From 6aa21a45c41b5151824f1c3a85bfd02f70d37015 Mon Sep 17 00:00:00 2001 From: Lior Kogan Date: Sun, 8 Jun 2025 08:42:33 +0300 Subject: [PATCH 1/3] Add future deprecation warning to rename-command --- .../oss_and_stack/management/security/_index.md | 11 ++++++++--- 1 file changed, 8 insertions(+), 3 deletions(-) diff --git a/content/operate/oss_and_stack/management/security/_index.md b/content/operate/oss_and_stack/management/security/_index.md index d36a645853..9db78bb265 100644 --- a/content/operate/oss_and_stack/management/security/_index.md +++ b/content/operate/oss_and_stack/management/security/_index.md @@ -96,11 +96,11 @@ for two reasons: The goal of the authentication layer is to optionally provide a layer of redundancy. If firewalling or any other system implemented to protect Redis -from external attackers fail, an external client will still not be able to +from external attackers fails, an external client will still not be able to access the Redis instance without knowledge of the authentication password. Since the [`AUTH`](/commands/auth) command, like every other Redis command, is sent unencrypted, it -does not protect against an attacker that has enough access to the network to +does not protect against an attacker who has enough access to the network to perform eavesdropping. ## TLS support @@ -110,6 +110,11 @@ client connections, replication links, and the Redis Cluster bus protocol. ## Disallowing specific commands +{{< warning >}} +The method is no longer recommended and may be deprecated in future versions. +Instead, you should use ACL rules to disallow specific commands. +{{< /warning >}} + It is possible to disallow commands in Redis or to rename them as an unguessable name, so that normal clients are limited to a specified set of commands. 
@@ -137,7 +142,7 @@ algorithm complexity on data structures implemented inside Redis internals. An attacker could supply, via a web form, a set of strings that are known to hash to the same bucket in a hash table in order to turn the O(1) expected time (the average time) to the O(N) worst case. This can consume more -CPU than expected and ultimately cause a Denial of Service. +CPU than expected and ultimately causes a Denial of Service. To prevent this specific attack, Redis uses a per-execution, pseudo-random seed to the hash function. From ad7f07a5a249d420ffcc4ad77e7cd2fd87e89af5 Mon Sep 17 00:00:00 2001 From: Lior Kogan Date: Sun, 8 Jun 2025 08:46:14 +0300 Subject: [PATCH 2/3] Update _index.md --- content/operate/oss_and_stack/management/security/_index.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/operate/oss_and_stack/management/security/_index.md b/content/operate/oss_and_stack/management/security/_index.md index 9db78bb265..cc58fe24c9 100644 --- a/content/operate/oss_and_stack/management/security/_index.md +++ b/content/operate/oss_and_stack/management/security/_index.md @@ -112,7 +112,7 @@ client connections, replication links, and the Redis Cluster bus protocol. {{< warning >}} The method is no longer recommended and may be deprecated in future versions. -Instead, you should use ACL rules to disallow specific commands. +Instead, use [ACL rules](/operate/oss_and_stack/management/security/acl/) to disallow specific commands. {{< /warning >}} It is possible to disallow commands in Redis or to rename them as an unguessable From 24f846e2b4f4be32972edb25552d2a0f735673f9 Mon Sep 17 00:00:00 2001 From: Lior Kogan Date: Sun, 8 Jun 2025 08:50:18 +0300 Subject: [PATCH 3/3] Update _index.md --- content/operate/oss_and_stack/management/security/_index.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/content/operate/oss_and_stack/management/security/_index.md b/content/operate/oss_and_stack/management/security/_index.md index cc58fe24c9..dec6728f2c 100644 --- a/content/operate/oss_and_stack/management/security/_index.md +++ b/content/operate/oss_and_stack/management/security/_index.md @@ -111,7 +111,7 @@ client connections, replication links, and the Redis Cluster bus protocol. ## Disallowing specific commands {{< warning >}} -The method is no longer recommended and may be deprecated in future versions. +The method is deprecated and may be removed in future versions. Instead, use [ACL rules](/operate/oss_and_stack/management/security/acl/) to disallow specific commands. {{< /warning >}}
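Review bot: In the warning added under "## Disallowing specific commands" in PATCH 1/3, "The method" has no antecedent, because the shortcode sits above the paragraph that first describes disallowing and renaming commands. Name the mechanism in the warning itself, as the commit subject does (rename-command), or move the warning below the introductory paragraph so the reader knows what is being discouraged.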
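Review bot: The last hunk of PATCH 1/3 (@@ -137,7 +142,7 @@) changes "ultimately cause a Denial of Service" to "ultimately causes", which breaks the sentence: both verbs depend on "can" ("This can consume ... and ultimately cause ..."), so the original bare form was correct. Revert that line. This change and the grammar fixes in the first hunk are also unrelated to the subject "Add future deprecation warning to rename-command" and would sit better in a separate commit.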
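Review bot: PATCH 3/3 changes the warning from "may be deprecated in future versions" to "is deprecated and may be removed in future versions", a stronger statement than the series subject ("future deprecation warning") announces, and the commit subject "Update _index.md" gives no reason for it. If the feature is deprecated now, say so in the commit message and state in the warning from which version that applies; otherwise keep the PATCH 1/3 wording. PATCH 2/3 and 3/3 only rewrite lines introduced in 1/3, so squashing the series would leave one self-explanatory change.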