
Harden Memcached service security

Last Updated: May 08, 2018

Vulnerability description

Memcached is a widely used key-value caching system that has no built-in access control. If the Memcached service is exposed to the public network, attackers can easily find it by scanning and can read the sensitive data it holds by issuing commands directly to it.

Hardening method

Because Memcached has no access control, the sources that are allowed to send it requests must be restricted.

Procedure

  1. Configure resource access.
    We recommend that the Memcached service not be exposed to the public network, where attackers can abuse it. Configure access rules through ECS security group rules or the iptables configuration.
    For example, execute the command iptables -A INPUT -p tcp -s 192.168.0.2 --dport 11211 -j ACCEPT in Linux to add an iptables rule that allows access to port 11211 only from the IP address 192.168.0.2.

  2. Bind the listening IP.
    If the Memcached service does not need to be reachable from the public network, bind it to 127.0.0.1 when starting Memcached. For example, execute the following command in Linux:
    memcached -d -m 1024 -u memcached -l 127.0.0.1 -p 11211 -c 1024 -P /tmp/memcached.pid

  3. Run the Memcached service with the lowest privileges.
    Run the service under a dedicated account that has only normal user permissions. For example, execute the following command in Linux:
    memcached -d -m 1024 -u memcached -l 127.0.0.1 -p 11211 -c 1024 -P /tmp/memcached.pid

  4. Change the default port.
    Change the default listening port from 11211 to 11222 by executing the following command in Linux:
    memcached -d -m 1024 -u memcached -l 127.0.0.1 -p 11222 -c 1024 -P /tmp/memcached.pid

    Memcached command parameter description

    • -d starts Memcached as a daemon.
    • -m specifies the amount of memory allocated to Memcached, in MB. In the example command, Memcached is given 1024 MB.
    • -u specifies the user that Memcached runs as. We recommend a dedicated user with normal permissions rather than a user with root permissions.
    • -l specifies the IP address that Memcached listens on. In the example command, this is 127.0.0.1.
    • -p specifies the port that Memcached listens on. The default port is 11211, and we recommend a port above 1024.
    • -c specifies the maximum number of concurrent connections allowed. The default is 1024, and it can be set according to the server's capacity.
    • -P specifies the file in which Memcached writes its process ID. In the example command, this is /tmp/memcached.pid.
  5. Back up data.
    To avoid data loss, create backups or an ECS hardware snapshot before upgrading.

  6. Enable Alibaba Cloud Security detection and protection.
    Vulnerability detection and protection are supported in Alibaba Cloud Security. You can enable and use the service in the Alibaba Cloud Security Administration Console.
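As an added example that is not part of the original page, the following POSIX shell script audits a Memcached command line against steps 2 to 4 above (bind address, run-as user, listening port) and prints the pair of iptables rules that step 1 needs to restrict access to a single source, since an ACCEPT rule on its own does not deny other sources. The function names and the weak sample command lines are constructed for this illustration.

```shell
#!/bin/sh
# Audit a memcached command line against the hardening steps above.
# Prints one OK/FAIL line per check; returns 0 only when every check passes.
audit_memcached_cmdline() {
    bind_ip=""; run_user=""; port="11211"   # memcached's built-in default port
    set -- $1                               # split the command line into words
    while [ $# -gt 0 ]; do
        case $1 in
            -l) bind_ip=$2; shift ;;
            -u) run_user=$2; shift ;;
            -p) port=$2; shift ;;
        esac
        shift
    done
    rc=0
    case $bind_ip in
        127.0.0.1|::1) echo "OK   bind: loopback only ($bind_ip)" ;;
        ""|0.0.0.0|::) echo "FAIL bind: listens on all interfaces; use -l 127.0.0.1"; rc=1 ;;
        *)             echo "OK   bind: $bind_ip (pair with firewall rules, step 1)" ;;
    esac
    case $run_user in
        "")   echo "FAIL user: no -u; service runs as the invoking user"; rc=1 ;;
        root) echo "FAIL user: -u root; use a dedicated unprivileged account"; rc=1 ;;
        *)    echo "OK   user: $run_user" ;;
    esac
    if [ "$port" = 11211 ]; then
        echo "FAIL port: default port 11211; change it (step 4)"; rc=1
    elif [ "$port" -le 1024 ]; then
        echo "FAIL port: $port is a privileged port; use one above 1024"; rc=1
    else
        echo "OK   port: $port"
    fi
    return $rc
}

# Print the iptables rules that allow memcached on PORT from ALLOWED_SRC only.
# The single ACCEPT rule in step 1 permits the listed source but does not by
# itself deny other sources; the trailing DROP rule does.
memcached_iptables_rules() {
    port=$1; allowed_src=$2
    printf 'iptables -A INPUT -p tcp -s %s --dport %s -j ACCEPT\n' "$allowed_src" "$port"
    printf 'iptables -A INPUT -p tcp --dport %s -j DROP\n' "$port"
}

# Stand-alone run: audit the hardened example from step 4, then show the firewall rules.
audit_memcached_cmdline "memcached -d -m 1024 -u memcached -l 127.0.0.1 -p 11222 -c 1024 -P /tmp/memcached.pid"
memcached_iptables_rules 11222 192.168.0.2
```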
