Exposed Redis (Port 6379)
detect, harden, and verify closure

Cloud security group rule too broad

An AWS security group, Azure NSG, GCP firewall rule, or DigitalOcean firewall opens TCP 6379 to 0.0.0.0/0 during a Terraform run, a migration, a debug session, a vendor handoff, or a recovery exercise. The rule is never narrowed, and a public Redis listener persists across image rebuilds, autoscaling events, Sentinel failover, replica promotion, and account migrations. Managed offerings (ElastiCache, MemoryDB, Azure Cache for Redis, Memorystore) inherit the deployment defaults of whoever provisioned them, including peering routes that reach the wrong VPC.

requirepass and AUTH ACL unset

redis-server is started with no requirepass directive, no ACL user definitions, and protected-mode left at the legacy default that turns off when a non-loopback bind is configured. Docker quickstart images, Helm chart defaults, vendor appliances, and bare apt-get installs all ship without an authentication step. The first client connecting becomes a de facto admin. AUTH ACL was added in Redis 6 but is rarely configured beyond the default user, so leavers, rotated services, and rotated humans share the same credential.

bind set to 0.0.0.0 by default

Older Redis defaults bound to 0.0.0.0, and self-hosted deployments still inherit that pattern through legacy redis.conf files, Compose files, Helm chart values, vendor templates, and home-grown installs. Modern builds default to 127.0.0.1, but a single bind line in redis.conf or a single REDIS_PASSWORD-less environment variable in a Compose file restores the broad bind quickly. Sentinel and Cluster bus traffic on TCP 16379 and 26379 is frequently left open even when the data port is narrowed.

Outdated Redis build

Long-lived virtual machines, frozen container images, vendor-distributed appliances, and home-grown installs run a Redis release several years behind the upstream support window. End-of-life branches receive no security backports, and recent CVEs (including the Lua sandbox escape class, the LUA_SHIPPED expression evaluation flaws, the integer-overflow class in the HyperLogLog implementation, and the MODULE LOAD memory-corruption advisories) turn aged builds into immediate exposure events. Long-lived persistent storage means flushing the instance does not flush the version.

Dangerous commands left enabled

CONFIG, DEBUG, MODULE, SLAVEOF, REPLICAOF, EVAL, EVALSHA, FUNCTION, FLUSHALL, FLUSHDB, KEYS, BGSAVE, and BGREWRITEAOF remain available to any authenticated caller. Operators rarely use rename-command to disable or rename these in production, and the default user in AUTH ACL inherits +@all in the legacy quickstart. The CONFIG SET dir + dbfilename + SET + BGSAVE chain alone is sufficient for unauthenticated remote code execution on a host that runs Redis as a privileged user.

No TLS for client or replication traffic

Redis added TLS support in 6.0, but many deployments still serve plaintext on 6379 and replicate plaintext between primary and replica. Credentials, session tokens, application secrets, and customer data traverse the network in the clear. A passive observer on a shared VPC, a misrouted internal load balancer, a mirrored switch port, or a compromised hop reads the entire workload without ever needing to brute-force AUTH.

Automated detection

• SecPortal's external scanner port-scan module probes TCP 6379 across every verified domain and host in scope, sends a PING probe to confirm the responding service is Redis, and raises a critical-severity finding under the rule that database and cache services should never be directly exposed to the internet. The Sentinel and Cluster bus ports on 16379 and 26379 are covered by the same sweep.
• Continuous monitoring re-runs the external scan on a schedule, so a security-group edit, a Terraform apply, a Sentinel failover, an autoscale event, a managed-cache public-endpoint flag, or a recovered backup host that re-exposes 6379 reopens the finding rather than leaving the regression invisible until the next audit cycle.
• Bulk import accepts Nessus, Burp, and CSV output from network-tier scanners and from Shodan and Censys exports that already list exposed Redis listeners, so the catalogue stays centralised even when a third-party tool is the original discovery source.

Manual verification

• Use nmap -p 6379,16379,26379 with service detection (-sV) and the redis-info script against the external range to confirm the listener, the engine version, the role (master or replica), and whether AUTH is required.
• Run redis-cli -h target -p 6379 PING against each reachable listener. A +PONG without an AUTH challenge is the definitive signal of an unauthenticated listener. Follow with INFO server, INFO replication, CLIENT LIST, and CONFIG GET dir to read the build identifier, the replication topology, and the persistence path.
• Cross-reference the Redis build banner against the Redis release notes, the Redis security advisory page, and the CISA Known Exploited Vulnerabilities catalogue to identify whether any unpatched Redis CVE is present, including the Lua sandbox escape class and the MODULE LOAD memory-corruption advisories.
• Check Shodan and Censys for the organisation's netblocks and known hostnames to see whether external observatories already list exposed Redis instances and the banners they advertise, then reconcile that list against the verified-domain inventory inside the workspace.

