How to Restrict Redis Port 6379 to Localhost Only on Ubuntu Server for Secure Internal Access



When running Redis (which defaults to port 6379) on a production server, it's crucial to prevent unauthorized external access while maintaining local connectivity. Redis wasn't designed with robust security features out of the box, so proper network-level restrictions are essential.

The simplest way to restrict Redis access is through Ubuntu's built-in firewall:

sudo ufw allow from 127.0.0.1 to any port 6379
sudo ufw deny 6379
sudo ufw enable

This configuration:

  1. Allows localhost connections
  2. Blocks all other incoming traffic to port 6379
  3. Activates the firewall rules

Complement the firewall rule by binding Redis itself to the loopback interface. Edit the Redis configuration file directly:

sudo nano /etc/redis/redis.conf

Find and modify these lines:

bind 127.0.0.1
protected-mode yes

Then restart Redis:

sudo systemctl restart redis-server

For more granular control, use iptables (the last command assumes the iptables-persistent package, which provides /etc/iptables/rules.v4 and restores it at boot):

sudo iptables -A INPUT -p tcp -s 127.0.0.1 --dport 6379 -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 6379 -j DROP
sudo iptables-save | sudo tee /etc/iptables/rules.v4

Test from both local and remote machines:

# Local test (should work)
redis-cli -h 127.0.0.1 ping

# Remote test (should fail)
redis-cli -h your_server_ip ping

For mission-critical deployments, consider additional measures:

  • Implement Redis AUTH password protection
  • Set up SSH tunneling for remote administration
  • Configure firewalls at the cloud provider level (AWS Security Groups, etc.)
  • Regularly audit your network rules with sudo netstat -tulnp | grep 6379 (or sudo ss -tulnp | grep 6379 on current Ubuntu releases, where ss from iproute2 replaces netstat)

Redis running on default port 6379 is a common attack vector when exposed to the internet. While Redis needs to be accessible for local applications, we should restrict external connections to prevent unauthorized access and potential data breaches.

The simplest method for Ubuntu systems is using UFW:

sudo ufw allow from 127.0.0.1 to any port 6379
sudo ufw deny 6379
sudo ufw enable

This configuration specifically allows localhost while blocking all other connections.

For more granular control, use iptables directly (because -A appends, make sure no earlier rule already accepts port 6379, or the DROP rule will never be reached):

sudo iptables -A INPUT -p tcp --dport 6379 -s 127.0.0.1 -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 6379 -j DROP
sudo iptables-save | sudo tee /etc/iptables/rules.v4

The first two rules take effect immediately and only permit localhost connections to port 6379; the final command writes them to /etc/iptables/rules.v4 so that the iptables-persistent package reloads them at boot (without that package they are lost on reboot).

As an additional security measure, modify Redis configuration:

sudo nano /etc/redis/redis.conf

Find and change these lines:

bind 127.0.0.1
protected-mode yes

After implementing these changes, test the configuration:

# Test local connection (should work)
redis-cli ping

# Test remote connection (should fail)
telnet your_server_ip 6379

Consider these extra measures for production environments:

  • Implement Redis authentication (requirepass in redis.conf)
  • Change the default Redis port
  • Set up TLS encryption for Redis connections
  • Implement proper firewall rules for all exposed services
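The manual tests above confirm connectivity by hand; as an added example (not code from the original article), the following POSIX shell script audits the two things the article configures: that redis.conf binds only to loopback with protected-mode on, and that the kernel's listener table (from ss -tlnH, the iproute2 replacement for netstat) shows port 6379 on loopback addresses only. The sample config and socket listing embedded in it are constructed, and the script name redis_audit.sh is an assumption.

```shell
#!/bin/sh
# Audit helper added here as an example (not code from the original article):
# checks that Redis is configured for, and actually listening on, loopback only.

# Return 0 when the redis.conf text on stdin has "protected-mode yes" and its
# last "bind" line lists only loopback addresses (127.0.0.1 / ::1; Redis 7 writes
# "-::1", where the leading "-" means "skip if IPv6 is unavailable").
check_redis_conf() {
    conf=$(cat)
    binds=$(printf '%s\n' "$conf" | awk '$1 == "bind" { $1 = ""; line = $0 } END { print line }')
    [ -n "$binds" ] || { echo "no bind directive: Redis would listen on all interfaces" >&2; return 1; }
    for addr in $binds; do
        case "${addr#-}" in
            127.0.0.1|::1) ;;
            *) echo "non-loopback bind address: $addr" >&2; return 1 ;;
        esac
    done
    pm=$(printf '%s\n' "$conf" | awk '$1 == "protected-mode" { v = $2 } END { print v }')
    [ "$pm" = "yes" ] || { echo "protected-mode is '${pm:-unset}', expected yes" >&2; return 1; }
}

# Return 0 when an `ss -tlnH` listing (one socket per line, local address in
# column 4) shows port 6379 bound only to loopback addresses.
check_listeners() {
    exposed=$(printf '%s\n' "$1" | awk '
        $4 ~ /:6379$/ {
            a = $4; sub(/:6379$/, "", a)
            if (a != "127.0.0.1" && a != "[::1]") print a
        }')
    [ -z "$exposed" ] || { echo "port 6379 listening on non-loopback address: $exposed" >&2; return 1; }
}

# Constructed sample inputs for offline use (not captured from a real host).
SAFE_CONF='bind 127.0.0.1 -::1
protected-mode yes'
EXPOSED_CONF='bind 0.0.0.0
protected-mode no'
SAFE_LISTING='LISTEN 0 511 127.0.0.1:6379 0.0.0.0:*
LISTEN 0 511 [::1]:6379 [::]:*'
EXPOSED_LISTING='LISTEN 0 511 0.0.0.0:6379 0.0.0.0:*'

# Live audit of this host: sh redis_audit.sh /etc/redis/redis.conf
if [ "$#" -ge 1 ]; then
    check_redis_conf < "$1" && check_listeners "$(ss -tlnH)" && echo "OK: Redis is loopback-only"
fi
```

Run it without arguments to exercise the constructed samples from a shell, or with the path to redis.conf on the server after applying the changes above.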