Securing Memcached

Memcached is a high-performance, distributed memory object caching system, generic in nature, but intended for use in speeding up dynamic web applications by alleviating database load. Memcached is a great piece of software that was designed with performance in mind. Still, memcached has little (or should I say none?) security features built-in. If we run memcached on a public ip and unprotected, anyone will be able to reach it and make memcached connections. This guide is intended to show some simple steps that can be used to secure your memcached setup.

You might say that you are not saving any private information in memcached and just cache parts of your public pages. Well, even in this case you will want your memcached daemon protected and not open to DOS attacks. Basically, regardless of the data you will cache (even if this is public or backend sql private data), you will probably want to control who can access it and since memcached doesn’t have any built-in authentication and doesn’t require any user or password we will have to use external protection methods like a iptables or other firewall rules for protection.

1. Run the memcached daemon under a non-privileged user.

You should run the memcached daemon under a user with the least privileges needed for its purpose. You can safely run it with a user with minimal privileges like nobody for ex. as memcached doesn’t require any special privileges. Still, many people will run this as root, because they start it directly from a root shell (rc.local or similar) like:

./memcached -d -m 2048 -p 11211

(as it will start as the running user). Also this happens for ex. in the debian etch memcached package where the default is to run it as root (this is fixed in the lenny package that will run by default as nobody).

To run as a regular unprivileged user just use the** -u** switch to start memcached:

./memcached -d -m 2048 -p 11211 -u nobody

or if you use a configuration file like in the debian package edit it and add (-u nobody) and comment out the default entry -u root, inside_ /etc/memcached.conf_.

2. Specify which IP address to listen on.

Since memcached has no built-in authentication as it is concerned to be as fast as possible the only way we can protect our memcached daemon is by blocking access to the daemon to anyone else than the hosts that need to have access. By default, memcached will listen on all IP addresses if the -l switch is not used. I recommend to use -l and have memcached listen only on the ip you need.

  • if memcached is used just by the local system then use -l and run it like:
./memcached -d -m 2048 -p 11211 -u nobody -l
  • if you have a backend private network used by your servers use that to bind it only on the private ip, for ex: -l like:
./memcached -d -m 2048 -p 11211 -u nobody -l
  • if you really need to run this on a public ip, in this case just bind it on a single ip anyway (to ease maintenance if the box has more ips, etc.) using -l :
./memcached -d -m 2048 -p 11211 -u nobody -l <ip>

and depending from your setup filter the access to the TCP port 11211 for that IP to only the hosts that need to reach it and block all other access. If you run it on a different port (-p) or use more daemons on the same machine, do this for each one of them.

I hope you found this information useful and will help you have a safer and more secure memcached setup.

comments powered by Disqus