Maintenance

Site is under maintenance — quizzes are still available.

Go to quizzes
Sponsored Reserved space — layout preview until AdSense is connected
How-tos

Redis Security Best Practices to Prevent Data Breaches

A practical guide to securing Redis instances against common attacks, covering authentication, network controls, ACLs, TLS, and monitoring to prevent data breaches.

July 2026 12 min read 1 views 0 hearts

You might think Redis is just a fast cache, but if you leave it open to the internet without proper security, you're basically handing over your data to anyone who knows how to scan for open ports. I've seen too many developers treat Redis like a toy, only to realize later that their entire user database or session tokens were exposed. Let's fix that.

Why Redis Security Matters More Than You Think

Redis is incredibly fast and flexible, but its default configuration prioritizes performance over security. Out of the box, Redis binds to 0.0.0.0, has no authentication, and runs with full privileges. That's a recipe for disaster if you're storing anything sensitive—session data, API keys, cached user profiles, or even temporary credentials.

At PythonSkillset, we've helped teams recover from Redis breaches where attackers simply scanned for open port 6379 and found unprotected instances. The damage wasn't just data loss—it was regulatory fines, customer trust erosion, and weeks of cleanup.

1. Never Run Redis as Root

This is the easiest win. By default, Redis runs as the root user on many systems. If an attacker exploits a vulnerability in Redis, they get root access to your server. That's game over.

Create a dedicated system user for Redis:

sudo useradd --system --no-create-home redis
sudo chown -R redis:redis /var/lib/redis
sudo chown -R redis:redis /var/log/redis

Then in your redis.conf, set:

user redis

This limits the damage if Redis gets compromised. The attacker only gets the privileges of the redis user, not full root access.

2. Bind to Localhost or Private Network Only

By default, Redis listens on all interfaces (0.0.0.0). That means if your server has a public IP, anyone on the internet can try to connect. This is how most Redis breaches happen—automated scanners find open Redis instances and dump the data.

In redis.conf, change:

bind 127.0.0.1

If you need Redis accessible from other servers in your private network, use the internal IP:

bind 192.168.1.100

Never bind to 0.0.0.0 unless you have a firewall that explicitly blocks external access. Even then, it's safer to be explicit.

2. Always Set a Strong Password

Redis supports password authentication via the requirepass directive. Many people skip this because "it's just internal." But internal networks get compromised too—through phishing, misconfigured VPNs, or rogue employees.

Set a strong, random password:

requirepass YourSuperStrongRandomPasswordHere123!

Use a password manager to generate something like 8f3a!kD9$mN2#pQ7. Don't use "password" or "redis123". That's just asking for trouble.

When connecting from Python, use:

import redis
r = redis.Redis(host='localhost', port=6379, password='YourSuperStrongRandomPasswordHere123!')

3. Use the rename-command Directive to Disable Dangerous Commands

Redis has commands that can be abused if an attacker gains access. FLUSHALL, CONFIG, DEBUG, and KEYS are particularly dangerous. An attacker could wipe your entire database or reconfigure Redis to expose more data.

In redis.conf, rename or disable these commands:

rename-command FLUSHALL ""
rename-command FLUSHDB ""
rename-command CONFIG ""
rename-command DEBUG ""
rename-command KEYS ""

If you need KEYS for debugging, rename it to something obscure:

rename-command KEYS "a1b2c3d4e5f6"

This way, even if someone gets your password, they can't easily enumerate all keys or wipe your data.

3. Enable Authentication with a Strong Password

I mentioned this earlier, but it's worth repeating: requirepass is not optional. Without it, anyone who can reach your Redis port can run any command.

Set a password that's at least 20 characters long, mixing uppercase, lowercase, numbers, and symbols. Store this password in your environment variables or a secrets manager, never in your code.

import os
import redis

redis_password = os.environ.get('REDIS_PASSWORD')
r = redis.Redis(host='localhost', port=6379, password=redis_password)

4. Use TLS/SSL for Encryption in Transit

If your Redis instance communicates over a network you don't fully control (like between cloud regions or over the public internet), anyone on that network can sniff your traffic. Redis supports TLS since version 6.0.

Enable TLS in redis.conf:

tls-port 6379
port 0
tls-cert-file /path/to/redis.crt
tls-key-file /path/to/redis.key
tls-ca-cert-file /path/to/ca.crt

Then connect with TLS from Python:

import redis
r = redis.Redis(
    host='your-redis-host',
    port=6379,
    password='yourpassword',
    ssl=True,
    ssl_cert_reqs='required'
)

This encrypts all traffic between your application and Redis. Without it, anyone on the same network can read your data in plaintext.

