Redis Ports: Configuration, Security & Setup Guide 2026

⏱️ Reading time: ~10 minutes | 📅 Updated: December 7, 2025

One misconfigured port — and your server is open to the world

Redis handles millions of requests per second, stores user sessions, caches data for instant access. But there's a problem: by default, Redis listens on port 6379 without any authentication. Hackers know this and scan the internet 24/7.

In 2025, approximately 40,000 Redis servers were publicly accessible without a password. The result — stolen data, cryptominers on servers, destroyed databases. All because of a misconfigured port.

This guide covers how to properly configure Redis ports in 2026: from basic configuration to production-ready security with ACL and TLS. Whether you're running Redis on a VPS or dedicated server, this knowledge will protect your data.

Redis: an in-memory database

Redis (Remote Dictionary Server) is an in-memory database that stores everything in RAM. While traditional databases read from disk in 10-15 milliseconds, Redis delivers data in microseconds.

How it works

Traditional databases store data on disk and read it with every request. Redis keeps everything in RAM — hence the speed. Disk is only used for persistence (saving data on restart).

Clients (your website, application, API) connect to Redis through a network port. By default, this is port 6379. The server constantly listens on this port, ready to accept commands: store a key, retrieve a value, add an element to a list.

Redis 8: what's new in 2025-2026

Redis 8 is the biggest update in history:

• Up to 87% faster — command latency reduced for 90+ operations
• 2x throughput — thanks to improved I/O multithreading
• Vector Sets — native vector search support for AI/ML
• JSON native — RedisJSON module now built-in
• Up to 67% RAM savings — optimized JSON and number storage

Redis Ports: which one does what

Redis uses several ports for different functions. Understanding each is key to proper configuration.

Port 6379: the main port

This is the standard port known by every client library — Python redis-py, Node.js ioredis, PHP Predis. When you write redis.connect() without parameters, the connection goes here.

Problem: 6379 is the first port hackers scan. Shodan shows tens of thousands of open Redis servers daily.

Port 16379: Cluster Bus

When Redis runs in cluster mode, nodes communicate with each other through port 16379 (main port + 10000). This is an internal protocol for data synchronization and slot distribution.

Important: This port should never be accessible from the internet — only between cluster nodes.

Port 26379: Sentinel

Redis Sentinel provides High Availability — monitors the master node and automatically switches to replica if master fails. Sentinel listens on port 26379 for coordination with other Sentinel instances.

Redis Port Security: 6 layers of protection

An unprotected Redis is not a question of "if it gets hacked" but "when". Here's what you need to configure.

1. Bind: limit interfaces

By default, Redis can listen on all network interfaces. This is dangerous.

# redis.conf — listen only on localhost
bind 127.0.0.1
# Or specific private IP
bind 127.0.0.1 10.0.0.5
# DANGEROUS — listen on all
# bind 0.0.0.0

2. Protected Mode: built-in protection

Redis 3.2+ has protected mode — if there's no password and bind isn't configured, the server rejects external connections.

# redis.conf — always enabled
protected-mode yes

3. ACL instead of requirepass: granular control

The old requirepass is one password for everyone. ACL (Access Control Lists) from Redis 6+ allows creating users with different permissions.

# redis.conf — creating users with ACL
# Disable default user without password
user default off
# Admin with full access
user admin on >SuperStr0ngP@ssw0rd ~* +@all
# Read-only user
user readonly on >R3adOnlyP@ss ~cached:* +@read -@dangerous
# Application user — limited commands
user webapp on >W3bAppP@ss ~session:* ~cache:* +get +set +del +expire

ACL syntax explained:

• on/off — activate/deactivate user
• >password — set password
• ~pattern — access to keys by pattern
• +command — allow command
• -@category — deny command category

4. TLS: traffic encryption

Redis 6+ supports native TLS. Mandatory for production, especially if traffic goes over the network.

# redis.conf — TLS configuration
# Use TLS on port 6379, disable unencrypted
tls-port 6379
port 0
# Certificates
tls-cert-file /etc/redis/tls/redis.crt
tls-key-file /etc/redis/tls/redis.key
tls-ca-cert-file /etc/redis/tls/ca.crt
# Require client certificates (optional but recommended)
tls-auth-clients yes
# Minimum TLS version
tls-protocols "TLSv1.2 TLSv1.3"

5. Firewall: network-level restriction

Even with all Redis settings configured, firewall is mandatory.

# UFW — allow Redis only from specific IPs
sudo ufw allow from 10.0.0.0/24 to any port 6379
sudo ufw deny 6379
# iptables — same thing
iptables -A INPUT -p tcp --dport 6379 -s 10.0.0.0/24 -j ACCEPT
iptables -A INPUT -p tcp --dport 6379 -j DROP

6. Dangerous commands: rename or disable

Some commands can destroy data or compromise the server.

