Introduction

Memory object caching systems like Memcached can optimize backend database performance by temporarily storing information in memory, retaining frequently or recently requested records. In this way, they reduce the number of direct requests to your databases.
Because systems like Memcached can contribute to denial of service attacks if improperly configured, it is important to secure your Memcached servers. In this guide, we will cover how to protect your Memcached server by binding your installation to a local or private network interface and creating an authorized user for your Memcached instance.

Prerequisites

This tutorial assumes that you have a server set up with a non-root sudo user and a basic firewall. If that is not the case, set up and install the following:
With these prerequisites in place, you will be ready to install and secure your Memcached server.

Installing Memcached from Official Repositories

If you don’t already have Memcached installed on your server, you can install it from the official CentOS repositories. First, make sure that your local package index is updated:
Next, install the official package as follows:
We can also install
Memcached should now be installed as a service on your server, along with tools that will allow you to test its connectivity. We can now move on to securing its configuration settings.

Securing Memcached Configuration Settings

To ensure that our Memcached instance is listening on the local interface You can open
Locate the /etc/sysconfig/memcached
Binding to our local network interface will restrict traffic to clients on the same machine. We will do this by adding

Because the UDP protocol is much more effective for denial of service attacks than TCP, we can also disable the UDP listener. To do this, we will add the /etc/sysconfig/memcached
Save and close the file when you are done. Restart your Memcached service to apply your changes:
Verify that Memcached is currently bound to the local interface and listening only for TCP connections by typing:
You should see the following output:
This confirms that

Adding Authorized Users

To add authenticated users to your Memcached service, it is possible to use Simple Authentication and Security Layer (SASL), a framework that de-couples authentication procedures from application protocols. We will enable SASL within our Memcached configuration file and then move on to adding a user with authentication credentials.

Configuring SASL Support

We can first test the connectivity of our Memcached instance with the To check that Memcached is up and running, type the following:
You should see output like the following:
Now we can move on to enabling SASL. First, we can add the
We will add both the /etc/sysconfig/memcached
Save and close the file. Restart the Memcached service:
Next, we can take a look at the logs to be sure that SASL support has been enabled:
You should see the following line, indicating that SASL support has been initialized:
We can check the connectivity again, but because SASL has been initialized, this command should fail without authentication:
This command should not produce output. We can type the following to check its status:
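The bind address, UDP and SASL settings from the two sections above can be checked in one pass. The following script is an added example, not part of the original tutorial: the function names are hypothetical, the sample file content is constructed, and it relies only on memcached's -l, -U and -S flags.

```bash
# Added example (not from the original tutorial): audit memcached's OPTIONS.
# Handles the short flags only: -l <addr[,addr]>, -U <port>, -S.

# Print the OPTIONS="..." value from a sysconfig-style file (or stdin), unsourced.
options_from_file() { sed -n 's/^OPTIONS="\(.*\)"[[:space:]]*$/\1/p' "$@" | tail -n 1; }

# Classify one listen address: loopback, private (RFC 1918) or public.
classify_addr() {
    case "$1" in
        127.*|localhost|::1) echo loopback ;;
        10.*|192.168.*|172.1[6-9].*|172.2[0-9].*|172.3[01].*) echo private ;;
        *) echo public ;;
    esac
}

# audit_options "<OPTIONS>": prints findings; exit status = number of FAILs.
audit_options() (                     # subshell body: set -f / set -- stay local
    set -f; set -- $1                 # split into words, no globbing
    listen=""; udp=""; sasl=no; fails=0
    while [ $# -gt 0 ]; do
        case "$1" in
            -l)  listen=${2-}; if [ $# -gt 1 ]; then shift; fi ;;
            -l*) listen=${1#-l} ;;
            -U)  udp=${2-}; if [ $# -gt 1 ]; then shift; fi ;;
            -U*) udp=${1#-U} ;;
            -S)  sasl=yes ;;
        esac
        shift
    done
    worst=loopback; [ -n "$listen" ] || worst=public   # no -l: all interfaces
    for a in $(echo "$listen" | tr ',' ' '); do
        case "$(classify_addr "$a")" in
            public)  worst=public ;;
            private) [ "$worst" = public ] || worst=private ;;
        esac
    done
    case "$worst" in
        loopback) echo "OK   bind: $listen" ;;
        private)  echo "WARN bind: $listen (private; limit sources in the firewall)" ;;
        public)   echo "FAIL bind: ${listen:-all interfaces}"; fails=$((fails + 1)) ;;
    esac
    [ "$udp" = 0 ]    || { echo "FAIL udp: add -U 0"; fails=$((fails + 1)); }
    [ "$sasl" = yes ] || { echo "FAIL sasl: add -S";  fails=$((fails + 1)); }
    exit "$fails"
)

# Constructed sample content, not taken from a real host.
opts=$(printf '%s\n' 'CACHESIZE="64"' 'OPTIONS="-l 10.0.0.5 -S -vv"' | options_from_file)
audit_options "$opts" || echo "FAIL count: $?"
```

On a real host, pass the file instead of the sample: audit_options "$(options_from_file /etc/sysconfig/memcached)", and treat a non-zero exit status as a failed check.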
Adding an Authenticated User

Now we can download two packages that will allow us to work with the Cyrus SASL Library and its authentication mechanisms, including plugins that support PLAIN authentication schemes. These packages,
Next, we will create the directory and file that Memcached will check for its SASL configuration settings:
Add the following to the SASL configuration file: /etc/sasl2/memcached.conf
In addition to specifying our logging level, we will set Now we will create a SASL database with our user credentials. We will use the
Finally, we want to give the
Restart the Memcached service:
Running
You should see output like the following:
Our Memcached service is now successfully running with SASL support and user authentication.

Allowing Access Over the Private Network

We have covered how to configure Memcached to listen on the local interface, which can prevent denial of service attacks by protecting the Memcached interface from exposure to outside parties. There may be instances where you will need to allow access from other servers, however. In this case, you can adjust your configuration settings to bind Memcached to the private network interface.

Note: We will cover how to configure firewall settings using FirewallD in this section, but it is also possible to use DigitalOcean Cloud Firewalls to create these settings. For more information on setting up DigitalOcean Cloud Firewalls, see our Introduction to DigitalOcean Cloud Firewalls. To learn more about how to limit incoming traffic to particular machines, check out the section of this tutorial on applying firewall rules using tags and server names and our discussion of firewall tags.

Limiting IP Access With Firewalls

Before you adjust your configuration settings, it is a good idea to set up firewall rules to limit the machines that can connect to your Memcached server. If you followed the prerequisites and installed FirewallD on your server and do not plan on connecting to Memcached from another host, then you do not need to adjust your firewall rules. Your standalone Memcached instance should be listening on Begin by adding a dedicated Memcached zone to your
Then, specify which port you would like to keep open. Memcached uses port
Next, specify the private IP addresses that should be allowed to access Memcached. For this, you will need to know your client server’s private IP address:
Reload the firewall to ensure that the new rules take effect:
Packets from your client’s IP address should now be processed according to the rules in the dedicated Memcached zone. All other connections will be processed by the default With these changes in place, we can move on to making the necessary configuration changes to our Memcached service, binding it to our server’s private networking interface.

Binding Memcached to the Private Network Interface

The first step in binding to our server’s private networking interface will be modifying the We can open
Inside, locate the /etc/sysconfig/memcached
Save and close the file when you are finished. Restart the Memcached service again:
Check your new settings with
Test connectivity from your external client to ensure that you can still reach the service. It is a good idea to also check access from a non-authorized client to ensure that your firewall rules are effective.

Conclusion

In this tutorial we have covered how to secure your Memcached server by configuring it to bind to your local or private network interface, and by enabling SASL authentication. To learn more about Memcached, check out the project documentation. For more information about how to work with Memcached, see our tutorial on How To Install and Use Memcache on Ubuntu 14.04.

How do I install memcache on CentOS?

To install memcached on CentOS, perform the following tasks as a user with root privileges:

1. Install memcached and its dependencies: ...
2. Change the memcached configuration setting for CACHESIZE and OPTIONS: ...
3. Save your changes to memcached and exit the text editor.
4. Restart memcached. ...
5. Restart your web server.

How do I install memcache on Linux?

Install and configure memcached on Ubuntu:

1. Open /etc/memcached.conf in a text editor.
2. Locate the -m parameter.
3. Change its value to at least 1GB.
4. Locate the -l parameter.
5. Change its value to 127.0.0.1 or localhost.
6. Save your changes to memcached.conf and exit the text editor.
7. Restart memcached: service memcached restart

How do I know if Memcached is installed?

You can look at phpinfo() or check whether any of the memcache functions are available. Ultimately, check whether the Memcache class exists or not, e.g.:

    if (class_exists('Memcache')) {
        // Memcache is enabled.
    }
What is the difference between memcache and Memcached?

The basic difference between them is in how they store values. Memcache mostly treats every value as a string, whereas Memcached stores a value in its original type.