Vulnerability: Redis Server Unprotected by Password Authentication
Severity: High
Description: The Redis server on the remote host accepts commands without any authentication. Anyone who can reach the Redis port can read, modify or delete all stored data and run administrative commands such as CONFIG SET and FLUSHALL; depending on the host configuration this can be escalated to writing files on the server.
Solution: Set a strong password with the requirepass directive in redis.conf and restart Redis. Treat this as a minimum: Redis enforces no lockout or rate limit on AUTH, so the password must be long and random, and the server should also be bound to trusted interfaces only (bind directive, protected-mode yes) rather than exposed to the network.
Steps
Log in to the server using SSH (PuTTY can be used from a Windows workstation).
Verify that Redis is running and confirm the finding by sending an unauthenticated ping:
redis-cli ping
A reply of PONG without having issued AUTH confirms that the server is unprotected.
Open the Redis configuration file for editing:
nano /etc/redis/redis.conf
If the file is not found at that path, check
/etc/redis.conf
If it is not there either, search the filesystem for it (locate only knows about files in its database, so run updatedb first if it returns nothing; the current working directory does not matter):
locate redis.conf
Because the server is currently unauthenticated, the output of redis-cli INFO server also names the loaded file in its config_file field.
Configure a Redis password:
With the file open in nano, scroll to the SECURITY section and look for the commented-out directive:
# requirepass foobared
If you cannot find it by scrolling, use CTRL+W to search for
requirepass
Uncomment the line and replace foobared with a password of your own. Use a long, randomly generated value (32 characters or more): the stock redis.conf warns that an attacker can attempt on the order of 150k passwords per second against Redis, so a short or dictionary word offers little protection. The result should look like
requirepass passwordofyourchoice2021
(the value shown is only a placeholder for the layout of the line; do not use it). Redis 6 and later treat requirepass as the password of the default ACL user, so the directive still works there.
Save the config file and exit.
Restart redis-server so the change takes effect:
sudo service redis-server restart
On systemd hosts the equivalent is systemctl restart redis-server; on RHEL/CentOS the service is named redis. Repeat the redis-cli ping check from the first step: it must now fail with NOAUTH Authentication required, and succeed only after AUTH with the new password.
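The Linux procedure above, as an added example (this script is not part of the original guide and is not Redis project code): a Bash script that generates a high-entropy password, enables requirepass in a redis.conf while keeping the file's owner and mode, checks that the directive is active and not the foobared placeholder, and, after the service restart, verifies against the live server that unauthenticated commands are refused. It assumes bash, awk, base64 and /dev/urandom are available and that the config path is passed as the first argument; the function names and the sample configuration lines used in its checks are this example's own.

```bash
#!/usr/bin/env bash
# Added example, not part of the original remediation guide: harden a
# redis.conf by enabling requirepass with a generated high-entropy password,
# then verify both the file and (when redis-cli is present) the live server.
# Assumptions: bash, awk, base64 and /dev/urandom are available; the config
# path is given on the command line; function names are this example's own.
set -euo pipefail

# 48 random characters from [A-Za-z0-9_-]. Redis applies no lockout or rate
# limit to AUTH, and the stock redis.conf warns that an attacker can try on
# the order of 150k passwords per second, so a short or guessable value
# (like the 'foobared' placeholder) is not acceptable. The restricted
# alphabet also means the value needs no quoting in redis.conf and is safe
# to pass through awk -v below.
gen_password() {
    head -c 36 /dev/urandom | base64 | tr -d '\n=' | tr '+/' '-_'
}

# Exit 0 only if the file has an active (uncommented) requirepass with a
# non-empty value that is not the sample default.
check_requirepass() {
    local conf="$1"
    grep -Eq '^[[:space:]]*requirepass[[:space:]]+[^[:space:]#]' "$conf" &&
        ! grep -Eq '^[[:space:]]*requirepass[[:space:]]+foobared([[:space:]]|$)' "$conf"
}

# Replace the first commented-out or active requirepass line in place (so it
# stays in the SECURITY section), drop any duplicates, and append the
# directive if the file never had one. Writing through cat keeps the file's
# owner and mode, which the redis user relies on to read it.
set_requirepass() {
    local conf="$1" pw="$2" tmp
    tmp="$(mktemp)"
    awk -v pw="$pw" '
        /^[[:space:]]*#?[[:space:]]*requirepass([[:space:]]|$)/ {
            if (!done) { print "requirepass " pw; done = 1 }
            next
        }
        { print }
        END { if (!done) print "requirepass " pw }
    ' "$conf" > "$tmp"
    cat "$tmp" > "$conf"
    rm -f "$tmp"
}

# Live check to run after restarting redis-server: an unauthenticated PING
# must be refused with NOAUTH and an authenticated one must answer PONG.
# REDISCLI_AUTH keeps the password out of the process list, unlike -a.
verify_auth() {
    local pw="$1" unauth auth
    if ! command -v redis-cli >/dev/null 2>&1; then
        echo "redis-cli not found; skipping live check" >&2
        return 0
    fi
    unauth="$(redis-cli ping 2>&1 || true)"
    auth="$(REDISCLI_AUTH="$pw" redis-cli ping 2>&1 || true)"
    echo "unauthenticated PING -> $unauth"
    echo "authenticated PING   -> $auth"
    case "$unauth" in
        *NOAUTH*) ;;
        *) echo "FAIL: server still accepts unauthenticated commands" >&2; return 1 ;;
    esac
    [ "$auth" = "PONG" ]
}

# Usage: harden_redis_conf /etc/redis/redis.conf
# Prints the generated password once; store it in your secret store, then
# restart the service and run verify_auth "<password>".
harden_redis_conf() {
    local conf="$1" pw
    pw="$(gen_password)"
    set_requirepass "$conf" "$pw"
    check_requirepass "$conf" || { echo "FAIL: requirepass not active in $conf" >&2; return 1; }
    echo "requirepass set in $conf"
    echo "password: $pw"
}

[ "$#" -eq 0 ] || harden_redis_conf "$@"
```

Run it as root with the path of the configuration file found in the earlier step. The script deliberately does not restart the service itself, because on some systems the unit is redis-server and on others redis; restart as described above, then call verify_auth with the printed password. The unauthenticated result must read NOAUTH Authentication required; if it still says PONG, the server loaded a different configuration file than the one edited.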
For Windows (the community port of Redis for Windows; Redis itself does not officially support Windows):
Navigate to
C:\Program Files\Redis
Open the configuration file the server actually loads: redis.windows-service.conf when Redis runs as a Windows service, otherwise redis.windows.conf (older installs may name it redis.conf). If in doubt, check the path passed to the running redis-server process.
Edit the requirepass line exactly as described for Linux above: uncomment it and enter a long, randomly generated password of your choice so that it looks like
requirepass passwordofyourchoice2021
Save the config file and exit, then restart the Redis Windows service (from services.msc, or with net stop Redis followed by net start Redis; the service is named Redis by default) and confirm with redis-cli.exe ping that unauthenticated commands are now rejected with NOAUTH.