A Full-Stack Developer‘s Guide to Securing Redis

As an in-memory data store renowned for its blistering speed, Redis has become a staple across high-traffic web applications. However, the same qualities that make Redis so fast — keeping everything in RAM, minimal processing overheads, and support for networked access — can allow crippling attacks if left unprotected.

In my decade securing Linux infrastructure and building cloud-native apps, I‘ve seen many cases where developers failed to adequately harden Redis instances. Hasty deployments and lack of security knowledge left organizations open to embarrassing breaches, disrupted services, and even ransomware worming through clusters.

It doesn‘t have to be this way. Redis provides powerful protections, if properly understood and configured. In this comprehensive guide for developers, I‘ll cover holistic steps for locking down Redis based on experience forged over countless long on-call nights resolving Redis-related incidents. Follow these best practices, and both your data‘s security and your blood pressure will thank you.

The Password Protection Imperative

The most obvious yet often neglected way to prevent unauthorized Redis access is requiring authentication passwords. According to cloud security surveys, over 20% of databases remain unprotected by passwords or encryption. Lack of passwords allows any local or even remote attacker to access and vandalize the data, or launch further attacks leveraging hijacked resources.

Attackers routinely scan cloud infrastructure for open databases, immediately compromising any unsecured instances discovered. Once taken over, these databases might be held for ransom, have politically motivated content inserted, be leveraged for illicit cryptomining operations, or sell access on hacker forums. Most Redis ransomware worms like KeyDB, Luckzor, and RediWorm expressly target instances without password protection enabled.

Enabling protected mode blocks remote attackers lacking the password, but still allows any local process to access Redis. Local threats range from curious sysadmin mistakes to malicious containers co-located in shared Kubernetes pods. Furthermore, passwords deter temptation for insider data theft. For these reasons, authenticated Redis access remains imperative even within internal or protected networks.

To mandate passwords, include the requirepass directive when configuring your Redis instance:

requirepass yourComplexPasswordHere!@#

This will force clients to issue an AUTH yourComplexPasswordHere!@# command after connecting but before issuing any other Redis commands. Configure your application code to supply the password upfront.

Choose passwords with high entropy – long and random mixtures of upper and lowercase letters, numbers, and symbols. Avoid common dictionary words and personal information that could be guessable. Rotating passwords periodically also helps limitexposure from leaked credentials.

With authentication in place, most external attacker scans will entirely skip past your Redis instance rather than waste cycles guessing.

Configuring Network Access Controls

Redis protected mode blocks networks outside local hosts, but falls short of completely containing network access. The local host itself may have other containers or processes that should not have Redis permissions. Furthermore, protected mode permits remote access once passwords are set, since it assumes the credentials provide adequate security. Additional limits must be set through Linux networking.

Firewall off all external Redis access, only allowing application servers that legitimately need Redis to connect. For example, allow connections from localhost, Kubernetes pod CIDRs, or VPC subnets holding your App Servers. But never expose Redis directly to the internet.

Here is an example iptables firewall ruleset allowing Redis access only from app servers at 192.168.60.0/24:

*filter

# Allow ping for health checks
-A INPUT -p icmp --icmp-type echo-reply -j ACCEPT

# Allow SSH from developer CIDRs 
-A INPUT -p tcp -s 192.168.0.0/16 --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp --sport 22 -m conntrack --ctstate ESTABLISHED -j ACCEPT

# Allow Redis traffic only from app servers
-A INPUT -p tcp -s 192.168.60.0/24 --dport 6379 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp --sport 6379 -m conntrack --ctstate ESTABLISHED -j ACCEPT

# Default deny all other access
-A INPUT -j DROP

COMMIT

Note this allows outgoing Redis access which many applications require for caching writes. Stateful inspection via conntrack allows returning traffic.

For Kubernetes deployments, leverage NetworkPolicy resources to enforce similar controls. Explicitly specify allowed source pods instead of wide open intra-cluster connectivity.

Firewalls and tight NetworkPolicies prevent compromised containers, functions, or microservices from attacking Redis. Apply the principle of least privilege with your network rules.

Configuring Access Controls

Even with networking limits, compromised application code risks injecting malicious Redis queries. Redis ACLs (Access Control Lists) further restrict connected clients to only authorized activities.

ACL functionality has been built into Redis since version 6.0. Older versions can emulate ACLs through Lua scripting.

Here is an example ACL policy allowing read-only access to the "cache:" prefix but denying dangerous KEY and CONFIG operations:

# Authenticated user ‘reader‘
ACL SETUSER reader on >reader-password

# Allow cache reads
ACL CAT categories
ACL CAT >cache:
ACL CAT cache:* >get,scan

# Deny KEY and CONFIG capabilities  
ACL CAT keyspace
ACL CAT key* -get,scan 
ACL CAT config -get

# Apply ACLs 
ACL LOAD

This forces restricted permissions tied to a specific user, with requests authenticated for each connection.

Appropriately limiting capabilities per microservice is essential to avoiding "confused deputy" attacks against Redis originating from application code.

Encrypting Network Traffic

Even with protected mode, firewalling, and ACLs, Redis normally transmits data unencrypted over the network. A bad actor able to man-in-the-middle the TCP session could both intercept registered passwords and see sensitive cached data.

Encrypting the Redis transport channel defends against password sniffing, session hijacking, MITM attacks inserting bad data, and prying eyes on shared networks.

The open-source tool stunnel conveniently wraps existing Redis connections with industry-standard TLS encryption:

# /etc/stunnel/redis.conf

[redis]
accept = 127.0.0.1:6380
connect = 127.0.0.1:6379
cert = /path/to/ssl.pem

Stunnel listens locally for secure TLS Redis traffic on port 6380 before forwarding decrypted to the actual Redis instance on standard port 6379. This adds transport encryption without any application or Redis changes.

Managed Redis offerings like AWS ElastiCache provide similar TLS capabilities.

For even stronger security, consider enabling Redis‘ Server-Side Encryption introduced in 6.0 to encrypt on-disk snapshots. Performance impact remains minimal.

Avoiding Resource Exhaustion

Even without directly accessing data, attackers can still overwhelm Redis servers through brute force authentication attempts or malicious input. Configuring resource quotas protects against these denial of service and resource exhaustion scenarios.

Enable maxmemory with headroom below total system RAM – say 70%. This caps Redis memory use to avoid system crashes:

maxmemory 300mb
maxmemory-policy allkeys-lru

Additionally, to prevent CPU spikes or connection floods from neutering service, enact connection limits and rate limiting:

maxclients 10000
client-output-buffer-limit pubsub 32mb 64mb 60

Set maxclients safely below your real traffic requirements with some room for spikes. Client buffers control how much bandwidth each client can consume.

Overall, avoiding Redis resource exhaustion prevents vulnerabilities where one bad actor could impair site reliability. Monitor usage levels and tune quotas to allow for real traffic peaks.

Final Thoughts

Like securing any powerful technology, configuring Redis requires foresight into how exposed capabilities could be abused. Unprotected Redis undermines application security just as easily as unpatched web servers or vulnerable JavaScript. Treat Redis security seriously, instrument operational visibility through logging, and keep configurations aligned with current best practices as outlined here.

What other native Redis techniques have you used to bolster security? Please share your lessons learned so we can all collectively uplift knowledge. With increasingly more web innovation built atop Redis, our shared duty remains upholding reliable, safe, and speedy application infrastructure.