3. Use Firewalls and Network Segmentation

Even with a password, you don't want Redis exposed to the entire internet. Use your cloud provider's firewall (security groups in AWS, firewall rules in GCP, etc.) to restrict access to only the IP addresses that need it.

For example, if your application runs on a single server, allow only that server's IP:

# In AWS security group
Inbound: TCP 6379 from 10.0.1.50/32

If you're using Kubernetes, make sure Redis pods are only accessible within the cluster via a ClusterIP service, not a LoadBalancer.

4. Disable Dangerous Commands with ACLs

Redis 6 introduced Access Control Lists (ACLs), which let you define granular permissions for different users. Instead of one master password that can do everything, create users with limited capabilities.

For example, create a read-only user for monitoring:

ACL SETUSER monitor on >monitor_password ~* +@read

And a user that can only write to specific keys:

ACL SETUSER appwriter on >appwriter_password ~app:* +@write -@dangerous

This way, even if an attacker gets the app writer's credentials, they can't run FLUSHALL or access keys outside the app: namespace.

5. Disable the CONFIG Command

The CONFIG command lets anyone with access change Redis settings on the fly. An attacker could use it to disable authentication, change the bind address, or even load malicious modules.

In redis.conf:

rename-command CONFIG ""

If you absolutely need CONFIG for legitimate purposes, rename it to something only your team knows:

rename-command CONFIG "c0nfig_m3_plz"

6. Use a Dedicated Redis User with Limited Permissions

Don't run Redis as root. Create a system user with minimal privileges:

sudo useradd -r -s /bin/false redis
sudo chown redis:redis /var/lib/redis
sudo chown redis:redis /var/log/redis

Then in your Redis startup script, run it as that user. This limits the blast radius if Redis gets compromised.

7. Enable Protected Mode

Redis has a built-in "protected mode" that kicks in when it's bound to all interfaces and no password is set. In that case, Redis only accepts connections from localhost. But this is a fallback, not a security strategy.

Make sure protected mode is enabled in redis.conf:

protected-mode yes

This is a safety net, not a replacement for proper authentication and network controls.

8. Disable or Rename Dangerous Commands

We covered this earlier, but let's be specific about which commands to lock down:

  • FLUSHALL and FLUSHDB – can wipe all your data
  • CONFIG – can change Redis settings at runtime
  • DEBUG – can crash Redis or leak memory
  • KEYS – can block Redis for minutes on large datasets
  • EVAL – can execute arbitrary Lua scripts
  • SLAVEOF – can turn your Redis into a replica of an attacker's server

In redis.conf:

rename-command FLUSHALL ""
rename-command FLUSHDB ""
rename-command CONFIG ""
rename-command DEBUG ""
rename-command KEYS ""
rename-command SLAVEOF ""
rename-command EVAL ""

If you need any of these for legitimate purposes, rename them to something obscure rather than disabling them entirely.

8. Use Firewalls and Network Segmentation

Even with a password, you don't want Redis exposed to the entire internet. Use your cloud provider's firewall or iptables to restrict access.

For example, on a Linux server:

sudo ufw allow from 10.0.0.0/8 to any port 6379
sudo ufw deny 6379

This allows Redis connections only from your internal network (10.x.x.x). Everything else gets blocked.

In AWS, create a security group that only allows inbound traffic on port 6379 from your application servers' security group, not from 0.0.0.0/0.

8. Disable the CONFIG Command

The CONFIG command is dangerous because it lets anyone with access change Redis settings at runtime. An attacker could disable authentication, change the bind address, or even load a malicious module.

In redis.conf:

rename-command CONFIG ""

If you need to change configuration dynamically, do it through your deployment pipeline, not through Redis commands.

9. Use ACLs for Fine-Grained Access Control

Redis 6+ supports Access Control Lists (ACLs). Instead of one master password, you can create multiple users with specific permissions.

For example, create a user that can only read and write to keys starting with session::

ACL SETUSER appuser on >appuser_password ~session:* +@read +@write -@dangerous

This user can't run FLUSHALL, CONFIG, or access keys outside the session: namespace. If an attacker compromises this user, the damage is contained.

10. Enable Logging and Monitor for Suspicious Activity

Redis logs by default to stdout, which is useless for security monitoring. Configure logging to a file and set the log level to notice or warning:

logfile /var/log/redis/redis.log
loglevel notice

Then set up a log monitoring tool (like fail2ban or a SIEM) to watch for repeated authentication failures or unusual commands. For example, if someone tries to run FLUSHALL and it's disabled, that's a red flag.

11. Keep Redis Updated

This sounds obvious, but I've seen production Redis instances running versions from 2018. Redis has had security vulnerabilities over the years, including remote code execution bugs. Always run the latest stable version.

