Security improvements in the latest versions of Redis offer better ways to secure a Redis instance.
One of the biggest changes in Redis 3.2 is how Redis's default security is handled when the server is run. The new Redis protected mode is a layer of protection intended to stop Redis instances left open on the Internet from being accessed and exploited. It is on by default and can be disabled in either of the following ways:
Manually with redis-cli:
    127.0.0.1:6379> CONFIG SET protected-mode no
    OK
At startup, in redis.conf:
    protected-mode no
Redis has a small level of authentication which is set in redis.conf with the requirepass configuration directive. Clients connecting must first send an AUTH command followed by the password.
For a slave to connect to a master instance that has a password, the masterauth configuration directive on the slave stores the master's password so the slave can authenticate.
    requirepass my-great-Password
Redis allows you to disable specific commands that are dangerous in the wrong hands, e.g. FLUSHALL or CONFIG. In redis.conf, using rename-command, you can either rename the command to a hard-to-guess string or disable it completely by setting it to an empty string.
    rename-command CONFIG thisIsmynewSpecialConfigCommandName
    rename-command FLUSHALL ""
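The three settings above (protected-mode, requirepass/masterauth and rename-command) are the ones an operator most often wants to verify before exposing an instance. The following script is an added example, not code from the Redis project or from the original text: it parses a redis.conf and reports which of those hardening settings are missing or weakened. The sample configurations embedded in it are constructed for illustration, the replica address 192.0.2.10 is a documentation-range placeholder, and the finding messages are my own wording.

```python
"""Audit a redis.conf for the hardening settings discussed above (added example)."""
import shlex

# Commands the text singles out as dangerous when reachable under their default names.
DANGEROUS_COMMANDS = ("CONFIG", "FLUSHALL")


def parse_redis_conf(text):
    """Return a list of (directive, args) tuples from redis.conf text.

    Directives are lower-cased; blank lines and '#' comment lines are skipped.
    shlex.split turns the quoted empty string used to disable a command ("")
    into a real empty argument, which is what the rename-command check needs.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = shlex.split(line)
        entries.append((tokens[0].lower(), tokens[1:]))
    return entries


def _first(settings, key):
    """First argument of a directive, or '' if absent or given without a value."""
    args = settings.get(key, [])
    return args[0] if args else ""


def audit_redis_conf(text):
    """Return a list of findings; an empty list means every check passed."""
    settings = {}   # last occurrence of each ordinary directive wins, as in Redis
    renamed = {}    # original command name -> new name ('' means disabled)
    for directive, args in parse_redis_conf(text):
        if directive == "rename-command" and len(args) == 2:
            renamed[args[0].upper()] = args[1]
        else:
            settings[directive] = args

    findings = []
    if _first(settings, "protected-mode").lower() == "no":
        findings.append("protected-mode is disabled")
    if not _first(settings, "requirepass"):
        findings.append("requirepass is not set; clients need no AUTH")
    is_replica = "replicaof" in settings or "slaveof" in settings
    if is_replica and not _first(settings, "masterauth"):
        findings.append("replica configured without masterauth")
    for cmd in DANGEROUS_COMMANDS:
        if cmd not in renamed:
            findings.append(f"{cmd} is reachable under its default name; consider rename-command")
    return findings


# Constructed sample: an instance with protected mode switched off and nothing else hardened.
WEAK_CONF = """\
# constructed sample redis.conf
port 6379
protected-mode no
"""

# Constructed sample: the settings shown in the text applied together.
HARDENED_CONF = """\
protected-mode yes
requirepass my-great-Password
rename-command CONFIG thisIsmynewSpecialConfigCommandName
rename-command FLUSHALL ""
"""

# Constructed sample: a replica (192.0.2.10 is a placeholder) that forgot masterauth.
REPLICA_CONF = """\
replicaof 192.0.2.10 6379
requirepass my-great-Password
rename-command CONFIG thisIsmynewSpecialConfigCommandName
rename-command FLUSHALL ""
"""

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF), ("replica", REPLICA_CONF)):
        print(f"{name}: {audit_redis_conf(conf) or ['no findings']}")
```

Run it against a real redis.conf with `audit_redis_conf(open("/path/to/redis.conf").read())`. The checks are deliberately static: they only read the file, so the script can run in CI against the configuration you are about to deploy, before a misconfigured instance is ever reachable.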