Tools: How To Install and Secure Redis on Ubuntu

Source: DigitalOcean

By Mark Drake, Justin Ellingwood and Vinayak Baranwal

Redis is an in-memory key-value store used for caching, session storage, pub/sub, and real-time data. In this tutorial you install Redis on Ubuntu, confirm it works with a quick test, then lock it down: bind to localhost only, require a password, and rename or disable dangerous commands so a mistake or an attacker can’t wipe or reconfigure your instance. The guide works on Ubuntu 22.04 and later LTS releases. When you’re ready, log in to your Ubuntu server as your sudo user and continue below.

Prerequisites

Before you begin, ensure you have an Ubuntu server with a non-root user that has sudo privileges. If you haven’t set this up yet, follow the Initial Server Setup guide for Ubuntu (works for Ubuntu 22.04 LTS and later). Once complete, log in as your non-root user to continue.

Why securing Redis matters

Redis assumes trusted clients on a trusted network. It has no authentication or access control by default. If port 6379 is reachable from the internet, anyone can connect and run any command: wipe all data with FLUSHALL, change config with CONFIG SET, or (in older setups) abuse CONFIG SET dir and dbfilename to write files to disk and potentially gain shell access. Binding to localhost, setting a password, and renaming dangerous commands limits who can connect and what they can do. The official Redis security docs go deeper.

Installing and configuring Redis

Install Redis from the Ubuntu repositories with apt (refresh the package index, then install the redis-server package); installing from the repositories means you get security updates via apt. Then set supervised systemd in /etc/redis/redis.conf so systemd manages Redis and can restart it if it crashes.

Open /etc/redis/redis.conf in your editor and search for supervised (e.g. Ctrl+W in nano). It’s usually under the GENERAL section. Change supervised no to supervised systemd. That’s the only change needed for this step. Save and close the file, then restart Redis with sudo systemctl restart redis so the change takes effect.

Check that Redis is running with sudo systemctl status redis. You should see Active: active (running), and the service should be reported as enabled. If it is not enabled, enable it so it starts on boot. Then test with the CLI.
Testing Redis

If Redis is not enabled to start on boot, enable it with sudo systemctl enable redis. Redis is then running and enabled, so it will start on boot.

Note: This setting is desirable for many common use cases of Redis. If, however, you prefer to start up Redis manually every time your server boots, disable the service with sudo systemctl disable redis.

Now confirm that the server responds to ping and that you can set and get a key. Test connectivity with the Redis CLI by running redis-cli. In the Redis prompt, run ping; you should see PONG if the server is responsive. Then set a key to the value "It's working!" and read it back with get; you should see the value you stored. Exit the Redis prompt with quit.

To confirm persistence survives a restart, restart Redis with sudo systemctl restart redis, reconnect with redis-cli and read the key again. You should still see "It's working!". If so, the installation is working. Proceed to lock down access.

Binding to localhost

Restrict Redis to localhost so only this machine can connect. Edit /etc/redis/redis.conf and search for bind. Ensure the line bind 127.0.0.1 ::1 is present and not commented out (no # at the start). If you see bind 0.0.0.0 or no bind line, replace it with, or add, exactly this line (no # in front):

bind 127.0.0.1 ::1

Save and close, then restart Redis with sudo systemctl restart redis.

Verify that Redis is listening only on loopback. Using ss (standard on Ubuntu), list the listening TCP sockets (for example with sudo ss -lnt) and look at the entries for port 6379. If you see 0.0.0.0:6379 instead of 127.0.0.1:6379, the bind didn’t apply; recheck the file and restart.

Configuring a Redis password

Next, require a password so only clients that send AUTH can run commands. Set a password in /etc/redis/redis.conf with requirepass so only authenticated clients can run commands. (Redis 6+ also has ACLs for per-user permissions; for one shared password, requirepass is fine.)

Optional but recommended: back up the config before editing (sudo cp /etc/redis/redis.conf /etc/redis/redis.conf.bak). Then open the file and search for requirepass (often under a block titled SECURITY). You’ll see a commented line like # requirepass foobared. Remove the # and replace foobared with a strong password.
The line then reads requirepass followed by your password.

Note: Redis is very fast, so an attacker can try many passwords per second. Use a long, random password. You can generate one with openssl rand 60 | openssl base64 -A. On some systems -A may not be available; if the command fails, use openssl rand 60 | base64 (you may need to remove line breaks from the output before pasting into redis.conf). Use the output as the value for requirepass.

Save and close the file, then restart Redis with sudo systemctl restart redis.

Test that unauthenticated commands are rejected and that authentication works: open redis-cli and run a command such as set before authenticating; Redis should refuse it with NOAUTH Authentication required. Then run AUTH with your password and repeat the command; it should now succeed. From the shell you can also pass the password once with redis-cli -a your_redis_password (the password may appear in process lists; for scripts, prefer AUTH inside the session or environment variables).

Renaming dangerous commands

Next, restrict dangerous commands. Rename or disable them in /etc/redis/redis.conf so they can’t be run by mistake or by an attacker. Add rename-command lines in the SECURITY section: use an empty string to disable a command, or a hard-to-guess name to rename it.

Warning: The rename-command approach is no longer the recommended way to secure commands in Redis 6+; use ACL rules for new deployments. The rename-command directive remains supported and effective for existing setups. Choose only the commands that make sense to disable or rename for your use case. Full command reference: redis.io/commands.

Open /etc/redis/redis.conf and scroll to the SECURITY section (or search for rename-command). Add rename-command lines to the config file (they are redis.conf directives, not Redis CLI commands). To disable a command, set its new name to an empty string. To rename a command, give it a new name that only you know (hard to guess, easy for you to remember). Save and close, then restart Redis with sudo systemctl restart redis.

Verify: after connecting and authenticating, the old command name should fail and the new one should work.

Warning: If you use AOF persistence or replication, renamed commands are stored and replicated under their new names.
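As an added example (not code from the DigitalOcean article or the Redis project), the shell script below applies the supervised, bind, requirepass and rename-command changes described above to a redis.conf file, audits the result the way the verification steps describe, and checks a line of ss -lnt output for a listener on port 6379 that is not on loopback. The constructed sample config, the generated password, the alias EXAMPLE_CONFIG_ALIAS, the choice of FLUSHDB, FLUSHALL and CONFIG, and the 32-character password minimum are all assumptions made for the example; on a server you would run it against /etc/redis/redis.conf as root and restart Redis afterwards.

```shell
#!/usr/bin/env bash
# Added example, not code from the DigitalOcean article or the Redis project.
# Applies the tutorial's four redis.conf changes (supervised systemd, bind to
# loopback, requirepass, rename-command) to a config file and audits the
# result. Assumptions: a redis.conf-style file with directives at column 0,
# GNU/Linux userland (grep -E, mktemp, base64), a password and alias without
# newlines, and a 32-character password minimum chosen here as an example
# policy. On a server, run it against /etc/redis/redis.conf as root and then
# restart Redis; below it runs on a constructed sample file instead.

# set_directive CONF NAME VALUE: drop every active NAME line (commented
# documentation lines stay) and append one "NAME VALUE" line. Redis reads
# directives in order, so the appended line is the one that takes effect.
set_directive() {
  local conf="$1" name="$2" value="$3" tmp
  tmp="$(mktemp)"
  grep -vE "^[[:space:]]*${name}([[:space:]]|$)" "$conf" > "$tmp" || true
  mv "$tmp" "$conf"
  printf '%s %s\n' "$name" "$value" >> "$conf"
}

# last_value CONF NAME: value of the last active NAME directive, or empty.
last_value() {
  grep -E "^$2[[:space:]]" "$1" | tail -n 1 | cut -d' ' -f2-
}

# harden_redis_conf CONF PASSWORD CONFIG_ALIAS: apply the tutorial's changes.
harden_redis_conf() {
  local conf="$1" password="$2" alias="$3"
  set_directive "$conf" supervised systemd       # let systemd manage Redis
  set_directive "$conf" bind '127.0.0.1 ::1'     # loopback only
  set_directive "$conf" requirepass "$password"  # clients must AUTH first
  # rename-command lines accumulate rather than override, so only append.
  printf 'rename-command FLUSHDB ""\n' >> "$conf"   # empty name = disabled
  printf 'rename-command FLUSHALL ""\n' >> "$conf"
  printf 'rename-command CONFIG %s\n' "$alias" >> "$conf"  # hard-to-guess name
}

# audit_redis_conf CONF: print one line per check; return 0 only if all pass.
audit_redis_conf() {
  local conf="$1" status=0 super bind pass bind_ok addr cmd
  super="$(last_value "$conf" supervised)"
  bind="$(last_value "$conf" bind)"
  pass="$(last_value "$conf" requirepass)"
  if [ "$super" = systemd ]; then echo "ok   supervised systemd"
  else echo "FAIL supervised is '${super:-unset}', expected systemd"; status=1; fi
  # Every bind address must be loopback. Redis 7 ships "bind 127.0.0.1 -::1",
  # where the leading dash marks an address Redis may skip if unavailable.
  bind_ok=1
  [ -n "$bind" ] || bind_ok=0
  for addr in $bind; do
    case "$addr" in 127.0.0.1|::1|-127.0.0.1|-::1) ;; *) bind_ok=0 ;; esac
  done
  if [ "$bind_ok" -eq 1 ]; then echo "ok   bind $bind"
  else echo "FAIL bind is '${bind:-unset}': reachable beyond localhost"; status=1; fi
  if [ "${#pass}" -ge 32 ]; then echo "ok   requirepass set (${#pass} chars)"
  else echo "FAIL requirepass unset or shorter than 32 chars"; status=1; fi
  for cmd in FLUSHALL CONFIG; do
    if grep -qE "^rename-command[[:space:]]+${cmd}[[:space:]]" "$conf"
    then echo "ok   $cmd renamed or disabled"
    else echo "FAIL $cmd still reachable under its default name"; status=1; fi
  done
  return "$status"
}

# listening_only_on_loopback SS_TEXT: given `ss -lnt` output, return 0 when
# every socket on port 6379 is bound to 127.0.0.1 or [::1], otherwise 1.
listening_only_on_loopback() {
  printf '%s\n' "$1" | awk '
    $4 ~ /:6379$/ && $4 != "127.0.0.1:6379" && $4 != "[::1]:6379" { bad = 1 }
    END { exit (bad ? 1 : 0) }'
}

# Constructed sample with the defaults the tutorial tells you to change.
sample_conf() {
  cat <<'EOF'
# constructed redis.conf excerpt, not the real file
bind 0.0.0.0
supervised no
# requirepass foobared
appendonly no
EOF
}

demo="$(mktemp)"
sample_conf > "$demo"
echo "== audit before hardening =="; audit_redis_conf "$demo" || true
harden_redis_conf "$demo" "$(head -c 45 /dev/urandom | base64 | tr -d '\n')" EXAMPLE_CONFIG_ALIAS
echo "== audit after hardening =="; audit_redis_conf "$demo"
echo "== constructed ss -lnt line with Redis on all interfaces =="
listening_only_on_loopback 'LISTEN 0 511 0.0.0.0:6379 0.0.0.0:*' || echo "FAIL: 0.0.0.0:6379"
rm -f "$demo"
```

The script removes and re-appends directives instead of substituting in place with sed, so a password containing characters that sed treats specially (the base64 output suggested above contains / and +) is written verbatim. rename-command lines are only ever appended, because Redis applies every rename-command it reads rather than the last one, and the audit checks the file the same way Redis does: the last active occurrence of a directive is the one that counts.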
Apply the same renames (or ACLs) on all replicas and after restoring from AOF, or replay may fail. See the Redis security documentation and the project’s note on renaming and replication. The Redis project uses the terms “master” and “replica” in documentation; we use the same here for consistency with Redis.

Persistence and memory

Redis keeps data in memory. Two mechanisms help durability:

RDB (snapshots): Redis writes periodic point-in-time snapshots to disk as dump.rdb. Control frequency in redis.conf with save directives. Good for backups; you can lose data written since the last snapshot if the server crashes.

AOF (append-only file): Redis logs every write to a file and replays it on restart. Stronger durability than RDB; files are larger and replay can be slower. Enable with appendonly yes in the APPEND ONLY MODE section of redis.conf; tune rewrite and fsync for your needs.

Defaults on Ubuntu typically enable RDB; AOF can be enabled in the APPEND ONLY MODE section of redis.conf with appendonly yes. For production, set maxmemory and a maxmemory-policy (e.g. volatile-lru) so Redis does not grow without bound and evicts keys when the limit is reached. See Redis persistence and Redis memory management for details.

Troubleshooting

Common problems to check for:
Redis won’t start after config changes
“NOAUTH Authentication required”
“Connection refused” from another host
Renamed command not found after restart

FAQ

Should Redis be exposed to the public internet?
No. Redis assumes trusted clients. Bind to localhost (or a private IP) and put a firewall in front. Use SSH tunnels, a VPN, or an application proxy if remote access is needed.

How do I reset a Redis password?
Edit /etc/redis/redis.conf, change requirepass to the new value, save, and run sudo systemctl restart redis. Then use AUTH new_password in clients.

What port does Redis use?
Default is 6379/TCP. You can change it with the port directive in redis.conf.

How do I enable Redis persistence?
RDB is often enabled by default. For AOF, set appendonly yes in the APPEND ONLY MODE section of /etc/redis/redis.conf and restart Redis. See Redis persistence.

What is Redis protected mode?
When Redis is bound to all interfaces and has no password, protected mode (Redis 3.2+) makes it accept only connections from 127.0.0.1 and reject others with an error. It is a safety net; you should still set bind 127.0.0.1 ::1 and use requirepass or ACLs.

Is this guide valid for all supported Ubuntu versions?
Yes. The steps, package name (redis-server), configuration file path (/etc/redis/redis.conf), and systemd service name are consistent across all current Ubuntu LTS and non-LTS releases. Minor differences (such as command output details) may appear, but the installation and securing process remains the same.

How do I connect my application to Redis?
From the same server, use host 127.0.0.1 and port 6379. If you set a password, send AUTH your_password after connecting (or use your client’s password option). From another host, don’t expose Redis directly; use an SSH tunnel, a VPN, or an app on the Redis server that proxies requests. See your app’s docs (e.g. Laravel, Django, Node) for the exact connection format.

Conclusion

You’ve installed Redis on Ubuntu, confirmed it with ping and set/get tests, bound it to localhost, set a strong password, and optionally renamed or disabled dangerous commands. Redis is in a good state for local caching and development.

Redis’s own security (bind, password, renamed commands) only helps as long as the server itself is locked down. If someone can log in to the machine, they can read redis.conf and connect to Redis. So keep SSH and the firewall tight, apply updates, and never expose port 6379 to the internet. For managed Redis with backups and high availability, see DigitalOcean Managed Databases for Redis. If you haven’t set up a firewall yet, use the Initial Server Setup guide for your Ubuntu version.
Comments

I encountered this towards the end of step 1 when attempting to reload the service: In addition to the invalid job type I also had a problem with the PID even though it exists. I ran sudo chown redis:redis /var/run/redis and the problem still persists.

Hi, even without making a change for the supervised keyword in /etc/redis/redis.conf, I can see output for sudo systemctl status redis. So, do I need to make this change? The key reason I am asking this is, I have to install Redis as part of an automated install, and I would like to avoid this type of one-off editing.

Might be dumb to ask but I’ll give it a shot because I’m interested in the answer. How can I authenticate a ping/pong request to Redis using cURL and nc? I’m hitting Redis on port 6379 using nc like this. It’s supposed to return PONG, but since I have the password set on, it is asking for authentication. I’m only interested in and want to play with curl and nc here. Thanks in advance.

@mdrake in the past for Ubuntu 14.04 you suggested to use the chris-lea repository to get the latest stable version of Redis. I wonder if there is any good reason now to prefer the official Ubuntu ppa.

I don’t know what’s the issue but at the very start when I install redis-server and change the redis.conf file and run it, it says “Failed to restart redis.service: Unit redis.service not found.”

Very nice and detailed explanation. Thanks!

I set the password as you mentioned! I thought it was really secure. I quit the shell. Then I asked my friend to hack into the redis shell. He entered into the shell using
Then he checked the recent commands (using the up arrow key), and it also showed my previous auth command containing the entire password! Is there any way so that I can hide my password from command history as well?

Awesome, detailed, clean explanation. Congrats!

Solid tutorial! The behavioral verification at each step is hugely useful. For what it’s worth, I was able to follow this tutorial, to the letter, on Ubuntu 16.04 LTS, too.