Introduction
Different utilities that are used for caching (for example, Memcached) can improve database performance by temporarily storing information in memory. Usually this applies to those records that you either recently requested or frequently ask for. In this case, when using caching, the number of direct queries to the database is reduced.
When using systems like Memcached, it is extremely important to properly protect the servers where they are installed, otherwise attacks on the server can have very sad consequences.
Therefore, this guide will not only tell you how to install, but also how to protect the server from Memcached.
Requirements
Before proceeding with the instructions, you must have Ubuntu 16.04 installed on your server with a user who can execute sudo commands and a firewall.
Step 1: Install Memcached from the official repositories
If your server does not already have Memcached, then you can install this utility from the official Ubuntu repositories. First, you need to update the package index:
$ sudo apt-get update
Then install the package:
$ sudo apt-get install memcached
For the convenience of working with Memcached, you can also install libmemcached-tools, a library with several useful tools:
$ sudo apt-get install libmemcached-tools
Now on your server Memcached is installed as one of the services, and it’s time to go to the protection settings.
Step 2: Protect Memcached settings
First you need to check that Memcached listens on localhost 127.0.0.1. To do this, you need to look at the settings in the configuration file located in /etc/memcached.conf.
Open /etc/memcached.conf using nano:
$ sudo nano /etc/memcached.conf
Then find the next line:
. . . -l 127.0.0.1
If there is a -l 127.0.0.1, then you do not need to change anything. However, just in case, you can disable UDP so that attackers can not use it during attacks. The TCP configuration will remain untouched. At the end of the file, write:
. . . -U 0
Then save and close the file.
Restart Memcached for the changes to take effect.
$ sudo systemctl restart memcached
Make sure that Memcached is bound to the local interface and only listens to TCP:
$ sudo netstat -plunt
The output will be something like this:
Active Internet connections (only servers) Proto Recv-Q Send-Q Local Address Foreign Address State PID / Program name . . . tcp 0 0 127.0.0.1 : 11211 0.0.0.0:* LISTEN 2383 / memcached . . .
Step 3: Add Authorized Users
In order to add authorized users to Memcached, you can use SASL (Simple Authentication and Security Layer). This is a framework that separates authentication mechanisms from application protocols.
First, you need to enable SASL support in the Memcached configuration file, and then proceed to add the user.
Configuring SASL support
Check the current Memcached state using the memcstat command. This is necessary in order to be able to track the changes made in the future.
To verify that the Memcached service is up and running, type:
$ memcstat --servers = "127.0.0.1"
You should see something like this:
Server: 127.0.0.1 (11211) pid: 3831 uptime: 9 time: 1520028517 version: 1.4.25 . . .
Now you need to enable SASL. Add the -S option in the /etc/memcached.conf configuration file. To do this, open the file again:
$ sudo nano /etc/memcached.conf
At the end of the file, add:
. . . -S
Next, find and uncomment the -vv option, which will give you a detailed report in / var / log / memcached. The uncommented line will look like this:
. . . -vv
Save and close the file.
Restart the Memcached service:
$ sudo systemctl restart memcached
Now you can look at the logs to make sure that SASL support is enabled:
$ sudo journalctl -u memcached
You should see the following line:
. . . Mar 31 20:15:39 memcached systemd-memcached-wrapper [2760]: Initialized SASL. . . .
You can check the status of Memcached again. Now SASL is active, without authentication this command will not be executed:
$ memcstat --servers = "127.0.0.1"
You will not see any conclusion. To check the status of the command, you can enter the command below:
$ echo $?
It will show the completion code: any numbers other than 0 indicate that the command failed. In this case, you should see 1, which means the command was not executed.
Adding an Authorized User
Now you can download the sasl2-bin package, which contains the administration programs for the SASL user database. This will create an authorized user:
$ sudo apt-get install sasl2-bin
Next, you need to create a directory and a file that Memcached will use to verify the SASL settings:
$ sudo mkdir -p / etc / sasl2 $ sudo nano /etc/sasl2/memcached.conf
Add the following lines to the SASL configuration file:
mech_list: plain log_level: 5 sasldb_path: / etc / sasl2 / memcached-sasldb2
Mech_list is installed on plain, this means that Memcached will use its own file with passwords and verify the text password. You will also need to specify the path to the user database file (this will be done later). Save and close the file after the changes.
Now you need to create a SASL database with user data. To do this, use the saslpasswd2 command with the -c option . Using the -f switch will allow you to specify the path to the database (which is also needed for the memcached.conf file):
$ sudo saslpasswd2 -a memcached -c -f / etc / sasl2 / memcached-sasldb2 user
Next, you need to change the rights: the user user must get the rights to the SASL database.
$ sudo chown memcache: memcache / etc / sasl2 / memcached-sasldb2
After that, restart Memcached:
$ sudo systemctl restart memcached
The memcstat command will show whether or not authentication works now (enter it with your data):
$ memcstat --servers = "127.0.0.1" --username = user --password = your_password
The output should look something like this:
Server: 127.0.0.1 (11211) pid: 3831 uptime: 9 time: 1520028517 version: 1.4.25 . . .
So, Memcached works successfully with SASL support and user authorization.
