Redis: protected-mode no and default binding to world

Redis serves as a Swiss Army knife for data storage, queues, logs and more. It is therefore more than likely that the data held in Redis is sensitive and requires proper access controls around it.

Redis is currently configured to listen on 0.0.0.0, which is also what it does by default when no bind directive is set. Binding to all interfaces is dangerous wherever the host itself is reachable from untrusted networks, and in general it indicates a non-minimal security posture that tends to cause other unexpected exposures.

Since you have protected-mode no, any client that can reach the port can connect without authentication and run arbitrary commands, including reading, overwriting and deleting every key, unless you have also configured a password. Protected mode (available since Redis 3.2) refuses connections from non-loopback addresses when no bind directive and no password are set, so it is strongly recommended to set protected-mode yes. Treat it as a safety net rather than a fix on its own: by the rule documented in redis.conf it only engages when no explicit bind directive is present, so bind 0.0.0.0 with no password stays open even with protected mode on. Bind to the specific addresses that need access and set requirepass (or an ACL password) as well.

Problem

In redis.conf:

protected-mode no

Fix

In redis.conf:

protected-mode yes
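The following script, added here as an example and not part of the original page or of Redis itself, parses a redis.conf and reports whether the combination of bind, protected-mode and requirepass leaves the instance open to unauthenticated clients. It encodes the rule from redis.conf that protected mode only shields an instance when it is on, no explicit bind is configured and no password is set; the two sample configurations are constructed for the demonstration, and the audit does not follow include directives or inspect ACL users.

```python
"""Audit a redis.conf for the network exposure described above (added example)."""
import shlex

# constructed sample: the configuration flagged on this page
SAMPLE_WEAK = """\
bind 0.0.0.0
protected-mode no
port 6379
"""

# constructed sample: the recommended configuration
SAMPLE_FIXED = """\
bind 127.0.0.1
protected-mode yes
requirepass "correct horse battery staple"
"""


def parse_redis_conf(text):
    """Map each directive to its argument list. A repeated directive keeps the last
    value, which is how Redis resolves duplicates. 'include' files are not followed."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = shlex.split(line)  # redis.conf quoting is close enough to shell quoting
        conf[parts[0].lower()] = parts[1:]
    return conf


def first_arg(conf, key, default):
    """First argument of a directive, or the default when absent or empty."""
    args = conf.get(key) or [default]
    return args[0]


def binds_to_world(addrs):
    """True if any bind address means 'every interface': 0.0.0.0, ::, or the * forms
    accepted by newer Redis. A leading '-' only marks an address as optional."""
    return any(a.lstrip("-") in ("0.0.0.0", "::", "*", "::*") for a in addrs)


def audit(text):
    """Return (exposed, findings). 'exposed' means an unauthenticated client on any
    reachable network can issue arbitrary commands."""
    conf = parse_redis_conf(text)
    binds = conf.get("bind", [])
    protected = first_arg(conf, "protected-mode", "yes").lower() == "yes"
    has_password = bool(first_arg(conf, "requirepass", ""))
    listens_everywhere = not binds or binds_to_world(binds)

    findings = []
    if listens_everywhere:
        findings.append("listens on all interfaces (no bind, or bind to a wildcard address)")
    if not protected:
        findings.append("protected-mode no: the loopback-only safety net is switched off")
    if not has_password:
        findings.append("no requirepass: the default user accepts commands without AUTH")

    # Rule from redis.conf: protected mode only engages when it is on,
    # no explicit bind directive is configured, and no password is set.
    shielded = protected and not binds and not has_password
    exposed = listens_everywhere and not has_password and not shielded
    if exposed:
        findings.append("EXPOSED: arbitrary unauthenticated commands from any reachable host")
    return exposed, findings


if __name__ == "__main__":
    for name, text in (("weak", SAMPLE_WEAK), ("fixed", SAMPLE_FIXED)):
        exposed, findings = audit(text)
        print(f"{name}: exposed={exposed}")
        for finding in findings:
            print("  -", finding)
```

Run it against your own file with `python audit.py < /etc/redis/redis.conf` after swapping the samples for `sys.stdin.read()`. The third case in the checks below is the one people miss: protected-mode yes with an explicit bind 0.0.0.0 and no password is still reported as exposed, because protected mode steps aside once a bind directive is present.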

See