Redis Security

May 20, 2022

Tags

The exploit enables uploading SSH keys into redis and then dumping the same into the authorized_keys file. Immediate steps to be taken to protect against the exploit :

Bind redis to 127.0.0.1 if it is only being connected to locally or at least only bind to the private network IP. In redis.conf, set the bind parameter and restart redis server:

bind 127.0.0.1 If at all redis server needs public access, use iptables to restrict the redis port to specific IPs.

2. Run redis server as a non-root user which does not have any shell access. This is very important because the attacker cannot gain root privileges and cannot use a login shell.

3. Enable authentication in redis and use AUTH for all connections.

Add to redis.conf a random password : requirepass "averylongrandompassword"

Configure your redis client to use AUTH for every connection :

AUTH

Restart redis server.

4. Secure the data directory and config files :
chmod 0600 /path/to/redis.conf
chown /path/to/redis/datadir
chmod 0700 /path/to/redis/datadir

Further recommended steps :

For another layer of security, use stunnel to proxy encrypted data to and from redis.
Disable commands that are not used, that could be dangerous like FLUSHALL or FLUSHDB in the config file or rename it to a random string:

rename-command FLUSHDB ""
rename-command FLUSHALL ""
rename-command CONFIG averylonghardtoguessstring

Check the pricing of our offerings here

Sign up for Free Trial

Latest Blogs

A vector illustration of a tech city using latest cloud technologies & infrastructure

Redis Security

May 20, 2022

Tarun Dua

Tags

security

Example H2

The exploit enables uploading SSH keys into redis and then dumping the same into the authorized_keys file. Immediate steps to be taken to protect against the exploit :

Bind redis to 127.0.0.1 if it is only being connected to locally or at least only bind to the private network IP. In redis.conf, set the bind parameter and restart redis server:

bind 127.0.0.1 If at all redis server needs public access, use iptables to restrict the redis port to specific IPs.

2. Run redis server as a non-root user which does not have any shell access. This is very important because the attacker cannot gain root privileges and cannot use a login shell.

3. Enable authentication in redis and use AUTH for all connections.

Add to redis.conf a random password : requirepass "averylongrandompassword"

Configure your redis client to use AUTH for every connection :

AUTH

Restart redis server.

4. Secure the data directory and config files :
chmod 0600 /path/to/redis.conf
chown /path/to/redis/datadir
chmod 0700 /path/to/redis/datadir

Further recommended steps :

For another layer of security, use stunnel to proxy encrypted data to and from redis.
Disable commands that are not used, that could be dangerous like FLUSHALL or FLUSHDB in the config file or rename it to a random string:

rename-command FLUSHDB ""
rename-command FLUSHALL ""
rename-command CONFIG averylonghardtoguessstring

Check the pricing of our offerings here

Sign up for Free Trial

Latest Blogs

Redis Security

Table of Contents

Redis Security

Table of Contents

9 Cloud Computing Trends Shaping India’s Digital Future in 2025

LoRA fine-tune Gemma 7B Using TIR with 10 Easy Steps

How Does RAG Improve the Accuracy of LLM Responses?

Top 10 Cloud GPU Providers in 2025

What is Retrieval-Augmented Generation (RAG)?

AI Inference vs Training: Understanding Key Differences

Sovereign Cloud: India's Key to Digital Independence in the AI Age

E2E Sovereign Cloud Platform: Revolutionizing Cloud Sovereignty

Top 8 Generative AI Applications in 2025

A Comparison between TIR Containerized VMs vs Traditional VMs