Redis service publicly accessible

Goal

Detect when multiple external connections are made to the port for Redis (6379).

Strategy

Production instances of Redis should not be publicly accessible. Incoming connections from multiple public IP addresses indicate an exposed instance.

Triage and response

  1. Review all events for connections from unexpected IP addresses.
  2. Move the Redis service to a private network.
  3. Review Related Signals and relevant logs for additional malicious activity.

This detection is based on data from Network Performance Monitoring.

PREVIEWING: may/unit-testing