Redis Security
Out of the box Redis has no authentication and no encryption, so its default configuration is insecure. This lesson covers how to protect your Redis instance.
Redis Security Risks
Default configuration risks:
- No password authentication: anyone who can reach the port has full access
- Listens on all network interfaces when no bind directive is set (the stock redis.conf binds 127.0.0.1, but a server started without a config file does not)
- Dangerous commands are enabled: FLUSHALL, CONFIG, DEBUG, etc. CONFIG SET alone lets any client change dir and dbfilename, so a following SAVE writes attacker-chosen content to any path the Redis process can write
- Plaintext transmission: commands, data and the AUTH password all cross the network unencrypted unless TLS is configured
⚠️ Warning: Exposing Redis to the public internet is very dangerous! Unauthenticated instances are routinely found by automated scanners, and there have been large-scale mass-compromise campaigns against them.
Password Authentication
Setting a Password (requirepass)
CONF
# redis.conf
requirepass your_strong_password_here
requirepass still works on Redis 6.0 and later, where it simply sets the password of the built-in default ACL user.
Authenticating when connecting:
REDIS
# Method 1: specify password on connection (recent redis-cli versions print a warning)
redis-cli -a your_strong_password_here
# Method 2: authenticate after connecting
redis-cli
AUTH your_strong_password_here
OK
⚠️ Note: Using the -a parameter on the command line exposes the password in shell history and in the process list (ps). Prefer the REDISCLI_AUTH environment variable or the --askpass prompt of newer redis-cli versions; for an ACL user (Redis 6.0+) add --user <name>.
Quoting the Password in the Config File
CONF
# redis.conf: quote the value if it contains spaces; quoting is harmless otherwise
requirepass "P@ssw0rd!2026#Redis"
Dynamically Setting a Password
REDIS
CONFIG SET requirepass "new_password"
OK
# Takes effect immediately: this connection and every new one must AUTH again
AUTH new_password
OK
CONFIG SET only changes the running instance; run CONFIG REWRITE (or edit redis.conf) so the password survives a restart. If CONFIG has been renamed or disabled, this method is unavailable.
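To make the AUTH handshake concrete, here is an added example (not code from the lesson or from Redis) that builds the request frames exactly as redis-cli does in RESP, Redis's wire protocol, and parses the server's replies. A scripted FakeRedis, constructed for this example, stands in for a server with requirepass set so that the code runs offline; it checks only the password (the username of the Redis 6 form AUTH <user> <pass> is accepted but not looked up). The NOAUTH and WRONGPASS strings mirror the real Redis replies.

```python
# Added example: the AUTH exchange on the wire, with a constructed fake server.
NOAUTH = "NOAUTH Authentication required."
WRONGPASS = "WRONGPASS invalid username-password pair or user is disabled."


def encode_command(*args: str) -> bytes:
    """Encode a command as a RESP array of bulk strings, exactly as redis-cli sends it."""
    frame = [f"*{len(args)}\r\n".encode()]
    for arg in args:
        data = arg.encode()
        frame.append(b"$%d\r\n%s\r\n" % (len(data), data))
    return b"".join(frame)


def parse_simple_reply(data: bytes) -> tuple[str, str]:
    """Parse a RESP simple string (+...) or error (-...) reply into (kind, text)."""
    if data[:1] not in (b"+", b"-") or not data.endswith(b"\r\n"):
        raise ValueError(f"unexpected reply: {data!r}")
    return ("ok" if data[:1] == b"+" else "error"), data[1:-2].decode()


class FakeRedis:
    """Constructed stand-in for a server with requirepass configured (not real Redis)."""

    def __init__(self, password: str):
        self.password = password
        self.authenticated = False
        self.wire_log: list[bytes] = []    # every request frame, as a sniffer would see it

    def exchange(self, request: bytes) -> bytes:
        self.wire_log.append(request)
        parts = request.split(b"\r\n")     # parts: *N, $len, CMD, $len, arg1, ..., ''
        command = parts[2].upper()
        if command == b"AUTH":
            # Both forms, AUTH <password> (pre-6.0) and AUTH <username> <password> (6.0+),
            # carry the password as the final argument
            if parts[-2].decode() == self.password:
                self.authenticated = True
                return b"+OK\r\n"
            return f"-{WRONGPASS}\r\n".encode()
        if not self.authenticated:
            return f"-{NOAUTH}\r\n".encode()
        return b"+PONG\r\n"


def requires_auth(server: FakeRedis) -> bool:
    """True if an unauthenticated command is refused, i.e. a password is being enforced."""
    kind, text = parse_simple_reply(server.exchange(encode_command("PING")))
    return kind == "error" and text.startswith("NOAUTH")


def authenticate(server: FakeRedis, password: str, username: str = "default") -> bool:
    """Send AUTH and report whether the server accepted the credentials."""
    kind, text = parse_simple_reply(server.exchange(encode_command("AUTH", username, password)))
    if kind == "error" and text.startswith("WRONGPASS"):
        return False
    return kind == "ok"


def password_visible_on_wire(server: FakeRedis, password: str) -> bool:
    """Without TLS the secret travels as a plain bulk string inside the AUTH frame."""
    return any(password.encode() in frame for frame in server.wire_log)


if __name__ == "__main__":
    srv = FakeRedis("your_strong_password_here")
    print("password enforced:", requires_auth(srv))                                  # True
    print("wrong password accepted:", authenticate(srv, "guess"))                    # False
    print("right password accepted:", authenticate(srv, "your_strong_password_here"))  # True
    print("still refused after AUTH:", requires_auth(srv))                            # False
    print("secret visible on the wire:",
          password_visible_on_wire(srv, "your_strong_password_here"))                # True
```

The last check is the reason the TLS section exists: whoever can capture the segment between client and server reads the password straight out of the AUTH frame, and the same goes for every key and value afterwards.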
ACL Access Control (Redis 6.0+)
Redis 6.0 introduced ACLs (Access Control Lists): named users, each with its own passwords, allowed commands and allowed key patterns, instead of one password shared by every client.
Viewing User List
REDIS
ACL LIST
1) "user default on nopass ~* &* +@all"
This is the out-of-the-box state: the built-in default user needs no password (nopass), may touch every key (~*) and channel (&*), and may run every command (+@all). requirepass merely gives this user a password; ACLs let you add more restricted users beside it.
Creating Users
REDIS
# Create user with a password and full permissions
ACL SETUSER alice on >password123 ~* +@all
OK
# Create read-only user (+@connection is needed so the user can AUTH and PING)
ACL SETUSER bob on >password456 ~* +@read +@connection
OK
# Create user limited to app:* keys. Key patterns only restrict commands that take keys;
# key-less commands such as CONFIG or SHUTDOWN must be denied explicitly
ACL SETUSER app on >apppass ~app:* +@all -@admin -@dangerous
OK
ACL Command Syntax
ACL SETUSER username [rule ...]
on|off # Enable or disable the user
>password # Add a password (#<sha256-hex> adds a pre-hashed one; nopass allows login without a password)
<password # Remove a password
~pattern # Allow keys matching a glob (~* or allkeys means all keys; resetkeys clears the list)
&pattern # Allow Pub/Sub channels (&* or allchannels; resetchannels clears the list)
+@category # Allow a command category
-@category # Deny a command category
+command # Allow a specific command
-command # Deny a specific command
reset # Back to the state of a fresh user: off, no passwords, no keys, no commands
Rules are applied from left to right, so a later rule overrides an earlier one.
Command Categories
A command usually belongs to several categories (KEYS, for example, is in @read and also in @dangerous). ACL CAT lists all categories and ACL CAT <category> the commands in one. The most useful ones:
| Category | Description | Includes |
|---|---|---|
| @all | All commands | All |
| @read | Read commands | GET, HGET, LRANGE, etc. |
| @write | Write commands | SET, HSET, LPUSH, etc. |
| @admin | Admin commands | CONFIG, DEBUG, etc. |
| @dangerous | Dangerous commands | FLUSHALL, SHUTDOWN, etc. |
| @connection | Connection commands | AUTH, PING, QUIT, etc. |
| @string | String commands | SET, GET, INCR, etc. |
| @hash | Hash commands | HSET, HGET, etc. |
| @list | List commands | LPUSH, LPOP, etc. |
| @set | Set commands | SADD, SREM, etc. |
| @sortedset | Sorted set commands | ZADD, ZREM, etc. |
Creating Users with Different Permissions
REDIS
# Admin: all permissions
ACL SETUSER admin on >admin123 ~* +@all
# Read-only user (note that +@read still includes KEYS and SCAN)
ACL SETUSER readonly on >read123 ~* +@read +@connection
# App user: may only touch app:* keys and cannot run admin or dangerous commands
ACL SETUSER app on >app123 ~app:* +@all -@admin -@dangerous
# Stats user: read-only on stats:* keys
ACL SETUSER stats on >stats123 ~stats:* +@read +@connection
# Safe user: all commands except admin and dangerous. Rules apply left to right, so the
# deny rules must follow +@all; "-@admin -@dangerous +@all" would grant everything
ACL SETUSER safe on >safe123 ~* +@all -@admin -@dangerous
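The order dependence above is easy to get wrong, so here is an added example (not Redis's implementation and not code from the lesson) that simulates how ACL SETUSER rules are applied left to right and then checks individual commands and keys against the resulting user. The CATEGORIES table is a constructed subset of the real categories (ask a server with ACL CAT for the full membership), Pub/Sub channel rules and credentials are parsed but not enforced, and the NOPERM messages approximate rather than quote Redis's replies.

```python
# Added example: simulate ACL SETUSER rule evaluation to show why rule order matters.
import fnmatch
from dataclasses import dataclass, field

# Constructed subset of Redis command categories, enough to exercise the rules above.
CATEGORIES: dict[str, set[str]] = {
    "read": {"GET", "HGET", "LRANGE", "SCAN", "KEYS", "DBSIZE"},
    "write": {"SET", "HSET", "LPUSH", "LPOP", "INCR", "DEL", "FLUSHALL", "FLUSHDB"},
    "keyspace": {"SCAN", "KEYS", "DBSIZE", "DEL", "FLUSHALL", "FLUSHDB"},
    "admin": {"CONFIG", "DEBUG", "SHUTDOWN", "MONITOR", "ACL"},
    "dangerous": {"FLUSHALL", "FLUSHDB", "CONFIG", "DEBUG", "SHUTDOWN", "MONITOR", "ACL", "KEYS"},
    "connection": {"AUTH", "PING", "QUIT", "HELLO"},
    "string": {"GET", "SET", "INCR"},
    "hash": {"HGET", "HSET"},
    "list": {"LPUSH", "LPOP", "LRANGE"},
}
CATEGORIES["all"] = set().union(*CATEGORIES.values())


@dataclass
class AclUser:
    enabled: bool = False                       # a fresh user is "off"
    key_patterns: list[str] = field(default_factory=list)
    commands: set[str] = field(default_factory=set)


def category(name: str) -> set[str]:
    try:
        return CATEGORIES[name.lower()]
    except KeyError:
        raise ValueError(f"unknown category @{name}") from None


def parse_rules(rules: str) -> AclUser:
    """Apply rules in order, as Redis does: a later rule overrides an earlier one."""
    user = AclUser()
    for rule in rules.split():
        if rule == "on":
            user.enabled = True
        elif rule == "off":
            user.enabled = False
        elif rule.startswith((">", "<", "#", "!")) or rule in ("nopass", "resetpass"):
            continue  # credentials are checked by AUTH, not by the permission check modelled here
        elif rule.startswith("&") or rule in ("allchannels", "resetchannels"):
            continue  # Pub/Sub channel permissions are not modelled
        elif rule in ("allkeys", "~*"):
            user.key_patterns = ["*"]
        elif rule == "resetkeys":
            user.key_patterns = []
        elif rule.startswith("~"):
            user.key_patterns.append(rule[1:])
        elif rule in ("allcommands", "+@all"):
            user.commands = set(CATEGORIES["all"])
        elif rule in ("nocommands", "-@all"):
            user.commands = set()
        elif rule.startswith("+@"):
            user.commands |= category(rule[2:])
        elif rule.startswith("-@"):
            user.commands -= category(rule[2:])
        elif rule.startswith("+"):
            user.commands.add(rule[1:].upper())
        elif rule.startswith("-"):
            user.commands.discard(rule[1:].upper())
        else:
            raise ValueError(f"unsupported ACL rule: {rule}")
    return user


def check(user: AclUser, command: str, keys: tuple[str, ...] = ()) -> tuple[bool, str]:
    """Decide whether the user may run `command` on `keys` (messages approximate NOPERM)."""
    cmd = command.upper()
    if not user.enabled:
        return False, "user is disabled"
    if cmd not in user.commands:
        return False, f"NOPERM: no permission to run '{cmd}'"
    for key in keys:
        # Redis has its own glob matcher; fnmatchcase handles *, ? and [...] the same way
        if not any(fnmatch.fnmatchcase(key, pat) for pat in user.key_patterns):
            return False, f"NOPERM: no permission to access key '{key}'"
    return True, "OK"


if __name__ == "__main__":
    safe = parse_rules("on >safe123 ~* +@all -@admin -@dangerous")
    reversed_order = parse_rules("on >safe123 ~* -@admin -@dangerous +@all")
    app = parse_rules("on >app123 ~app:* +@all")
    readonly = parse_rules("on >read123 ~* +@read +@connection")
    cases = [
        ("safe CONFIG", safe, "CONFIG", ()),
        ("reversed order CONFIG", reversed_order, "CONFIG", ()),
        ("app own key", app, "GET", ("app:session:1",)),
        ("app foreign key", app, "GET", ("stats:hits",)),
        ("app key-less CONFIG", app, "CONFIG", ()),
        ("readonly SET", readonly, "SET", ("k",)),
        ("readonly KEYS", readonly, "KEYS", ()),
    ]
    for label, user, cmd, keys in cases:
        print(f"{label:22} -> {check(user, cmd, keys)}")
```

Two results are worth noticing: the "app" user with only ~app:* +@all can still run CONFIG, because key patterns say nothing about commands that take no keys, and the "readonly" user with +@read can run KEYS, because KEYS is a @read command. Both are fixed by appending explicit denies such as -@admin -@dangerous or -keys.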
Viewing User Permissions
REDIS
# View all users
ACL LIST
# View specific user (output abbreviated: the real reply shows the SHA-256 hash of
# each password and, from 6.2, a "channels" field)
ACL GETUSER alice
1) "flags"
2) 1) "on"
3) "passwords"
4) 1) "hash_password"
5) "keys"
6) "~*"
7) "commands"
8) "+@all"
Deleting a User
REDIS
ACL DELUSER alice
(integer) 1
Saving ACL Configuration
REDIS
# Save the current users to the ACL file (returns an error unless aclfile is configured)
ACL SAVE
OK
Specify the ACL file in redis.conf:
CONF
aclfile /etc/redis/users.acl
Without an aclfile, define users with "user ..." lines in redis.conf and persist runtime changes with CONFIG REWRITE; the two approaches cannot be mixed. ACL LOAD re-reads the file on a running server. Users created with ACL SETUSER and never saved are lost on restart.
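Since the ACL file format is the same one ACL SAVE writes, you can also generate it from configuration management instead of editing users on a live server. The added example below (not code from the lesson or from Redis) renders such a file with the #<sha256> credential form, so that only password hashes, never cleartext, are stored, switches the default user off, and verifies a password against the file the way AUTH does server-side. The usernames and rules are constructed for the example.

```python
# Added example: generate a users.acl file with hashed credentials and verify against it.
import hashlib
import secrets
import string

PASSWORD_ALPHABET = string.ascii_letters + string.digits


def generate_password(length: int = 32) -> str:
    """Random password from the OS CSPRNG. Redis stores plain unsalted SHA-256 hashes,
    so length and randomness are the only defence against offline guessing."""
    if length < 16:
        raise ValueError("use at least 16 characters")
    return "".join(secrets.choice(PASSWORD_ALPHABET) for _ in range(length))


def password_hash(password: str) -> str:
    """The '#<sha256 hex>' rule Redis accepts in ACL SETUSER, ACL files and ACL LIST output."""
    return "#" + hashlib.sha256(password.encode()).hexdigest()


def acl_line(username: str, password: str, rules: str) -> str:
    """One 'user ...' line in the format ACL SAVE writes, with the hash in place of the secret."""
    return f"user {username} on {password_hash(password)} {rules}"


def render_acl_file(users: dict[str, tuple[str, str]]) -> str:
    """users maps username -> (password, rules). The default user is switched off so that
    every client must AUTH with an explicit username (a 'nopass' default would bypass it all)."""
    lines = ["user default off"]
    for name, (password, rules) in sorted(users.items()):
        lines.append(acl_line(name, password, rules))
    return "\n".join(lines) + "\n"


def verify_password(acl_text: str, username: str, password: str) -> bool:
    """Check a password against the hashes of an enabled user (what AUTH does server-side)."""
    wanted = password_hash(password)
    for line in acl_text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "user" and parts[1] == username:
            return "on" in parts and wanted in parts
    return False


if __name__ == "__main__":
    # Constructed users; the passwords are handed to the applications out of band,
    # only the rendered file (with hashes) goes into version control / the server
    creds = {
        "webapp": (generate_password(), "~web:* +@all -@admin -@dangerous"),
        "readonly": (generate_password(), "~* +@read +@connection -keys"),
    }
    acl_file = render_acl_file(creds)
    print(acl_file)
    print("webapp password accepted:", verify_password(acl_file, "webapp", creds["webapp"][0]))
```

Deploy the rendered text as the file named by aclfile and run ACL LOAD (or restart). Because the hash is unsalted SHA-256, a short or guessable password is no safer in hashed form; always pair this with generated passwords like the ones above.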
Command Renaming
Rename or disable dangerous commands. This pre-ACL mechanism still works in current versions, with caveats: the new name is only as secret as redis.conf, it is global rather than per user, and every replica and any Sentinel must use the same names (renaming commands that are written to the AOF or sent to replicas can otherwise break them; sentinel.conf has its own rename-command directive for this). On Redis 6.0+ prefer per-user ACL rules (-@dangerous, -config) and keep rename-command as an extra layer.
Disabling Commands
CONF
# redis.conf
rename-command FLUSHALL ""
rename-command FLUSHDB ""
rename-command CONFIG ""
rename-command DEBUG ""
rename-command SHUTDOWN ""
rename-command KEYS ""
Renaming Commands
CONF
# Rename dangerous commands to complex names
rename-command FLUSHALL "FLUSHALL_abc123xyz"
rename-command CONFIG "CONFIG_secret789"
Using the renamed command:
REDIS
# Original command no longer works
FLUSHALL
(error) ERR unknown command 'FLUSHALL'
# Use the new command
FLUSHALL_abc123xyz
OK
💡 Use case: Disable or rename dangerous commands to prevent accidental operations or malicious attacks.
Network Security
Binding IP Address
bind lists the local interface addresses Redis listens on. It is not an allow-list of client addresses; use a firewall for that.
CONF
# redis.conf
# Loopback only: reachable from this host alone
bind 127.0.0.1
# Loopback plus this host's internal interface 192.168.1.100
bind 127.0.0.1 192.168.1.100
# Every interface (dangerous!)
bind 0.0.0.0
⚠️ Warning: bind 0.0.0.0 (or omitting bind entirely) exposes Redis on every interface. If you must do this, authentication and a firewall rule are mandatory.
Protected Mode
CONF
# redis.conf
# Enable protected mode (default)
protected-mode yes
Protected mode is a safety net that is only active while both conditions hold:
- no bind directive is set, so Redis listens on all interfaces, and
- no password is configured (the default user still has nopass)
In that state Redis accepts connections only from loopback addresses (127.0.0.1, ::1) and answers other clients with an error explaining why. As soon as you set a bind address or a password, protected mode no longer restricts anything, so it is not a substitute for either.
Changing the Port
CONF
# Use a non-default port
port 6380
💡 Use case: A non-default port filters out lazy mass scans that probe only 6379. It is obscurity, not protection: a targeted attacker scans every port, so never rely on it instead of authentication and a firewall.
Firewall Configuration
BASH
# Linux iptables: rules are matched in order, so the ACCEPT must come before the DROP
# (use -I instead of -A if an earlier rule already accepts the port)
iptables -A INPUT -p tcp -s 192.168.1.0/24 --dport 6379 -j ACCEPT
iptables -A INPUT -p tcp --dport 6379 -j DROP
# CentOS firewalld
firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="192.168.1.0/24" port protocol="tcp" port="6379" accept'
firewall-cmd --reload
TLS/SSL Encryption (Redis 6.0+)
Redis 6.0 and later support TLS when built with it (make BUILD_TLS=yes). TLS protects data and the AUTH password in transit; it does not authenticate clients unless you also require client certificates.
Configuring TLS
CONF
# redis.conf
tls-port 6379
port 0 # Disable the non-TLS port entirely
tls-cert-file /path/to/redis.crt
tls-key-file /path/to/redis.key
tls-ca-cert-file /path/to/ca.crt
tls-auth-clients optional # "yes" enforces mutual TLS: clients must present a certificate signed by the CA
tls-protocols "TLSv1.2 TLSv1.3"
tls-port covers client connections only; if you use replication or cluster, enable tls-replication and tls-cluster as well so those links are encrypted too.
Connecting with TLS
BASH
# --cacert verifies the server certificate; --cert/--key are only needed when tls-auth-clients is yes
redis-cli --tls --cert /path/to/client.crt --key /path/to/client.key --cacert /path/to/ca.crt
Security Best Practices
1. Set a Strong Password
CONF
# Use a strong password (at least 16 chars, mix of cases, digits, special chars)
requirepass "Xk9#mP2$vL5@nQ8&wR4!"
2. Use ACL for Permission Control
REDIS
# Create different users for different applications: a key pattern plus explicit denies
ACL SETUSER webapp on >webpass ~web:* +@all -@admin -@dangerous
ACL SETUSER batch on >batchpass ~batch:* +@all -@admin -@dangerous
ACL SETUSER readonly on >readpass ~* +@read +@connection
3. Disable Dangerous Commands
CONF
rename-command FLUSHALL ""
rename-command FLUSHDB ""
rename-command CONFIG ""
rename-command DEBUG ""
4. Restrict Network Access
CONF
bind 127.0.0.1
protected-mode yes
5. Use a Firewall
BASH
# Only allow specific IPs to access the Redis port
iptables -A INPUT -p tcp -s 192.168.1.100 --dport 6379 -j ACCEPT
iptables -A INPUT -p tcp --dport 6379 -j DROP
6. Regular Auditing
REDIS
# View current client connections (from 6.0 the user= field shows the ACL user)
CLIENT LIST
# View user permissions
ACL LIST
# Stream every executed command in real time. Expensive and very noisy:
# run it briefly for debugging only, never continuously on a loaded instance
MONITOR
Redis 6.0+ also keeps a log of denied commands and failed AUTH attempts, readable with ACL LOG; it is the first place to look for clients probing their permissions.
Security Checklist
□ Set strong password (requirepass or ACL); on 6.0+ give the default user a password or switch it off
□ Bind to internal IP (bind 127.0.0.1 or internal IP)
□ Enable protected mode (protected-mode yes), remembering it only applies while no bind and no password are set
□ Disable dangerous commands (FLUSHALL, CONFIG, etc.) via ACL and/or rename-command
□ Use firewall to restrict access
□ Use non-default port (low value on its own)
□ Regularly update Redis version
□ Monitor unusual connections and commands
□ Use ACL for fine-grained permissions (Redis 6.0+)
□ Consider TLS encryption (Redis 6.0+)
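Most of this checklist can be read straight off redis.conf, so here is an added example (not code from the lesson) that parses the directives covered above and reports findings with a severity. It handles quoted values and the "" form of rename-command, treats a missing bind as all interfaces (Redis's behaviour), and downgrades the rename-command finding when ACL users or an aclfile are present. The two configs at the bottom are constructed for the example; the severity labels are this script's own judgement, not a Redis standard.

```python
# Added example: audit a redis.conf against the hardening checklist.
import shlex

DANGEROUS = ("FLUSHALL", "FLUSHDB", "CONFIG", "DEBUG", "SHUTDOWN", "KEYS")
ALL_INTERFACES = {"0.0.0.0", "*", "::", "::*"}


def parse_conf(text: str) -> list[tuple[str, list[str]]]:
    """Parse redis.conf lines into (directive, args); quoted values and "" are supported."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = shlex.split(line)          # 'rename-command CONFIG ""' -> ['rename-command', 'CONFIG', '']
        entries.append((parts[0].lower(), parts[1:]))
    return entries


def audit(conf_text: str) -> list[tuple[str, str, str]]:
    """Return (code, severity, message) findings for the directives in the checklist."""
    last: dict[str, list[str]] = {}
    renamed: dict[str, str] = {}
    acl_users = 0
    for directive, args in parse_conf(conf_text):
        if directive == "rename-command" and len(args) == 2:
            renamed[args[0].upper()] = args[1]
        elif directive == "user":
            acl_users += 1
        else:
            last[directive] = args          # Redis keeps the last occurrence of a directive
    findings = []

    # 1. Authentication: requirepass, inline ACL users, or an ACL file
    password = (last.get("requirepass") or [""])[0]
    if not password and not acl_users and "aclfile" not in last:
        findings.append(("NO_AUTH", "HIGH", "no requirepass, user lines or aclfile: anyone can connect"))
    elif password and len(password) < 16:
        findings.append(("WEAK_PASSWORD", "MEDIUM", f"requirepass is only {len(password)} characters"))

    # 2. Network exposure: bind, protected-mode, port
    bind = [a.lstrip("-") for a in last.get("bind", [])]   # Redis 7 allows optional "-addr" entries
    if not bind or any(a in ALL_INTERFACES for a in bind):
        findings.append(("BIND_ALL", "HIGH", "bind is missing or includes all interfaces"))
    if (last.get("protected-mode") or ["yes"])[0].lower() == "no":
        findings.append(("PROTECTED_MODE_OFF", "MEDIUM", "protected-mode is disabled"))
    if (last.get("port") or ["6379"])[0] == "6379":
        findings.append(("DEFAULT_PORT", "LOW", "listening on the default port 6379"))

    # 3. Dangerous commands neither renamed nor disabled (ACL rules can also restrict them)
    exposed = [c for c in DANGEROUS if c not in renamed]
    if exposed:
        severity = "LOW" if acl_users or "aclfile" in last else "MEDIUM"
        findings.append(("CMD_NOT_DISABLED", severity, "not renamed/disabled: " + ", ".join(exposed)))

    # 4. Transport encryption
    if (last.get("tls-port") or ["0"])[0] == "0":
        findings.append(("NO_TLS", "MEDIUM", "no tls-port: traffic, including AUTH, is plaintext"))
    return findings


# Constructed example configs (not real deployments)
INSECURE_CONF = """\
# what an unhardened instance often looks like
bind 0.0.0.0
protected-mode no
port 6379
"""

HARDENED_CONF = """\
# following this lesson
bind 127.0.0.1
protected-mode yes
port 0
tls-port 6380
tls-cert-file /etc/redis/redis.crt
tls-key-file /etc/redis/redis.key
tls-ca-cert-file /etc/redis/ca.crt
requirepass "Xk9#mP2$vL5@nQ8&wR4!"
rename-command FLUSHALL ""
rename-command FLUSHDB ""
rename-command CONFIG ""
rename-command DEBUG ""
rename-command SHUTDOWN ""
rename-command KEYS ""
"""

if __name__ == "__main__":
    for name, conf in (("insecure", INSECURE_CONF), ("hardened", HARDENED_CONF)):
        print(f"== {name} ==")
        for code, severity, message in audit(conf) or [("OK", "-", "no findings")]:
            print(f"[{severity}] {code}: {message}")
```

Run it as part of a deployment check (read the file with open(path).read() and feed it to audit). It only sees the static config: a password set at runtime with CONFIG SET and never rewritten, or users added with ACL SETUSER and never saved, will not appear, which is itself a reason to keep the file authoritative.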
❓ FAQ
Q How did access control work before Redis 6.0?
A Only requirepass was available — all clients shared the same password and had the same permissions.
Q How do I disable the KEYS command?
A Use rename-command KEYS "" to disable it, or rename it to a complex name. On Redis 6.0+ you can instead remove it per user with -keys and have applications use SCAN.
Q Is bind 0.0.0.0 safe?
A No! bind only selects the interfaces to listen on and does not filter clients, so you must also set a strong password and a firewall rule. It is recommended to bind only to internal IPs.
Q How do I prevent Redis from being attacked?
A Set a strong password, bind to internal IP, disable dangerous commands, use a firewall, and update regularly.
Q How do I persist ACL configuration?
A If aclfile is set in redis.conf, run ACL SAVE to write the users to that file. Otherwise put user lines in redis.conf, or run CONFIG REWRITE to write the current users into it. The two cannot be mixed, and ACL SETUSER changes that are never saved are lost on restart.
📖 Summary
- Redis default configuration is insecure — security hardening is required
- Set strong password authentication (requirepass or ACL)
- ACL provides fine-grained permission control (Redis 6.0+)
- Rename or disable dangerous commands
- Bind to internal IP, enable protected mode
- Use firewall to restrict access
- Consider TLS encryption (Redis 6.0+)
- Regularly audit and monitor
📝 Exercises
- Password authentication: Set a Redis password and test authenticated connections
- ACL configuration: Create users with different permissions (admin, read-only, app user)
- Command disabling: Disable the FLUSHALL and CONFIG commands and verify they no longer work
- Security check: Go through the security checklist for your Redis configuration
Next Lesson
In the next lesson, we will learn Redis Performance Testing, covering the redis-benchmark tool.