How to configure Redis security? What are security best practices?

February 19, 19:37

Securing a Redis deployment protects the server from attack and requires hardening along several dimensions at once.

1. Network Security

Bind Listening Address

Problem Description: Redis binds to all network interfaces by default, making it easy for attackers to scan and attack.

Solution:

```bash
# Configuration file redis.conf
# Only listen on the loopback and internal network interfaces;
# avoid binding to 0.0.0.0
bind 127.0.0.1 10.0.0.1
```

Use Firewall

Problem Description: The Redis port is reachable from the public network, so anyone can attempt to connect.

Solution:

```bash
# Use iptables to restrict access
iptables -A INPUT -p tcp --dport 6379 -s 10.0.0.0/24 -j ACCEPT
iptables -A INPUT -p tcp --dport 6379 -j DROP

# Use firewalld to restrict access
firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="10.0.0.0/24" port protocol="tcp" port="6379" accept'
firewall-cmd --reload
```

Use SSL/TLS

Problem Description: Redis data transmission is not encrypted, making it vulnerable to man-in-the-middle attacks.

Solution:

```bash
# Generate certificates (self-signed here; in production use a certificate issued by your CA)
openssl genrsa -out redis.key 2048
openssl req -new -key redis.key -out redis.csr
openssl x509 -req -days 365 -in redis.csr -signkey redis.key -out redis.crt

# Configure Redis to use TLS (redis.conf; requires a Redis build with TLS support)
tls-port 6380
# Disable the plaintext port
port 0
tls-cert-file /path/to/redis.crt
tls-key-file /path/to/redis.key
# CA certificate used to verify peer (client and replica) certificates
tls-ca-cert-file /path/to/ca.crt
```

2. Authentication Security

Set Password

Problem Description: Redis has no password by default, so anyone who can reach the port can connect.

Solution:

```bash
# Configuration file redis.conf
requirepass your_strong_password

# Or set it at runtime (redis-cli); a runtime change is lost on restart
# unless CONFIG REWRITE is run afterwards
CONFIG SET requirepass your_strong_password

# Use the password when connecting (it appears in the process list;
# redis-cli also reads it from the REDISCLI_AUTH environment variable)
redis-cli -a your_strong_password
```

Use ACL (Access Control List)

Problem Description: Before Redis 6.0 only a single shared password could be set, so permissions could not be controlled per user.

Solution:

```bash
# Create a read-only user limited to keys matching user:*
ACL SETUSER user1 on >password1 ~user:* +@read
# Create an admin user
ACL SETUSER admin on >admin_password ~* +@all
# View the user list
ACL LIST
# Delete a user
ACL DELUSER user1
```
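The value of ACL LIST is that it can be reviewed mechanically. The following script is an added example, not code from the original article: it parses `ACL LIST` output and flags enabled users that authenticate without a password, hold `~* +@all`, or are individually granted one of the commands the article calls dangerous. The `ACL LIST` lines are constructed sample data (password hashes truncated), and the set of "dangerous" grants is this example's own choice.

```python
"""Added example (not the page's code): flag over-privileged users in ACL LIST output.
The ACL LIST lines below are constructed; password hashes are truncated."""

# Commands the page treats as dangerous, plus the ACL categories that contain them
DANGEROUS_GRANTS = {"flushall", "flushdb", "config", "shutdown", "debug", "@dangerous", "@admin"}

# Constructed sample of `ACL LIST` output (one line per user)
SAMPLE_ACL_LIST = [
    "user default on nopass sanitize-payload ~* &* +@all",
    "user user1 on sanitize-payload #5e884898da28... ~user:* &* -@all +@read",
    "user admin on sanitize-payload #8c6976e5b541... ~* &* +@all",
    "user batch on sanitize-payload #ef797c8118e0... ~job:* &* -@all +@read +@write +flushall",
]


def audit_acl_list(lines):
    """Return (user, finding) pairs for enabled users with risky rules.

    Rules are applied left to right as Redis does: '+@all' grants everything and
    discards earlier grants, '-@all' revokes everything. Redis 7 selectors in
    parentheses are not evaluated here.
    """
    findings = []
    for line in lines:
        tokens = line.split()
        if len(tokens) < 2 or tokens[0] != "user":
            continue
        name, rules = tokens[1], tokens[2:]
        enabled = nopass = all_keys = all_commands = False
        explicit = set()  # dangerous commands/categories granted individually
        for rule in rules:
            lower = rule.lower()
            if lower == "on":
                enabled = True
            elif lower == "off":
                enabled = False
            elif lower == "nopass":
                nopass = True
            elif rule.startswith(("#", ">")):
                nopass = False  # a password (hash) is configured
            elif lower in ("allkeys", "~*"):
                all_keys = True
            elif lower == "resetkeys":
                all_keys = False
            elif lower in ("allcommands", "+@all"):
                all_commands = True
                explicit.clear()
            elif lower in ("nocommands", "-@all"):
                all_commands = False
                explicit.clear()
            elif lower.startswith("+") and lower[1:] in DANGEROUS_GRANTS:
                explicit.add(lower[1:])
            elif lower.startswith("-"):
                explicit.discard(lower[1:])
        if not enabled:
            continue
        if nopass:
            findings.append((name, "authenticates without a password (nopass)"))
        if all_commands and all_keys:
            findings.append((name, "can run every command on every key (~* +@all)"))
        elif all_commands:
            findings.append((name, "can run every command, including FLUSHALL/CONFIG/DEBUG (+@all)"))
        for grant in sorted(explicit):
            kind = "category" if grant.startswith("@") else "command"
            findings.append((name, f"explicitly granted dangerous {kind} {grant}"))
    return findings


if __name__ == "__main__":
    for user, finding in audit_acl_list(SAMPLE_ACL_LIST):
        print(f"{user}: {finding}")
```

Feed it the real output of `redis-cli ACL LIST` one line per element. In the sample, `user1` produces no finding because `-@all +@read` on a key prefix is exactly the least-privilege shape the article recommends, while the `default` user is flagged twice: it has `nopass` and full access, which is what an unconfigured Redis 6+ looks like.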

Disable Dangerous Commands

Problem Description: Redis has some dangerous commands like FLUSHALL, FLUSHDB, CONFIG, etc., which can be abused.

Solution:

```bash
# Configuration file redis.conf
rename-command FLUSHALL ""
rename-command FLUSHDB ""
rename-command CONFIG ""
rename-command SHUTDOWN ""
rename-command DEBUG ""
# Or rename commands instead of disabling them
rename-command FLUSHALL "REALLY_FLUSH_ALL"
```

3. Data Security

Enable Persistence

Problem Description: Redis doesn't enable persistence by default, so there is a high risk of data loss.

Solution:

```bash
# Enable RDB persistence (redis.conf)
save 900 1
save 300 10
save 60 10000

# Enable AOF persistence
appendonly yes
appendfsync everysec
```

Encrypt Persistence Files

Problem Description: Persistence files are stored unencrypted, so anyone who obtains them can read the data.

Solution:

```bash
# Use filesystem encryption
# Linux: eCryptfs
# macOS: FileVault
# Windows: BitLocker

# Or use third-party encryption tools
# Such as cryptsetup, GPG, etc.
```

Regular Backup

Problem Description: Without regular backups, data cannot be recovered after loss.

Solution:

```bash
# Regularly back up the RDB file (crontab entry; % must be escaped in crontab)
0 2 * * * cp /var/lib/redis/dump.rdb /backup/dump_$(date +\%Y\%m\%d).rdb
# Regularly back up the AOF file
0 3 * * * cp /var/lib/redis/appendonly.aof /backup/appendonly_$(date +\%Y\%m\%d).aof
# Back up to a remote server
rsync -avz /backup/ user@remote-server:/backup/
```

4. Runtime Security

Run as Non-privileged User

Problem Description: Running Redis as the root user means a compromised process has full system privileges.

Solution:

```bash
# Create a Redis system user
useradd -r -s /bin/false redis
# Change the owner of the Redis configuration file and data directory
chown redis:redis /etc/redis/redis.conf
chown redis:redis /var/lib/redis
# Run as the Redis user
sudo -u redis redis-server /etc/redis/redis.conf
```

Restrict File Permissions

Problem Description: Overly permissive permissions on the configuration and data files let other local users read or tamper with them.

Solution:

```bash
# Restrict configuration file permissions
chmod 600 /etc/redis/redis.conf
# Restrict data directory permissions
chmod 700 /var/lib/redis
# Restrict log file permissions
chmod 600 /var/log/redis/redis.log
```

Use chroot

Problem Description: The Redis process can access the entire filesystem, so a compromised server can read or write files outside its data directory.

Solution:

```bash
# redis.conf has no chroot directive; a line such as "chroot /var/lib/redis"
# makes redis-server fail to start with a configuration error. Confine the
# process with systemd sandboxing instead (systemd's real chroot option is
# RootDirectory=, which requires a fully populated root tree).
# Unit file, e.g. /etc/systemd/system/redis.service
[Service]
User=redis
Group=redis
ExecStart=/usr/bin/redis-server /etc/redis/redis.conf
# Mount /usr, /boot and /etc read-only for this service
ProtectSystem=full
# The only location Redis needs to write
ReadWritePaths=/var/lib/redis
```

5. Monitoring Security

Enable Slow Query Log

Problem Description: Without the slow query log, abnormal operations cannot be discovered.

Solution:

```bash
# Configuration file redis.conf
slowlog-log-slower-than 10000
slowlog-max-len 128
# View slow queries (redis-cli)
SLOWLOG GET 10
```

Monitor Abnormal Operations

Problem Description: Abnormal operations, such as mass deletions or bursts of queries, are not detected in time.

Solution:

```yaml
# Use Redis Exporter for monitoring
# Configure Prometheus to scrape data (prometheus.yml)
scrape_configs:
  - job_name: 'redis'
    static_configs:
      - targets: ['localhost:9121']

# Configure alert rules (Prometheus rules file)
groups:
  - name: redis_alerts
    rules:
      - alert: RedisSlowQueries
        expr: rate(redis_slowlog_length[5m]) > 10
        for: 5m
        labels:
          severity: warning
        annotations:
          summary: "Redis slow queries rate is high"
```
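Metrics catch aggregate symptoms; the command stream shows which client did what. As an added example (not from the original article), the script below runs simple detection logic over `MONITOR` output: it reports any `FLUSHALL`, `FLUSHDB`, `CONFIG`, `DEBUG` or `KEYS` invocation immediately and raises one alert per client that issues five or more destructive commands inside a ten-second sliding window, the "large number of deletions" case described above. The MONITOR lines are constructed sample data and the window and threshold are assumed values to tune for your workload.

```python
"""Added example (not the page's code): detect abnormal operations in Redis MONITOR
output. The MONITOR lines below are constructed; the window and threshold are assumed."""
import re
from collections import defaultdict, deque

# MONITOR line shape: <unix-ts> [<db> <client addr>] "CMD" "arg" ...
MONITOR_RE = re.compile(r'^(?P<ts>\d+\.\d+) \[(?P<db>\d+) (?P<client>[^\]]+)\] (?P<rest>.+)$')
ARG_RE = re.compile(r'"((?:[^"\\]|\\.)*)"')

DESTRUCTIVE = {"DEL", "UNLINK", "FLUSHALL", "FLUSHDB"}  # counted per client over a window
ALWAYS_FLAG = {"FLUSHALL", "FLUSHDB", "CONFIG", "DEBUG", "KEYS"}  # reported on first sight

# Constructed sample: normal traffic, one client mass-deleting, one client probing
SAMPLE_MONITOR = [
    '1700000000.000001 [0 10.0.0.5:51234] "GET" "user:1"',
    '1700000000.500000 [0 10.0.0.5:51234] "SET" "user:1" "alice"',
    '1700000001.000000 [0 10.0.0.9:40000] "DEL" "user:1"',
    '1700000001.200000 [0 10.0.0.9:40000] "DEL" "user:2"',
    '1700000001.400000 [0 10.0.0.9:40000] "DEL" "user:3"',
    '1700000001.600000 [0 10.0.0.9:40000] "DEL" "user:4"',
    '1700000001.800000 [0 10.0.0.9:40000] "UNLINK" "user:5"',
    '1700000002.000000 [0 10.0.0.9:40000] "DEL" "user:6"',
    '1700000003.000000 [0 10.0.0.7:39000] "KEYS" "*"',
    '1700000004.000000 [0 10.0.0.7:39000] "CONFIG" "GET" "dir"',
    '1700000020.000000 [0 10.0.0.5:51234] "DEL" "session:abc"',
]


def parse_monitor_line(line):
    """Return (timestamp, client, COMMAND, args) or None for unparseable lines."""
    m = MONITOR_RE.match(line)
    if not m:
        return None
    args = ARG_RE.findall(m.group("rest"))
    if not args:
        return None
    return float(m.group("ts")), m.group("client"), args[0].upper(), args[1:]


def detect_abnormal(lines, window=10.0, threshold=5):
    """Return (client, description) alerts.

    - any command in ALWAYS_FLAG is reported immediately with its arguments
    - a client issuing >= threshold destructive commands within `window`
      seconds is reported once (sliding window of timestamps per client)
    """
    alerts = []
    recent = defaultdict(deque)  # client -> timestamps of recent destructive commands
    reported = set()
    for line in lines:
        parsed = parse_monitor_line(line)
        if parsed is None:
            continue
        ts, client, cmd, args = parsed
        if cmd in ALWAYS_FLAG:
            alerts.append((client, " ".join([cmd, *args])))
        if cmd in DESTRUCTIVE:
            times = recent[client]
            times.append(ts)
            while times and ts - times[0] > window:
                times.popleft()
            if len(times) >= threshold and client not in reported:
                reported.add(client)
                alerts.append((client, f"{len(times)} destructive commands within {window:g}s"))
    return alerts


if __name__ == "__main__":
    for client, description in detect_abnormal(SAMPLE_MONITOR):
        print(f"ALERT {client}: {description}")
```

Pipe `redis-cli MONITOR` into it when investigating an incident. MONITOR itself streams every command and has a measurable throughput cost, so it suits short investigations rather than continuous monitoring; for the continuous case the slow log and exporter metrics above are the cheaper signal.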

Audit Logs

Problem Description: Redis doesn't record audit logs by default, so operations cannot be traced afterwards.

Solution:

```bash
# Configuration file redis.conf
logfile /var/log/redis/redis.log
loglevel notice
# Use third-party audit tools
# Such as Redis-Audit, Redis-Log, etc.
```

6. Cluster Security

Master-Slave Replication Authentication

Problem Description: Master-slave replication without authentication lets a malicious node connect as a slave.

Solution:

```bash
# Master node configuration
# Replicas must authenticate with this password
requirepass your_master_password
# Needed if this node is later demoted to a replica by a failover
masterauth your_master_password

# Slave (replica) node configuration
# Password clients use when connecting to the replica
requirepass your_slave_password
# Password the replica presents to the master
masterauth your_master_password
```

Sentinel Mode Authentication

Problem Description: Sentinel without authentication lets a malicious sentinel node connect.

Solution:

```bash
# Sentinel configuration file sentinel.conf
sentinel auth-pass mymaster your_master_password
sentinel down-after-milliseconds mymaster 30000
sentinel parallel-syncs mymaster 1
sentinel failover-timeout mymaster 180000
```

Cluster Mode Authentication

Problem Description: Cluster mode without authentication lets a malicious node join the cluster.

Solution:

```bash
# Cluster configuration file redis.conf
cluster-enabled yes
cluster-config-file nodes.conf
cluster-node-timeout 5000
cluster-require-full-coverage yes
# There is no cluster-specific authentication directive; every node carries
# the same requirepass/masterauth pair so replicas and redirected clients
# can authenticate against any node
requirepass your_cluster_password
masterauth your_cluster_password
```

7. Security Best Practices

Regularly Update Redis Version

Problem Description: Old Redis versions carry known vulnerabilities.

Solution:

```bash
# Check the running Redis version
redis-server --version
# Update Redis from the distribution packages
apt-get update
apt-get install redis-server
# Or compile from source
wget https://download.redis.io/redis-stable.tar.gz
tar -xzf redis-stable.tar.gz
cd redis-stable
make
make install
```

Regularly Check Security Configuration

Problem Description: Security configuration that is not checked regularly drifts and may leave vulnerabilities in place.

Solution:

```bash
# Use Redis security check tools
# Such as redis-audit, redis-safety, etc.
# Regularly check the configuration
redis-cli CONFIG GET "*"
# Regularly check user permissions
redis-cli ACL LIST
```
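A configuration review is easy to automate once the rules are written down. The script below is an added example (not the article's or any named tool's code) that audits a `redis.conf` against the settings covered in the network, authentication, dangerous-command, persistence and logging sections above: `bind` on all interfaces, `protected-mode no`, missing `tls-port` or a plaintext `port` left open beside it, no `requirepass` and no ACL users, dangerous commands not renamed, no RDB or AOF persistence, and no `logfile`. Both configurations are constructed samples; the 16-character password threshold is this example's assumption, not a Redis setting.

```python
"""Added example (not the page's code): audit a redis.conf for the weak settings
discussed on this page. Both sample configurations are constructed."""

DANGEROUS_COMMANDS = ("FLUSHALL", "FLUSHDB", "CONFIG", "SHUTDOWN", "DEBUG")
ALL_INTERFACES = {"0.0.0.0", "*", "::", "::*"}

WEAK_CONF = """\
# constructed weak configuration
bind 0.0.0.0
protected-mode no
port 6379
appendonly no
save ""
logfile ""
"""

HARDENED_CONF = """\
# constructed hardened configuration
bind 127.0.0.1 10.0.0.1
protected-mode yes
port 0
tls-port 6380
tls-cert-file /path/to/redis.crt
tls-key-file /path/to/redis.key
tls-ca-cert-file /path/to/ca.crt
requirepass a_long_placeholder_password_1234
rename-command FLUSHALL ""
rename-command FLUSHDB ""
rename-command CONFIG ""
rename-command SHUTDOWN ""
rename-command DEBUG ""
save 900 1
save 300 10
appendonly yes
appendfsync everysec
logfile /var/log/redis/redis.log
"""


def parse_redis_conf(text):
    """Map each directive (lower-cased) to the list of its argument lists.

    save, rename-command and user may appear several times, so every occurrence
    is kept. Like Redis, only lines that start with '#' are comments; Redis does
    not support inline comments.
    """
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        args = [p.strip('"') for p in parts[1:]]  # rename-command X "" -> ""
        conf.setdefault(parts[0].lower(), []).append(args)
    return conf


def audit_redis_conf(text, min_password_len=16):
    """Return human-readable findings; an empty list means nothing was flagged."""
    conf = parse_redis_conf(text)

    def first(directive):  # arguments of the first occurrence, [] if absent
        return conf.get(directive, [[]])[0]

    findings = []
    # Network: bind and protected-mode
    binds = [b.lstrip("-") for b in first("bind")]
    if not binds or any(b in ALL_INTERFACES for b in binds):
        findings.append("bind: listens on all interfaces; restrict to loopback/internal addresses")
    if [a.lower() for a in first("protected-mode")] == ["no"]:
        findings.append("protected-mode: disabled; unauthenticated remote access is not blocked")
    # Transport: TLS listener and leftover plaintext port
    if "tls-port" not in conf:
        findings.append("tls-port: no TLS listener; client traffic is plaintext")
    elif first("port") != ["0"]:
        findings.append("port: plaintext port still enabled alongside TLS (set port 0)")
    # Authentication: requirepass or ACL users
    password = first("requirepass")
    if "user" not in conf and (not password or password[0] == ""):
        findings.append("requirepass: no password and no ACL users; anyone can connect")
    elif password and 0 < len(password[0]) < min_password_len:
        findings.append(f"requirepass: password shorter than {min_password_len} characters")
    # Dangerous commands (rename-command approach from this page; ACLs are preferred on 6+)
    renamed = {args[0].upper() for args in conf.get("rename-command", []) if len(args) == 2}
    for cmd in DANGEROUS_COMMANDS:
        if cmd not in renamed:
            findings.append(f"rename-command: {cmd} reachable under its default name")
    # Persistence: RDB save points or AOF
    aof = [a.lower() for a in first("appendonly")] == ["yes"]
    rdb = any(args and args != [""] for args in conf.get("save", []))
    if not aof and not rdb:
        findings.append("persistence: neither RDB save points nor AOF enabled; data lost on restart")
    # Logging
    logfile = first("logfile")
    if not logfile or logfile[0] == "":
        findings.append("logfile: not set; logs go to stdout and may not be retained")
    return findings


if __name__ == "__main__":
    for finding in audit_redis_conf(WEAK_CONF):
        print("WEAK:", finding)
    print("hardened findings:", audit_redis_conf(HARDENED_CONF))
```

Run it against the live file (`audit_redis_conf(open("/etc/redis/redis.conf").read())`) from cron alongside the `CONFIG GET "*"` and `ACL LIST` checks above; the two differ in that the file shows what survives a restart, while `CONFIG GET` shows what is in effect now, and a gap between them is itself worth a finding.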

Use Security Scanning Tools

Problem Description: Without security scanning, vulnerabilities go undiscovered.

Solution:

```bash
# Use Nmap to check whether the Redis port is exposed
nmap -p 6379 <redis-server-ip>
# Use Redis security scanning tools
# Such as redis-rogue-server, redis-attack, etc.
```

Summary

Redis security configuration requires hardening from multiple dimensions including network security, authentication security, data security, runtime security, monitoring security, and cluster security. In actual applications, appropriate security configurations need to be selected based on specific business scenarios and security requirements. At the same time, security configurations need to be regularly checked and updated to ensure Redis security.

Tags: Redis