Valtik Studios
Category: Redis | Severity: critical | 2026-04-16 | 9 min read

Redis: CONFIG GET requirepass Returns Empty

Redis deployed without authentication is one of the most exploited misconfigurations on the internet. Attackers use CONFIG SET to write SSH keys, webshells, and cron jobs for persistent remote code execution. A penetration testing reference for Redis security hardening and incident response.

The default configuration

Redis binds to all interfaces (bind 0.0.0.0) and requires no password (requirepass is empty). If port 6379 is reachable, you have full access. There's no concept of users, roles, or permissions in default Redis.

What's in a Redis instance

Redis is used as a cache, session store, message broker, and rate limiter. A typical exposed instance contains:

  • Session tokens: full session objects with user IDs, roles, and preferences
  • API cache: cached API responses containing user data
  • Rate limit counters: revealing internal rate limit thresholds
  • Job queues: Sidekiq/Bull/Celery job payloads with function arguments

From cache access to server compromise

Redis supports the CONFIG SET command, which can change server configuration at runtime. The classic attack chain:

  1. CONFIG SET dir /root/.ssh
  2. CONFIG SET dbfilename authorized_keys
  3. SET payload "\nssh-rsa AAAA...your-key...\n"
  4. BGSAVE

This writes your SSH public key into the root user's authorized_keys file. You now have SSH root access to the server.

The same technique works with cron jobs (/var/spool/cron/root) and web shells (/var/www/html/shell.php).

How we detect this

Our scanner:

  1. Connects to port 6379 and sends PING (expects PONG)
  2. Runs INFO server to get version, OS, and configuration
  3. Runs CONFIG GET requirepass to verify no password
  4. Runs DBSIZE and KEYS * (sampled) to assess data exposure
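As an added example (not the scanner's own code), steps 1 to 3 plus DBSIZE implemented over raw RESP with only the Python standard library, so both the reply parsing and the interpretation of an empty requirepass are visible. The host and port, the finding strings, and the handling of a renamed CONFIG command are assumptions made for the example.

```python
import socket

class RespError(Exception):
    """A RESP error reply (the '-' type), e.g. NOAUTH or 'unknown command'."""

def resp_encode(*args: str) -> bytes:
    # RESP array of bulk strings, the wire format redis-server reads commands in
    body = b"".join(b"$%d\r\n%s\r\n" % (len(a.encode()), a.encode()) for a in args)
    return b"*%d\r\n" % len(args) + body

def resp_decode(buf: bytes):
    # Parse one RESP reply -> (value, remaining bytes); error replies ('-') are returned, not raised
    kind, rest = buf[:1], buf[1:]
    line, _, rest = rest.partition(b"\r\n")
    if kind in (b"+", b"-"):
        return (line.decode() if kind == b"+" else RespError(line.decode())), rest
    if kind == b":":
        return int(line), rest
    if kind == b"$":  # bulk string; a negative length is a null reply
        n = int(line)
        return (None, rest) if n < 0 else (rest[:n].decode(), rest[n + 2:])
    if kind == b"*":  # array: one nested reply per element
        items = []
        for _ in range(int(line)):
            item, rest = resp_decode(rest)
            items.append(item)
        return items, rest
    raise ValueError(f"unknown RESP type {kind!r}")

def assess_requirepass(reply) -> str:
    # Classify the CONFIG GET requirepass reply; the empty-string case is the finding this page is about
    if isinstance(reply, RespError):
        if str(reply).startswith("NOAUTH"):
            return "ok: authentication required"
        if str(reply).startswith("ERR unknown command"):
            return "ok: CONFIG renamed or disabled"
        return "review: " + str(reply)
    if isinstance(reply, list) and len(reply) == 2 and reply[0] == "requirepass":
        return "critical: requirepass is empty" if reply[1] == "" else "ok: requirepass set"
    return "review: unexpected reply"

def check_redis(host: str, port: int = 6379, timeout: float = 3.0) -> dict:
    # Unauthenticated probe in the scanner's order: PING, CONFIG GET requirepass, DBSIZE
    results = {}
    with socket.create_connection((host, port), timeout=timeout) as sock:
        for name, cmd in (("ping", ("PING",)), ("requirepass", ("CONFIG", "GET", "requirepass")),
                          ("dbsize", ("DBSIZE",))):
            sock.sendall(resp_encode(*cmd))
            results[name], _ = resp_decode(sock.recv(65536))  # replies are tiny; assume one recv
    results["finding"] = assess_requirepass(results["requirepass"])
    return results
```

DBSIZE gives the scale of exposed data without listing keys, which is enough for a finding; a NOAUTH or "unknown command" error on CONFIG GET is what a hardened instance returns.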

Defense

  • Set a strong password: requirepass your-strong-password-here
  • Bind to localhost only: bind 127.0.0.1
  • Disable dangerous commands: rename-command CONFIG ""
  • Enable TLS (Redis 6+)
  • Use ACLs (Redis 6+) for per-user permissions

Tags: redis, rce, misconfiguration, penetration testing, vulnerability assessment, incident response, cloud security, research

Want us to check your Redis setup?

Our scanner detects this exact misconfiguration, plus dozens more across 38 platforms. A free website check is available, with no commitment required.