Advanced Spring+SpringMVC+MyBatis+easyUI Integration (11): Redis Password and Security Settings


The previous article, "Advanced Spring+SpringMVC+MyBatis+easyUI Integration (9): Installing Redis under Linux and Common Redis Commands and Operations", was only a brief introduction covering the installation of Redis and simple use of the command line. Redis has been started and works normally, but none of the settings have been changed: default configuration, default port, no password. In its current state Redis is effectively a naked service. That leaves real security gaps, and if it is scanned or attacked by someone with bad intentions it becomes quite troublesome.

redis password settings

The first way: set through the command line


// First enter redis with redis-cli; if redis is not running, start the redis service first:
redis-cli
// Check whether this redis instance already has a password set:
127.0.0.1:6379> config get requirepass
1) "requirepass"
2) ""
// The requirepass parameter is empty, i.e. no password is set; set the password to 123:
127.0.0.1:6379> config set requirepass 123
OK
// After that, further operations fail with an authentication error:
127.0.0.1:6379> get author
(error) NOAUTH Authentication required.
127.0.0.1:6379> info
NOAUTH Authentication required.
// auth + password authenticates; once authorised, normal operations work again:
127.0.0.1:6379> auth 123
OK
127.0.0.1:6379> get author
(nil)
127.0.0.1:6379> info
# Server
redis_version:4.0.2
redis_git_sha1:00000000
redis_git_dirty:0
redis_build_id:5e81d0ebc9709a8a

However, this method has a disadvantage: a password set with CONFIG SET lives only in the running server's memory and is not permanent. If Redis restarts, the password is gone (unless you also run CONFIG REWRITE, which writes the running configuration back to redis.conf).

The second way: modify the redis.conf file

In the default configuration, the requirepass directive is commented out with a leading #.

Modify the redis.conf configuration file. Note that a comment must be on its own line starting with #; a trailing comment after the password would be read by Redis as extra arguments and the server would refuse to start.

# requirepass foobared
# set the password to 123
requirepass 123


If you want the password to stay valid permanently, find the requirepass parameter in the Redis configuration file redis.conf, set it, save the file and restart the Redis service. The password will then survive restarts.

Because Redis handles requests extremely fast, setting a password alone is not enough: an attacker can send a very large number of AUTH attempts in a short time, so a short or guessable password is brute-forced quickly. Use the longest random password you can; there is no need to worry about forgetting it, since it is stored in plain text in the configuration file. For the same reason, make sure redis.conf is readable only by the user Redis runs as.

redis default port modification

Services installed on a server usually come with a default port, and the default port of Redis is 6379. After installing software I usually change the default port, for example MySQL's 3306 or SVN's 3690, and adjust a few other default settings. This is just a personal habit and not something you have to copy.


Open the Redis configuration file redis.conf, find the port setting, change 6379 to the port you want, restart Redis, and update the connection settings of every client accordingly. Keep in mind that a non-default port only buys obscurity against mass scanners; what actually limits exposure is whether the port is reachable at all (bind address and firewall rules).

Disable or rename high-risk commands

# use one of the two forms:
rename-command FLUSHALL redisflushall   # rename FLUSHALL, so it is only reachable under the new name
rename-command FLUSHALL ""              # disable FLUSHALL entirely (empty name)

The same treatment applies to CONFIG, EVAL and other commands that reconfigure the server or run arbitrary code. If you rename rather than disable, pick a long random name; the new name is only as secret as redis.conf itself. As the comments in redis.conf warn, renaming commands that are written to the AOF file or sent to replicas can cause problems on those replicas, so apply the same rename-command lines on every node.
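The three settings above (requirepass, port, rename-command) can be checked offline before restarting the server. The following script is an added example, not code from this article or from the Redis project: it parses a redis.conf the way Redis does (only a line starting with # is a comment, so a trailing comment on the requirepass line is caught as a configuration error), audits the directives discussed here, and goes one step beyond the text by also checking the bind directive, which decides whether the port is reachable from outside at all. The DANGEROUS command list, the 16-character minimum, the sample configuration files and the made-up password and command names are this example's own assumptions.

```python
"""Offline audit of a redis.conf for the hardening points discussed above.
Added example, not Redis project code. requirepass, port, rename-command and
bind are real redis.conf directives; the thresholds and lists are assumptions."""
import secrets
import shlex
from collections import defaultdict

# FLUSHALL, CONFIG and EVAL from the article plus a few more an attacker on
# the wire would reach for (assumption: this list is the example's own).
DANGEROUS = ("FLUSHALL", "FLUSHDB", "CONFIG", "EVAL", "DEBUG", "KEYS", "SHUTDOWN")
DEFAULT_PORT = 6379
MIN_PASSWORD_LEN = 16  # assumption: at least 16 random characters


def parse_redis_conf(text):
    """Map each active directive (lower-cased) to its argument lists, in file order.
    Redis only treats a line whose first non-blank character is '#' as a comment;
    every other line is split into 'directive arg ...' tokens, where "" is an
    explicit empty argument. shlex approximates that tokeniser."""
    directives = defaultdict(list)
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            tokens = shlex.split(line)  # no inline comments, same as Redis
        except ValueError as exc:
            raise ValueError(f"redis.conf line {lineno}: {exc}") from None
        directives[tokens[0].lower()].append(tokens[1:])
    return directives


def audit(directives):
    """Return a list of human-readable findings; an empty list means all checks passed."""
    findings = []
    pw = directives.get("requirepass")
    if not pw:
        findings.append("requirepass unset: anyone who can reach the port has full access")
    elif len(pw[-1]) != 1:  # last occurrence wins, as in Redis
        findings.append("requirepass takes exactly one argument; a trailing comment on the "
                        "same line is read as extra arguments and Redis refuses to start")
    elif len(pw[-1][0]) < MIN_PASSWORD_LEN:
        findings.append(f"requirepass is {len(pw[-1][0])} chars; AUTH guesses run at Redis "
                        f"speed, so use {MIN_PASSWORD_LEN}+ random characters")
    port_args = directives.get("port")
    port = int(port_args[-1][0]) if port_args and port_args[-1] else DEFAULT_PORT
    if port == DEFAULT_PORT:
        findings.append("port 6379 is the default that mass scanners try first (obscurity only, but cheap)")
    renamed = {a[0].upper(): a[1] for a in directives.get("rename-command", []) if len(a) == 2}
    for cmd in DANGEROUS:
        if cmd not in renamed:
            findings.append(f"rename-command missing for {cmd}: reachable under its real name")
    bind_args = directives.get("bind")
    # no bind directive means Redis listens on every interface
    addrs = [a.lstrip("-") for a in bind_args[-1]] if bind_args else ["0.0.0.0"]
    if any(a in ("0.0.0.0", "*", "::") for a in addrs):
        findings.append("bind exposes Redis on every interface; bind 127.0.0.1 unless clients are remote")
    return findings


def generate_password(nbytes=24):
    """Random requirepass value; URL-safe alphabet, so it needs no quoting in redis.conf."""
    return secrets.token_urlsafe(nbytes)


# Constructed sample: roughly the file this article ends up with.
WEAK_CONF = """
# requirepass foobared
requirepass 123
port 6379
rename-command FLUSHALL ""
"""

# Constructed sample: the same file with every finding addressed
# (the password and the renamed command names are made up).
HARDENED_CONF = """
bind 127.0.0.1
port 6380
requirepass 4f2Zq8wLm0Xc7Vb3Tn9Hk1Pj5Rs6Dy2G
rename-command FLUSHALL ""
rename-command FLUSHDB ""
rename-command EVAL ""
rename-command DEBUG ""
rename-command KEYS ""
rename-command CONFIG "config-7f3a9c2e"
rename-command SHUTDOWN "shutdown-7f3a9c2e"
"""

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"[{name}]")
        for finding in audit(parse_redis_conf(conf)) or ["no findings"]:
            print("  -", finding)
    print("suggested requirepass:", generate_password())
```

Run it against your own file with audit(parse_redis_conf(open("/etc/redis/redis.conf").read())). Disabling a command with "" is preferable to renaming when nothing legitimately needs it; a renamed command is protected only by the secrecy of the new name.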

Summarize

This article is a personal summary of redis security:

  • Setting a password is a must, and it should be long and random.
  • High-risk commands deserve extra attention: rename or disable them, and never run them casually.
  • Changing the default port is a matter of personal preference or project requirements, not a necessity.

First published on my personal blog , the new project demo address: perfect-ssm , login account: admin, password: 123456

If you have any questions or good ideas, please leave me a message, and thank you to the friends who have pointed out problems in the project.

If you want to keep learning about the project, you can read the whole Spring+SpringMVC+MyBatis+easyUI integration series of articles, or go to my GitHub repository or the open source Chinese code repository to view the source code and project documentation.
