Redis listening on *:6379

(Andrew Lombardi) #1

hey guys, is there a simple way to ensure that redis is not listening outside of localhost?

whoopsie 24057  0.2  0.2  42444  2556 ?        Sl   Jan04   6:17 /usr/bin/redis-server *:6379

just got a security notice from DigitalOcean about redis being exposed to the outside world. Can we change that easily? I’m using the docker method of install

(Joe Seyfried) #2

Huh? Have you checked if this port is really reachable from the outside? On my host machine, I get

tcp        0      0*               LISTEN      26299/redis-server

while inside the docker container, there is indeed a

tcp        0      0  *               LISTEN      -

(which does not matter, since Docker does not expose this port to the outside world)

(Andrew Lombardi) #3

yes, I can telnet to 6379 from external.

Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp6       0      0 :::6379                 :::*                    LISTEN

(Felix Freiberger) #4

Are you using the standard Docker install, and did you base your container definition on standalone.yml?

(Andrew Lombardi) #5

Yes, I believe so. This is my config:

/var/discourse/containers# more app.yml
# this is the base templates used, you can cut it down to include less functionality per container
  - "templates/cron.template.yml"
  - "templates/postgres.template.yml"
  - "templates/redis.template.yml"
  - "templates/sshd.template.yml"
  - "templates/web.template.yml"
  - "templates/web.ssl.template.yml"

# which ports to expose?
  - "80:80"   # fwd host port 80   to container port 80 (http)
  - "2222:22" # fwd host port 2222 to container port 22 (ssh)
  - "443:443" # fwd host port 443  to container port 443 (https)
  - "6379:6379" # fwd host port 6379 to container port 6379 (redis)

  # git revision to run
  version: stable

  # Number of web workers, the more workers you have the more
  #  memory will be consumed.
  # On 2GB setups we recommend 3-4 workers
  # On 1GB setups we recommend 2 workers
  # Default (3)
  # comma-separated emails
  # CHANGE ME to your hostname
  # SET ME to your smtp server eg mandrill
  # don't forget to set mail
  DISCOURSE_SMTP_ADDRESS:           # (mandatory)
  DISCOURSE_SMTP_PORT:                         # (optional)
  DISCOURSE_SMTP_USER_NAME:       # (optional)

# These containers are stateless, all the data is stored in /shared
  - volume:
      host: /var/discourse/shared/standalone
      guest: /shared

# you may use the docker manager to upgrade and monitor your docker image
# UI will be visible at
    - exec:
        cd: $home/plugins
          - mkdir -p plugins
          - git clone
          - git clone

# Remember, this is YAML syntax - you can only have one block with a name
  - exec: echo "Beginning of custom commands"

  ## If you want to configure password login for root, uncomment and change:
  #- exec: apt-get -y install whois # for mkpasswd
  ## Use only one of the following lines:
  #- exec: /usr/sbin/usermod -p 'PASSWORD_HASH' root
  #- exec: /usr/sbin/usermod -p "$(mkpasswd -m sha-256 'RAW_PASSWORD')" root

  ## If you want to authorize additional users, uncomment and change:
  #- exec: ssh-import-id username
  #- exec: ssh-import-id anotherusername

  - exec: echo "End of custom commands"
  - exec: awk -F\# '{print $1;}' ~/.ssh/authorized_keys | awk 'BEGIN { print "Authorized SSH keys for this container:"; } NF>=2 {print $NF;}'

(Felix Freiberger) #6

Why are you including redis in the expose section?

(Sam Saffron) #8

I just committed a change that breaks the sample but makes it clearer how not to expose it to the public

(Andrew Lombardi) #9

Thanks @sam, that worked perfectly.
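As an added example (not code from the thread or from Discourse), the check a host admin would want after this exchange: a script that audits an app.yml `expose:` block for internal-only services (redis, postgres) published on a non-loopback host address, and scans an `ss -ltn` style listing for wildcard binds on those ports. The sample config and socket listing are constructed; the `expose:` key name is assumed from the standard Discourse app.yml layout.

```python
"""Audit a Discourse-style app.yml and a socket listing for Redis/Postgres
published beyond localhost (added example; sample inputs are constructed)."""
import re

# Ports that should only be reachable inside the container network.
INTERNAL_ONLY = {6379: "redis", 5432: "postgres"}

# Constructed sample resembling the expose list from the thread.
SAMPLE_APP_YML = """\
expose:
  - "80:80"     # http
  - "2222:22"   # ssh
  - "443:443"   # https
  - "6379:6379" # redis -- this is the line that exposes redis publicly
params:
  version: stable
"""

# Constructed sample of `ss -ltn` output on the host: redis bound to
# loopback on IPv4 but to the wildcard address on IPv6.
SAMPLE_SS = """\
LISTEN 0 128 0.0.0.0:80       0.0.0.0:*
LISTEN 0 128 127.0.0.1:6379   0.0.0.0:*
LISTEN 0 128 :::6379          :::*
"""

# "- "[host_ip:]host_port:guest_port"" as used by the Docker -p syntax.
EXPOSE_RE = re.compile(r'^\s*-\s*"?(?:(?P<ip>[\d.]+):)?(?P<host>\d+):(?P<guest>\d+)"?')

def exposed_ports(app_yml):
    """Return [(host_ip or None, host_port, guest_port)] from the expose: block."""
    out, in_expose = [], False
    for line in app_yml.splitlines():
        stripped = line.split("#", 1)[0].rstrip()   # drop trailing comments
        if not stripped:
            continue
        if re.match(r"^expose:\s*$", stripped):
            in_expose = True
            continue
        if in_expose and not stripped[0].isspace():  # next top-level key ends the block
            in_expose = False
        if in_expose:
            m = EXPOSE_RE.match(stripped)
            if m:
                out.append((m.group("ip"), int(m.group("host")), int(m.group("guest"))))
    return out

def publicly_exposed_internal(app_yml):
    """Expose entries that publish an internal-only service on a non-loopback host address."""
    return [(ip, h, g) for ip, h, g in exposed_ports(app_yml)
            if g in INTERNAL_ONLY and ip not in ("127.0.0.1", "::1")]

def wildcard_listeners(ss_output, ports=INTERNAL_ONLY):
    """Internal-only ports bound to 0.0.0.0, :: or * in ss/netstat output."""
    return [int(m.group(1)) for line in ss_output.splitlines()
            if (m := re.search(r"(?:0\.0\.0\.0|::|\*):(\d+)\b", line)) and int(m.group(1)) in ports]
```

Removing the `"6379:6379"` entry from `expose:` makes `publicly_exposed_internal` return an empty list; rerunning `wildcard_listeners` on fresh `ss -ltn` output confirms the host no longer has the port open.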