| title | excerpt | updated |
|---|---|---|
Securing a server with a Memcached service |
Find out how to secure your Memcached service |
2018-03-02 |
Memcached is an in-memory database service. It is mainly used to speed up web applications, by caching static content and database request results. The way it works is very simple: it’s a key-value in-memory database for non-persistent storage.
By default, Memcached is not protected by authentication. If the server is accessible, anyone can access the data stored on it. For this reason, it is highly important that you secure this database.
This guide is designed to assist you with the configuration changes required to secure your service.
Warning
OVHcloud is providing you with machines that you are responsible for. We have no access to these machines, and therefore cannot manage them. You are responsible for your own software and security management.
This guide is designed to assist you with common tasks as much as possible. However, we recommend that you contact a specialist service provider if you experience any issues or doubts when it comes to managing, using or securing your server. You can find more information in the “Go further” section of this guide.
- You must have access to the server with the Memcached service (via SSH for Linux environments, or via remote desktop for Windows).
- You will need to identify the services that are using Memcached. To do this, answer the following questions:
- Are the services that use Memcached stored on the same server? Are they being used in a private network?
- Do the services that use Memcached require it to be publicly accessible on the internet?
To secure your Memcached server, you will need to follow two steps:
- Restrict the service’s listening address.
- Only accept TCP connections.
For versions older than /1.5.6/, Memcached authorises TCP and UDP connections by default. This default configuration can be exploited, and used to launch amplified DDoS attacks. The developers have pointed out that UDP connections were highly important when the software was first built, since this kind of technology was rarer at the time. In this guide, we will assume that you are one of the 99% of users who do not require UDP connections.
If your Memcached server is only used by your local server, you can limit the listening address to 127.0.0.1.
If other servers need to connect to your Memcached server via a private network, force it to listen on a private IP (e.g. 10.0.0.1. You will need to adapt this according to your network class).
In all cases, disable UDP listening by running the -U 0 command.
We will now detail the configuration aspects of the most commonly used operating systems.
By default, Debian and Ubuntu use service memcached status/start/restart/force-reload to manage the Memcached service. If you are using Debian or Ubuntu, edit the /etc/memcached.conf file while you are logged in as the root user.
You can start by adding this option, which disables UDP listening. As mentioned previously, UDP listening is a legacy technology, and is not required by Memcached users.
# Disable UDP protocol
-U 0If your Memcached server is only used by your local server, you will need to enable the following option, which will stop your service from being exposed on the internet:
-l 127.0.0.1Once you have made the required configuration changes, save the config file, and run one of the following two commands to reload your configuration:
service memcached force-reload
/etc/init.d/memcached force-reloadBy default, CentOS, Fedora and RedHat use service memcached status/start/restart/force-reload to manage the Memcached service. If you are using CentOS, Fedora or RedHat, edit the /etc/sysconfig/memcached file while you are logged in as the root user.
If your Memcached server is only used by your local server, we recommend adding the OPTIONS line below, which will prevent your service from being exposed on the internet by disabling the UDP protocol. As mentioned previously, UDP is now a legacy technology that is not required by Memcached users.
OPTIONS="-l 127.0.0.1 -U 0"If your Memcached server is also used by third-party servers, add the following OPTIONS line, which will only disable the UDP protocol:
OPTIONS="-U 0"Once you have made the required configuration changes, save the config file and run the following command to reload the configuration:
sudo service memcached force-reloadBy default, Arch Linux uses systemctl start/restart/stop memcached to manage the Memcached service. If you are using Arch Linux, edit the /usr/lib/systemd/system/memcached file while you are logged in as the root user.
If your Memcached server is only used by your local server, we recommend adding the following line, which will prevent your service from being exposed on the internet by disabling the UDP protocol. As mentioned previously, UDP is now a legacy technology that is not required by Memcached users.
ExecStart=/usr/bin/memcached -l 127.0.0.1 -U 0 -o modernIf your Memcached server is also used by third-party servers, add the following line, which will only disable the UDP protocol:
ExecStart=/usr/bin/memcached -U 0 -o modernOnce you have made the required configuration changes, save the config file, and run one of the following two commands to reload the configuration:
sudo systemctl daemon-reload
sudo systemctl force-reload memcachedJoin our community of users.