by mikecmpbll 3870 days ago
Just been hacked through this method and cannot believe how redis can ship with such ridiculously insecure defaults, and that they don't even MENTION the security concerns from the quickstart guide, which is what the majority of people would use to get redis installed and set up.

http://redis.io/topics/quickstart

Unbelievable.

2 comments

> such ridiculously insecure defaults

Like having port 6379 be open to anyone who happens to wander by? Your firewall was horribly configured and you got burned, take this as a learning opportunity to fix your mistakes.

Exactly, but one wrong doesn't excuse another. Just because I didn't have my firewall configured correctly doesn't mean software that I use should a) have insecure defaults and b) not make a song and dance about them on the page designed to get you up and running with it.
> Just been hacked through this method and cannot believe ... that they don't even MENTION the security concerns from the quickstart guide
>
> http://redis.io/topics/quickstart

??

Like the 'Securing Redis' section from that link?

Securing Redis

==============

By default Redis binds to all the interfaces and has no authentication at all. ...

1) Make sure the port Redis uses to listen for connections is firewalled...

2) Use a configuration file where the bind directive is set ... [to] as little network interfaces you are using...

3) Use the requirepass option ...

4) Use spiped or another SSL tunnelling software...

antirez added that section after I mentioned that it was lacking in the comments section of this article; see http://www.antirez.com/news/96#comment-2351969000
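As an added example that is not from the thread or the Redis project: a small POSIX shell audit of a redis.conf against the points in the quoted "Securing Redis" section (bind, requirepass, and the 6379 firewall reminder). It assumes the pre-protected-mode semantics the section describes (no bind line means every interface), one directive per line, and that the last active occurrence of a directive wins; the 32-character password threshold is a heuristic of mine, not a Redis rule.

```shell
#!/bin/sh
# Added example, not from the thread or the Redis project: audit a redis.conf
# for the insecure defaults the quoted "Securing Redis" section lists.
# Assumptions: no "bind" line means all interfaces (pre-protected-mode Redis),
# directives are one per line, last active occurrence of a directive wins.

# conf_value FILE DIRECTIVE: value of the last uncommented DIRECTIVE line, or empty.
conf_value() {
    grep -E "^[[:space:]]*$2[[:space:]]+" "$1" | tail -n 1 |
        sed -E "s/^[[:space:]]*$2[[:space:]]+//; s/[[:space:]]+\$//"
}

# redis_conf_findings FILE: print one "FINDING: ..." line per problem found.
redis_conf_findings() {
    bind=$(conf_value "$1" bind)
    pass=$(conf_value "$1" requirepass)
    port=$(conf_value "$1" port)
    if [ -z "$bind" ]; then
        echo "FINDING: no bind directive, Redis listens on every interface"
    else
        case " $bind " in
            *' 0.0.0.0 '*|*' * '*) echo "FINDING: bind contains a wildcard ($bind)" ;;
        esac
    fi
    if [ -z "$pass" ]; then
        echo "FINDING: no requirepass, anyone who reaches the port has full access"
    elif [ "${#pass}" -lt 32 ]; then
        # Heuristic threshold (assumption, not a Redis rule): Redis answers fast
        # enough that a short password can be guessed online.
        echo "FINDING: requirepass is only ${#pass} characters"
    fi
    if [ "${port:-6379}" = 6379 ]; then
        echo "FINDING: default port 6379 in use, confirm the host firewall blocks it externally"
    fi
}

# Constructed sample configs: a shipped-default style file and a hardened one.
default_conf=$(mktemp); hardened_conf=$(mktemp)
trap 'rm -f "$default_conf" "$hardened_conf"' EXIT
printf '# bind 127.0.0.1\nport 6379\n# requirepass foobared\n' > "$default_conf"
printf 'bind 127.0.0.1\nport 6380\nrequirepass %s\n' \
    'c0nstructed-example-passphrase-0123456789abcdef' > "$hardened_conf"

echo "== default-style config =="; redis_conf_findings "$default_conf"
echo "== hardened config ==";      redis_conf_findings "$hardened_conf"
```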