# redis.conf — protecting dangerous commands
# Completely disable
rename-command FLUSHALL ""
rename-command FLUSHDB ""
rename-command DEBUG ""
# Or rename to something complex
rename-command CONFIG "CONFIG_b4ckd00r_pr0t3ct"
rename-command SHUTDOWN "SHUTDOWN_s3cur3_2026"

Changing Redis Port: step-by-step guide

Changing the standard port 6379 to a custom one is one way to complicate automated attacks. This doesn't replace other security measures but adds another layer of protection.

Step 1: Find the configuration file

# Typical locations
/etc/redis/redis.conf          # Debian/Ubuntu
/etc/redis.conf                # CentOS/RHEL
/usr/local/etc/redis.conf      # macOS (Homebrew)
# Find the file
sudo find / -name redis.conf 2>/dev/null

Step 2: Change the port in configuration

# Open the file
sudo nano /etc/redis/redis.conf
# Find the line (approximately line 98)
port 6379
# Change to new port
port 6380

Step 3: Update firewall

# UFW
sudo ufw allow 6380/tcp
sudo ufw delete allow 6379/tcp
# iptables
sudo iptables -A INPUT -p tcp --dport 6380 -j ACCEPT
sudo iptables -D INPUT -p tcp --dport 6379 -j ACCEPT

Step 4: Restart Redis

# Systemd
sudo systemctl restart redis
# Or
sudo service redis-server restart

Step 5: Verify it works

# Connect through new port
redis-cli -p 6380 ping
# Expected response: PONG
# Check that server is listening
sudo netstat -tlnp | grep redis
# tcp  0  0  127.0.0.1:6380  0.0.0.0:*  LISTEN  1234/redis-server

Step 6: Update all clients

Don't forget to update connections in all applications!

# Python
import redis
r = redis.Redis(host='localhost', port=6380)
# PHP
$redis = new Redis();
$redis->connect('127.0.0.1', 6380);
# Node.js
const Redis = require('ioredis');
const redis = new Redis({ port: 6380 });

Running multiple Redis instances on one server

Often you need to separate Redis for different tasks: one for cache, another for sessions, a third for queues. Each instance runs on its own port.

Creating separate configurations

# Copy configuration for each instance
sudo cp /etc/redis/redis.conf /etc/redis/redis-cache.conf
sudo cp /etc/redis/redis.conf /etc/redis/redis-session.conf
sudo cp /etc/redis/redis.conf /etc/redis/redis-queue.conf

Configuring each instance

# /etc/redis/redis-cache.conf
port 6379
pidfile /var/run/redis/redis-cache.pid
logfile /var/log/redis/redis-cache.log
dir /var/lib/redis-cache
dbfilename dump-cache.rdb
# /etc/redis/redis-session.conf
port 6380
pidfile /var/run/redis/redis-session.pid
logfile /var/log/redis/redis-session.log
dir /var/lib/redis-session
dbfilename dump-session.rdb
# /etc/redis/redis-queue.conf
port 6381
pidfile /var/run/redis/redis-queue.pid
logfile /var/log/redis/redis-queue.log
dir /var/lib/redis-queue
dbfilename dump-queue.rdb

Systemd services for each instance

# /etc/systemd/system/redis-cache.service
[Unit]
Description=Redis Cache Instance
After=network.target
[Service]
ExecStart=/usr/bin/redis-server /etc/redis/redis-cache.conf
ExecStop=/usr/bin/redis-cli -p 6379 shutdown
Restart=always
User=redis
Group=redis
[Install]
WantedBy=multi-user.target

# Activating services
sudo systemctl daemon-reload
sudo systemctl enable redis-cache redis-session redis-queue
sudo systemctl start redis-cache redis-session redis-queue
# Verification
sudo systemctl status redis-cache
redis-cli -p 6379 ping  # cache
redis-cli -p 6380 ping  # session
redis-cli -p 6381 ping  # queue

Typical Redis use cases

Redis has long outgrown simple caching. Here's what it's used for.

1. Caching (classic)

Storing results of heavy queries, API responses, rendered pages. Reduces main database load by 70-90%.

# Python caching example
import redis
import json
r = redis.Redis(host='localhost', port=6379)
def get_user(user_id):
    # Try to get from cache
    cached = r.get(f"user:{user_id}")
    if cached:
        return json.loads(cached)
    
    # If not found — query database (use parameterized queries!)
    user = db.query("SELECT * FROM users WHERE id = %s", (user_id,))
    
    # Save to cache for 1 hour
    r.setex(f"user:{user_id}", 3600, json.dumps(user))
    return user

2. User sessions

100+ times faster than file-based sessions. Perfect for distributed systems with multiple servers.

