Skip to content

Hardening Redis and Valkey

Redis is designed to be reached only by trusted clients on a trusted network. Its own documentation is blunt about this: it is “usually not a good idea to expose the Redis instance directly to the internet.” The daemon has no meaningful defence against an attacker who can open a socket to it, and an unauthenticated instance is not merely a data leak — it is a reliable path to running code as the Redis user.

Almost all of the work here is deciding who can reach the port and what they are allowed to run once they do.

7 controls

This matters before anything else on this page, because you may not have what you think you have.

Redis changed licence in 2024, and since Redis 8.0 it ships under a tri-licence (AGPLv3, SSPLv1 or RSALv2). Debian, Ubuntu and Fedora cannot ship source-available software in their main repositories, and moved toward Valkey — a BSD-licensed fork of Redis OSS 7.2.4, now maintained under the Linux Foundation. So on a current Ubuntu or Debian host, “installing Redis” may well have given you Valkey.

Find out rather than assume:

Terminal window
redis-cli INFO server | grep -iE 'redis_version|valkey_version|server_name'
# or, if the redis-cli binary isn't there:
valkey-cli INFO server | grep -iE 'version|server_name'

Everything in this cluster applies to both. Valkey accepts Redis-style configuration and supports the Redis 7.2 directives, so the settings are the same. Two things differ:

Redis Valkey
Config file /etc/redis/redis.conf /etc/valkey/valkey.conf
CLI redis-cli valkey-cli
Service / user redis-server, redis valkey-server, valkey

Where a page below says redis.conf and redis-cli, substitute the Valkey path and binary if that is what you are running. Nothing else changes.

One file, no drop-in directory by default — unlike sshd, there is no conf.d precedence trap to worry about. But there is a different one:

CONFIG SET changes the running server without touching the file. A setting you changed at runtime is lost on restart, and a setting in the file may not be what the server is currently using. This is why every control here verifies with CONFIG GET against the running instance rather than by reading the file — and why CONFIG REWRITE exists to persist runtime changes back.

Redis has no lockout risk in the SSH sense — you are not authenticating interactively, and a mistake doesn’t strand you on the host. The risk here is different and worth stating plainly: these changes break applications.

Binding to an interface, requiring a password, or restricting commands will cut off any client that isn’t expecting it. Have the connection strings ready to update, and prefer a maintenance window over a live change.