redis-security


Redis Security


Production hardening for Redis: authentication, ACL-based access control, and network exposure. Cover all three together — any one of them on its own leaves an exploitable gap.

When to apply


  • Deploying or reviewing a Redis instance destined for production.
  • Setting up application credentials beyond a shared password.
  • Auditing a Redis deployment against a security checklist.
  • Receiving "Redis exposed to the internet" findings from a scanner.

1. Always authenticate (and use TLS)


Never run a production Redis without a password. Pair authentication with TLS so credentials and data aren't sent in clear text.

redis.conf


```
requirepass your-strong-password
tls-port 6380
tls-cert-file /path/to/redis.crt
tls-key-file /path/to/redis.key
```

```python
import redis

# Connects as the "default" user (requirepass sets that user's password) over TLS.
# ssl_cert_reqs="required" makes the client verify the server certificate, so the
# hostname must match the certificate's SAN and the issuing CA must be trusted;
# ssl_ca_certs points at that CA (the path is an assumed value).
r = redis.Redis(
    host="localhost",
    port=6380,
    password="your-strong-password",
    ssl=True,
    ssl_cert_reqs="required",
    ssl_ca_certs="/path/to/ca.crt",
)
r.ping()  # fails fast if auth or the TLS handshake is wrong
```

`tls-port` adds a TLS listener; it does not remove the plaintext listener on 6379. Once every client speaks TLS, set `port 0` so no clear-text path remains.

If you can use ACL users (next section) instead of the single `requirepass`, do: `requirepass` is effectively the legacy shortcut that sets the password of the `default` user. See references/auth.md.

2. ACLs for least-privilege access


The `default` user with a shared password is fine for development. For production, give each application a dedicated ACL user with only the commands and key patterns it actually needs.

Cache-only reader


```
ACL SETUSER app_readonly on >password ~cache:* +get +mget +scan
```

Writer that can't run dangerous ops


```
ACL SETUSER app_writer on >password ~* +@all -@dangerous
```

Admin (use sparingly, never for application traffic)


```
ACL SETUSER admin on >strong-password ~* +@all
```

Useful command categories:

| Category | What it covers |
|---|---|
| `@read` | Read commands (`GET`, `MGET`, `HGET`, ...) |
| `@write` | Write commands (`SET`, `DEL`, `XADD`, ...) |
| `@dangerous` | `FLUSHALL`, `DEBUG`, `KEYS`, etc. |
| `@admin` | Administrative commands |

If app credentials leak, a tight ACL bounds the blast radius: an attacker who grabs a cache reader's password cannot `FLUSHALL` the database with it. Two caveats: `ACL SETUSER` changes live only in memory until you persist them (`ACL SAVE` when `aclfile` is set, or `CONFIG REWRITE` when users are defined in redis.conf), and key patterns only constrain commands that take key arguments, so a reader granted `+scan` can still enumerate key names outside `cache:*` even though it cannot read their values.

See [references/acls.md](references/acls.md).
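An added example (not Redis or redis-py code) that turns the three roles above into `ACL SETUSER` argument lists and a `users.acl` file. It goes a step beyond the page in three ways: passwords are supplied as `#<sha256>` hashes so the plaintext never lands in the ACL file, `reset` leads each SETUSER so reapplying a narrowed rule set is idempotent, and a small linter catches the rule-ordering mistake (`-@dangerous +@all`) that silently re-grants everything. The passwords and the `lint_role` policy are assumptions of the example.

```python
"""Build least-privilege Redis ACL users (added example; not Redis or redis-py code)."""
import hashlib
from dataclasses import dataclass, field


def password_hash(password: str) -> str:
    """SHA-256 hex digest: the form Redis accepts after '#' in ACL rules and users.acl,
    so the plaintext never has to be written into the ACL file."""
    return hashlib.sha256(password.encode()).hexdigest()


@dataclass
class AclRole:
    name: str
    password: str
    key_patterns: list                             # e.g. ["cache:*"]; "*" is the whole keyspace
    rules: list = field(default_factory=list)      # command/category rules, applied left to right
    channels: list = field(default_factory=list)   # pub/sub patterns (Redis >= 6.2), e.g. ["events:*"]

    def perms(self) -> list:
        """Permission tokens shared by ACL SETUSER and a users.acl line."""
        toks = ["on", "#" + password_hash(self.password)]
        toks += ["~" + p for p in self.key_patterns]
        # Grant no channels unless asked; resetchannels makes that explicit on 6.2,
        # where the default used to be allchannels.
        toks += (["&" + c for c in self.channels] or ["resetchannels"])
        toks += self.rules
        return toks


def setuser_args(role: AclRole) -> list:
    """Arguments for ACL SETUSER. 'reset' comes first because SETUSER is additive:
    re-running a narrower rule set without it leaves the old grants in place."""
    return [role.name, "reset"] + role.perms()


def acl_file_line(role: AclRole) -> str:
    """One line for the file named by the aclfile directive; each line fully defines a user."""
    return " ".join(["user", role.name] + role.perms())


def render_users_acl(roles) -> str:
    return "".join(acl_file_line(r) + "\n" for r in roles)


def lint_role(role: AclRole) -> list:
    """Flag rule sets that are not least-privilege for an application user (example policy)."""
    problems = []
    if not role.password or "nopass" in role.rules:
        problems.append(f"{role.name}: no password")
    if "+@dangerous" in role.rules:
        problems.append(f"{role.name}: +@dangerous granted explicitly")
    if "+@all" in role.rules:
        if "-@dangerous" not in role.rules:
            problems.append(f"{role.name}: +@all without -@dangerous")
        elif role.rules.index("+@all") > role.rules.index("-@dangerous"):
            problems.append(f"{role.name}: +@all after -@dangerous re-grants the dangerous commands")
    return problems


# The three roles from the page; passwords are constructed example values.
READONLY = AclRole("app_readonly", "reader-pass", ["cache:*"], ["+get", "+mget", "+scan"])
WRITER = AclRole("app_writer", "writer-pass", ["*"], ["+@all", "-@dangerous"])
ADMIN = AclRole("admin", "strong-password", ["*"], ["+@all"])

if __name__ == "__main__":
    for role in (READONLY, WRITER, ADMIN):
        # Live use with redis-py: r.execute_command("ACL", "SETUSER", *setuser_args(role))
        print("ACL SETUSER", " ".join(setuser_args(role)))
        for problem in lint_role(role):
            print("   WARN:", problem)
    print(render_users_acl([READONLY, WRITER, ADMIN]))
```

Apply the generated commands as an admin user (redis-cli, or redis-py's `execute_command`), then `ACL SAVE` so they survive a restart; the rendered `users.acl` is the equivalent if you manage users as a file. The linter deliberately warns on the `admin` role, which is the page's point that `~* +@all` is not an application identity.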

3. Restrict network access


The most common Redis breach is an instance on the public internet with no auth: an unauthenticated client can run `CONFIG SET` and `SAVE`, which is enough to write attacker-controlled files onto the host. Avoid that with three layers:

redis.conf — bind to specific interfaces, keep protected-mode on

```
bind 127.0.0.1 192.168.1.100
protected-mode yes
```

`protected-mode` is a safety net, not a control: it only refuses non-loopback clients when no `bind` address and no password are configured. Keep it on, but never rely on it in place of the other two layers.

Firewall — allow only application subnets

```bash
iptables -A INPUT -p tcp --dport 6379 -s 192.168.1.0/24 -j ACCEPT
iptables -A INPUT -p tcp --dport 6379 -j DROP
```

If you enabled `tls-port 6380`, add the same pair of rules for that port, and accept loopback traffic ahead of the DROP rule if local tools connect over 127.0.0.1.

Anti-pattern: `bind 0.0.0.0` + `protected-mode no` — exposes Redis to the whole network without protection.

Optional but recommended: rename or disable destructive commands so a compromised client can't trash the DB. This is a global, blunt control: it applies to admins too, disabling `CONFIG` also removes `CONFIG REWRITE`, and renaming commands that are written to the AOF or sent to replicas can break them. Prefer ACL `-@dangerous` for per-user restriction and treat this as defence in depth:

```
rename-command FLUSHALL ""
rename-command DEBUG ""
rename-command CONFIG ""
```

See [references/network.md](references/network.md).
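An audit script for the checklist items in sections 1 and 3, added here as an example (it is not part of the page and not a Redis tool). It parses a redis.conf and reports which items fail, covering the `bind`/`protected-mode` anti-pattern, missing auth, TLS without `port 0`, and the optional `rename-command` entries. Both configs are constructed for the example, and the 16-character password threshold is an arbitrary heuristic.

```python
"""Audit a redis.conf against this page's checklist (added example; not a Redis tool)."""
import sys


def parse_conf(text: str) -> dict:
    """Map each directive (lower-cased) to the list of argument lists it was given.
    Directives may repeat (rename-command), so every value is a list of lists."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, *args = line.split()
        conf.setdefault(name.lower(), []).append(args)
    return conf


ALL_INTERFACES = {"0.0.0.0", "*", "::", "::*"}  # Redis 7 writes IPv6 wildcards as -::*


def audit(conf: dict) -> list:
    """Return a list of findings; an empty list means every check passed."""
    findings = []

    def last(name, default):
        # redis.conf semantics: the last occurrence of a directive wins
        return conf[name][-1] if name in conf and conf[name][-1] else default

    # Network exposure (section 3): no bind directive means every interface
    bind = last("bind", None)
    if bind is None or any(a.lstrip("-") in ALL_INTERFACES for a in bind):
        findings.append("bind: listens on every interface; bind to loopback/private addresses")
    if last("protected-mode", ["yes"])[0].lower() != "yes":
        findings.append("protected-mode: disabled (the safety net when bind/auth are missing)")

    # Authentication (section 1): requirepass or an ACL file must exist
    password = last("requirepass", None)
    if password is None and "aclfile" not in conf:
        findings.append("auth: neither requirepass nor aclfile is set")
    elif password is not None and len(password[0]) < 16:  # crude strength heuristic
        findings.append("auth: requirepass is shorter than 16 characters")

    # TLS (section 1): tls-port alone leaves the plaintext listener on
    if "tls-port" not in conf:
        findings.append("tls: no tls-port; credentials and data cross the network in clear text")
    else:
        for directive in ("tls-cert-file", "tls-key-file"):
            if directive not in conf:
                findings.append(f"tls: {directive} missing")
        if last("port", ["6379"])[0] != "0":
            findings.append("tls: plaintext port still open; set 'port 0' once all clients use TLS")

    # Destructive commands (section 3, optional): rename-command X "" disables X
    disabled = {a[0].upper() for a in conf.get("rename-command", [])
                if len(a) == 2 and a[1] == '""'}
    for cmd in ("FLUSHALL", "DEBUG", "CONFIG"):
        if cmd not in disabled:
            findings.append(f"rename-command: {cmd} still reachable (optional hardening)")
    return findings


# Constructed sample: the anti-pattern called out above.
WEAK_CONF = """\
bind 0.0.0.0
protected-mode no
port 6379
"""

# Constructed sample: a config that passes every check (paths are placeholders).
HARDENED_CONF = """\
bind 127.0.0.1 192.168.1.100
protected-mode yes
port 0
tls-port 6380
tls-cert-file /path/to/redis.crt
tls-key-file /path/to/redis.key
aclfile /etc/redis/users.acl
rename-command FLUSHALL ""
rename-command DEBUG ""
rename-command CONFIG ""
"""

if __name__ == "__main__":
    # Usage: python audit_redis_conf.py /etc/redis/redis.conf (defaults to the weak sample)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else WEAK_CONF
    for finding in audit(parse_conf(text)) or ["OK: checklist passes"]:
        print(finding)
```

The parser is deliberately minimal (it does not follow `include` directives or unquote strings), so run it against the effective config on the host, or compare its output with `CONFIG GET` on a live instance where `CONFIG` is still enabled.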

References
