Redis: disabling dangerous commands

Keywords: Redis Database

1: Dangerous commands that should not be usable on Redis

1:keys *

Although pattern matching with KEYS is convenient and powerful, and causes no problem with a small amount of data, on a large data set it blocks Redis (the command runs single-threaded over the whole keyspace) and causes a CPU surge. It is recommended to disable or rename it in the production environment!

2:flushdb

Deletes all records in the current Redis database, and this command never fails.

3:flushall

Deletes all records in all Redis databases, not only the current one, and this command never fails.

4:config

Any connected client can read and modify the Redis configuration at runtime.

2: How to disable or rename dangerous commands

1: Open the default redis.conf configuration file and find the SECURITY section, shown below:

################################## SECURITY ###################################

# Require clients to issue AUTH <PASSWORD> before processing any other
# commands.  This might be useful in environments in which you do not trust
# others with access to the host running redis-server.
#
# This should stay commented out for backward compatibility and because most
# people do not need auth (e.g. they run their own servers).
#
# Warning: since Redis is pretty fast an outside user can try up to
# 150k passwords per second against a good box. This means that you should
# use a very strong password otherwise it will be very easy to break.
#
# requirepass foobared

# Command renaming.
#
# It is possible to change the name of dangerous commands in a shared
# environment. For instance the CONFIG command may be renamed into something
# hard to guess so that it will still be available for internal-use tools
# but not available for general clients.
#
# Example:
#
# rename-command CONFIG b840fc02d524045429941cc15f59e41cb7be6c52
#
# It is also possible to completely kill a command by renaming it into
# an empty string:
#
# rename-command CONFIG ""
#
# Please note that changing the name of commands that are logged into the
# AOF file or transmitted to slaves may cause problems.

As the comments explain, adding rename-command entries is how the commands are disabled or hidden for security purposes.

2: Disable command

rename-command KEYS     ""
rename-command FLUSHALL ""
rename-command FLUSHDB  ""
rename-command CONFIG   ""

3: Rename command

rename-command KEYS     "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
rename-command FLUSHALL "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
rename-command FLUSHDB  "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
rename-command CONFIG   "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"

The XX placeholders above can be replaced with a new command name of your choosing or with random characters.
After these settings take effect (Redis must be restarted to reload redis.conf), clients can no longer execute the dangerous commands under their original names.
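As an added example (not part of the original post), the following Python audit checks a redis.conf fragment for the four commands discussed above, reporting each as disabled, renamed or still exposed, and builds a rename-command line with a random 40-hex-character name like the one in the redis.conf comment. The config fragment is constructed for the example; it only inspects the file, so it does not tell you which file a running instance actually loaded.

```python
import re
import secrets

# The commands the post recommends disabling or renaming.
DANGEROUS = ("KEYS", "FLUSHALL", "FLUSHDB", "CONFIG")

# Matches an active rename-command line; the new name may be quoted (possibly "") or bare.
RENAME_RE = re.compile(r'^\s*rename-command\s+(\S+)\s+(?:"([^"]*)"|(\S+))\s*$', re.IGNORECASE)


def parse_renames(conf_text):
    """Return {COMMAND: new_name} for every active rename-command line (comments ignored)."""
    renames = {}
    for line in conf_text.splitlines():
        if line.lstrip().startswith("#"):  # commented-out examples do not count
            continue
        m = RENAME_RE.match(line)
        if m:
            quoted, bare = m.group(2), m.group(3)
            renames[m.group(1).upper()] = quoted if quoted is not None else bare
    return renames


def audit(conf_text, dangerous=DANGEROUS):
    """Classify each dangerous command as 'disabled' (renamed to ""), 'renamed' or 'exposed'."""
    renames = parse_renames(conf_text)
    result = {}
    for cmd in dangerous:
        if cmd not in renames:
            result[cmd] = "exposed"
        elif renames[cmd] == "":
            result[cmd] = "disabled"
        else:
            result[cmd] = "renamed"
    return result


def rename_line(cmd, disable=False):
    """Build a rename-command line: "" disables the command, otherwise a random hex name."""
    new_name = "" if disable else secrets.token_hex(20)  # 40 hex characters, hard to guess
    return f'rename-command {cmd.upper()} "{new_name}"'


# Constructed sample redis.conf fragment for the demonstration (not a real file).
SAMPLE_CONF = """\
# rename-command CONFIG b840fc02d524045429941cc15f59e41cb7be6c52
rename-command FLUSHALL ""
rename-command FLUSHDB  ""
rename-command KEYS     "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
"""

if __name__ == "__main__":
    for cmd, state in audit(SAMPLE_CONF).items():
        print(f"{cmd:9} {state}")   # CONFIG shows as exposed: its line is only a comment
    print(rename_line("CONFIG"))
```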

Posted by TheNookie on Wed, 25 Dec 2019 12:38:55 -0800