@antirez of Redis here. The original idea was to stick to this original model of "care about your setup", but given the disaster of exposed Redis instances, since Redis 3.2 version, now Redis has a "protected mode" feature that basically means that when the server detects to be: 1) configured to listen to all interfaces. 2) Without any password set, it enters a special setup where connections from localhost works, but connection from external interfaces are accepted only to be served with a fixed reply "This is protected mode bla bla bla make sure you understand that this instance is not secure". The long message includes instructions on how to fix the setup ASAP in different ways (both secure and insecure ways) in order to re-allow access from external clients. So this should improve in the next months as people upgrade.
Slashdot Mirror
@antirez of Redis here. The original idea was to stick to this original model of "care about your setup", but given the disaster of exposed Redis instances, since Redis 3.2 version, now Redis has a "protected mode" feature that basically means that when the server detects to be: 1) configured to listen to all interfaces. 2) Without any password set, it enters a special setup where connections from localhost works, but connection from external interfaces are accepted only to be served with a fixed reply "This is protected mode bla bla bla make sure you understand that this instance is not secure". The long message includes instructions on how to fix the setup ASAP in different ways (both secure and insecure ways) in order to re-allow access from external clients. So this should improve in the next months as people upgrade.