Renaming Dangerous Commands - aaron - 09-10-2023

Renaming Dangerous Commands (Optional)

A common practice for securing Redis is to rename or disable any potentially unsafe commands. Such commands are hazardous because any unauthorized user can use them to manipulate or even destroy all of the database data.

Keep in mind that this process is entirely optional, and you can decide whether you want to rename, disable, or leave each command active.

To begin, open the /etc/redis/redis.conf file with your preferred editor. We will be using nano in this example:
Then, find the SECURITY section, where you can either rename or disable a command. In our example, we are renaming the FLUSHALL, SHUTDOWN, and DEL commands to CANTSEE_FLUSHALL, CANTGUESS_SHUTDOWN, and CANTHEAR_DEL. We are also disabling the DEBUG and CONFIG commands entirely.

Other possibly unsafe commands include RENAME, SAVE, SREM, FLUSHDB, PEXPIRE, and BGSAVE.

To test everything, restart the Redis service:
Then, log in to the Redis command-line client:
To test a disabled command, you just need to try it. For example, try the DEBUG command. An error will be shown because the DEBUG command is disabled completely.

Next, test the renamed command. In our case, it's FLUSHALL. The FLUSHALL command no longer works under its original name, while our renamed one, CANTSEE_FLUSHALL, works as expected.
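
The SECURITY-section edits described above, written out as `rename-command` directives and checked by a small audit script. This is an added example, not part of the original post; the sample file contents and the function names `command_state` and `audit_conf` are constructed for illustration.

```shell
#!/bin/sh
# Added example: report whether each command the tutorial calls unsafe is
# renamed, disabled or still active under its default name in a redis.conf.

RISKY="FLUSHALL SHUTDOWN DEL DEBUG CONFIG RENAME SAVE SREM FLUSHDB PEXPIRE BGSAVE"

# command_state FILE COMMAND -> prints "disabled", "renamed" or "active".
# Commented-out lines are skipped because their first field is "#",
# not "rename-command".
command_state() {
    awk -v cmd="$2" '
        tolower($1) == "rename-command" && toupper($2) == cmd {
            state = ($3 == "\"\"") ? "disabled" : "renamed"
        }
        END { print (state == "" ? "active" : state) }
    ' "$1"
}

# audit_conf FILE -> one line per command; exit status 1 if any is active.
audit_conf() {
    audit_rc=0
    for audit_cmd in $RISKY; do
        audit_state=$(command_state "$1" "$audit_cmd")
        printf '%-10s %s\n' "$audit_cmd" "$audit_state"
        if [ "$audit_state" = "active" ]; then audit_rc=1; fi
    done
    return "$audit_rc"
}

# Constructed sample of the SECURITY section, using the names from the
# tutorial. An empty string as the new name disables the command.
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
# rename-command FLUSHDB ""
rename-command FLUSHALL CANTSEE_FLUSHALL
rename-command SHUTDOWN CANTGUESS_SHUTDOWN
rename-command DEL CANTHEAR_DEL
rename-command DEBUG ""
rename-command CONFIG ""
EOF

audit_conf "$SAMPLE_CONF" || echo "some commands are still active under their default names"
```

Point `audit_conf` at /etc/redis/redis.conf to check a real server. The redis.conf shipped with Redis 6 and later marks `rename-command` as deprecated and recommends ACLs for restricting commands.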