Make sure Redis is secure

A little while ago, I read a post about the insecurity of Redis. It was mainly about the fact that most Redis installation or totally open to the outside world, without any authentication.

When I read that, I immediately looked at our servers, and it turned out, some of them had the same problem. Redis was open for the outside world.

The main problem is that by default Redis is insecure, they don't block outside traffic, and they don't urge you to set up AUTH for your installation.

It's very simple to make sure you are secure. All you have to do is to bind the listen IP to 127.0.0.1 instead of the outside world!

Is my installation insecure?

It's easy to find out! You can do so by running the following command:
$ telnet your_ip 6379

If you see the following text, your server is insecure!

Trying your_ip...  
Connected to your_ip.  
Escape character is '^]'.  

Steps to make your installation secure

  1. Go to /etc/redis/
  2. Open the config file $ vi 6379.conf
  3. Find the line # bind 127.0.0.1 Uncomment that line, and save the file
  4. Restart your redis service $ /etc/init.d/redis_6379 restart

I hope this post allowed you to improve the security of your Redis server. If you have any questions, you can ping me on Twitter (@jvanbaarsen) or by
email (jeroen@firmhouse.com)