keys.
Hset: Add content to the hash
Hget: Get content from the hash

3) List: ordered and repeatable (doubly linked list)

192.168.113.100:6379> lpush list1 a b c d
(integer) 4
192.168.113.100:6379> lrange list1 0 -1
1) "d"
2) "c"
3) "b"
4) "a"
192.168.113.100:6379> rpush list1 1 2 3 4
(integer) 8
192.168.113.100:6379> lrange list1 0 -1
1) "d"
2) "c"
3) "b"
4) "a"
5) "1"
6) "2"
7) "3"
8) "4"
192.168.113.100:6379> 
192.168.113.100:6379> lpop list1 
"d"
192.168.113.100:6379> lrange list1 0 -1
1) "c"
2) "b"
3) "a"
4) "1"
5) "2"
6) "3"
7) "4"
192.168.113.100:6379> rpop list1
"4"
192.168.113.100:6379> lrange list1 0 -1
1) "c"
2) "b"
3) "a"
4) "1"
5) "2"
6) "3"
192.168.113.100:6379> 

4) Set: The elements are in no order and cannot be repeated

192.168.113.100:6379> sadd set1 a b c c c d
(integer) 4
192.168.113.100:6379> smembers set1
1) "b"
2) "c"
3) "d"
4) "a"
192.168.113.100:6379> srem set1 a
(integer) 1
192.168.113.100:6379> smembers set1
1) "b"
2) "c"
3) "d"
192.168.113.100:6379> 

5) SortedSet (zset): The elements are ordered and cannot be repeated

192.168.113.100:6379> zadd zset1 2 a 5 b 1 c 6 d
(integer) 4
192.168.113.100:6379> zrange zset1 0 -1
1) "c"
2) "a"
3) "b"
4) "d"
192.168.113.100:6379> zrem zset1 a
(integer) 1
192.168.113.100:6379> zrange zset1 0 -1
1) "c"
2) "b"
3) "d"
192.168.113.100:6379> zrevrange zset1 0 -1
1) "d"
2) "b"
3) "c"
192.168.113.100:6379> zrange zset1 0 -1 withscores
1) "c"
2) "1"
3) "b"
4) "5"
5) "d"
6) "6"
192.168.113.100:6379> zrevrange zset1 0 -1 withscores
1) "d"
2) "6"
3) "b"
4) "5"
5) "c"
6) "1"
192.168.113.100:6379> 

3.4. Key command

Set the expiration time of the key.
Expire key seconds: Set the expiration time of the key.
Ttl key: View the expiration time of the key.
Persist key: Clear the expiration time of the key (key persistence).

192.168.113.100:6379> expire Hello 100
(integer) 1
192.168.113.100:6379> ttl Hello
(integer) 77

4. Redis security configuration (absolutely important)

1. Reasons for security configuration

By default, Redis binds to 0.0.0.0:6379, which exposes the Redis service to the public network. If authentication is not turned on, any user who can reach the server can access Redis without authorization and read its data. Without authorization, an attacker can use Redis's own commands to write a public key onto the Redis server and then log in to the server directly with the corresponding private key.

2. Intrusion characteristics

Redis may have executed the FLUSHALL command, and the entire Redis database was emptied;
A new key-value pair named crackit (from commands circulating on the Internet) was created in the Redis database, and its content is an SSH public key;
In the /root/.ssh folder, the authorized_keys file is newly created or modified, and its content is the db file generated by Redis, which contains the above public key.
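
A check for the third characteristic, as an added example that is not part of the original post: it flags an authorized_keys file whose content looks like a Redis db file (an RDB dump starts with the magic string REDIS followed by a four-digit version) or contains other non-text bytes. The function name and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): triage one authorized_keys file.
# Verdicts printed: clean | rdb-dump | binary-junk | missing

check_authorized_keys() {
    f=$1
    [ -f "$f" ] || { echo "missing"; return 0; }

    # An RDB dump starts with the magic "REDIS" plus a 4-digit format version.
    # All 9 leading bytes must survive the filter for the pattern to match.
    magic=$(head -c 9 "$f" | LC_ALL=C tr -cd 'A-Z0-9')
    case $magic in
        REDIS[0-9][0-9][0-9][0-9]) echo "rdb-dump"; return 0 ;;
    esac

    # A legitimate file is plain text: count bytes that are neither
    # printable nor whitespace.
    junk=$(LC_ALL=C tr -d '[:print:][:space:]' < "$f" | wc -c | tr -d ' ')
    if [ "$junk" -gt 0 ]; then
        echo "binary-junk"
    else
        echo "clean"
    fi
}

demo() {
    # Constructed sample files; the key material is a placeholder, not a real key.
    d=$(mktemp -d)
    printf 'ssh-ed25519 AAAA_PLACEHOLDER admin@example\n' > "$d/clean"
    printf 'REDIS0006\376\000\007crackit\n\nssh-rsa AAAA_PLACEHOLDER x\n\n\377' > "$d/dump"
    printf 'ssh-rsa AAAA_PLACEHOLDER x\n\001\002\n' > "$d/junk"
    for n in clean dump junk absent; do
        printf '%s: %s\n' "$n" "$(check_authorized_keys "$d/$n")"
    done
    rm -rf "$d"
}

demo
```

Run it against /root/.ssh/authorized_keys and the authorized_keys file of every other account; any verdict other than clean or missing warrants a closer look at the host.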

3. Solution

1) Change the default port of Redis to avoid well-known ports and reduce the risk of being found by initial-stage scanning.
The configuration in redis.conf is as follows: change port 6379 to another port number, such as 6380. Remember that the port opened in the firewall must also be changed to the new port number.
Remove the open default port (for CentOS 7.x):

firewall-cmd --zone=public --remove-port=6379/tcp --permanent

Add an open port (for CentOS 7.x):

firewall-cmd --zone=public --add-port=6380/tcp --permanent

2) Restrict access to the intranet or to local access only; multiple IPs are separated by spaces.
The configuration in redis.conf is as follows: bind 192.168.113.100 or bind 127.0.0.1
3) Enable redis password authentication and set a high-complexity password.
The configuration in redis.conf is as follows: requirepass + space + complex password (8-20 characters)
4) Disable or rename dangerous commands; setting the new name to empty disables the command. (A renamed command must be difficult for others to guess.)
Add the following in redis.conf:

rename-command CONFIG CONFIG_boss
rename-command SHUTDOWN SHUTDOWN_boss
rename-command FLUSHDB ""
rename-command FLUSHALL ""

5) Only the specific IP is open to access the port used by Redis.
The setting command is as follows:

firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="<specific IP>" port protocol="tcp" port="<Redis port>" accept'

For a network segment:

firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="192.168.113.0/24" port protocol="tcp" port="6380" accept'

6) Modify the access permissions of the redis file directory. (Tentative)
The redis root directory is set to: chmod 700 redis
redis.conf is set to: chmod 600 redis.conf

7) Prohibit root user to start redis (tentative)

useradd -s /sbin/nologin -M redis
setsid sudo -u redis /usr/bin/redis-server /etc/redis.conf

Pay attention to adding users
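
An audit of items 1) to 4) above, as an added example that is not part of the original post: it reads a redis.conf and reports each setting that is still at the weak value the post warns about. The function name, the two sample configuration files and the sample password are constructed for illustration.

```shell
# Added example (not from the original post): audit a redis.conf against
# items 1) to 4). Prints one finding per line; prints nothing if all pass.
audit_redis_conf() {
    awk '
        NF == 0 || $1 ~ /^#/    { next }   # skip blank lines and comments
        { key = tolower($1) }
        key == "port"           { port = $2 }
        key == "bind"           { bound = 1; for (i = 2; i <= NF; i++) if ($i == "0.0.0.0") wide = 1 }
        key == "requirepass"    { pass = $2; gsub(/^"|"$/, "", pass) }
        key == "rename-command" { renamed[toupper($2)] = 1 }
        END {
            if (port == "" || port == 6379) print "port: default 6379 in use"
            if (!bound)    print "bind: not set, listens on all interfaces"
            else if (wide) print "bind: includes 0.0.0.0"
            n = length(pass)
            if (n == 0)               print "requirepass: not set"
            else if (n < 8 || n > 20) print "requirepass: length outside 8-20"
            split("CONFIG SHUTDOWN FLUSHDB FLUSHALL", cmds, " ")
            for (i = 1; i <= 4; i++)
                if (!(cmds[i] in renamed)) print "rename-command: " cmds[i] " not renamed or disabled"
        }
    ' "$1"
}

demo() {
    d=$(mktemp -d)
    # Constructed configs: "weak" keeps the defaults the post warns about,
    # "hard" applies the settings from the post (the password is a made-up sample).
    printf 'port 6379\n# bind 127.0.0.1\n' > "$d/weak.conf"
    cat > "$d/hard.conf" <<'EOF'
port 6380
bind 192.168.113.100 127.0.0.1
requirepass S4mple-Passw0rd!
rename-command CONFIG CONFIG_boss
rename-command SHUTDOWN SHUTDOWN_boss
rename-command FLUSHDB ""
rename-command FLUSHALL ""
EOF
    echo "== weak.conf"; audit_redis_conf "$d/weak.conf"
    echo "== hard.conf"; audit_redis_conf "$d/hard.conf"
    rm -rf "$d"
}

demo
```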

Origin blog.csdn.net/rao991207823/article/details/105345207