Secure memcached server to avoid DDoS amplification attacks

Memcached is a free and open source distributed memory object caching system. When its UDP port is reachable from the public Internet, it can be abused as a reflector for DDoS amplification attacks: a small request with a spoofed source address triggers a much larger reply to the victim. Disabling UDP, binding to a private address and firewalling port 11211 removes that exposure.

How to install Memcached server

Use the apt-get command/apt command on a Debian/Ubuntu Linux:


$ sudo apt install memcached

If you are using a CentOS/RHEL, try yum command:


$ sudo yum install memcached

Fedora Linux user should use the dnf command:


$ sudo dnf install memcached


How to configure Memcached

You need to edit the following file as per your Linux distro:

  • Debian/Ubuntu/Mint Linux – /etc/memcached.conf
  • CentOS/RHEL/Fedora/Oracle Linux – /etc/sysconfig/memcached


How to secure memcached server

The procedure to secure a memcached server is as follows:

 Configure a firewall

1) DEBIAN/UBUNTU LINUX EXAMPLE

You can use ufw on a Debian/Ubuntu Linux as follows to only allow traffic on port 11211 between two private IP addresses:


### [use the following if you are using the tcp port] ###
$ sudo ufw allow from 152.23.18.7 to 152.23.18.6 port 11211 proto tcp comment 'Allow memcached tcp port'
### [uncomment the following if you are using the udp port] ###
$ #sudo ufw allow from 152.23.18.7 to 152.23.18.6 port 11211 proto udp comment 'Allow memcached udp port'

2) CENTOS/RHEL VERSION 6.X/5.X

If you are using a CentOS/RHEL 6.x/5.x, edit the /etc/sysconfig/iptables:


$ sudo vi /etc/sysconfig/iptables

Add the following INPUT line:


-A INPUT -m state --state NEW -m tcp -p tcp --dport 11211 -s 152.23.18.7  -d 152.23.18.6  -j ACCEPT
# uncomment the following if you are using udp
#-A INPUT -m state --state NEW -m udp -p udp --dport 11211 -s 152.23.18.7 -d 152.23.18.6  -j ACCEPT

Save and close the file. Restart the firewall, run:

$ sudo service iptables restart


3) RHEL/CENTOS VERSION 7.X AND FEDORA LINUX

On the latest CentOS/RHEL/Fedora Linux releases, use the following firewall-cmd rich rule:

# firewall-cmd --permanent --zone=public --add-rich-rule='
rule family="ipv4"
source address="152.23.18.7/24"
port protocol="tcp" port="11211" accept'

Reload the firewall:

# firewall-cmd --reload

 
 Disable UDP

To disable UDP and listen only on the loopback IP 127.0.0.1 and the private IP 152.23.18.6, add the following to the file named /etc/sysconfig/memcached on CentOS/RHEL/Fedora Linux:

OPTIONS="-U 0 -l 127.0.0.1,152.23.18.6"

Append the following on a Debian/Ubuntu Linux file named /etc/memcached.conf:

-U 0
-l 127.0.0.1,152.23.18.6


Where,

  • -U 0: Listen on UDP port {num}; the default is port 11211. Set it to 0 to turn UDP off, i.e. disable UDP if it is NOT needed.
  • -l 127.0.0.1,152.23.18.6: Specify which IP addresses to listen on. The default is to listen on all IP addresses. This parameter is one of the only security measures that memcached has, so make sure it is listening on a firewalled interface.


 Force memcached to listen on private LAN/VLAN IP address

As discussed above, set the -l option to the loopback address and your private LAN/VLAN IP address.

 Test memcached server security settings


Make sure that your Memcached server is firewalled and that its TCP/UDP ports are closed from the public Internet, so that only your web server/app can reach it. Test from an outside host using the nc command/telnet command/nmap command; none of them should get a response:


$ nc your-public-IP-here 11211
$ nc -u your-public-IP-here 11211
$ telnet your-public-IP-here 11211
$ sudo nmap your-public-IP-here -p 11211 -sU -sS --script memcached-info



Verify open ports with the ss command or netstat command:

$ ss -tulpn | grep :11211
$ netstat -tulpn | grep :11211
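The following audit script is an added example, not part of the original article: it checks the two settings described above (-U 0 and a non-wildcard -l) in either distro's config format, and then scans ss -tulpn output for memcached sockets that are still UDP or bound to all addresses. The config file and ss lines at the bottom are constructed sample input.

```shell
#!/usr/bin/env bash
# Audit memcached for the amplification-relevant settings: UDP must be
# disabled (-U 0) and -l must be present and not a wildcard address.
# Handles the RHEL-style OPTIONS="..." line and the Debian-style
# one-flag-per-line file. Sample data below is constructed, not real.

# Print the memcached flag string from a config file, whichever format.
memcached_flags() {
  if grep -q '^OPTIONS=' "$1" 2>/dev/null; then
    sed -n 's/^OPTIONS="\(.*\)"$/\1/p' "$1"
  else
    grep -E '^-' "$1" 2>/dev/null | tr '\n' ' '
  fi
}

# Exit 0 when the flags are safe, 1 otherwise; findings go to stdout.
check_flags() {
  flags=" $1 "
  rc=0
  case "$flags" in
    *" -U 0 "*) echo "ok:   UDP disabled" ;;
    *) echo "FAIL: UDP not disabled (add -U 0)"; rc=1 ;;
  esac
  listen=$(printf '%s' "$flags" | sed -n 's/.* -l \([^ ]*\).*/\1/p')
  case ",$listen," in
    ",,") echo "FAIL: no -l given, memcached listens on all addresses"; rc=1 ;;
    *",0.0.0.0,"*|*",::,"*|*",*,"*) echo "FAIL: -l has a wildcard ($listen)"; rc=1 ;;
    *) echo "ok:   bound to $listen" ;;
  esac
  return $rc
}

# Read ss -tulpn output on stdin; exit 1 if any memcached socket is UDP
# or bound to a wildcard address (0.0.0.0, * or [::]).
check_ss() {
  rc=0
  while read -r proto _ _ _ local _ rest; do
    case "$rest" in *memcached*) ;; *) continue ;; esac
    case "$proto:$local" in
      udp:*) echo "FAIL: UDP socket $local"; rc=1 ;;
      "tcp:0.0.0.0:11211"|"tcp:*:11211"|"tcp:[::]:11211") echo "FAIL: wildcard $local"; rc=1 ;;
      tcp:*) echo "ok:   $local" ;;
    esac
  done
  return $rc
}

# --- constructed sample input ---
cfg=$(mktemp); printf 'OPTIONS="-U 0 -l 127.0.0.1,152.23.18.6"\n' > "$cfg"
if check_flags "$(memcached_flags "$cfg")"; then echo "config hardened"; fi
rm -f "$cfg"
ss_sample='udp UNCONN 0 0 0.0.0.0:11211 0.0.0.0:* users:(("memcached",pid=1234,fd=27))
tcp LISTEN 0 1024 127.0.0.1:11211 0.0.0.0:* users:(("memcached",pid=1234,fd=26))'
if ! printf '%s\n' "$ss_sample" | check_ss; then echo "memcached still exposed"; fi
```

On a live host, run `check_flags "$(memcached_flags /etc/memcached.conf)"` (or /etc/sysconfig/memcached) and `ss -tulpn | check_ss` after restarting memcached.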