
How To Install and Secure Redis on Ubuntu 20.04 [Quickstart]

Published on May 1, 2020

Manager, Developer Education


Introduction

Redis is an in-memory key-value store known for its flexibility, performance, and wide language support. This quickstart tutorial demonstrates how to install, configure, and secure Redis on an Ubuntu 20.04 server.

Prerequisites

To complete this guide, you will need access to an Ubuntu 20.04 server that has a non-root user with sudo privileges and a firewall configured with ufw. You can set this up by following our Initial Server Setup guide for Ubuntu 20.04.

Step 1 — Installing and Configuring Redis

Begin by updating your local apt package cache:

  sudo apt update

Then install Redis by typing:

  sudo apt install redis-server

Next, open up the Redis configuration file with your preferred text editor:

  sudo nano /etc/redis/redis.conf

Inside the file, find the supervised directive, which allows you to declare an init system to manage Redis as a service. Since you are running Ubuntu, which uses the systemd init system, change its value from no to systemd:

/etc/redis/redis.conf
. . .

# If you run Redis from upstart or systemd, Redis can interact with your
# supervision tree. Options:
#   supervised no      - no supervision interaction
#   supervised upstart - signal upstart by putting Redis into SIGSTOP mode
#   supervised systemd - signal systemd by writing READY=1 to $NOTIFY_SOCKET
#   supervised auto    - detect upstart or systemd method based on
#                        UPSTART_JOB or NOTIFY_SOCKET environment variables
# Note: these supervision methods only signal "process is ready."
#       They do not enable continuous liveness pings back to your supervisor.
supervised systemd

. . .

Save and close the file when you are finished. If you used nano to edit the file, do so by pressing CTRL + X, Y, then ENTER.

Then, restart the Redis service to reflect the changes you made to the configuration file:

  sudo systemctl restart redis.service

To test that Redis is functioning correctly, connect to the server using redis-cli, Redis’s command-line client:

  redis-cli

In the prompt that follows, test connectivity with the ping command:

  ping

Output
PONG

This output confirms that the server connection is active. Next, check that you’re able to set keys by running:

  set test "It's working!"

Output
OK

Retrieve the value by typing:

  get test

Assuming everything is working, you will be able to retrieve the value you stored:

Output
"It's working!"

After confirming that you can fetch the value, exit the Redis prompt to get back to the shell:

  exit

Step 2 — Configuring a Redis Password

You can configure a Redis password directly in Redis’s configuration file, /etc/redis/redis.conf. Open that file again with your preferred editor:

  sudo nano /etc/redis/redis.conf

Scroll to the SECURITY section and look for a commented directive that reads:

/etc/redis/redis.conf
. . .
# requirepass foobared
. . .

Uncomment it by removing the #, and change foobared to a secure password:

/etc/redis/redis.conf
. . .
requirepass your_redis_password
. . .

After setting the password, save and close the file, then restart Redis:

  sudo systemctl restart redis.service

To test that the password works, open up the Redis client:

  redis-cli

The following shows a sequence of commands used to test whether the Redis password works. The first command tries to set a key to a value before authentication:

  set key1 10

That won’t work because you didn’t authenticate, so Redis returns an error:

Output
(error) NOAUTH Authentication required.

The next command authenticates with the password specified in the Redis configuration file:

  auth your_redis_password

Redis acknowledges:

Output
OK

After that, running the previous command again will succeed:

  set key1 10

Output
OK

get key1 queries Redis for the value of the new key.

  get key1

Output
"10"

After confirming that you’re able to run commands in the Redis client after authenticating, you can exit redis-cli:

  quit

Step 3 — Renaming Dangerous Commands

The other security feature built into Redis involves renaming or completely disabling certain commands that are considered dangerous. Some of the commands that are considered dangerous include: FLUSHDB, FLUSHALL, KEYS, PEXPIRE, DEL, CONFIG, SHUTDOWN, BGREWRITEAOF, BGSAVE, SAVE, SPOP, SREM, RENAME, and DEBUG. By disabling or renaming these and other commands, you make it more difficult for unauthorized users to reconfigure, destroy, or otherwise wipe your data.

To rename or disable Redis commands, open the configuration file once more:

  sudo nano /etc/redis/redis.conf

Warning: The following steps showing how to disable and rename commands are examples. You should only choose to disable or rename the commands that make sense for you. You can review the full list of commands for yourself and determine how they might be misused at redis.io/commands.

To disable a command, simply rename it to an empty string (signified by a pair of quotation marks with no characters between them), as shown below:

/etc/redis/redis.conf
. . .
# It is also possible to completely kill a command by renaming it into
# an empty string:
#
rename-command FLUSHDB ""
rename-command FLUSHALL ""
rename-command DEBUG ""
. . .

To rename a command, give it another name as shown in the examples below. Renamed commands should be difficult for others to guess, but easy for you to remember:

/etc/redis/redis.conf
. . .
# rename-command CONFIG ""
rename-command SHUTDOWN SHUTDOWN_MENOT
rename-command CONFIG ASC12_CONFIG
. . .

Save your changes and close the file.

After renaming a command, apply the change by restarting Redis:

  sudo systemctl restart redis.service

To test the new command, enter the Redis command line:

  redis-cli

Then authenticate:

  auth your_redis_password

Output
OK

Assuming that you renamed the CONFIG command to ASC12_CONFIG as in the preceding example, try using the original CONFIG command. It should fail, because you’ve renamed it:

  config get requirepass

Output
(error) ERR unknown command `config`, with args beginning with:

Calling the renamed command, however, will be successful. It is not case-sensitive:

  asc12_config get requirepass

Output
1) "requirepass"
2) "your_redis_password"
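
A read-only audit of the directives from Steps 2 and 3, added here as an example and not part of the original tutorial: it reports whether requirepass is set to something other than the stock foobared sample and which sensitive commands are still callable under their original names. The function names, the command subset and the 32-character threshold are assumptions of this example, and the sample configuration is constructed from the values shown above.

```bash
# Audit a redis.conf for the directives changed in Steps 2 and 3.
# Assumption: this command list and the 32-character floor are this example's choices.
SENSITIVE_CMDS="FLUSHDB FLUSHALL DEBUG CONFIG SHUTDOWN KEYS"
MIN_PASS_LEN=32

# Print the last active (uncommented) value of a one-argument directive.
conf_value() {  # conf_value <file> <directive>
  awk -v d="$2" 'tolower($1) == tolower(d) { v = $2 }
                 END { gsub(/"/, "", v); print v }' "$1"
}

# Print "disabled", "renamed" or "default" for one command name.
rename_state() {  # rename_state <file> <COMMAND>
  awk -v c="$2" 'tolower($1) == "rename-command" && toupper($2) == c {
                   s = ($3 == "\"\"") ? "disabled" : "renamed" }
                 END { print (s == "" ? "default" : s) }' "$1"
}

# One finding per line; the password itself is never printed.
audit_redis_conf() {  # returns 1 if any check FAILs
  conf=$1; rc=0
  pass=$(conf_value "$conf" requirepass)
  if [ -z "$pass" ]; then
    echo "FAIL requirepass: not set"; rc=1
  elif [ "$pass" = "foobared" ]; then
    echo "FAIL requirepass: still the sample value"; rc=1
  elif [ "${#pass}" -lt "$MIN_PASS_LEN" ]; then
    echo "WARN requirepass: shorter than $MIN_PASS_LEN characters"
  else
    echo "OK   requirepass: set"
  fi
  for cmd in $SENSITIVE_CMDS; do
    state=$(rename_state "$conf" "$cmd")
    if [ "$state" = default ]; then echo "WARN $cmd: callable under its original name"
    else echo "OK   $cmd: $state"; fi
  done
  return "$rc"
}

# Constructed sample: the directives this tutorial adds.
sample_conf() {
  printf '%s\n' 'supervised systemd' '# requirepass foobared' \
    'requirepass your_redis_password' 'rename-command FLUSHDB ""' \
    'rename-command FLUSHALL ""' 'rename-command DEBUG ""' \
    'rename-command SHUTDOWN SHUTDOWN_MENOT' 'rename-command CONFIG ASC12_CONFIG'
}

# Audit the file given as $1, or the constructed sample when run without one.
if [ -r "${1:-}" ]; then audit_redis_conf "$1"
else tmp=$(mktemp); sample_conf > "$tmp"; audit_redis_conf "$tmp"; rm -f "$tmp"; fi
```

Pass the path to the live configuration as the first argument; reading /etc/redis/redis.conf may require sudo.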

Conclusion

In this quickstart tutorial, you installed and configured Redis, validated that your Redis installation is functioning correctly, and used its built-in security features to make it less vulnerable to attacks from malicious actors.

1 Comments



pam_unix(sudo:auth): Couldn’t open /etc/securetty: No such file or directory
