Redis Security

Bind redis to 127.0.0.1 if it is only being connected to locally or atleast only bind to the private network IP. In redis.conf , set the bind parameter and restart redis server:

bind 127.0.0.1 If at all redis server needs public access, use iptables to restrict the redis port to specific IPs. 2.  Run redis server as a non-root user which does not have any shell access. This is very important because the                  attacker cannot gain root privileges and cannot use a login shell. 3.  Enable authentication in redis and use AUTH for all connections [2] .

• Add to redis.conf a random password : requirepass “averylongrandompassword”

• Configure your redis client to use AUTH for every connection :

AUTH

• Restart redis server.

4. Secure the data directory and config files : chmod 0600 /path/to/redis.conf chown /path/to/redis/datadir chmod 0700 /path/to/redis/datadir Further recommended steps :

1. For another layer of security, use stunnel to proxy encrypted data to and from redis.
2. Disable commands that are not used, that could be dangerous like FLUSHALL or FLUSHDB in the config file or rename it to a random string:

rename-command FLUSHDB “”rename-command FLUSHALL “” rename-command CONFIG averylonghardtoguessstring]]>