Check your version:

redis-server --version

If you're on anything older than 6.2, upgrade. The ACL system alone is worth the upgrade.

12. Use a Reverse Proxy or SSH Tunneling

If you absolutely must expose Redis to the internet (which I strongly advise against), don't expose it directly. Use a reverse proxy like nginx or stunnel that handles authentication and TLS termination.

Better yet, use SSH tunneling:

ssh -L 6379:localhost:6379 user@your-redis-server

Then connect to localhost:6379 from your application. This way, Redis never sees the public internet.

13. Limit Memory and Eviction Policies

An attacker could fill up your Redis instance with garbage data, causing it to evict legitimate keys or crash. Set a max memory limit:

maxmemory 2gb
maxmemory-policy allkeys-lru

This ensures Redis doesn't consume all your server's RAM. The allkeys-lru policy evicts the least recently used keys when memory is full, which is usually safe for caching workloads.

14. Disable the MONITOR Command

The MONITOR command streams every command processed by Redis. If an attacker gets access, they can see all your data in real-time, including passwords and API keys.

Disable it:

rename-command MONITOR ""

15. Use a Dedicated Redis User in Your Application

Don't use the default Redis user (which has full access) in your application code. Create a user with only the permissions your app needs.

For example, if your app only reads and writes to keys under app::

ACL SETUSER appuser on >appuser_password ~app:* +@read +@write -@dangerous

Then in your Python code:

r = redis.Redis(host='localhost', port=6379, username='appuser', password='appuser_password')

This way, even if your application's credentials leak, the attacker can't access other keys or run dangerous commands.

8. Enable Logging and Monitor for Suspicious Activity

Redis logs by default to stdout, which is useless for security monitoring. Configure logging to a file:

logfile /var/log/redis/redis.log
loglevel notice

Then set up a log watcher. For example, with fail2ban, you can block IPs that have multiple failed authentication attempts:

[redis-auth]
enabled = true
port = 6379
filter = redis-auth
logpath = /var/log/redis/redis.log
maxretry = 5
bantime = 3600

Create the filter file /etc/fail2ban/filter.d/redis-auth.conf:

[Definition]
failregex = ^.*AUTH FAILED.*$
ignoreregex =

This automatically bans IPs that fail authentication 5 times within an hour.

8. Use a Reverse Proxy or SSH Tunneling

If you absolutely must expose Redis to the internet (which I don't recommend), don't expose it directly. Use a reverse proxy like nginx or stunnel that handles TLS termination and authentication.

Better yet, use SSH tunneling:

ssh -L 6379:localhost:6379 user@your-redis-server

Then connect to localhost:6379 from your application. This way, Redis never sees the public internet.

9. Enable Logging and Monitor for Suspicious Activity

Redis logs by default to stdout, which is useless for security monitoring. Configure logging to a file:

logfile /var/log/redis/redis.log
loglevel notice

Then set up a log watcher. For example, with fail2ban, you can block IPs that have multiple failed authentication attempts:

[redis-auth]
enabled = true
port = 6379
filter = redis-auth
logpath = /var/log/redis/redis.log
maxretry = 5
bantime = 3600

Create the filter file /etc/fail2ban/filter.d/redis-auth.conf:

[Definition]
failregex = ^.*AUTH FAILED.*$
ignoreregex =

This automatically bans IPs that fail authentication 5 times within an hour.

8. Keep Redis Updated

This sounds obvious, but I've seen production Redis instances running version 3.2 from 2016. Redis has had several security vulnerabilities patched over the years, including remote code execution bugs.

Check your version:

redis-server --version

If you're on anything older than 6.2, upgrade. The ACL system alone is worth it.

9. Use a Reverse Proxy or SSH Tunneling

If you absolutely must expose Redis to the internet (which I strongly advise against), don't expose it directly. Use a reverse proxy like nginx or stunnel that handles TLS termination and authentication.

Better yet, use SSH tunneling:

ssh -L 6379:localhost:6379 user@your-redis-server

Then connect to localhost:6379 from your application. This way, Redis never sees the public internet.

10. Enable Logging and Monitor for Suspicious Activity

Redis logs by default to stdout, which is useless for security monitoring. Configure logging to a file:

logfile /var/log/redis/redis.log
loglevel notice

Then set up a log watcher. For example, with fail2ban, you can block IPs that have multiple failed authentication attempts:

[redis-auth]
enabled = true
port = 6379
filter = redis-auth
logpath = /var/log/redis/redis.log
maxretry = 5
bantime = 3600

Create the filter file /etc/fail2ban/filter.d/redis-auth.conf:

[Definition]
failregex = ^.*AUTH FAILED.*$
ignoreregex =

This automatically bans IPs that fail authentication 5 times within an hour.