3. Rate Limiting

Limiting request count — API abuse protection.

# Rate limiter: 100 requests per minute
def is_rate_limited(user_ip):
    key = f"rate:{user_ip}"
    current = r.incr(key)
    
    if current == 1:
        r.expire(key, 60)  # TTL 60 seconds
    
    return current > 100

4. Real-time leaderboards

Sorted Sets — the perfect structure for rankings with instant updates.

# Update player score
r.zadd("leaderboard:game1", {"player123": 5000})
# Top 10 players
top10 = r.zrevrange("leaderboard:game1", 0, 9, withscores=True)
# Specific player's rank
rank = r.zrevrank("leaderboard:game1", "player123")

5. Pub/Sub and message queues

Real-time communication between services, chats, notifications.

6. AI/ML: Vector Search (Redis 8+)

New trend 2025-2026 — Redis as a vector database for AI applications.

# Semantic caching for LLM
# Instead of exact match — search for semantically similar queries
# Up to 30% savings on OpenAI/Claude API calls
# Vector Sets in Redis 8 (syntax may change)
VADD embeddings doc1 VECTOR [0.1, 0.2, 0.3, ...]
VSIM embeddings VECTOR [0.15, 0.22, 0.28, ...] COUNT 5

7. Geolocation

Finding nearest objects — restaurants, taxis, stores.

# Add location
r.geoadd("restaurants", 30.5234, 50.4501, "restaurant:1")
# Find restaurants within 5 km radius
nearby = r.georadius("restaurants", 30.52, 50.45, 5, unit="km")

Client libraries: connecting to Redis

Connection examples for popular programming languages.

Python (redis-py)

import redis
# Basic connection
r = redis.Redis(host='localhost', port=6379, db=0)
# With password (ACL)
r = redis.Redis(
    host='localhost',
    port=6379,
    username='webapp',
    password='W3bAppP@ss'
)
# With TLS
r = redis.Redis(
    host='redis.example.com',
    port=6379,
    ssl=True,
    ssl_certfile='/path/to/client.crt',
    ssl_keyfile='/path/to/client.key',
    ssl_ca_certs='/path/to/ca.crt'
)
# Connection Pool (recommended for production)
pool = redis.ConnectionPool(
    host='localhost',
    port=6379,
    max_connections=50
)
r = redis.Redis(connection_pool=pool)

PHP (Predis / phpredis)

// Predis
$client = new Predis\Client([
    'scheme' => 'tcp',
    'host'   => '127.0.0.1',
    'port'   => 6379,
    'password' => 'your_password'
]);
// With TLS
$client = new Predis\Client([
    'scheme' => 'tls',
    'host'   => 'redis.example.com',
    'port'   => 6379,
    'ssl'    => ['verify_peer' => true]
]);
// phpredis extension (faster)
$redis = new Redis();
$redis->connect('127.0.0.1', 6379);
$redis->auth(['webapp', 'W3bAppP@ss']); // ACL username + password

Node.js (ioredis)

const Redis = require('ioredis');
// Basic connection
const redis = new Redis({
    host: 'localhost',
    port: 6379
});
// With ACL
const redis = new Redis({
    host: 'localhost',
    port: 6379,
    username: 'webapp',
    password: 'W3bAppP@ss'
});
// With TLS
const redis = new Redis({
    host: 'redis.example.com',
    port: 6379,
    tls: {
        cert: fs.readFileSync('/path/to/client.crt'),
        key: fs.readFileSync('/path/to/client.key'),
        ca: fs.readFileSync('/path/to/ca.crt')
    }
});
// Cluster mode
const cluster = new Redis.Cluster([
    { host: 'node1', port: 6379 },
    { host: 'node2', port: 6379 },
    { host: 'node3', port: 6379 }
]);

Go (go-redis)

import "github.com/redis/go-redis/v9"
// Basic connection
rdb := redis.NewClient(&redis.Options{
    Addr:     "localhost:6379",
    Username: "webapp",
    Password: "W3bAppP@ss",
    DB:       0,
})
// With TLS
rdb := redis.NewClient(&redis.Options{
    Addr:     "redis.example.com:6379",
    TLSConfig: &tls.Config{
        MinVersion: tls.VersionTLS12,
    },
})

Redis Monitoring

Redis CLI: basic diagnostics

# Connect
redis-cli -h localhost -p 6379
# Check connection
PING
# Response: PONG
# Full server information
INFO
# Memory only
INFO memory
# Clients only
INFO clients
# Command statistics
INFO commandstats

Key metrics to monitor

Slow Log: find slow commands

# redis.conf — log commands slower than 10ms
slowlog-log-slower-than 10000
slowlog-max-len 128
# View slow log
redis-cli SLOWLOG GET 10

Redis Insight: GUI for monitoring

Free tool from Redis for visual monitoring, data browsing, and debugging.

