How to install and secure Memcached on CentOS 7


Cloud server hosting is quickly becoming the conventional way for technology companies, and all other companies, to access their IT infrastructure, software and hardware resources. Using a cloud server can also help your business be more efficient and save on the software and hardware that different operations need. If you are unsure what a cloud server is, here is the answer: a cloud server is a setup in which several servers are linked together to share the load. Using a cloud server for a business is more stable, faster and more secure.


If you are using a cloud server for your website and are looking for information on how to install and secure Memcached on CentOS 7, here is the complete procedure. Memcached is one of the best ways to optimize backend database performance. It temporarily stores information in memory, retaining frequently or recently requested records, and in this way reduces the number of direct requests to your databases.


Follow the steps below to install and secure Memcached on CentOS 7 on a cloud server:


>> Log in to the server over SSH as root


>> Memcached is installed from the official repositories. First, update the local package index with the command below


sudo yum update


>> Now install the official package with this command


sudo yum install memcached


>> If you want a library that provides several tools for working with your Memcached server, install libmemcached with this command


sudo yum install libmemcached


>> Now secure the Memcached configuration settings. To ensure the Memcached instance is listening on the local interface, modify the OPTIONS variable in the configuration file located at /etc/sysconfig/memcached. The UDP listener will be disabled in the same change. Open /etc/sysconfig/memcached with vi:


sudo vi /etc/sysconfig/memcached


>> Locate the OPTIONS variable, which will initially look like this:


/etc/sysconfig/memcached

. . .

OPTIONS=""


>> Bind Memcached to the local interface with the -l parameter. Because the UDP protocol is much more effective for denial of service attacks than TCP, the UDP listener is also disabled, with -U 0. Your file will then look like this



/etc/sysconfig/memcached


PORT="11211"

USER="memcached"

MAXCONN="1024"

CACHESIZE="64"

OPTIONS="-l 130.10.04.18 -U 0"


>> Save and close the file when you are done


>> After saving, restart the Memcached service to apply your changes:


sudo systemctl restart memcached


>> Next, verify that Memcached is bound to the local interface and listening only for TCP connections by typing:


sudo netstat -plunt


>> You will see the following output


Output

Active Internet connections (only servers)

Proto Recv-Q Send-Q Local Address           Foreign Address State PID/Program name

. . .

tcp        0 0 130.10.04.18:11211         0.0.0.0:* LISTEN 2383/memcached

. . .


>> Next, add authorized users so that clients must authenticate to your Memcached service. This is possible with the Simple Authentication and Security Layer (SASL) framework. We will enable SASL in the Memcached configuration file and then move on to adding a user with authentication credentials.


>> Before configuring SASL support, test connectivity to the Memcached instance with the memstat command. To check that Memcached is up and running, type the following command


memstat --servers="130.10.04.18"


>> You will see the output below


Output

Server: 130.10.04.18 (11211)

    pid: 4522

    uptime: 9

    time: 2250435486

    version: 1.4.25

    . . .


>> With connectivity confirmed, you can enable SASL. To do so, add the -S parameter to the OPTIONS variable in /etc/sysconfig/memcached.


sudo vi /etc/sysconfig/memcached


>> We will add both the -S and -vv parameters to the OPTIONS variable. The -vv option provides verbose output to /var/log/memcached, which will help us as we debug.


/etc/sysconfig/memcached

. . .

OPTIONS="-l 130.10.04.18 -U 0 -S -vv"


>> Save and close the file, then restart the Memcached service with this command


sudo systemctl restart memcached


>> Now take a look at the logs to make sure that SASL support has been enabled, using this command.


sudo journalctl -u memcached


>> You should see the following line, which indicates that SASL support has been initialized


Output

. . .

Apr 10 19:24:10 memcached-server memcached[3846]: Initialized SASL.

. . .


>> Check the connectivity again with this command


memstat --servers="130.10.04.18"


>> This time the command should not produce any output. To check its exit status, type the following command; a non-zero status means the memstat request, sent without credentials, failed.


echo $?


>> Now you can add an authenticated user. First install the SASL packages with this command


sudo yum install cyrus-sasl-devel cyrus-sasl-plain


>> Next, create the directory and file that Memcached will check for its SASL configuration settings


sudo mkdir -p /etc/sasl2

sudo vi /etc/sasl2/memcached.conf


>> Now add the following to the SASL configuration file:


/etc/sasl2/memcached.conf

mech_list: plain

log_level: 5

sasldb_path: /etc/sasl2/memcached-sasldb2


>> With the SASL configuration file in place, create a SASL database with your user credentials using this command (sammy is the username in this example)


sudo saslpasswd2 -a memcached -c -f /etc/sasl2/memcached-sasldb2 sammy


>> Now give the memcached user ownership of the SASL database


sudo chown memcached:memcached /etc/sasl2/memcached-sasldb2


>> Restart the Memcached service


sudo systemctl restart memcached


>> Running memstat again will confirm whether authentication works. To check, use this


memstat --servers="130.10.04.18" --username=sammy --password=your_password


>> Now you should see output like the following:


Output

Server: 130.10.04.18 (11211)

    pid: 4522

    uptime: 9

    time: 2250435486

    version: 1.4.25

    . . .


>>> Allowing Access Over the Private Network

>> Limit IP access with the firewall by adding a dedicated Memcached zone to your firewall policy:


sudo firewall-cmd --permanent --new-zone=memcached


>> Now specify which port to keep open, for example port 11211, which is the default


sudo firewall-cmd --permanent --zone=memcached --add-port=11211/tcp


>> Once the above step is completed, specify the private IP address that will be allowed to access Memcached. You need to know your client's private IP address; then use the command below


sudo firewall-cmd --permanent --zone=memcached --add-source=client_server_private_IP


>> Now reload the firewall so that the new rules take effect


sudo firewall-cmd --reload


>> Binding Memcached to the private network interface. Here you bind Memcached to the server's private networking interface by modifying the OPTIONS variable you set earlier. Open /etc/sysconfig/memcached again by typing


sudo vi /etc/sysconfig/memcached


>> Locate the OPTIONS variable and change 130.10.04.18 to your Memcached server's private IP


/etc/sysconfig/memcached

. . .

OPTIONS="-l memcached_servers_private_IP -U 0 -S -vv"


>> Once done, save and close the file and restart the Memcached service again


sudo systemctl restart memcached


>> Now check your new settings with netstat to confirm the change


sudo netstat -plunt

Output

Active Internet connections (only servers)

Proto Recv-Q Send-Q Local Address           Foreign Address State PID/Program name

. . .

tcp        0 0 memcached_servers_private_IP:11211         0.0.0.0:* LISTEN 2383/memcached

. . .
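
The netstat check above can be scripted so that a UDP socket or a wildcard bind is flagged instead of read by eye. This is an added example, not part of the original guide; the function name and the sample lines are constructed.

```shell
# Added example (not from the original page): read `netstat -plunt` output on
# stdin, report every memcached socket, and return how many are exposed
# (UDP, or TCP bound to all interfaces).
check_memcached_listeners() {
    awk '
        $NF ~ /\/memcached$/ {
            proto = $1
            addr = $4
            sub(/:[0-9]+$/, "", addr)        # strip the trailing :port
            if (proto ~ /^udp/) {
                print "FAIL: UDP listener on " $4
                bad++
            } else if (addr == "0.0.0.0" || addr == "::" || addr == "*") {
                print "FAIL: TCP listener on all interfaces: " $4
                bad++
            } else {
                print "ok:   " proto " listener on " $4
            }
        }
        END { exit bad + 0 }
    '
}

# Constructed sample: an unhardened host with default OPTIONS="".
sample_exposed='Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 1021/sshd
tcp 0 0 0.0.0.0:11211 0.0.0.0:* LISTEN 2383/memcached
udp 0 0 0.0.0.0:11211 0.0.0.0:* 2383/memcached'

# Constructed sample: the listener line shown earlier in this guide.
sample_bound='tcp 0 0 130.10.04.18:11211 0.0.0.0:* LISTEN 2383/memcached'

printf '%s\n' "$sample_exposed" | check_memcached_listeners || echo "$? exposed listener(s)"
printf '%s\n' "$sample_bound" | check_memcached_listeners || echo "$? exposed listener(s)"
```

On a live server, feed it the real table with `sudo netstat -plunt | check_memcached_listeners`; a non-zero exit status makes it usable in a monitoring or provisioning check.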