Fix: bind Redis to localhost

[runa]

Having it bound to the public addresses is a security problem.
See http://antirez.com/news/96

[arikfr]

Thanks!

[matangover]

I just found out my re:dash server was compromised multiple times last month because it used the previous (default) configuration which didn't include the 'bind' directive -- apparently some botnets (specifically XorDDOS) are going around taking advantage of this redis 'feature'. See e.g. here. I was not aware that leaving the redis port open to the world creates a security hole. With the fixed configuration by @runa (thanks!), it wouldn't be a problem for new installations, even if the redis port is left open.

Is there any way to alert current users of older re:dash versions (before v0.8.2.b1181) about this?

[arikfr]

Unfortunately there is no way to really reach everyone, but I will mention this on the mailing list with the next update.

[matangover]

Great. Thanks.