This guide is intended for Hostwinds Cloud VPS and Dedicated Server clients who have the ability to secure Memcached and prevent Memcached amplification attempts from their server. We highly suggest this to prevent any outbound bandwidth usage from your server. To continue with this guide, you will want to be logged in to your server as the root user.
Determine if Memcache is installed
Step One: You can run the following command to see the status of the Memcached service.
sudo systemctl status memcached
Secure Memcached on CentOS 7
Step One: Adjust the service parameters in your /etc/sysconfig/memcached file using your favorite text editor. Example:
sudo nano /etc/sysconfig/memcached
Step Two: Bind Memcached to the local network interface to restrict traffic by using the -l 127.0.0.1 option. Also, set -U 0 to disable the UDP listener to prevent amplification attacks from the UDP protocol.
PORT="11211"
USER="memcached"
MAXCONN="1024"
CACHESIZE="64"
OPTIONS="-l 127.0.0.1 -U 0"
Step Three: Save and close the file.
Step Four: Restart the Memcached service to apply these changes.
sudo systemctl restart memcached
Add Firewall Rule to iptables
Step One: You can add a basic firewall using iptables with the following commands:
sudo iptables -A INPUT -i lo -j ACCEPT
sudo iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
sudo iptables -A INPUT -p tcp -s <YOURSERVERSIPADDRESS> --dport 11211 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
Replace <YOURSERVERSIPADDRESS> above with your server’s actual IP Address.
sudo iptables -P INPUT DROP
Step Two: Confirm that Memcached is currently bound to the local interface and listening only for TCP by typing:
sudo netstat -plunt
The results should indicate that Memcached is bound to localhost at 127.0.0.1:11211 and only using TCP with no references to UDP.
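The confirmation step above can be scripted. The following is an added example, not part of the original guide: the function names are hypothetical and the sample netstat output is constructed for illustration. It flags any UDP listener or non-loopback TCP bind on port 11211, and checks the OPTIONS line for the two hardening flags.

```shell
#!/usr/bin/env bash
# Added example (not from the original guide). Sample data below is constructed.

# Audit `netstat -plunt` output (stdin) for Memcached listeners on a port.
# Exit 0 = loopback TCP only, 1 = exposed socket found, 2 = nothing listening.
check_memcached_listeners() {
    awk -v port="${1:-11211}" '
        $1 ~ /^(tcp|udp)/ {
            addr = $4
            n = split(addr, parts, ":")
            if (parts[n] != port) next          # some other service
            host = substr(addr, 1, length(addr) - length(parts[n]) - 1)
            seen = 1
            if ($1 ~ /^udp/) {
                print "FAIL udp listener on " addr " (set -U 0)"; bad = 1
            } else if (host != "127.0.0.1" && host != "::1") {
                print "FAIL tcp bound to " addr " (set -l 127.0.0.1)"; bad = 1
            } else {
                print "OK   tcp bound to " addr
            }
        }
        END { if (!seen) exit 2; exit (bad ? 1 : 0) }'
}

# Audit /etc/sysconfig/memcached content (stdin) for the two hardening flags.
# Exit 0 = both flags present in OPTIONS, 1 = at least one missing.
check_memcached_options() {
    opts=$(sed -n 's/^OPTIONS="\(.*\)"$/\1/p' | tail -n 1)
    rc=0
    case " $opts " in *" -l 127.0.0.1 "*) ;; *) echo "FAIL OPTIONS lacks -l 127.0.0.1"; rc=1 ;; esac
    case " $opts " in *" -U 0 "*) ;; *) echo "FAIL OPTIONS lacks -U 0"; rc=1 ;; esac
    return "$rc"
}

# Constructed netstat -plunt samples: a hardened host and an exposed one.
SAMPLE_HARDENED='Proto Recv-Q Send-Q Local Address    Foreign Address  State   PID/Program name
tcp        0      0 127.0.0.1:11211  0.0.0.0:*        LISTEN  1234/memcached
tcp        0      0 0.0.0.0:22       0.0.0.0:*        LISTEN  900/sshd'
SAMPLE_EXPOSED='Proto Recv-Q Send-Q Local Address    Foreign Address  State   PID/Program name
tcp        0      0 0.0.0.0:11211    0.0.0.0:*        LISTEN  1234/memcached
udp        0      0 0.0.0.0:11211    0.0.0.0:*                1234/memcached'

# Demonstration on the constructed exposed sample (prints two FAIL lines).
printf '%s\n' "$SAMPLE_EXPOSED" | check_memcached_listeners || true
```

On a live server, pipe the real output in with sudo netstat -plunt | check_memcached_listeners and run check_memcached_options < /etc/sysconfig/memcached.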