Troubleshooting: common Redis port problems

Connection refused

Redis is not running or listening on a different port/interface.

# Check if Redis is running
sudo systemctl status redis
# Check which port it's listening on
sudo netstat -tlnp | grep redis
# Check bind in configuration
grep "^bind" /etc/redis/redis.conf

DENIED Redis is running in protected mode

Redis rejects connections from external IPs without a password.

Solution: Configure ACL or bind to a specific IP.

NOAUTH Authentication required

Redis requires authentication but the client didn't provide a password.

# Connect with password
redis-cli -a 'your_password'
# Or with ACL username
redis-cli --user webapp --pass 'W3bAppP@ss'

Address already in use (port occupied)

Another process is already using port 6379.

# Find process on port
sudo lsof -i :6379
# Or
sudo fuser 6379/tcp
# Terminate process
sudo kill -9 <PID>

Can't connect through firewall

Firewall is blocking connections to Redis port.

# UFW status
sudo ufw status verbose
# Allow port
sudo ufw allow from 10.0.0.0/24 to any port 6379
# iptables check
sudo iptables -L -n | grep 6379

TLS handshake failed

Problem with certificates or TLS configuration.

# Check certificates
openssl x509 -in /etc/redis/tls/redis.crt -text -noout
# Check connection
openssl s_client -connect localhost:6379
# Make sure redis.conf has correct paths
grep "tls-" /etc/redis/redis.conf

Production Checklist: Redis 2026

Use this checklist before deploying Redis to production.

🔐 Security

• ☐ bind configured for specific IPs (not 0.0.0.0)
• ☐ protected-mode yes
• ☐ ACL configured, default user disabled
• ☐ TLS enabled for external connections
• ☐ Firewall blocks port 6379 from outside
• ☐ Dangerous commands renamed or disabled
• ☐ Strong passwords (min. 32 characters)

💾 Memory and persistence

• ☐ maxmemory set (no more than 70-80% of server RAM)
• ☐ maxmemory-policy configured (volatile-lru for cache)
• ☐ RDB or AOF configured for persistence
• ☐ Backup script runs daily

📊 Monitoring

• ☐ Alerts for memory usage > 80%
• ☐ Alerts for evicted keys > 0
• ☐ Slow log enabled
• ☐ Metrics exported to monitoring system

🚀 Performance

• ☐ tcp-keepalive 300
• ☐ Connection pooling in clients
• ☐ Pipelining for batch operations
• ☐ Large keys split (avoid > 10MB values)

🔄 High Availability

• ☐ Replication configured (min. 1 replica)
• ☐ Sentinel or Cluster mode for automatic failover
• ☐ Failover test passed

FAQ: Common questions about Redis ports

What port does Redis use by default?

Redis uses port 6379 for client connections. Additionally: 16379 for cluster bus (communication between cluster nodes) and 26379 for Sentinel (monitoring and failover).

Is it safe to leave Redis on port 6379?

Port 6379 itself isn't the problem. The problem is open access without authentication. If you have ACL, TLS, firewall, and bind configured to localhost or private IP — port 6379 is completely safe.

How do I change the Redis port?

Edit redis.conf, change the port 6379 value to your desired port (for example, 6380), restart Redis, and update firewall and all client connections.

Is TLS necessary for Redis?

Mandatory — if traffic goes over a public network or between different servers. Optional — if Redis and client are on the same server (localhost). Redis 6+ supports native TLS without stunnel.

Which is better: requirepass or ACL?

ACL (Redis 6+) is always better. It allows creating different users with different permissions — one for reading, another for writing, a third for administration. requirepass is one password for everyone, without granular control.

How many Redis instances can run on one server?

As many as you want, if you have enough RAM. Each instance needs its own port (6379, 6380, 6381...), configuration file, PID file, and data directory. Practically, 3-5 instances per server is a typical configuration.

What to do if Redis won't start — "Address already in use"?

The port is already occupied by another process. Find it with sudo lsof -i :6379 and either terminate the process or change Redis to a different port.

How do I find out which port Redis is running on?

Several ways:

• redis-cli INFO server | grep tcp_port
• sudo netstat -tlnp | grep redis
• grep "^port" /etc/redis/redis.conf