Redis service publicly accessible

Classification:

attack

Tactic:

TA0001-initial-access

Technique:

T1133-external-remote-services

Cette page n'est pas encore disponible en français, sa traduction est en cours.
Si vous avez des questions ou des retours sur notre projet de traduction actuel, n'hésitez pas à nous contacter.

Goal

Detect when multiple external connections are made to the port for Redis (6379).

Strategy

Production instances of Redis should not be publicly accessible. Incoming connections from multiple public IP addresses indicate an exposed instance.

Triage and response

  1. Review all events for connections from unexpected IP addresses.
  2. Move the Redis service to a private network.
  3. Review Related Signals and relevant logs for additional malicious activity.

This detection is based on data from Network Performance Monitoring.