Focused Topics in Redis Day 2 - #7


Security improvements in the latest versions of Redis offer better ways to secure a Redis instance.

Redis Default Security Settings

One of the biggest changes in Redis 3.2 is how default security is handled when the Redis server runs. The new Redis protected mode is a layer of protection intended to stop Redis instances left open on the Internet from being accessed and exploited. This mode is active when both of the following hold:

  1. The server is not binding explicitly to a set of addresses using the "bind" directive.
  2. No password is configured.

Before, the only way to restrict access to a Redis instance was to set a password.

Configuring Redis's Protected Mode

Manually, with redis-cli:

      redis-cli> CONFIG SET protected-mode no
      OK

At startup, in redis.conf (the protected-mode directive)

Redis also has a simple form of authentication, configured in redis.conf with the requirepass directive. A connecting client must first send an AUTH command with the password before any other command is accepted.

For a slave to connect to a master that has a password, the masterauth configuration directive stores the master's password so the slave can authenticate.

      requirepass my-great-Password
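As an added example (not from the original page), the exchange below models the AUTH handshake described above with a minimal RESP encoder and a toy in-process server that stands in for a requirepass-protected Redis. The server, the password and the client's command sequence are constructed for illustration; the reply strings follow the wording Redis 3.x uses, and nothing here connects to a real instance.

```python
import hmac

# Added example, not Redis source: a RESP encoder/decoder and a toy server
# that models the "requirepass" behaviour. Password and commands are constructed.


def encode_command(*parts: str) -> bytes:
    """Encode a command as a RESP array of bulk strings (what clients send)."""
    out = f"*{len(parts)}\r\n"
    for p in parts:
        out += f"${len(p.encode())}\r\n{p}\r\n"
    return out.encode()


def decode_command(raw: bytes) -> list:
    """Parse a RESP array of bulk strings back into a list of strings."""
    lines = raw.split(b"\r\n")
    if not lines[0].startswith(b"*"):
        raise ValueError("expected a RESP array")
    count = int(lines[0][1:])
    parts, i = [], 1
    for _ in range(count):
        if not lines[i].startswith(b"$"):
            raise ValueError("expected a bulk string")
        length = int(lines[i][1:])
        body = lines[i + 1]
        if len(body) != length:
            raise ValueError("bulk string length mismatch")
        parts.append(body.decode())
        i += 2
    return parts


class ToyRedisServer:
    """Models a server with requirepass set: every command except AUTH is
    refused with -NOAUTH until the connection has authenticated."""

    def __init__(self, password: str):
        self.password = password
        self.authenticated = False

    def handle(self, raw: bytes) -> bytes:
        cmd = decode_command(raw)
        name = cmd[0].upper()
        if name == "AUTH":
            # Constant-time comparison, as a server should do for secrets.
            ok = len(cmd) == 2 and hmac.compare_digest(
                cmd[1].encode(), self.password.encode())
            self.authenticated = ok
            return b"+OK\r\n" if ok else b"-ERR invalid password\r\n"
        if not self.authenticated:
            return b"-NOAUTH Authentication required.\r\n"
        if name == "PING":
            return b"+PONG\r\n"
        return b"-ERR unknown command\r\n"


def run_handshake(server_password: str, client_password: str) -> list:
    """Client tries PING before AUTH, then AUTHs, then PINGs again.
    Returns the three replies as text (without the trailing CRLF)."""
    server = ToyRedisServer(server_password)
    replies = []
    for cmd in (("PING",), ("AUTH", client_password), ("PING",)):
        replies.append(server.handle(encode_command(*cmd)).decode().rstrip("\r\n"))
    return replies


if __name__ == "__main__":
    for step in run_handshake("my-great-Password", "my-great-Password"):
        print(step)
```

The first PING is refused because requirepass is set, AUTH with the right password flips the connection to authenticated, and the second PING succeeds; a wrong password leaves the connection unauthenticated.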

Disabling of Commands

Redis lets you disable specific commands that are dangerous in the wrong hands, e.g. FLUSHALL or CONFIG. Using rename-command in redis.conf, you can either rename a command to a hard-to-guess string or disable it completely by setting it to an empty string.

rename-command CONFIG thisIsmynewSpecialConfigCommandName
rename-command FLUSHALL ""
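As an added example serving both the protected-mode conditions and the rename-command section above (not code from the page or from Redis itself), this audit parses a redis.conf and reports whether protected mode will engage, whether the instance is reachable without authentication, and whether CONFIG and FLUSHALL are still reachable under their default names. The sample configurations are constructed; the directive parsing and the DANGEROUS_COMMANDS set are this example's own assumptions.

```python
import shlex

# Added example, not Redis source. Commands the page singles out; extending
# this set is an assumption of the reader's own.
DANGEROUS_COMMANDS = ("CONFIG", "FLUSHALL")


def parse_conf(text: str) -> list:
    """Turn redis.conf text into (directive, [args]) pairs, skipping comments."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = shlex.split(line)          # handles the quoted "" in rename-command
        entries.append((parts[0].lower(), parts[1:]))
    return entries


def audit_conf(text: str) -> dict:
    bind = None
    requirepass = None
    protected_mode = "yes"                 # Redis 3.2+ default when the directive is absent
    renames = {}
    for name, args in parse_conf(text):
        if name == "bind" and args:
            bind = args
        elif name == "requirepass" and args:
            requirepass = args[0]
        elif name == "protected-mode" and args:
            protected_mode = args[0].lower()
        elif name == "rename-command" and len(args) == 2:
            renames[args[0].upper()] = args[1]

    # Protected mode engages only when BOTH page conditions hold
    # (no explicit bind, no password) and the directive is not switched off.
    protected_active = protected_mode == "yes" and bind is None and requirepass is None
    # Worst case: nothing limits who can connect or requires AUTH.
    exposed_without_auth = bind is None and requirepass is None and not protected_active

    commands = {}
    for cmd in DANGEROUS_COMMANDS:
        if cmd not in renames:
            commands[cmd] = "default"
        elif renames[cmd] == "":
            commands[cmd] = "disabled"
        else:
            commands[cmd] = "renamed"

    findings = []
    if bind is None:
        findings.append("no bind directive: the server listens on every interface")
    if requirepass is None:
        findings.append("no requirepass: clients are never asked to AUTH")
    if exposed_without_auth:
        findings.append("protected-mode is off with no bind and no requirepass: "
                        "reachable from any address without authentication")
    for cmd, state in commands.items():
        if state == "default":
            findings.append(f"{cmd} is reachable under its default name")

    return {"protected_mode_active": protected_active,
            "exposed_without_auth": exposed_without_auth,
            "commands": commands,
            "findings": findings}


# Constructed sample configurations.
WEAK_CONF = """
# protected mode switched off, no bind, no password
port 6379
protected-mode no
"""

HARDENED_CONF = """
bind 127.0.0.1
requirepass my-great-Password
masterauth my-great-Password
rename-command CONFIG thisIsmynewSpecialConfigCommandName
rename-command FLUSHALL ""
"""

if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        report = audit_conf(conf)
        print(label, report["commands"])
        for finding in report["findings"]:
            print("  -", finding)
```

An empty configuration audits as protected (both conditions hold and the directive defaults to yes), the weak sample is flagged as reachable without authentication, and the hardened sample produces no findings because bind and requirepass restrict access and the two commands are renamed or disabled.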