How to install Memcached server
Use the apt-get command/apt command on a Debian/Ubuntu Linux:
$ sudo apt install memcached
If you are using a CentOS/RHEL, try yum command:
$ sudo yum install memcached
Fedora Linux users should use the dnf command:
$ sudo dnf install memcached
How to configure Memcached
You need to edit the following file as per your Linux distro:
- Debian/Ubuntu/Mint Linux – /etc/memcached.conf
- CentOS/RHEL/Fedora/Oracle Linux – /etc/sysconfig/memcached
How to secure memcached server
The procedure to secure a memcached server is as follows. Memcached has no authentication or encryption of its own, so network reachability is the control: only the web/app server should be able to reach port 11211.
Configure a firewall
1) DEBIAN/UBUNTU LINUX EXAMPLE
You can use ufw on a Debian/Ubuntu Linux as follows to allow traffic to port 11211 only between two hosts (152.23.18.7 is the web/app server, 152.23.18.6 is the memcached server). Everything else is blocked by ufw's default deny policy:
### [TCP is what clients normally use, so this rule is always needed] ###
$ sudo ufw allow from 152.23.18.7 to 152.23.18.6 port 11211 proto tcp comment 'Allow memcached tcp port'
### [uncomment the following only if you really use the UDP port; see "Disable UDP" below] ###
$ #sudo ufw allow from 152.23.18.7 to 152.23.18.6 port 11211 proto udp comment 'Allow memcached udp port'
2) CENTOS/RHEL VERSION 6.X/5.X
If you are using a CentOS/RHEL 6.x/5.x, edit the /etc/sysconfig/iptables file:
$ sudo vi /etc/sysconfig/iptables
Add the following INPUT line. It must come before the final REJECT rule that the default file ends with, otherwise it is never reached:
-A INPUT -m state --state NEW -m tcp -p tcp --dport 11211 -s 152.23.18.7 -d 152.23.18.6 -j ACCEPT
# uncomment the following only if you really use UDP
#-A INPUT -m state --state NEW -m udp -p udp --dport 11211 -s 152.23.18.7 -d 152.23.18.6 -j ACCEPT
Save and close the file. Restart the firewall, run:
$ sudo service iptables restart
3) RHEL/CENTOS VERSION 7.X AND FEDORA LINUX
For the latest CentOS/RHEL/Fedora Linux versions use the following firewall-cmd rich rule. Note the source is a single host (equivalent to 152.23.18.7/32); a /24 here would open the port to every host in that subnet, not just the web server:
# firewall-cmd --permanent --zone=public --add-rich-rule='
rule family="ipv4"
source address="152.23.18.7"
port protocol="tcp" port="11211" accept'
Reload the firewall:
# firewall-cmd --reload
Disable UDP
To disable UDP and listen only on the loopback IP 127.0.0.1 and the private IP 152.23.18.6, add the following to the file named /etc/sysconfig/memcached on a CentOS/RHEL/Fedora Linux:
OPTIONS="-U 0 -l 127.0.0.1,152.23.18.6"
On a Debian/Ubuntu Linux set the following in the file named /etc/memcached.conf (the packaged file already contains a -l 127.0.0.1 line; change that line rather than adding a second one):
-U 0
-l 127.0.0.1,152.23.18.6
Where,
- -U 0: Listen on UDP port {num}; the default was port 11211 in versions before 1.5.6, and UDP is off by default from 1.5.6 on. Set it to 0 to turn it off explicitly, i.e. disable UDP if NOT needed. An Internet-reachable memcached UDP port can be abused for reflection/amplification attacks, so set this even on newer versions.
- -l 127.0.0.1,152.23.18.6: Specify which IP addresses to listen on, as a comma-separated list. The default is to listen on all IP addresses. This parameter is one of the only security measures that memcached has, so make sure it is listening only on loopback and a firewalled interface, never on 0.0.0.0.
Force memcached to listen on private LAN/VLAN IP address
As discussed above set the -l option.
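The two settings above are easy to get wrong on a fleet (a leftover -l 0.0.0.0, an empty OPTIONS= line on RHEL). The following is an added example, not part of the original article: a small POSIX sh audit that reads either config layout, extracts the effective -U and -l options and reports whether UDP is open and whether memcached would bind every interface. The sample config contents it writes are constructed for the dry run, not copied from a real server.

```shell
#!/bin/sh
# Added example (not from the article): audit a memcached config file for the
# two hardening settings discussed above, -U 0 (UDP off) and a restricted -l list.
# Handles both layouts: Debian-style /etc/memcached.conf (one option per line,
# '#' comments) and RHEL-style /etc/sysconfig/memcached (OPTIONS="..." line).

# Print the effective memcached command-line options from a config file on one line.
memcached_opts() {
    if grep -q '^OPTIONS=' "$1"; then
        sed -n 's/^OPTIONS=//p' "$1" | tr -d '"'
    else
        sed -e 's/#.*//' "$1" | tr '\n' ' '
    fi
}

# Report the UDP listener: "udp-disabled", "udp-open:<port>", or "udp-unset".
# Unset means the packaged default applies: UDP off since memcached 1.5.6, port 11211 before.
udp_status() {
    set -- $(memcached_opts "$1")
    port=""
    while [ $# -gt 0 ]; do
        case "$1" in
            -U)  port="$2"; shift ;;
            -U*) port="${1#-U}" ;;
        esac
        shift
    done
    case "$port" in
        "") echo "udp-unset" ;;
        0)  echo "udp-disabled" ;;
        *)  echo "udp-open:$port" ;;
    esac
}

# Report bind addresses: "listen-all" if memcached would bind every interface
# (no -l at all, or a wildcard 0.0.0.0 / :: in the list), else "listen:<list>".
listen_status() {
    set -- $(memcached_opts "$1")
    addrs=""
    while [ $# -gt 0 ]; do
        case "$1" in
            -l)  addrs="${addrs:+$addrs,}$2"; shift ;;
            -l*) addrs="${addrs:+$addrs,}${1#-l}" ;;
        esac
        shift
    done
    case ",$addrs," in
        ",,"|*",0.0.0.0,"*|*",::,"*) echo "listen-all" ;;
        *) echo "listen:$addrs" ;;
    esac
}

# One-line verdict for a config file.
audit() {
    printf '%s: %s, %s\n' "$1" "$(udp_status "$1")" "$(listen_status "$1")"
}

# Constructed sample configs (not real files from a server) for a dry run.
write_sample_debian() {
    cat > "$1" <<'EOF'
# /etc/memcached.conf style: one option per line
-d
logfile /var/log/memcached.log
-m 64
-p 11211
-u memcache
-l 127.0.0.1,152.23.18.6
-U 0
EOF
}

write_sample_rhel_weak() {
    cat > "$1" <<'EOF'
PORT="11211"
USER="memcached"
MAXCONN="1024"
CACHESIZE="64"
OPTIONS=""
EOF
}

# Dry run: the Debian sample is hardened, the RHEL sample relies on defaults.
tmp=$(mktemp)
write_sample_debian "$tmp";    audit "$tmp"
write_sample_rhel_weak "$tmp"; audit "$tmp"
rm -f "$tmp"
```

On a real host run audit /etc/memcached.conf or audit /etc/sysconfig/memcached; anything other than "udp-disabled" plus a "listen:" list of loopback and private addresses needs fixing. The RHEL sample reports "listen-all" because the PORT/USER/CACHESIZE variables in that file are passed separately by the service unit and do not restrict the bind address; only -l inside OPTIONS does.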
Test memcached server security settings
Make sure that your memcached server is firewalled and that its TCP and UDP ports are closed from the public Internet, so that only your web server/app can reach it. From a host that is NOT the web server (ideally one on the public Internet), try to connect with the nc command, telnet command or nmap command; every attempt should fail with a timeout or "connection refused", and nmap should report the port as filtered or closed:
$ nc your-public-IP-here 11211
$ nc -u your-public-IP-here 11211
$ telnet your-public-IP-here 11211
$ sudo nmap your-public-IP-here -p 11211 -sU -sS --script memcached-info
Then, from the web server itself, confirm that the same connection to the private IP (152.23.18.6) succeeds; if both checks pass, the firewall rules are doing what you intended.
On the memcached server itself, verify which addresses the daemon is bound to with the ss command or netstat command. The Local Address column must show 127.0.0.1 and the private IP only, never 0.0.0.0, [::] or *, and there should be no udp line at all once UDP is disabled:
$ ss -tulpn | grep :11211
$ netstat -tulpn | grep :11211
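Reading that ss output by eye is fine for one box; for a scripted check, the following is an added example, not part of the original article: an awk filter that takes ss -tulpn output on stdin and prints every memcached socket on port 11211 bound to a wildcard address, exiting non-zero if it finds one. The sample ss lines are constructed to show one bad (UDP on 0.0.0.0) and one good (TCP on loopback) socket.

```shell
#!/bin/sh
# Added example (not from the article): flag memcached sockets that are bound
# to every interface, using `ss -tulpn` output read from standard input.
# Field 5 of ss output is "Local Address:Port"; the Process column only exists
# with -p, which is why the check also requires the "memcached" process name.

# Print "<netid> <local address:port>" for each wildcard-bound memcached socket.
# Exit status 1 if at least one was found, 0 if memcached is only bound to specific IPs.
wildcard_memcached_binds() {
    awk '$5 ~ /^(0\.0\.0\.0|\[::\]|\*):11211$/ && $0 ~ /"memcached"/ { print $1, $5; found = 1 }
         END { exit found ? 1 : 0 }'
}

# Constructed `ss -tulpn` output (not captured from a real host): a UDP socket on
# all interfaces, a TCP socket on loopback, and an unrelated sshd listener.
sample_ss_output() {
    cat <<'EOF'
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
udp   UNCONN 0      0            0.0.0.0:11211      0.0.0.0:*     users:(("memcached",pid=1234,fd=27))
tcp   LISTEN 0      1024       127.0.0.1:11211      0.0.0.0:*     users:(("memcached",pid=1234,fd=26))
tcp   LISTEN 0      128          0.0.0.0:22         0.0.0.0:*     users:(("sshd",pid=800,fd=3))
EOF
}

# Same host after applying -U 0 and -l 127.0.0.1,152.23.18.6 (constructed).
sample_ss_output_hardened() {
    cat <<'EOF'
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
tcp   LISTEN 0      1024       127.0.0.1:11211      0.0.0.0:*     users:(("memcached",pid=1234,fd=26))
tcp   LISTEN 0      1024    152.23.18.6:11211      0.0.0.0:*     users:(("memcached",pid=1234,fd=27))
EOF
}

# Dry run on the constructed samples; on a real host pipe `ss -tulpn` in instead.
if sample_ss_output | wildcard_memcached_binds; then
    echo "before: no wildcard binds"
else
    echo "before: wildcard bind found (listed above)"
fi
if sample_ss_output_hardened | wildcard_memcached_binds; then
    echo "after: no wildcard binds"
fi
```

On a live server run ss -tulpn | wildcard_memcached_binds from a cron job or a configuration-management check; a non-zero exit means the -l setting did not take effect (for example the service was not restarted after editing the file).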