
    How to Install and Secure Memcached on Ubuntu 16.04

    Introduction

    Different utilities that are used for caching (for example, Memcached) can improve database performance by temporarily storing information in memory. Usually this applies to those records that you either recently requested or frequently ask for. In this case, when using caching, the number of direct queries to the database is reduced.

    When using systems like Memcached, it is extremely important to properly secure the servers where they are installed; otherwise, attacks on the server can have serious consequences.

    Therefore, this guide explains not only how to install Memcached, but also how to secure it on your server.

    Requirements

    Before proceeding, you need a server running Ubuntu 16.04 with a firewall and a user who can execute sudo commands.

    Step 1: Install Memcached from the official repositories

    If your server does not already have Memcached, then you can install this utility from the official Ubuntu repositories. First, you need to update the package index:

    $ sudo apt-get update

    Then install the package:

    $ sudo apt-get install memcached

    For the convenience of working with Memcached, you can also install libmemcached-tools, a library with several useful tools:

    $ sudo apt-get install libmemcached-tools

    Memcached is now installed on your server as a service, and it is time to move on to securing its configuration.

     

    Step 2: Secure the Memcached configuration

    First you need to check that Memcached listens on localhost 127.0.0.1. To do this, you need to look at the settings in the configuration file located in /etc/memcached.conf.

    Open /etc/memcached.conf using nano:

    $ sudo nano /etc/memcached.conf

    Then find the following line:

    . . .
    
    -l 127.0.0.1

    If the line -l 127.0.0.1 is present, you do not need to change anything. As an additional precaution, you can disable UDP so that attackers cannot use it during attacks. The TCP configuration will remain untouched. At the end of the file, add:

    . . .
    
    -U 0

    Then save and close the file.

    Restart Memcached for the changes to take effect.

    $ sudo systemctl restart memcached

    Make sure that Memcached is bound to the local interface and listens only on TCP:

    $ sudo netstat -plunt

    The output will be something like this:

    Active Internet connections (only servers)
    Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
    . . .
    tcp        0      0 127.0.0.1:11211         0.0.0.0:*               LISTEN      2383/memcached
    . . .
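
The check in Step 2 can be scripted so it fails loudly instead of relying on reading the table by eye. This is an added example, not part of the original guide; the function name check_memcached_listeners and the sample rows are constructed for illustration.

```shell
#!/bin/sh
# check_memcached_listeners: reads `netstat -plunt` output on stdin and reports
# every memcached socket that is UDP or bound outside loopback.
# Returns 0 = loopback TCP only, 1 = exposed listener, 2 = no memcached row.
check_memcached_listeners() {
    awk '
        # Socket rows start with the protocol; the last field is PID/Program.
        $1 ~ /^(tcp|udp)6?$/ && $NF ~ /\/memcached$/ {
            seen = 1
            addr = $4
            sub(/:[0-9]+$/, "", addr)      # drop ":port", keeps "::1" intact
            if ($1 ~ /^udp/) {
                print "FAIL udp listener on " $4; bad = 1
            }
            if (addr != "127.0.0.1" && addr != "::1") {
                print "FAIL non-loopback bind on " $4 " (" $1 ")"; bad = 1
            }
        }
        END {
            if (!seen) { print "WARN no memcached listener found"; exit 2 }
            if (bad) exit 1
            print "OK memcached listens on loopback TCP only"
        }
    '
}

# Constructed sample: a host where -l and -U 0 were never applied.
sample='Proto Recv-Q Send-Q Local Address   Foreign Address State  PID/Program name
tcp   0      0      0.0.0.0:11211   0.0.0.0:*       LISTEN 2383/memcached
udp   0      0      0.0.0.0:11211   0.0.0.0:*              2383/memcached
tcp   0      0      0.0.0.0:22      0.0.0.0:*       LISTEN 1201/sshd'
printf '%s\n' "$sample" | check_memcached_listeners || echo "exit status: $?"
```

On a live host, feed it the real table with sudo netstat -plunt | check_memcached_listeners.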

    Step 3: Add Authorized Users

    In order to add authorized users to Memcached, you can use SASL (Simple Authentication and Security Layer). This is a framework that separates authentication mechanisms from application protocols.

    First, you need to enable SASL support in the Memcached configuration file, and then proceed to add the user.

    Configuring SASL support

    Check the current Memcached state using the memcstat command. This is necessary in order to be able to track the changes made in the future.

    To verify that the Memcached service is up and running, type:

    $ memcstat --servers="127.0.0.1"

    You should see something like this:

    Server: 127.0.0.1 (11211)
    pid: 3831
    uptime: 9
    time: 1520028517
    version: 1.4.25
    . . .

    Now you need to enable SASL. Add the -S option in the /etc/memcached.conf configuration file. To do this, open the file again:

    $ sudo nano /etc/memcached.conf

    At the end of the file, add:

    . . .
    
    -S

    Next, find and uncomment the -vv option, which will give you a detailed report in /var/log/memcached. The uncommented line will look like this:

    . . .
    
    -vv

    Save and close the file.

    Restart the Memcached service:

    $ sudo systemctl restart memcached

    Now you can look at the logs to make sure that SASL support is enabled:

    $ sudo journalctl -u memcached

    You should see the following line:

    . . .
    
    Mar 31 20:15:39 memcached systemd-memcached-wrapper[2760]: Initialized SASL.
    
    . . .

    You can check the status of Memcached again. Because SASL is now active, this command will fail without authentication:

    $ memcstat --servers="127.0.0.1"

    You will not see any output. To check the exit status of the command, enter:

    $ echo $?

    This shows the exit code: any number other than 0 indicates that the command failed. In this case, you should see 1, which means the command did not succeed.

    Adding an Authorized User

    Now you can install the sasl2-bin package, which contains the administration programs for the SASL user database. You will use it to create an authorized user:

    $ sudo apt-get install sasl2-bin

    Next, you need to create a directory and a file that Memcached will use to verify the SASL settings:

    $ sudo mkdir -p /etc/sasl2

    $ sudo nano /etc/sasl2/memcached.conf

    Add the following lines to the SASL configuration file:

    mech_list: plain
    log_level: 5
    sasldb_path: /etc/sasl2/memcached-sasldb2

    mech_list is set to plain, which means that Memcached will use its own password file and verify a plaintext password. You also need to specify the path to the user database file (it will be created in the next step). Save and close the file after making the changes.

    Now you need to create a SASL database with user data. To do this, use the saslpasswd2 command with the -c option. The -f switch lets you specify the path to the database (the same path that is set in the memcached.conf file):

    $ sudo saslpasswd2 -a memcached -c -f /etc/sasl2/memcached-sasldb2 user

    Next, you need to change the ownership: the memcache user must own the SASL database.

    $ sudo chown memcache:memcache /etc/sasl2/memcached-sasldb2

    After that, restart Memcached:

    $ sudo systemctl restart memcached

    The memcstat command will show whether authentication now works (substitute your own credentials):

    $ memcstat --servers="127.0.0.1" --username=user --password=your_password

    The output should look something like this:

    Server: 127.0.0.1 (11211)
    pid: 3831
    uptime: 9
    time: 1520028517
    version: 1.4.25
    . . .

    Memcached now works with SASL support and user authentication.
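
To confirm that the three options set in this guide (-l 127.0.0.1, -U 0 and -S) are still active after later edits or package upgrades, the configuration file can be audited with a small script. This is an added example, not part of the original guide; the function name audit_memcached_conf and the sample file are constructed, and it checks only the short option forms used above.

```shell
#!/bin/sh
# audit_memcached_conf FILE: returns 0 if FILE sets a loopback-only -l,
# -U 0 and -S; 1 if any is missing or weaker; 2 if FILE is unreadable.
audit_memcached_conf() {
    conf=$1
    [ -r "$conf" ] || { echo "ERROR cannot read $conf"; return 2; }
    # Keep only active option lines: strip comments and surrounding whitespace.
    active=$(sed -e 's/#.*//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' "$conf")
    status=0

    # -l: every listed address must be loopback; no -l means all interfaces.
    listen=$(printf '%s\n' "$active" | sed -n 's/^-l[[:space:]]*//p' | tail -n 1)
    if [ -z "$listen" ]; then
        echo "FAIL -l not set: memcached binds to all interfaces"; status=1
    else
        for addr in $(printf '%s' "$listen" | tr ',' ' '); do
            case $addr in
                127.0.0.1|::1|localhost) ;;
                *) echo "FAIL -l $addr is not a loopback address"; status=1 ;;
            esac
        done
    fi

    # -U 0 disables the UDP listener.
    udp=$(printf '%s\n' "$active" | sed -n 's/^-U[[:space:]]*//p' | tail -n 1)
    [ "$udp" = "0" ] || { echo "FAIL UDP not disabled (-U ${udp:-unset})"; status=1; }

    # -S turns on SASL authentication.
    printf '%s\n' "$active" | grep -qx -- '-S' ||
        { echo "FAIL SASL not enabled (-S missing)"; status=1; }

    [ "$status" -eq 0 ] && echo "OK $conf matches the guide's settings"
    return "$status"
}

# Constructed sample: bind line present, but -U 0 and -S never added.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# memcached config (constructed sample)
-m 64
-p 11211
-u memcache
-l 127.0.0.1
EOF
audit_memcached_conf "$sample" || echo "audit exit status: $?"
rm -f "$sample"
```

Run it against the real file with audit_memcached_conf /etc/memcached.conf.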

    Vaibhav Jain
    Vaibhav is a specialist in Website Development whose goal is to never write a boring article. His enthusiasm for online business has spanned over two years, accompanying his articles with thorough knowledge about Website Development and many other topics. He also enjoys playing Cricket and is a Fitness enthusiast.