Surface every Redis listener on one finding record

External scanning and bulk import land every exposed-Redis detection on the findings management record with CVSS, the discovered host, the captured PING response, the build identifier, the replication role, the scan timestamp, and the named owner so the catalogue is a single source of truth rather than a Shodan tab, a spreadsheet, and a Slack thread.

Inspect configuration drift through authenticated scans

Where the team has authorisation, the authenticated scanning path reads the responding service in more detail and pairs the result with the per-host hardening record. Credentials for authenticated runs live in encrypted credential storage scoped to a verified domain so the same Redis AUTH secret is not copied across spreadsheets, chat threads, and pull-request bodies.

Run remediation as a tracked workflow

Each finding flows through the remediation tracking workflow with severity, target close date, named owner, and the agreed compensating control (for example, an inbound source allowlist while the PrivateLink endpoint is provisioned, or a temporary firewall rule while AUTH ACL is stood up). Permanent exceptions enter the eight-field exception register with a named approver, a rationale, an effective period, and a renewal cadence.

Verify the fix with retest

Once the firewall rule, security-group edit, redis.conf change, host retirement, or migration to a managed-cache private endpoint completes, the retesting workflow re-runs the external scan, confirms the listener is gone or that the responding service now requires AUTH on a private interface, and stamps the closure with timestamped evidence rather than a verbal sign-off in a stand-up.

Catch regressions through continuous monitoring

Scheduled continuous monitoring re-scans of verified domains reopen the finding if Redis returns to the public internet, if the banner drops back to an end-of-life build, or if a new cloud account joins the estate with an open 6379. A Terraform apply, a Sentinel failover, an autoscaler refresh, or a recovered backup image does not silently reintroduce the exposure.

Pair with the broader exposure catalogue

Exposed Redis rarely shows up alone. The same host frequently exposes SSH misconfiguration, default credentials, cloud bucket misconfiguration, or sensitive data exposure. Treating Redis exposure as one finding inside a host-level posture review keeps the queue ordered against real residual risk rather than chasing isolated ports one at a time.

Carry the audit trail through closure

The activity log records who opened, scoped, remediated, and verified each exposed-Redis finding, so the next ISO 27001, SOC 2, PCI DSS, HIPAA, or cyber-insurance review reads the operating evidence from the record rather than from reconstructed memory, archived ticket exports, or screenshots taken weeks after the fact. The same record drives compliance tracking across the framework crosswalk.

Communicate posture in leadership language

When cache exposure sits inside a broader programme review, the Claude-drafted AI report composes a leadership-ready narrative from the open and closed findings, the remediation cadence, and the linked compliance evidence. The same record drives security leadership reporting without rebuilding the slide deck by hand each quarter.

Self-hosted Redis on cloud VMs

EC2, Compute Engine, Azure VM, and DigitalOcean droplet deployments of community-edition Redis make up the bulk of historic exposure events. Replace standing 0.0.0.0/0 security-group rules with private subnets, security-group source restrictions to application tiers, and managed bastion access for human operators. Move long-lived production workloads onto ElastiCache, MemoryDB, Azure Cache for Redis, or Memorystore where the network boundary is built in. Disable MODULE LOAD on every self-hosted instance unless a vetted module is required.

Managed Redis with permissive access

ElastiCache, MemoryDB, Azure Cache for Redis, Memorystore, Redis Enterprise Cloud, and Upstash all inherit the deployment defaults of whoever provisioned them. A public-access flag, a project-wide read role granted by accident, an unrotated programmatic API key, or a peering route that reaches the wrong VPC creates the same exposure pattern as a self-hosted listener. Bind every cluster to PrivateLink or VPC peering, enforce AUTH ACL with per-service ACL users, rotate access tokens quarterly, and use the managed service audit log as the source of truth for who connected when.

Containerised Redis in dev, test, and CI

Dockerised Redis instances inherit the official image defaults, environment-variable initialisation, and quickstart Compose files. A misrouted bridge network, a kubectl port-forward left running, an exposed service of type LoadBalancer, or an ingress-controller rule that catches more traffic than intended reopens 6379 quickly. Bake requirepass and AUTH ACL into the Helm chart, default to bind 127.0.0.1 in dev compositions, set protected-mode yes, and treat any LoadBalancer service for a cache as a finding to triage.

Legacy Redis on aged builds

Long-lived virtual machines, vendor-distributed appliances, customer-managed instances at acquired companies, and home-grown installs run a Redis release several years behind the upstream support window. End-of-life branches receive no security backports. Track these hosts on the finding record with the build identifier, the maintainer contact, and the upgrade path. Where the host cannot be upgraded immediately, isolate it behind a managed network access boundary, disable MODULE LOAD and the Lua-related commands outright, and document the residual risk decision in the exception register.