How to Secure Memcached by Reducing Its Exposure on Ubuntu Server


Securing Memcached on Ubuntu and Debian Server

For a Memcached service running on an Ubuntu or Debian server, you can adjust the service parameters by editing the /etc/memcached.conf file with nano, for instance:

sudo nano /etc/memcached.conf

By default, Ubuntu and Debian bind Memcached to the local loopback interface, 127.0.0.1. An installation bound to 127.0.0.1 is not vulnerable to amplification attacks launched from the network, because the service cannot be reached from outside the host at all. Confirm this behaviour by checking that the -l option is set to that address:

/etc/memcached.conf
. . .
-l 127.0.0.1
. . .


If the listening address is ever changed to something more open, it is a good idea to disable UDP as well, since UDP is the transport abused in Memcached reflection attacks: the attacker spoofs the victim's address as the source, and each small request produces a much larger response aimed at the victim. To disable UDP (TCP keeps working as before), add the following option at the bottom of the file:

 

/etc/memcached.conf
. . .
-U 0

 

When you are finished, save and close the file.
Restart the Memcached service to apply the changes:

$ sudo service memcached restart

Verify that Memcached is now bound to the local interface and listening only for TCP by typing the following (on newer systems that no longer ship netstat, ss -plunt shows the same information):

$ sudo netstat -plunt


Output
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
. . .
tcp        0      0 127.0.0.1:11211         0.0.0.0:*               LISTEN      2383/memcached
. . .


Memcached is bound to the 127.0.0.1 address and uses only TCP; no udp line for memcached should appear in the listing.

 

Securing Memcached on CentOS and Fedora Servers

For a Memcached service running on a CentOS or Fedora cloud server, you can adjust the service parameters by editing the /etc/sysconfig/memcached file with vi, for instance:

sudo vi /etc/sysconfig/memcached

Inside, bind to the local loopback interface with the -l 127.0.0.1 option, which restricts traffic to clients on the same machine. This may be too restrictive for some environments, but it is a good starting point.


Also set -U 0 to disable the UDP listener. UDP is far more effective for amplification attacks than TCP, so disabling it limits the impact of such attacks should the bind address be widened at a later date.

Add both of these parameters to the OPTIONS variable:

/etc/sysconfig/memcached
PORT="11211"
USER="memcached"
MAXCONN="1024"
CACHESIZE="64"
OPTIONS="-l 127.0.0.1 -U 0"

 

When you are finished, save and close the file.
Restart the Memcached service to apply the changes:

$ sudo service memcached restart

Verify that Memcached is now bound to the local interface and listening only for TCP by typing:

$ sudo netstat -plunt


Output
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name

. . .
tcp        0      0 127.0.0.1:11211         0.0.0.0:*               LISTEN      2383/memcached
. . .


Memcached is bound to the 127.0.0.1 address and uses only TCP; as on Ubuntu and Debian, no udp line for memcached should appear.
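The two sections above edit the same two settings in two file layouts, and a practitioner will want to check them on every host rather than by eye. The following script is an added example, not part of the original tutorial: it reads either a Debian/Ubuntu /etc/memcached.conf (one option per line) or a CentOS/Fedora /etc/sysconfig/memcached (options inside OPTIONS="...") and reports the effective bind address and UDP port. The helper names are my own, and the two sample files it writes are constructed, not copied from a real host.

```shell
#!/bin/sh
# Added example, not from the original tutorial: audit a memcached config
# for the two exposure settings discussed above, the bind address (-l)
# and the UDP port (-U). Works on both layouts: Debian/Ubuntu
# /etc/memcached.conf (one option per line) and CentOS/Fedora
# /etc/sysconfig/memcached (options inside OPTIONS="...").
# Usage on a live host: memcached_audit /etc/memcached.conf  (exit 0 = hardened)

# Flatten either layout into one line of "-x value" tokens: drop comments,
# unwrap OPTIONS="...", join the lines.
_memcached_options() {
    sed -e 's/#.*//' -e 's/^OPTIONS="\(.*\)"$/\1/' "$1" | tr '\n' ' '
}

# Print the -l value. memcached listens on every interface when -l is
# absent, so report 0.0.0.0 in that case.
memcached_bind_addr() {
    addr=$(_memcached_options "$1" | sed -n 's/.*-l[ =]*\([^ ]*\).*/\1/p')
    echo "${addr:-0.0.0.0}"
}

# Print the -U value. Older builds enable UDP on 11211 when -U is absent,
# so assume that conservatively rather than trusting a newer default.
memcached_udp_port() {
    port=$(_memcached_options "$1" | sed -n 's/.*-U[ =]*\([^ ]*\).*/\1/p')
    echo "${port:-11211}"
}

# One WARN line per finding; exit 0 only when memcached is loopback-only
# with UDP disabled. -l may hold a comma-separated list; address:port
# forms are not parsed.
memcached_audit() {
    rc=0
    for a in $(memcached_bind_addr "$1" | tr ',' ' '); do
        case "$a" in
            127.0.0.1|::1|localhost) ;;
            *) echo "WARN: bound to non-loopback address $a"; rc=1 ;;
        esac
    done
    if [ "$(memcached_udp_port "$1")" != "0" ]; then
        echo "WARN: UDP listener enabled (add -U 0)"
        rc=1
    fi
    return $rc
}

# Constructed sample files (not copied from any real host).
write_sample_debian_conf() {
    cat > "$1" <<'EOF'
# /etc/memcached.conf, Debian/Ubuntu layout: hardened
-d
logfile /var/log/memcached.log
-m 64
-p 11211
-u memcache
-l 127.0.0.1
-U 0
EOF
}

write_sample_sysconfig() {
    cat > "$1" <<'EOF'
# /etc/sysconfig/memcached, CentOS/Fedora layout: exposed
PORT="11211"
USER="memcached"
MAXCONN="1024"
CACHESIZE="64"
OPTIONS="-l 0.0.0.0"
EOF
}

hardened=$(mktemp) && write_sample_debian_conf "$hardened"
exposed=$(mktemp) && write_sample_sysconfig "$exposed"
for f in "$hardened" "$exposed"; do
    echo "== $f: bind=$(memcached_bind_addr "$f") udp=$(memcached_udp_port "$f")"
    if memcached_audit "$f"; then echo "OK: loopback-only, UDP disabled"; fi
done
rm -f "$hardened" "$exposed"
```

Treating a missing -U as "UDP on" is deliberate: the check should fail closed on a build whose default you have not verified, and adding an explicit -U 0 costs nothing.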

Allowing Access over the Private Network

The instructions above configure Memcached to listen on the local interface only, which prevents amplification attacks by not exposing the Memcached interface to outside parties. If other servers need access, the configuration has to be adjusted.

The safest way to extend access is to bind Memcached to the server's private network interface and to use a firewall to restrict which hosts may reach it.


Limiting IP Access with Firewalls

Before doing so, set up firewall rules that limit which machines can connect to the Memcached server. You will need the private IP addresses of the client servers to write these rules.

If you are using the UFW firewall, you can limit access to the Memcached instance by typing:

$ sudo ufw allow OpenSSH


$ sudo ufw allow from client_servers_private_IP/32 to any port 11211


$ sudo ufw enable

Repeat the second rule for each client server that needs access. Refer to the UFW documentation for more details.
If you are using iptables, a basic firewall can be established by typing:

$ sudo iptables -A INPUT -i lo -j ACCEPT


$ sudo iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT


$ sudo iptables -A INPUT -p tcp -s client_servers_private_IP/32 --dport 11211 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT


$ sudo iptables -P INPUT DROP


Always save the iptables rules using the mechanism your distribution provides, or they will be lost at the next reboot. Note that these rules admit only loopback traffic, established connections and the listed Memcached clients: if you administer the server over SSH, add an ACCEPT rule for your SSH port before setting the INPUT policy to DROP, or you will lock yourself out. Refer to the iptables documentation for more details. Next, adjust the Memcached service to bind to the server's private network interface.
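The iptables rules above are typed once per client and take the client address on trust. The script below is an added example, not part of the original tutorial: it generates the same rule set for a list of client addresses, refuses any address that is not in RFC 1918 private space (the rule exists precisely to admit only private-network peers), and prints the rules for review before anything is applied. MEMCACHED_PORT, SSH_PORT and APPLY are knobs I have assumed for this script; the client addresses in the demo are constructed.

```shell
#!/bin/sh
# Added example, not part of the original tutorial: generate the iptables
# allow-list for memcached from a list of client addresses, refusing any
# address outside RFC 1918 private space, since the rule exists to admit
# only peers on the private network. Rules are printed for review;
# APPLY=1 runs them through sudo. Persisting them is still up to the
# distribution's save mechanism. MEMCACHED_PORT and SSH_PORT are assumed
# knobs of this script, defaulting to 11211 and 22.

MEMCACHED_PORT="${MEMCACHED_PORT:-11211}"
SSH_PORT="${SSH_PORT:-22}"

# is_private_ipv4 ADDR: exit 0 for a well-formed dotted quad in
# 10/8, 172.16/12 or 192.168/16.
is_private_ipv4() {
    case "$1" in
        *..*|.*|*.) return 1 ;;
        10.*|192.168.*|172.1[6-9].*|172.2[0-9].*|172.3[01].*) ;;
        *) return 1 ;;
    esac
    n=0
    for oct in $(echo "$1" | tr '.' ' '); do
        case "$oct" in ''|*[!0-9]*) return 1 ;; esac
        [ "$oct" -le 255 ] || return 1
        n=$((n + 1))
    done
    [ "$n" -eq 4 ]
}

# memcached_fw_rules CLIENT_IP...: print the rule set, or exit 1 without
# printing anything if an address is not private.
memcached_fw_rules() {
    [ $# -gt 0 ] || { echo "usage: memcached_fw_rules CLIENT_IP..." >&2; return 1; }
    for ip in "$@"; do
        is_private_ipv4 "$ip" || { echo "refusing non-private address: $ip" >&2; return 1; }
    done
    echo "iptables -A INPUT -i lo -j ACCEPT"
    echo "iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    # keep administrative access: the rule set drops everything else,
    # so SSH must be admitted before the policy flips to DROP
    echo "iptables -A INPUT -p tcp --dport $SSH_PORT -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT"
    for ip in "$@"; do
        echo "iptables -A INPUT -p tcp -s $ip/32 --dport $MEMCACHED_PORT -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT"
    done
    # no UDP rule on purpose: with -U 0 nothing listens, and the firewall
    # should not reopen the amplification vector if that ever changes
    echo "iptables -P INPUT DROP"
}

# apply_rules CLIENT_IP...: execute the generated rules with sudo
apply_rules() {
    memcached_fw_rules "$@" | while IFS= read -r rule; do
        sudo $rule || exit 1
    done
}

# Demo with constructed client addresses when none are given on the
# command line.
[ $# -gt 0 ] || set -- 10.0.0.5 10.0.0.6
if [ "${APPLY:-0}" = "1" ]; then
    apply_rules "$@"
else
    memcached_fw_rules "$@"
fi
```

Run it without APPLY first and read the output; the SSH rule is emitted before the DROP policy for the same reason the UFW section allows OpenSSH before ufw enable.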


Binding Memcached to the Private Network Interface

Once the firewall is in place, adjust the Memcached configuration to bind to the server's private network interface instead of 127.0.0.1.
For Ubuntu or Debian servers, open the /etc/memcached.conf file again:

$ sudo nano /etc/memcached.conf

Inside, find the -l 127.0.0.1 line and change the address to match the server's private network interface:

/etc/memcached.conf
. . .
-l memcached_servers_private_IP
. . .

 

When you are finished, save and close the file.
For CentOS and Fedora servers, open the /etc/sysconfig/memcached file again:

$ sudo vi /etc/sysconfig/memcached

Inside, change the -l 127.0.0.1 parameter in the OPTIONS variable to reference your Memcached server's private IP, leaving -U 0 in place:

/etc/sysconfig/memcached

. . .
OPTIONS="-l memcached_servers_private_IP -U 0"


When you are finished, save and close the file.

Restart the Memcached service again:

$ sudo service memcached restart


Check the new settings with netstat to confirm the change:


$ sudo netstat -plunt


Output

Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
. . .
tcp        0      0 memcached_servers_private_IP:11211 0.0.0.0:*     LISTEN      2383/memcached
. . .

Memcached now listens on the private address, still over TCP only. Keep -U 0 in place so that widening the bind address does not reopen the UDP amplification vector, and keep the firewall rules from the previous section as the control that decides which hosts may connect.
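Each section above ends with the same manual check of netstat -plunt. As an added example, not part of the original tutorial, the script below reads that output and classifies every memcached socket: loopback binds are OK, binds to all interfaces (0.0.0.0, ::, *) and any UDP socket are WARN, and a bind to some other address (the private-interface case from this section) is NOTE, acceptable only behind the firewall rules described earlier. The function name is my own, and the two netstat listings are constructed samples, not captured from a real host.

```shell
#!/bin/sh
# Added example, not from the original tutorial: read "netstat -plunt"
# output and classify every memcached socket, so the check at the end of
# each section above can be scripted instead of eyeballed. Exit status is
# 1 when any WARN was printed. Column positions follow netstat; "ss -plunt"
# puts the local address in a different column and is not handled here.

memcached_listener_findings() {
    awk '
        $NF ~ /\/memcached$/ {
            proto = $1; laddr = $4
            # split address and port at the last colon (works for :::11211 too)
            i = match(laddr, /:[0-9]+$/)
            addr = substr(laddr, 1, i - 1); port = substr(laddr, i + 1)
            if (proto ~ /^udp/) {
                level = "WARN"; msg = "udp listener, set -U 0 and restart"
            } else if (addr == "0.0.0.0" || addr == "::" || addr == "*") {
                level = "WARN"; msg = "listening on all interfaces, set -l"
            } else if (addr == "127.0.0.1" || addr == "::1") {
                level = "OK"; msg = "loopback only"
            } else {
                level = "NOTE"; msg = "non-loopback bind, firewall must restrict clients"
            }
            printf "%s: %s %s port %s (%s)\n", level, proto, addr, port, msg
            if (level == "WARN") bad = 1
        }
        END { exit (bad ? 1 : 0) }
    '
}

# Constructed sample of "sudo netstat -plunt" output (not from a real
# host): a loopback TCP socket, plus a UDP socket and an IPv6 TCP socket
# that were left open on every interface.
sample_netstat_exposed() {
    cat <<'EOF'
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:11211         0.0.0.0:*               LISTEN      2383/memcached
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      901/sshd
udp        0      0 0.0.0.0:11211           0.0.0.0:*                           2383/memcached
tcp6       0      0 :::11211                :::*                    LISTEN      2383/memcached
EOF
}

# The same host after applying -l 127.0.0.1 and -U 0 (constructed).
sample_netstat_hardened() {
    cat <<'EOF'
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:11211         0.0.0.0:*               LISTEN      2383/memcached
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      901/sshd
EOF
}

echo "== before hardening"
sample_netstat_exposed | memcached_listener_findings || echo "exposed: fix -l/-U and restart"
echo "== after hardening"
sample_netstat_hardened | memcached_listener_findings && echo "all memcached sockets are loopback TCP"
# on a live host: sudo netstat -plunt | memcached_listener_findings
```

The IPv6 wildcard (:::11211) is worth the extra branch: a host that was hardened by editing only the IPv4 address can still answer on every IPv6 interface, and a UDP socket is flagged regardless of its address because it is the reflection vector.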