Redis service publicly accessible

Classification:

attack

Tactic:

TA0001-initial-access

Technique:

T1133-external-remote-services

This page is not yet available in Spanish. We are working on its translation.
If you have any questions or feedback about our current translation project, feel free to reach out to us!

Goal

Detect when multiple external connections are made to the port for Redis (6379).

Strategy

Production instances of Redis should not be publicly accessible. Incoming connections from multiple public IP addresses indicate an exposed instance.

Triage and response

  1. Review all events for connections from unexpected IP addresses.
  2. Move the Redis service to a private network.
  3. Review Related Signals and relevant logs for additional malicious activity.

This detection is based on data from Network Performance Monitoring.