Redis is fast and simple, but unsafe defaults or open network exposure can cause full data compromise. Harden Redis before production use.
In redis.conf:
bind 127.0.0.1 10.0.30.15
port 6379
protected-mode yes
Keep port 6379 private; setting port 0 disables the plain TCP listener entirely.
Use ACL-based authentication (Redis 6+):
aclfile /etc/redis/users.acl
Example ACL:
user app on >strong-password ~app:* +@read +@write -@admin
user admin on >admin-password allcommands allkeys
user monitor on >monitor-password +@admin +@read ~* -set -del -flushdb -flushall
Enable TLS for secure connections:
tls-port 6380
port 0 # Disable non-TLS port in production
tls-cert-file /etc/redis/tls/server.crt
tls-key-file /etc/redis/tls/server.key
tls-ca-cert-file /etc/redis/tls/ca.crt
tls-auth-clients yes
tls-protocols "TLSv1.2 TLSv1.3"
tls-ciphers "DEFAULT:!MEDIUM"
tls-prefer-server-ciphers yes
# TLS certificate-based automatic client authentication (Redis 8.6+)
repl-diskless-sync-delay 5
Limit high-risk commands (for legacy deployments) or ACL them out:
rename-command FLUSHALL ""
rename-command CONFIG ""
rename-command DEBUG ""
rename-command SHUTDOWN ""
ACLs are preferred because they are more granular.
chmod 600 /var/lib/redis/*
chown redis:redis /var/lib/redis/*
Run Redis as the unprivileged redis user.
Set latency-monitor-threshold to detect performance anomalies.
The HOTKEYS command (Redis 8.6+) helps spot hot keys.
Harden the systemd unit:
[Service]
NoNewPrivileges=true
PrivateTmp=true
ProtectSystem=strict
ProtectHome=true
In redis.conf:
slowlog-log-slower-than 1000 (microseconds)
slowlog-max-len 128
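As an added example (not part of this guide), a small Python checker that parses a redis.conf and reports which of the settings above are missing; both sample configs are constructed for the demo and the wildcard/empty-bind logic assumes a stock Redis build that defaults to all interfaces:

```python
# Added example, not from the original guide: audit a redis.conf for the
# hardening points above. Both sample configs are constructed for this demo.

EXPOSED_CONF = """\
bind 0.0.0.0
port 6379
protected-mode no
"""

HARDENED_CONF = """\
bind 127.0.0.1 10.0.30.15
protected-mode yes
aclfile /etc/redis/users.acl
tls-port 6380
port 0  # Disable non-TLS port in production
"""

DANGEROUS = {"FLUSHALL", "CONFIG", "DEBUG", "SHUTDOWN"}


def parse_conf(text: str) -> dict[str, list[list[str]]]:
    """Map each directive to every argument list it appears with (last wins)."""
    conf: dict[str, list[list[str]]] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if line:
            name, *args = line.split()
            conf.setdefault(name.lower(), []).append(args)
    return conf


def audit(text: str) -> list[str]:
    """Return findings; an empty list means every check in this guide passes."""
    conf = parse_conf(text)
    findings: list[str] = []
    binds = conf.get("bind", [[]])[-1]  # no bind directive = all interfaces
    if not binds or any(a in ("0.0.0.0", "*", "::") for a in binds):
        findings.append("bind: listening on all interfaces")
    if conf.get("protected-mode", [["no"]])[-1] != ["yes"]:
        findings.append("protected-mode: not enabled")
    if "aclfile" not in conf and "requirepass" not in conf:
        findings.append("auth: no aclfile (or requirepass) configured")
    if "tls-port" not in conf:
        findings.append("tls: no tls-port configured")
    elif conf.get("port", [["6379"]])[-1] != ["0"]:
        findings.append("tls: plain TCP port still open next to tls-port")
    # Legacy deployments without ACLs should at least rename dangerous commands away.
    renamed = {a[0].upper() for a in conf.get("rename-command", [])
               if len(a) == 2 and a[1] in ('""', "''")}
    if "aclfile" not in conf and not DANGEROUS <= renamed:
        findings.append("commands: not disabled: " + ", ".join(sorted(DANGEROUS - renamed)))
    return findings
```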