Redis listening on *:6379


(Andrew Lombardi) #1

hey guys, is there a simple way to ensure that redis is not listening outside of localhost?

whoopsie 24057  0.2  0.2  42444  2556 ?        Sl   Jan04   6:17 /usr/bin/redis-server *:6379

just got a security notice from DigitalOcean about redis being exposed to the outside world. Can we change that easily? I’m using the docker method of install


(Joe Seyfried) #2

Huh? Have you checked if this port is really reachable from the outside? On my host machine, I get

tcp        0      0 127.0.0.1:6379          0.0.0.0:*               LISTEN      26299/redis-server

while inside the docker container, there is indeed a

tcp        0      0 0.0.0.0:6379            0.0.0.0:*               LISTEN      -

(which does not matter, since Docker does not expose this port to the outside world)


(Andrew Lombardi) #3

Joe,

Yes, I can telnet to 6379 from outside.

Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp6       0      0 :::6379                 :::*                    LISTEN

(Felix Freiberger) #4

Are you using the standard Docker install, and did you base your container definition on standalone.yml?


(Andrew Lombardi) #5

Yes, I believe so. This is my config:

/var/discourse/containers# more app.yml
# this is the base templates used, you can cut it down to include less functionality per container
templates:
  - "templates/cron.template.yml"
  - "templates/postgres.template.yml"
  - "templates/redis.template.yml"
  - "templates/sshd.template.yml"
  - "templates/web.template.yml"
  - "templates/web.ssl.template.yml"

# which ports to expose?
expose:
  - "80:80"   # fwd host port 80   to container port 80 (http)
  - "2222:22" # fwd host port 2222 to container port 22 (ssh)
  - "443:443" # fwd host port 443  to container port 443 (https)
  - "6379:6379" # fwd host port 6379 to container port 6379 (redis)

params:
  # git revision to run
  version: stable

env:
  # Number of web workers, the more workers you have the more
  #  memory will be consumed.
  # On 2GB setups we recommend 3-4 workers
  # On 1GB setups we recommend 2 workers
  # Default (3)
  #
  UNICORN_WORKERS: 2
  #
  #
  # comma-separated emails
  DISCOURSE_DEVELOPER_EMAILS: ''
  # CHANGE ME to your hostname
  DISCOURSE_HOSTNAME: 'societyalumni.com'
  # SET ME to your smtp server eg mandrill
  # don't forget to set mail
  DISCOURSE_SMTP_ADDRESS:           # (mandatory)
  DISCOURSE_SMTP_PORT:                         # (optional)
  DISCOURSE_SMTP_USER_NAME:       # (optional)
  DISCOURSE_SMTP_PASSWORD:  	# (optional)

# These containers are stateless, all the data is stored in /shared
volumes:
  - volume:
      host: /var/discourse/shared/standalone
      guest: /shared

# you may use the docker manager to upgrade and monitor your docker image
# UI will be visible at http://yoursite.com/admin/docker
hooks:
  after_code:
    - exec:
        cd: $home/plugins
        cmd:
          - mkdir -p plugins
          - git clone https://github.com/discourse/docker_manager.git
          - git clone https://github.com/discourse/discourse-tagging.git

# Remember, this is YAML syntax - you can only have one block with a name
run:
  - exec: echo "Beginning of custom commands"

  ## If you want to configure password login for root, uncomment and change:
  #- exec: apt-get -y install whois # for mkpasswd
  ## Use only one of the following lines:
  #- exec: /usr/sbin/usermod -p 'PASSWORD_HASH' root
  #- exec: /usr/sbin/usermod -p "$(mkpasswd -m sha-256 'RAW_PASSWORD')" root

  ## If you want to authorize additional users, uncomment and change:
  #- exec: ssh-import-id username
  #- exec: ssh-import-id anotherusername

  - exec: echo "End of custom commands"
  - exec: awk -F\# '{print $1;}' ~/.ssh/authorized_keys | awk 'BEGIN { print "Authorized SSH keys for this container:"; } NF>=2 {print $NF;}'

(Felix Freiberger) #6

Why are you including redis in the expose section?
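The question above points straight at the cause in the posted app.yml: the Discourse launcher turns each `expose:` entry into a Docker port publish, and a bare "6379:6379" publishes on every host interface, which is why the host shows `:::6379 LISTEN` while Joe's container-internal `0.0.0.0:6379` bind is harmless on its own. The following Python script is an added example, not code from the thread or from Discourse: it parses the `expose:` block, flags internal services published to all interfaces, and returns the hardened list (entry removed, or rebound to loopback if a host-side client really needs it). The embedded sample config is constructed from the thread's app.yml; the `INTERNAL_PORTS` table and the function names are assumptions made for the example.

```python
"""Audit the `expose:` list of a Discourse launcher app.yml for services
published on all host interfaces.

Docker publishes "HOST:CONTAINER" on every host interface (0.0.0.0) unless a
host IP is given ("127.0.0.1:HOST:CONTAINER"), so a plain "6379:6379" entry
makes Redis reachable from the internet. Internal-only ports are best left out
of `expose:` entirely; a loopback rebind is the fallback when a host-side client
really needs them. (Added example; app.yml parsing is a minimal YAML subset.)
"""
import re
from dataclasses import dataclass

# Constructed sample mirroring the thread's app.yml; only the expose block matters.
SAMPLE_APP_YML = """\
templates:
  - "templates/redis.template.yml"
  - "templates/web.template.yml"

# which ports to expose?
expose:
  - "80:80"   # fwd host port 80   to container port 80 (http)
  - "2222:22" # fwd host port 2222 to container port 22 (ssh)
  - "443:443" # fwd host port 443  to container port 443 (https)
  - "6379:6379" # fwd host port 6379 to container port 6379 (redis)

params:
  version: stable
"""

# Assumed table of container ports that must never be reachable from outside.
INTERNAL_PORTS = {6379: "redis", 5432: "postgres"}

# Host-side addresses that mean "every interface" to Docker.
ALL_INTERFACES = {"", "0.0.0.0", "::"}


@dataclass(frozen=True)
class Publish:
    host_ip: str        # "" is Docker's default: bind on every interface
    host_port: int
    container_port: int
    proto: str

    def spec(self) -> str:
        """Render back into Docker -p / launcher expose syntax."""
        ip = f"{self.host_ip}:" if self.host_ip else ""
        return f"{ip}{self.host_port}:{self.container_port}/{self.proto}"


def parse_expose(yaml_text: str) -> list:
    """Return the quoted entries of the top-level `expose:` block."""
    entries, in_block = [], False
    for line in yaml_text.splitlines():
        if re.match(r"^expose:\s*(#.*)?$", line):
            in_block = True
            continue
        if in_block:
            m = re.match(r'^\s+-\s+"([^"]+)"', line)
            if m:
                entries.append(m.group(1))
            elif line.strip() and not line.startswith((" ", "\t")):
                in_block = False  # next top-level key ends the block
    return entries


def parse_publish(spec: str) -> Publish:
    """Parse Docker -p syntax: [host_ip:]host_port:container_port[/proto]."""
    body, _, proto = spec.partition("/")
    if body.startswith("["):  # bracketed IPv6 host address, e.g. [::1]:6379:6379
        host_ip, rest = body[1:].split("]:", 1)
        parts = [host_ip] + rest.split(":")
    else:
        parts = body.split(":")
    if len(parts) == 2:
        host_ip, host_port, container_port = "", parts[0], parts[1]
    elif len(parts) == 3:
        host_ip, host_port, container_port = parts
    else:
        raise ValueError(f"unsupported publish spec: {spec!r}")
    return Publish(host_ip, int(host_port), int(container_port), proto or "tcp")


def audit(specs) -> list:
    """Return (spec, service) pairs for internal services published on all interfaces."""
    findings = []
    for spec in specs:
        p = parse_publish(spec)
        service = INTERNAL_PORTS.get(p.container_port)
        if service and p.host_ip in ALL_INTERFACES:
            findings.append((spec, service))
    return findings


def harden(specs, mode="remove") -> list:
    """Drop offending entries (default) or rebind them to 127.0.0.1 (mode="loopback")."""
    out = []
    for spec in specs:
        p = parse_publish(spec)
        if p.container_port not in INTERNAL_PORTS or p.host_ip not in ALL_INTERFACES:
            out.append(spec)
        elif mode == "loopback":
            out.append(Publish("127.0.0.1", p.host_port, p.container_port, p.proto).spec())
        # mode == "remove": the entry is simply left out
    return out


if __name__ == "__main__":
    specs = parse_expose(SAMPLE_APP_YML)
    for spec, service in audit(specs):
        print(f"WARNING: {service} published on all interfaces via expose entry {spec!r}")
    print("hardened expose:", harden(specs))
```

After removing the entry and running `./launcher rebuild app`, confirm on the host with `netstat -tlnp` or `ss -ltnp` that nothing is listening on 6379 any more (or, with the loopback variant, that the only listener is `127.0.0.1:6379`); the bind you see inside the container with `docker exec` is not what matters.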


(Sam Saffron) #8

I just committed a change that breaks the sample but makes it clearer how not to expose to the public


(Andrew Lombardi) #9

Thanks @sam, that worked perfectly.