A little while ago, I read a post about the insecurity of Redis. It was mainly about the fact that most Redis installations are wide open to the outside world, without any authentication.
When I read that, I immediately looked at our servers, and it turned out that some of them had the same problem: Redis was open to the outside world.
The root problem is that a default Redis install is insecure: it listens on every network interface, nothing blocks outside traffic, and nothing pushes you to set a password (the requirepass directive, which is what the AUTH command checks). Newer Redis releases add a "protected mode" that refuses remote clients when neither a bind address nor a password is configured, but you should not rely on that; set the bind address yourself.
Making it secure is simple: bind Redis to 127.0.0.1 instead of to every interface. That is enough when only processes on the same machine need to talk to Redis; if clients on other hosts must reach it, bind it to a private interface instead, set requirepass, and firewall port 6379 as well.
Is my installation insecure?
It's easy to find out. From a machine outside your network, run the following command:
$ telnet your_ip 6379
If the connection is accepted and you see the following text, your server is reachable from the outside:
Trying your_ip...
Connected to your_ip.
Escape character is '^]'.
To confirm that there is no password either, type PING and press Enter: a reply of +PONG means anyone who can reach the port can run commands, while -NOAUTH Authentication required. means a password is at least configured.
Steps to make your installation secure
- Go to
- Open the config file
$ vi 6379.conf
- Find the line
# bind 127.0.0.1
Uncomment that line (so it reads bind 127.0.0.1), and save the file
- Restart your Redis service so the new bind address takes effect
$ /etc/init.d/redis_6379 restart
- Repeat the telnet test from outside; the connection should now be refused
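The check and the fix above, put together as one script. This is an added example, not code from the original post: redis_probe sends PING over a raw TCP connection and classify_reply turns the first reply line into a verdict (it goes a little beyond the post by also recognising the -NOAUTH and -DENIED replies); audit_config reads a Redis config file and reports the effective bind address and whether requirepass is set; fix_bind applies the post's change, uncommenting # bind 127.0.0.1, and additionally rewrites an explicit all-interfaces bind such as bind 0.0.0.0. The function names, the host argument and the sample config contents are assumptions made for the example; redis_probe needs bash (it uses /dev/tcp), and the script restarts nothing, so the restart step is still yours.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): check whether a Redis instance answers
# unauthenticated commands, audit its config file, and apply the bind fix.
# Assumptions: bash for redis_probe (/dev/tcp and read -t); the config path, the
# host argument and the sample config below are constructed for this example.

# Connect to host:port, send PING, print the first reply line (CR stripped).
# Prints CONNECT_FAILED when the port cannot be reached or nothing comes back.
# Run it from OUTSIDE the server: "open to the world" is about the remote view.
redis_probe() {
  local host=$1 port=${2:-6379} reply=""
  if ! { printf 'PING\r\n' >&3; IFS= read -r -t 3 reply <&3; } 2>/dev/null 3<>"/dev/tcp/$host/$port"; then
    [ -n "$reply" ] || reply=CONNECT_FAILED
  fi
  printf '%s\n' "$reply" | tr -d '\r'
}

# Turn the reply line into a verdict. Redis answers PING with +PONG when no
# password is required, -NOAUTH when requirepass is set, and -DENIED when
# protected mode (Redis 3.2+) rejects an unauthenticated remote client.
classify_reply() {
  case $1 in
    +PONG*)         echo "OPEN: no password, anyone who can reach the port can run commands" ;;
    -NOAUTH*)       echo "AUTH: reachable, but requirepass is set" ;;
    -DENIED*)       echo "PROTECTED: Redis 3.2+ protected mode rejected the remote client" ;;
    CONNECT_FAILED) echo "CLOSED: connection refused, filtered, or no reply" ;;
    *)              echo "UNKNOWN reply: $1" ;;
  esac
}

# Audit a redis.conf: only active (uncommented) directives count, last one wins.
# Returns 0 when every bound address is loopback, 1 otherwise.
audit_config() {
  local conf=$1 bind pass status=0 addr loopback=1
  bind=$(grep -E '^[[:space:]]*bind[[:space:]]' "$conf" | tail -n 1)
  pass=$(grep -E '^[[:space:]]*requirepass[[:space:]]' "$conf" | tail -n 1)
  if [ -z "$bind" ]; then
    echo "bind: none (Redis accepts connections on every interface)"; status=1
  else
    set -- $bind; shift            # drop the "bind" keyword, keep the address list
    for addr in "$@"; do
      case $addr in 127.0.0.1|::1|-::1) ;; *) loopback=0 ;; esac
    done
    if [ "$loopback" -eq 1 ]; then
      echo "bind: $bind (loopback only)"
    else
      echo "bind: $bind (reachable from other hosts; needs requirepass plus a firewall)"; status=1
    fi
  fi
  if [ -z "$pass" ]; then echo "requirepass: not set (no AUTH needed once connected)"
  else echo "requirepass: set"; fi
  return $status
}

# Apply the fix: uncomment "# bind 127.0.0.1", rewrite any active bind line to
# loopback (stricter than the post, which only uncomments), and append one if
# the file has no bind line at all. Writes via a temp file so any sed will do.
fix_bind() {
  local conf=$1
  sed -e 's/^#[[:space:]]*bind[[:space:]]\{1,\}127\.0\.0\.1[[:space:]]*$/bind 127.0.0.1/' \
      -e 's/^[[:space:]]*bind[[:space:]].*$/bind 127.0.0.1/' "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf"
  grep -Eq '^[[:space:]]*bind[[:space:]]' "$conf" || echo 'bind 127.0.0.1' >> "$conf"
}

# Constructed sample in the shape of the post's 6379.conf (not a real server's file).
write_sample_conf() {
  cat > "$1" <<'EOF'
port 6379
# bind 127.0.0.1
# requirepass foobared
daemonize yes
EOF
}

# Offline demo: audit the sample, fix it, audit again. With a host argument,
# also probe that host over the network (bash only). Usage: ./redis_check.sh [host] [port]
main() {
  local tmp r
  tmp=$(mktemp) && write_sample_conf "$tmp"
  echo "== before =="; audit_config "$tmp" || true
  fix_bind "$tmp"
  echo "== after ==";  audit_config "$tmp" && echo "now restart Redis so the new bind takes effect"
  rm -f "$tmp"
  if [ $# -gt 0 ]; then
    r=$(redis_probe "$1" "${2:-6379}")
    echo "$1: $r -> $(classify_reply "$r")"
  fi
}
main "$@"
```

fix_bind is deliberately narrower than a general editor: it touches only the bind directive, and it is only the right change when every Redis client runs on the same host; for a shared instance, bind to the private interface and set requirepass instead.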