When using systems like Memcached, it is extremely important to properly protect the servers on which they are installed; otherwise an attack on the server can have serious consequences. This guide therefore explains not only how to install Memcached, but also how to secure it on the server.
Requirements
Before proceeding with the instructions, you must have Ubuntu 16.04 installed on your server with a user who can execute sudo commands and a firewall.
Step 1: Install Memcached from the official repositories
If your server does not already have Memcached, you can install it from the official Ubuntu repositories. First, update the package index: Then install the package: For convenience when working with Memcached, you can also install libmemcached-tools, a library with several useful tools: Memcached is now installed as a service on your server, and it is time to move on to securing it.
Step 2: Protect Memcached settings
First, check that Memcached listens only on localhost, 127.0.0.1. To do this, look at the settings in the configuration file located at /etc/memcached.conf. Open /etc/memcached.conf with nano: Then find the following line: If it reads -l 127.0.0.1, nothing needs to change. However, just in case, you can disable UDP so that attackers cannot use it in attacks. The TCP configuration remains untouched. At the end of the file, add: Then save and close the file. Restart Memcached for the changes to take effect. Make sure that Memcached is bound to the local interface and listens only on TCP: The output will look something like this:
Step 3: Add Authorized Users
To add authorized users to Memcached, you can use SASL (Simple Authentication and Security Layer). This is a framework that separates authentication mechanisms from application protocols. First, you need to enable SASL support in the Memcached configuration file, and then add the user.
Configuring SASL support
Check the current state of Memcached with the memcstat command. This is necessary so that you can track the effect of the changes you make later. To verify that the Memcached service is up and running, type: You should see something like this: Now you need to enable SASL. Add the -S option to the /etc/memcached.conf configuration file. To do this, open the file again: At the end of the file, add: Next, find and uncomment the -vv option, which produces verbose logging in /var/log/memcached. The uncommented line will look like this: Save and close the file. Restart the Memcached service: Now you can look at the logs to make sure that SASL support is enabled: You should see the following line: You can check the status of Memcached again. Now that SASL is active, this command will not succeed without authentication: You will not see any output. To check the exit status of the command, enter the command below: It shows the exit code: any number other than 0 indicates that the command failed. In this case you should see 1, which means the command was not executed.
Adding an Authorized User
Now you can install the sasl2-bin package, which contains the administration programs for the SASL user database. With it you can create an authorized user: Next, create a directory and a file that Memcached will use to read the SASL settings: Add the following lines to the SASL configuration file: mech_list is set to plain, which means that Memcached will use its own password file and verify a plaintext password. You will also need to specify the path to the user database file (this is done later).
Save and close the file after the changes. Now create the SASL database with the user data. To do this, use the saslpasswd2 command with the -c option. The -f switch lets you specify the path to the database (the same path that is needed in the memcached.conf file): Next, change the permissions: the Memcached service user must be granted access to the SASL database. After that, restart Memcached: The memcstat command will now show whether authentication works (enter it with your own credentials): The output should look something like this: Memcached now runs with SASL support and user authentication.
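As an added check that is not part of this guide, the following POSIX shell helper audits a memcached.conf and the SASL configuration file for the settings described in Steps 2 and 3 (loopback binding, UDP disabled, -S enabled, mech_list plain, sasldb_path set). The function names are my own, and the file paths passed to it are the ones you configured.

```shell
#!/bin/sh
# Constructed audit helper for the hardening steps in this guide; it is not
# part of the guide or of the Memcached project. Each audit function prints
# one line per check and returns the number of failed checks (0 = all passed).
# Usage: audit_memcached_conf /etc/memcached.conf
#        audit_sasl_conf /etc/sasl2/memcached.conf

# check FILE PATTERN OK_MSG FAIL_MSG -> returns 0 if an uncommented line matches
check() {
    if grep -Eq "$2" "$1"; then
        echo "OK   $3"
        return 0
    fi
    echo "FAIL $4"
    return 1
}

# Step 2 and Step 3: the options must appear uncommented in memcached.conf
# (a commented-out "#-S" line starts with '#' and therefore does not match).
audit_memcached_conf() {
    fails=0
    check "$1" '^[[:space:]]*-l[[:space:]]+127\.0\.0\.1([[:space:]]|$)' \
        "listens on 127.0.0.1 only" \
        "no '-l 127.0.0.1' line: Memcached may accept remote connections" || fails=$((fails + 1))
    check "$1" '^[[:space:]]*-U[[:space:]]+0([[:space:]]|$)' \
        "UDP disabled (-U 0)" \
        "no '-U 0' line: the UDP port is still open" || fails=$((fails + 1))
    check "$1" '^[[:space:]]*-S([[:space:]]|$)' \
        "SASL authentication enabled (-S)" \
        "no '-S' line: clients can connect without credentials" || fails=$((fails + 1))
    return "$fails"
}

# Step 3: the SASL configuration must select the plain mechanism and point
# at the password database created with saslpasswd2 -f.
audit_sasl_conf() {
    fails=0
    check "$1" '^[[:space:]]*mech_list:[[:space:]]*plain([[:space:]]|$)' \
        "mech_list is plain" \
        "mech_list is not set to plain" || fails=$((fails + 1))
    check "$1" '^[[:space:]]*sasldb_path:[[:space:]]*/' \
        "sasldb_path points at a database file" \
        "sasldb_path missing: Memcached cannot find the user database" || fails=$((fails + 1))
    return "$fails"
}
```

Run both functions after every edit to the configuration files; a non-zero return value lists exactly which hardening step is still missing.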