HowTo - Secure your open Memcached server

Memcached is a fast, distributed in-memory object caching system. It is free and open-source software designed to speed up dynamic web applications by reducing database load. An instance that is reachable from the Internet can be read and written by anyone, and when its UDP listener is enabled it can be used as a reflector in amplification denial-of-service attacks. This page explains how to install, lock down, and test Memcached.

 

How to avoid abuse of Memcached: 

Disable UDP: 

Disable UDP support if you do not need it. Memcached releases before 1.5.6 enable the UDP listener on port 11211 by default, and an exposed UDP listener lets an attacker send small spoofed requests that draw responses many times their size at a victim. 

Configure a firewall: 

Set up a firewall that blocks all access to your Memcached port from the public Internet and allows connections only from trusted hosts. 

Restrict Memcached to localhost: 

Binding Memcached to localhost and disabling the UDP listener on port 11211 is the simplest way to keep a Memcached server from being abused. Keep in mind that Memcached performs no authentication in its default configuration, so any host that can reach the port can read and modify the cache. 

 

Install Memcached on Ubuntu and Debian  

1. Update your local package index: 

sudo apt update 

2. Install the official package via the command: 

sudo apt install memcached 

3. It is also a good idea to install the libmemcached tools, which help you test and operate your Memcached server: 

sudo apt install libmemcached-tools 

 

Install Memcached on CentOS 

1. Update your local package index, then install Memcached from the official CentOS repository with yum: 

yum update 
yum install memcached 

2. Install libmemcached, a client library that ships with a few utilities for working with your Memcached server: 

yum install libmemcached 

Memcached is now installed as a service on your CentOS system, along with the tools you will need to test connectivity. Next, secure its configuration. 

Securing Memcached on Ubuntu and Debian Servers: 

On Ubuntu and Debian systems the service options live in /etc/memcached.conf. Two settings matter here: the -l option, which binds the listener to the local interface so that remote hosts cannot reach it, and the -U option, which controls the UDP port that amplification attacks abuse. Open the file with your favorite editor, for example: 

sudo nano /etc/memcached.conf 

Find the following line, which should already be present; it binds Memcached to the loopback interface: 

-l 127.0.0.1 

Then add the following line at the end of the file if it is not already there. Setting the UDP port to 0 disables the UDP listener entirely: 

-U 0 

Save the file and exit. 

Restart Memcached to apply your changes: 

sudo systemctl restart memcached 

Use netstat to verify that Memcached is bound only to the local interface and only listening for TCP connections: 

sudo netstat -plunt 

This is what you should get as a result: 

Active Internet connections (only servers) 

Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name 
[...]
tcp        0      0 127.0.0.1:11211         0.0.0.0:*               LISTEN      2383/memcached 

Securing Memcached on CentOS Servers: 

To keep the server from being used in amplification (DDoS) attacks, bind Memcached to the local interface and disable the UDP port. On CentOS the service options live in /etc/sysconfig/memcached; open it with your favorite editor, for example: 

sudo vi /etc/sysconfig/memcached 

Find the OPTIONS line in the file and change it to the following (-l binds to the loopback interface, -U 0 disables UDP): 

OPTIONS="-l 127.0.0.1 -U 0" 

Save the file and exit from the editor. 

To apply the change, restart Memcached and enable it so that it starts at boot: 

systemctl restart memcached 
systemctl enable memcached 

You can ensure that it is running by using systemctl: 

systemctl status memcached 

The following is an example of the output:

memcached.service - Memcached
  Loaded: loaded (/usr/lib/systemd/system/memcached.service; enabled; vendor preset: disabled)
   Active: active (running) since Mon 2021-08-02 16:59:59 CEST; 14min ago
 Main PID: 23803 (memcached)
   CGroup: /system.slice/memcached.service
           └─23803 /usr/bin/memcached -u memcached -p 11211 -m 64 -c 1024 -l 127.0.0.1 -U 0 

Aug 02 16:59:59 systemd[1]: Started Memcached. 

Once it is running, use netstat to verify that the service is bound to the local interface and only listening for TCP connections: 

sudo netstat -plunt 

This is what you should get as a result:  

Active Internet connections (only servers) 
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:11211         0.0.0.0:*               LISTEN      23803/memcached 

You should see memcached bound to the 127.0.0.1 address using only TCP. 

You may also use memcached-tool to check the server's statistics, as shown: 

memcached-tool 127.0.0.1 stats 
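The Ubuntu/Debian and CentOS procedures above both come down to the same two settings: the -l bind address and -U 0. The script below is added here as an example; it is not part of the original article or of memcached itself. It reads either configuration format, extracts those two options, and reports anything that leaves the service exposed, and it can also check the sockets of the running service with ss. The file paths and option names are memcached's; the option parsing, the list of addresses treated as private, the message wording and the function names are this example's own choices.

```shell
#!/bin/sh
# memcached_audit.sh: audit the -l (bind) and -U (UDP port) settings of a
# memcached configuration. Added example, not from the original article or
# from the memcached project. Understands /etc/memcached.conf (Debian/Ubuntu,
# one option per line) and /etc/sysconfig/memcached (CentOS, OPTIONS="...").

# Debian/Ubuntu format: drop comments and blank lines, join the rest.
opts_from_debian_conf() {
    sed -e 's/#.*//' -e '/^[[:space:]]*$/d' "$1" | tr '\n' ' '
}

# CentOS format: pull the quoted value out of the OPTIONS= line.
opts_from_sysconfig() {
    sed -n 's/^OPTIONS="\(.*\)"[[:space:]]*$/\1/p' "$1"
}

# Print the value of option -<flag> from an options string, accepting both
# "-l 1.2.3.4" and "-l1.2.3.4"; exit 1 if the option is absent.
opt_value() {
    _flag=$2
    set -- $1
    while [ $# -gt 0 ]; do
        case "$1" in
            "-$_flag")  printf '%s\n' "$2"; return 0 ;;
            "-$_flag"*) printf '%s\n' "${1#-$_flag}"; return 0 ;;
        esac
        shift
    done
    return 1
}

# Loopback or RFC 1918 space counts as private (assumption of this example).
is_private_addr() {
    case "$1" in
        127.*|::1|10.*|192.168.*|172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
        *) return 1 ;;
    esac
}

# Audit an options string: one finding per line, exit status 0 only when every
# -l address is private and -U is 0. A missing -U is reported on purpose, even
# though memcached 1.5.6 and later default to UDP off, so the intent is explicit.
audit_opts() {
    _opts=$1 _rc=0
    _bind=$(opt_value "$_opts" l) || _bind=
    _udp=$(opt_value "$_opts" U) || _udp=
    if [ -z "$_bind" ]; then
        echo "FAIL: no -l given, memcached listens on every interface (0.0.0.0)"; _rc=1
    else
        _old_ifs=$IFS; IFS=,; set -- $_bind; IFS=$_old_ifs   # -l takes a comma list
        for _addr in "$@"; do
            case "$_addr" in [0-9]*.*:[0-9]*) _addr=${_addr%:*} ;; esac   # strip :port
            if [ "$_addr" = 0.0.0.0 ] || [ "$_addr" = :: ]; then
                echo "FAIL: -l $_addr binds every interface"; _rc=1
            elif ! is_private_addr "$_addr"; then
                echo "WARN: -l $_addr is not loopback or RFC 1918; confirm it is a private interface"; _rc=1
            fi
        done
    fi
    case "$_udp" in
        0)  ;;
        "") echo "WARN: no -U given; releases before 1.5.6 enable UDP by default, set -U 0 explicitly"; _rc=1 ;;
        *)  echo "FAIL: -U $_udp leaves a UDP listener open"; _rc=1 ;;
    esac
    [ "$_rc" -eq 0 ] && echo "OK: bound to $_bind, UDP disabled"
    return "$_rc"
}

# Audit a config file, detecting the format by content.
audit_file() {
    if grep -q '^OPTIONS=' "$1"; then
        audit_opts "$(opts_from_sysconfig "$1")"
    else
        audit_opts "$(opts_from_debian_conf "$1")"
    fi
}

# Live check: any memcached UDP socket, or any TCP socket bound to 0.0.0.0 or
# [::], is a finding. Run as root so ss can attribute sockets to the process.
audit_sockets() {
    ss -lntup 2>/dev/null | awk '
        /memcached/ && ($1 == "udp" || $5 ~ /^(0\.0\.0\.0|\*|\[::\]):/) {
            print "FAIL: open listener " $1 " " $5; bad = 1
        }
        END { exit bad }'
}

# Usage: memcached_audit.sh /etc/memcached.conf   (or /etc/sysconfig/memcached)
if [ $# -gt 0 ]; then
    audit_file "$1"; _r=$?
    audit_sockets || _r=1
    exit "$_r"
fi
```

Run it against the file you edited after the restart; a non-zero exit status means at least one finding. The socket check needs root for ss to show process names, and it reports nothing when memcached is not running, so pair it with systemctl status.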

 

Allowing access on a private network (Optional) 

In the previous steps you bound Memcached to the loopback interface (127.0.0.1), which keeps it off the network entirely. If an application on another host needs to use the cache, Memcached has to listen on the server's private network interface instead. Do this in two steps: first restrict who may reach port 11211 with the firewall, then change the bind address. Memcached performs no authentication in this configuration, so the firewall is the only access control. 

Firewall rules to restrict client IPs  

Add the firewall rule before changing the bind address, so that the service is never exposed to the whole network, even briefly. You need the private IP address of the client server first. If you are using the UFW firewall, run the following on your Memcached server to allow only that client: 

sudo ufw allow from client_server_private_IP/32 to any port 11211 

This rule only restricts access if UFW is enabled and its default policy for incoming connections is deny, which it is unless you changed it. With the rule in place, you can bind the Memcached service to the private network interface. 

Bind Memcached to the Private Network Interface 

Now that the firewall rule is in place, change Memcached's configuration to listen on the private network interface instead of the loopback interface. Open the configuration file you edited earlier: 

Ubuntu and Debian Servers: 

sudo nano /etc/memcached.conf 

Look for the following line in the file, which was checked in the previous steps: 

-l 127.0.0.1 

Change the address to the one that corresponds to the private network interface on your server: 

-l memcached_servers_private_IP 

Save and close the configuration file to implement the changes. 

Then use the following command to restart the Memcached service: 

sudo systemctl restart memcached 

CentOS servers: 

sudo vi /etc/sysconfig/memcached 

Look for the OPTIONS variable and change -l 127.0.0.1 to the private IP address of the Memcached server, keeping -U 0. Leave out options you have not deliberately set up: -S turns on SASL authentication, which needs a SASL configuration and binary-protocol clients, and -vv only enables verbose logging: 

OPTIONS="-l memcached_servers_private_IP -U 0" 

When you're finished, save and shut the file. Restart the Memcached service by doing the following: 

sudo systemctl restart memcached 

Finally, use netstat to verify the updated settings: 

sudo netstat -plunt 

This is what you should get as a result:  

Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
[...]
tcp        0      0 memcached_servers_private_IP:11211         0.0.0.0:*               LISTEN      2383/memcached 

Verify that the approved client can connect, and that a connection attempt from a host the firewall does not allow is blocked.  

At this point your Memcached server listens only on the loopback or private interface, over TCP only, and only the clients you allowed in the firewall can reach it. 
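The netstat check above only shows the server's side. The script below, added here as an example that is not part of the original article or of memcached, is meant to be run from a client host: it confirms that TCP 11211 accepts a connection from this host, reads udpport and inter back from the server's own "stats settings" reply, and sends the 8-byte-header UDP frame memcached expects to confirm that UDP stays silent. Run from a host the firewall does not allow, the first check should fail with no connection, which is the result you want there. It assumes bash (for /dev/tcp, /dev/udp and read -t) and the coreutils timeout command; the function names and pass/fail wording are this example's own.

```shell
#!/usr/bin/env bash
# memcached_verify.sh: client-side verification of a hardened Memcached
# instance. Added example, not from the original article or from memcached.
# Assumes bash (/dev/tcp, /dev/udp, read -t) and coreutils "timeout".

# Exit 0 if a TCP connect to host:port completes within 3 s. A firewall DROP
# shows up as exit 124 (timeout), a REJECT or closed port as exit 1.
tcp_reachable() {
    timeout 3 bash -c "exec 3<>/dev/tcp/$1/${2:-11211}" 2>/dev/null
}

# Ask the server for "stats settings" over TCP and print the reply with CRs
# removed, stopping at END (2 s read timeout per line). Runs in a subshell so
# the socket descriptor does not leak into the caller.
tcp_stats_settings() (
    exec 3<>"/dev/tcp/$1/${2:-11211}" || exit 2
    printf 'stats settings\r\n' >&3
    while IFS= read -r -t 2 line <&3; do
        line=$(printf '%s' "$line" | tr -d '\r')
        printf '%s\n' "$line"
        [ "$line" = END ] && break
    done
)

# Keep only the settings this page cares about, as key=value lines.
parse_stats_settings() {
    awk '$1 == "STAT" && ($2 == "maxconns" || $2 == "tcpport" || $2 == "udpport" || $2 == "inter") { print $2 "=" $3 }'
}

# Judge parsed settings: pass only if udpport is 0 and inter (the -l value,
# which may be a comma-separated list, or NULL when -l is absent) lists the
# address the server was expected to bind to.
judge_settings() {
    local parsed="$1" expect_addr="$2" rc=0 udpport inter
    udpport=$(printf '%s\n' "$parsed" | sed -n 's/^udpport=//p')
    inter=$(printf '%s\n' "$parsed" | sed -n 's/^inter=//p')
    if [ "$udpport" != 0 ]; then
        echo "FAIL: udpport=${udpport:-missing} (expected 0, i.e. -U 0)"; rc=1
    fi
    case ",$inter," in
        *",$expect_addr,"*) ;;
        *) echo "FAIL: inter=${inter:-missing} does not include $expect_addr (check -l)"; rc=1 ;;
    esac
    [ "$rc" -eq 0 ] && echo "OK: udpport=0, bound to $inter"
    return "$rc"
}

# Send one memcached UDP frame (8-byte header: request id 1, sequence 0,
# total datagrams 1, reserved 0) carrying "stats". Exit 0 if anything comes
# back within 2 s, which means the UDP listener is open and answers strangers.
udp_answers() (
    exec 3<>"/dev/udp/$1/${2:-11211}" || exit 2
    printf '\000\001\000\000\000\001\000\000stats\r\n' >&3
    IFS= read -r -t 2 reply <&3
)

# Driver, run from a client host: verify_from_client <memcached_private_IP> [port]
verify_from_client() {
    local host="$1" port="${2:-11211}" rc=0 raw
    if ! tcp_reachable "$host" "$port"; then
        echo "FAIL: no TCP connection to $host:$port from this host (firewall rule or -l address)"
        return 1
    fi
    echo "OK: TCP $host:$port accepts connections from this host"
    raw=$(tcp_stats_settings "$host" "$port")
    judge_settings "$(printf '%s\n' "$raw" | parse_stats_settings)" "$host" || rc=1
    if udp_answers "$host" "$port"; then
        echo "FAIL: UDP $host:$port answered a stats probe (set -U 0)"; rc=1
    else
        echo "OK: no UDP answer from $host:$port"
    fi
    return "$rc"
}

if [ $# -gt 0 ]; then
    verify_from_client "$@"
fi
```

Run it as bash memcached_verify.sh memcached_servers_private_IP from the allowed client, then again from a host that is not in the firewall rule. A UDP listener that has been disabled with -U 0 gives no reply at all, so the UDP probe is judged by silence within the timeout rather than by any particular response.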

 