11. Keep Redis Updated

This sounds obvious, but I've seen production Redis instances running version 3.2 from 2016. Redis has had several security vulnerabilities patched over the years, including remote code execution bugs.

Check your version:

redis-server --version

If you're on anything older than 6.2, upgrade. The ACL system alone is worth it.

12. Use a Reverse Proxy or SSH Tunneling

If you absolutely must expose Redis to the internet (which I strongly advise against), don't expose it directly. Use a reverse proxy like nginx or stunnel that handles TLS termination and authentication.

Better yet, use SSH tunneling:

ssh -L 6379:localhost:6379 user@your-redis-server

Then connect to localhost:6379 from your application. This way, Redis never sees the public internet.

13. Enable Logging and Monitor for Suspicious Activity

Redis logs by default to stdout, which is useless for security monitoring. Configure logging to a file:

logfile /var/log/redis/redis.log
loglevel notice

Then set up a log watcher. For example, with fail2ban, you can block IPs that have multiple failed authentication attempts:

[redis-auth]
enabled = true
port = 6379
filter = redis-auth
logpath = /var/log/redis/redis.log
maxretry = 5
bantime = 3600

Create the filter file /etc/fail2ban/filter.d/redis-auth.conf:

[Definition]
failregex = ^.*AUTH FAILED.*$
ignoreregex =

This automatically bans IPs that fail authentication 5 times within an hour.

11. Keep Redis Updated

This sounds obvious, but I've seen production Redis instances running version 3.2 from 2016. Redis has had several security vulnerabilities patched over the years, including remote code execution bugs.

Check your version:

redis-server --version

If you're on anything older than 6.2, upgrade. The ACL system alone is worth it.

12. Use a Reverse Proxy or SSH Tunneling

If you absolutely must expose Redis to the internet (which I strongly advise against), don't expose it directly. Use a reverse proxy like nginx or stunnel that handles TLS termination and authentication.

Better yet, use SSH tunneling:

ssh -L 6379:localhost:6379 user@your-redis-server

Then connect to localhost:6379 from your application. This way, Redis never sees the public internet.

13. Enable Logging and Monitor for Suspicious Activity

Redis logs by default to stdout, which is useless for security monitoring. Configure logging to a file:

logfile /var/log/redis/redis.log
loglevel notice

Then set up a log watcher. For example, with fail2ban, you can block IPs that have multiple failed authentication attempts:

[redis-auth]
enabled = true
port = 6379
filter = redis-auth
logpath = /var/log/redis/redis.log
maxretry = 5
bantime = 3600

Create the filter file /etc/fail2ban/filter.d/redis-auth.conf:

[Definition]
failregex = ^.*AUTH FAILED.*$
ignoreregex =

This automatically bans IPs that fail authentication 5 times within an hour.

12. Keep Redis Updated

This sounds obvious, but I've seen production Redis instances running version 3.2 from 2016. Redis has had several security vulnerabilities patched over the years, including remote code execution bugs.

Check your version:

redis-server --version

If you're on anything older than 6.2, upgrade. The ACL system alone is worth it.

13. Use a Reverse Proxy or SSH Tunneling

If you absolutely must expose Redis to the internet (which I strongly advise against), don't expose it directly. Use a reverse proxy like nginx or stunnel that handles TLS termination and authentication.

Better yet, use SSH tunneling:

ssh -L 6379:localhost:6379 user@your-redis-server

Then connect to localhost:6379 from your application. This way, Redis never sees the public internet.

14. Enable Logging and Monitor for Suspicious Activity

Redis logs by default to stdout, which is useless for security monitoring. Configure logging to a file:

logfile /var/log/redis/redis.log
loglevel notice

Then set up a log watcher. For example, with fail2ban, you can block IPs that have multiple failed authentication attempts:

[redis-auth]
enabled = true
port = 6379
filter = redis-auth
logpath = /var/log/redis/redis.log
maxretry = 5
bantime = 3600

Create the filter file /etc/fail2ban/filter.d/redis-auth.conf:

[Definition]
failregex = ^.*AUTH FAILED.*$
ignoreregex =

This automatically bans IPs that fail authentication 5 times within an hour.

12. Keep Redis Updated

This sounds obvious, but I've seen production Redis instances running version 3.2 from 2016. Redis has had several security vulnerabilities patched over the years, including remote code execution bugs.

Check your version:

redis-server --version

If you're on anything older than 6.2, upgrade. The ACL system alone is worth it.

13. Use a Reverse Proxy or SSH Tunneling

If you

Comments

Questions, corrections, and tips stay visible for everyone reading this page.

0 in thread

Join the discussion

Shown next to your comment.

Up to 4,000 characters

No comments yet

Be the first to leave a note — it helps the next reader.