Tags: redis, honeypot, recon, exposure, docker kit

26 Seconds. That's All It Took.

I stood up a honeypot with a default Redis config and exposed it. My first unauthorized connection came in 26 seconds.

I knew it would be fast. I didn’t know it would be that fast.

The setup was simple: a DigitalOcean droplet, a stock Redis install, port 6379 open to the world, no auth. I started Wireshark, noted the timestamp, and waited. 26 seconds later — a connection. Not a port scan ping. An actual Redis command.

*1
$4
PING

Someone — or something — had found my IP, connected to Redis, and sent a PING. By the time I made coffee, there were 14 unique source IPs in my capture file.

Why Redis?

Redis ships with auth disabled by default. The assumption is that it lives behind a firewall, on localhost, or inside a private network. A reasonable assumption — until it isn’t.

The problem: Redis isn’t just a cache. It can write files. To disk. Anywhere the process has permission. A common attack chain:

  1. Connect to exposed Redis
  2. CONFIG SET dir /root/.ssh
  3. CONFIG SET dbfilename authorized_keys
  4. SET pwn "ssh-rsa AAAA... attacker@host"
  5. BGSAVE

You now have SSH access. Without ever guessing a password.

This isn’t theoretical. This is a documented attack that has owned thousands of production servers. The Redis docs even call it out explicitly.

What the Traffic Looked Like

Within the first 10 minutes, I saw:

  • PING sweeps — automated scanners checking if the service is live
  • INFO commands — fingerprinting: Redis version, OS, connected clients, memory
  • CONFIG GET — reading the config to understand what’s writable
  • Keyspace dumps — KEYS * to see if there’s anything valuable

None of these are subtle. All of them are things a real attacker would do within the first minute of access.
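To make the traffic above concrete from the defender's side, here is an added example (my code, not the author's kit or anything from the post) that parses RESP frames of the "*1 $4 PING" form shown earlier and flags the recon commands listed above together with the dir/dbfilename/BGSAVE sequence from the attack chain section. The byte stream, the function names parse_resp_commands and classify_session, and the severity labels are all constructed for this example.

```python
# Added example, not code from the post or from the ayfr/lab-26s kit.
# Parses the RESP frames a Redis client sends (the "*1 $4 PING" form shown
# in the post) and flags the recon and config-rewrite sequence it describes.
# The byte stream below is constructed for this example, not taken from a
# real capture.

SAMPLE_STREAM = (
    b"*1\r\n$4\r\nPING\r\n"
    b"*1\r\n$4\r\nINFO\r\n"
    b"*3\r\n$6\r\nCONFIG\r\n$3\r\nGET\r\n$3\r\ndir\r\n"
    b"*2\r\n$4\r\nKEYS\r\n$1\r\n*\r\n"
    b"*4\r\n$6\r\nCONFIG\r\n$3\r\nSET\r\n$3\r\ndir\r\n$10\r\n/root/.ssh\r\n"
    b"*4\r\n$6\r\nCONFIG\r\n$3\r\nSET\r\n$10\r\ndbfilename\r\n$15\r\nauthorized_keys\r\n"
    b"*3\r\n$3\r\nSET\r\n$3\r\npwn\r\n$7\r\nssh-rsa\r\n"
    b"*1\r\n$6\r\nBGSAVE\r\n"
)

RECON_COMMANDS = {"PING", "INFO", "KEYS"}


def parse_resp_commands(data: bytes) -> list[list[str]]:
    """Split a client->server byte stream into commands (lists of arguments).

    Only the array-of-bulk-strings encoding is handled, which is what every
    Redis client sends.  A truncated trailing frame is dropped rather than
    raising, so the function is safe on a capture cut mid-command.
    """
    commands = []
    pos = 0
    while pos < len(data):
        if data[pos:pos + 1] != b"*":
            raise ValueError(f"expected '*' array header at offset {pos}")
        end = data.find(b"\r\n", pos)
        if end == -1:
            break                       # truncated array header
        argc = int(data[pos + 1:end])
        pos = end + 2
        args = []
        for _ in range(argc):
            if data[pos:pos + 1] != b"$":
                raise ValueError(f"expected '$' bulk header at offset {pos}")
            end = data.find(b"\r\n", pos)
            if end == -1:
                return commands         # truncated bulk header
            length = int(data[pos + 1:end])
            start = end + 2
            if start + length + 2 > len(data):
                return commands         # truncated bulk payload
            args.append(data[start:start + length].decode("utf-8", "replace"))
            pos = start + length + 2
        commands.append(args)
    return commands


def classify_session(commands: list[list[str]]) -> tuple[int, list[str]]:
    """Return (recon_count, findings).

    recon_count counts the fingerprinting commands the post lists
    (PING, INFO, CONFIG GET, KEYS).  findings records the high-severity
    events: CONFIG SET of dir/dbfilename, and any SAVE/BGSAVE issued after
    both have been rewritten, which is the on-disk write the post warns about.
    """
    recon = 0
    findings = []
    staged = {}                          # dir / dbfilename values seen so far
    for args in commands:
        if not args:
            continue
        cmd = args[0].upper()
        sub = args[1].upper() if len(args) > 1 else ""
        if cmd in RECON_COMMANDS or (cmd == "CONFIG" and sub == "GET"):
            recon += 1
        elif cmd == "CONFIG" and sub == "SET" and len(args) >= 4:
            key = args[2].lower()
            if key in ("dir", "dbfilename"):
                staged[key] = args[3]
                findings.append(f"CONFIG SET {key} {args[3]}")
        elif cmd in ("SAVE", "BGSAVE") and {"dir", "dbfilename"} <= staged.keys():
            findings.append(
                f"{cmd} after dir/dbfilename rewrite: RDB dump lands at "
                f"{staged['dir']}/{staged['dbfilename']}"
            )
    return recon, findings


if __name__ == "__main__":
    cmds = parse_resp_commands(SAMPLE_STREAM)
    recon, findings = classify_session(cmds)
    print(f"{len(cmds)} commands, {recon} recon, {len(findings)} high-severity:")
    for f in findings:
        print("  ", f)
```

The parser works on the reassembled client-to-server side of a TCP stream (what you would extract from the pcap with a "Follow TCP Stream" style tool); the alert worth paging on is the last finding, since a lone CONFIG SET is noisy but a BGSAVE after both dir and dbfilename have been redirected is the moment a file is written.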

FACT

Over 30,000 Redis instances are exposed to the public internet with no authentication. Most of their owners don't know.

The Shodan Factor

I didn’t advertise the IP anywhere. Nobody knew it existed. So how did they find it?

Shodan. Automated scanners — some commercial, some run by threat actors — continuously sweep the entire IPv4 space. New IPs appear on Shodan within minutes of being allocated. My honeypot was visible to the world before I finished setting it up.

The lesson: the internet is not a dark room. The moment you turn something on, someone sees it.

Try It Yourself

The Docker kit below sets up a vulnerable Redis honeypot and a capture tool. You can watch the attack traffic in real time — or just replay the capture from my session.

DOCKER KIT — run this and watch attackers find you in real time:

docker run --rm -it --name ayfr-lab-26s -p 6379:6379 ayfr/lab-26s

Inside the container:

  • Redis running on 0.0.0.0:6379 with no auth
  • tcpdump capturing all traffic to /captures/redis.pcap
  • A script that replays my actual honeypot session: replay-attack.sh

# Once the container is running, in another terminal:
docker exec -it ayfr-lab-26s /bin/bash
cat /captures/redis.pcap | ./replay-attack.sh

You’ll see the exact sequence of commands an automated scanner sends the moment it finds an open Redis port.

The Fix

# /etc/redis/redis.conf

# Bind to localhost only — never 0.0.0.0 in production
bind 127.0.0.1

# Require a strong password
requirepass "use-a-real-password-not-this"

# Disable dangerous commands
rename-command CONFIG ""
rename-command DEBUG ""
rename-command FLUSHALL ""

Or: don’t expose Redis to the internet. Use a private network. Use a VPN. Use a firewall. Use anything.
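As an added example (my code, not part of the post or the ayfr/lab-26s kit), here is a small auditor that checks a redis.conf for the three fixes above: a non-wildcard bind, a requirepass, and the dangerous commands renamed away. The two sample configs, the function names parse_conf and audit_conf, and the finding texts are constructed for this example.

```python
# Added example, not code from the post or from the ayfr/lab-26s kit.
# Audits a redis.conf against the three fixes the post gives (bind,
# requirepass, rename-command).  Both sample configs are constructed here.
import shlex

WEAK_CONF = """\
# constructed: roughly what the honeypot ran
bind 0.0.0.0
port 6379
protected-mode no
"""

HARDENED_CONF = """\
bind 127.0.0.1
requirepass "use-a-real-password-not-this"
rename-command CONFIG ""
rename-command DEBUG ""
rename-command FLUSHALL ""
"""

DANGEROUS_COMMANDS = ("CONFIG", "DEBUG", "FLUSHALL")
WILDCARD_BINDS = ("0.0.0.0", "*", "::")


def parse_conf(text: str) -> list[tuple[str, list[str]]]:
    """Return (directive, args) pairs; comments and blank lines are skipped
    and double-quoted values are unquoted the way redis.conf allows."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = shlex.split(line)
        entries.append((parts[0].lower(), parts[1:]))
    return entries


def audit_conf(text: str) -> list[str]:
    """Return a list of findings; an empty list means all three fixes are present."""
    entries = parse_conf(text)
    findings = []

    # 1. bind: missing or wildcard means every interface is listening
    binds = [addr for d, args in entries if d == "bind" for addr in args]
    if not binds:
        findings.append("no bind directive: Redis listens on every interface")
    elif any(addr in WILDCARD_BINDS for addr in binds):
        findings.append(f"bind includes a wildcard address: {' '.join(binds)}")

    # protected-mode is the loopback-only safety net Redis applies when there
    # is no bind and no password; turning it off removes that last guard
    if any(d == "protected-mode" and args[:1] == ["no"] for d, args in entries):
        findings.append("protected-mode no: loopback-only safety net is off")

    # 2. requirepass: without it any client that can connect is trusted
    if not any(d == "requirepass" and args and args[0] for d, args in entries):
        findings.append("no requirepass: any client that can connect is trusted")

    # 3. rename-command: each dangerous command must be renamed or disabled ("")
    renamed = {args[0].upper() for d, args in entries if d == "rename-command" and args}
    for cmd in DANGEROUS_COMMANDS:
        if cmd not in renamed:
            findings.append(f"{cmd} not renamed or disabled")

    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"{label}: {audit_conf(conf) or ['ok']}")
```

Run it against /etc/redis/redis.conf on a host you manage and an empty list is the target. Two caveats the post's config does not spell out: protected-mode defaults to yes and only helps when there is no bind and no password, so it is not a substitute for either; and on Redis 6 and later the ACL system (user directives) is the documented replacement for rename-command, which this auditor does not evaluate.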

26 seconds is not a lot of time to make a mistake.