
How To Secure Memcache on CentOS 7


This guide is intended for Hostwinds Cloud VPS and Dedicated Server clients who are able to secure Memcached and prevent Memcached amplification attempts from their server. We highly suggest doing this to prevent unwanted outbound bandwidth usage from your server. To continue with this guide, you will need to be logged in to your server as the root user.

Determine if Memcache is installed

Step One: Run the following command to see the status of the Memcached service:

sudo systemctl status memcached

Secure Memcached on CentOS 7

Step One: Adjust the service parameters in the /etc/sysconfig/memcached file using your favorite text editor. Example:

sudo nano /etc/sysconfig/memcached

Step Two: Bind Memcached to the loopback interface only, so that it accepts traffic just from the local machine, by using the -l 127.0.0.1 option. Also set -U 0 to disable the UDP listener, which prevents the service from being used in UDP amplification attacks.

PORT="11211"
USER="memcached"
MAXCONN="1024"
CACHESIZE="64"
OPTIONS="-l 127.0.0.1 -U 0"

Step Three: Save and close the file.

Step Four: Restart the Memcached service to apply these changes.

sudo systemctl restart memcached

Add Firewall Rule to iptables

Step One: You can add a basic firewall using iptables with the following commands. Note that the last command sets the default INPUT policy to DROP, so make sure rules permitting your own management access (such as SSH) are in place before running it:

sudo iptables -A INPUT -i lo -j ACCEPT
sudo iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
sudo iptables -A INPUT -p tcp -s <YOURSERVERSIPADDRESS> --dport 11211 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
sudo iptables -P INPUT DROP

Replace <YOURSERVERSIPADDRESS> above with your server's actual IP address.

Step Two: Confirm that Memcached is currently bound to the local interface and listening only for TCP by typing:

sudo netstat -plunt

The output should show Memcached bound to localhost at 127.0.0.1:11211 over TCP only, with no UDP entries.
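As an added check that is not part of the Hostwinds guide, the following POSIX shell script audits the OPTIONS line from Step Two and flags any memcached socket in netstat -plunt output that is still UDP or bound to anything other than 127.0.0.1. It assumes the /etc/sysconfig/memcached format and netstat column layout shown above, and that the options are spelled exactly as in the guide (-l 127.0.0.1 and -U 0); the sample netstat output is constructed.

```shell
#!/bin/sh
# Added audit helper, not part of the Hostwinds guide. Checks the two OPTIONS
# settings from Step Two and the listener check from the final step.
# Assumption: options are spelled exactly "-l 127.0.0.1" and "-U 0".

# check_options "OPTIONS value": exit 0 if bound to loopback and UDP disabled,
# otherwise print each missing setting and exit 1.
check_options() {
    opts=" $1 "
    ok=0
    case "$opts" in
        *" -l 127.0.0.1 "*) ;;
        *) echo "missing -l 127.0.0.1: memcached listens on every interface"; ok=1 ;;
    esac
    case "$opts" in
        *" -U 0 "*) ;;
        *) echo "missing -U 0: UDP listener still enabled (amplification risk)"; ok=1 ;;
    esac
    return $ok
}

# audit_config FILE: pull the OPTIONS="..." value out of a sysconfig file and check it.
audit_config() {
    check_options "$(sed -n 's/^OPTIONS="\(.*\)"$/\1/p' "$1")"
}

# exposed_listeners "netstat -plunt output": print memcached sockets that are UDP
# or bound to anything other than 127.0.0.1 (no output means nothing is exposed).
exposed_listeners() {
    printf '%s\n' "$1" | awk '/memcached/ && ($1 ~ /^udp/ || $4 !~ /^127\.0\.0\.1:/)'
}

# Constructed sample: TCP already on loopback, but the UDP listener is still open.
SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:11211         0.0.0.0:*               LISTEN      1234/memcached
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      900/sshd
udp        0      0 0.0.0.0:11211           0.0.0.0:*                           1234/memcached'

check_options "-l 127.0.0.1 -U 0" && echo "hardened OPTIONS: ok"
check_options "-l 127.0.0.1" || echo "incomplete OPTIONS: not ok"
exposed_listeners "$SAMPLE_NETSTAT"
```

On a live server, run audit_config /etc/sysconfig/memcached and exposed_listeners "$(sudo netstat -plunt)" instead of the constructed samples.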
