How to deploy Redis Sentinel securely?


We would like to implement Redis Sentinel but understand that we need to run Sentinel as root. According to security, it is not a good idea to run it as root. One more question: do you have any resources or recommendations on how to implement Redis Sentinel securely with best practices? Thanks for your support.

We would like to securely deploy Redis Sentinel.

Omid Estaji On

Some things depend on your scenario and way of deployment; for example, if you deploy Redis Sentinel using Docker containers, you should consider container security aspects. But from a general viewpoint, consider the following things:

  • Enable data persistence to avoid data loss. Use Redis's RDB (snapshotting) or AOF (append-only file) for data durability. In Docker, you can use volumes to persist data across container restarts.
  • Don't hardcode configuration (including passwords). Instead, pass it using environment variables or config files during runtime.
  • Secure your Redis instances by enabling password authentication and regularly changing passwords.

requirepass COMPLEXpassword

  • Consider network policies to allow only necessary traffic to the server, e.g. iptables rules (they could be restricted further to specific sources):

-A INPUT -p tcp -m state --state NEW -m tcp --dport 6379 -j ACCEPT -m comment --comment "Redis to Redis"

-A INPUT -p tcp -m state --state NEW -m tcp --dport 26379 -j ACCEPT -m comment --comment "Sentinel to Sentinel"

  • Utilize ACLs (Access Control Lists), introduced in Redis 6.0, to restrict the commands that can be executed by clients (more info), e.g.:

ACL SETUSER newuser -@all +get +set

  • Disable dangerous commands: disable commands that are potentially dangerous, like FLUSHDB and FLUSHALL, e.g.:

rename-command FLUSHALL ""

  • Enable Redis TLS. Using TLS for network-level security comes with overhead but provides secure communication of data between servers.

Also I found these articles very useful. Link - Link
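The checklist above can be turned into a small configuration audit. The following is an added example, not part of the original answer and not Redis project code: it parses redis.conf-style text and reports which of the answer's points (authentication, persistence, TLS, disabled FLUSH commands, ACL rule order) are missing. The sample configs and the finding codes are constructed for illustration, and users defined in an external ACL file are not inspected.

```python
import shlex

# Constructed sample configs for illustration (not from the original page).
WEAK_CONF = """
save ""
appendonly no
user newuser on >COMPLEXpassword ~* +get +set -@all
"""
HARDENED_CONF = """
tls-port 6379
requirepass COMPLEXpassword
appendonly yes
rename-command FLUSHALL ""
rename-command FLUSHDB ""
user newuser on >COMPLEXpassword ~* -@all +get +set
"""

def parse_conf(text):
    """Yield (directive, args) pairs from redis.conf-style text."""
    for line in map(str.strip, text.splitlines()):
        if line and not line.startswith("#"):
            parts = shlex.split(line)
            yield parts[0].lower(), parts[1:]

def audit(text):
    """Return finding codes for the hardening points listed in the answer."""
    single, renamed, users = {}, {}, []
    for name, args in parse_conf(text):
        if name == "rename-command" and len(args) == 2:
            renamed[args[0].upper()] = args[1]
        elif name == "user" and args:
            users.append(args)
        else:
            single[name] = args  # last occurrence wins
    # Heuristic: "default" stays passwordless unless requirepass or an ACL line changes it.
    default_locked = any(u[0] == "default" and "nopass" not in u for u in users)
    checks = [
        ("no-auth", not "".join(single.get("requirepass", [])) and not default_locked),
        ("no-persistence", single.get("appendonly") != ["yes"] and single.get("save") == [""]),
        ("no-tls", single.get("tls-port", ["0"]) == ["0"]),
    ]
    findings = [code for code, failed in checks if failed]
    findings += ["enabled:" + c for c in ("FLUSHALL", "FLUSHDB") if renamed.get(c) != ""]
    for user, *rules in users:
        grants = [i for i, r in enumerate(rules) if r.startswith("+")]
        # ACL rules apply left to right, so a later -@all wipes earlier grants.
        if grants and "-@all" in rules[grants[0]:]:
            findings.append("acl-order:" + user)
    return findings
```

Calling `audit(WEAK_CONF)` reports every point from the list plus the ACL ordering problem, while `audit(HARDENED_CONF)` returns an empty list.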