This guide is intended for Hostwinds Cloud VPS and Dedicated Server clients who want to secure Memcached and prevent Memcached amplification attempts from their server. We highly recommend doing this to prevent unwanted outbound bandwidth usage from your server. To continue with this guide, you will need to be logged in as your server's root user.
Determine if Memcached is installed
Step One: You can run the following command to see the status of the Memcached service.
sudo systemctl status memcached
Secure Memcached on CentOS 7
Step One: Adjust the service parameters in your /etc/sysconfig/memcached file using your favorite text editor. Example:
sudo nano /etc/sysconfig/memcached
Step Two: Bind Memcached to the local network interface with the -l 127.0.0.1 option so that it only accepts local traffic. Also, set -U 0 to disable the UDP listener, which prevents amplification attacks over the UDP protocol.
OPTIONS="-l 127.0.0.1 -U 0"
Step Three: Save and close the file.
Step Four: Restart the Memcached service to apply these changes.
sudo systemctl restart memcached
Add Firewall Rule to iptables
Step One: You can add a basic firewall using iptables with the following commands:
sudo iptables -A INPUT -i lo -j ACCEPT
sudo iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
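sudo iptables -A INPUT -p TCP -s <YOURSERVERSIPADDRESS> --dport 11211 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
Replace <YOURSERVERSIPADDRESS> above with your server's actual IP address. The next command sets the default INPUT policy to DROP, so add ACCEPT rules for any other services you need to reach (such as SSH) before running it.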
sudo iptables -P INPUT DROP
Step Two: Confirm that Memcached is currently bound to the local interface and listening only for TCP by typing:
sudo netstat -plunt
The results should indicate that Memcached is bound to localhost at 127.0.0.1:11211 and only using TCP with no references to UDP.
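The check in Step Two can also be scripted. The following is an added example, not part of the original guide: the function name audit_memcached_listeners and both sample listings are constructed for illustration, and it assumes the column layout that netstat -plunt prints.

```shell
#!/bin/sh
# Added example: audit `netstat -plunt` output for exposed Memcached listeners.
# Usage on a live server: sudo netstat -plunt | audit_memcached_listeners
# Returns 0 if every Memcached socket is loopback TCP, 1 if any socket is
# UDP or bound to a non-loopback address, 2 if no Memcached socket is listed.
audit_memcached_listeners() {
    awk '
        $NF ~ /\/memcached$/ {
            seen = 1; proto = $1; addr = $4   # $4 is the Local Address column
            if (proto ~ /^udp/) {
                print "EXPOSED udp listener " addr " (set -U 0)"; bad = 1
            } else if (addr !~ /^127\.0\.0\.1:/ && addr !~ /^::1:/) {
                print "EXPOSED tcp listener " addr " (set -l 127.0.0.1)"; bad = 1
            } else {
                print "ok " proto " " addr
            }
        }
        END { if (!seen) exit 2; exit (bad ? 1 : 0) }
    '
}

# Constructed sample: Memcached listening on all interfaces over TCP and UDP.
sample_exposed() {
    cat <<'EOF'
Proto Recv-Q Send-Q Local Address    Foreign Address  State   PID/Program name
tcp        0      0 0.0.0.0:22       0.0.0.0:*        LISTEN  900/sshd
tcp        0      0 0.0.0.0:11211    0.0.0.0:*        LISTEN  1234/memcached
udp        0      0 0.0.0.0:11211    0.0.0.0:*                1234/memcached
EOF
}

# Constructed sample: after OPTIONS="-l 127.0.0.1 -U 0" and a service restart.
sample_hardened() {
    cat <<'EOF'
Proto Recv-Q Send-Q Local Address    Foreign Address  State   PID/Program name
tcp        0      0 0.0.0.0:22       0.0.0.0:*        LISTEN  900/sshd
tcp        0      0 127.0.0.1:11211  0.0.0.0:*        LISTEN  1234/memcached
EOF
}

# Demo on the constructed samples.
sample_exposed | audit_memcached_listeners || echo "exposed sample: status $?"
sample_hardened | audit_memcached_listeners && echo "hardened sample: clean"
```

A non-zero exit status makes the function usable from cron or a monitoring check, so a configuration change that re-enables the UDP listener is caught after the next restart.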