Canadahost Official Blog

Installation and securing of Memcached on CentOS 7

Memcached is a free and open source, simple but powerful in-memory caching system whose purpose is to speed up web applications by reducing database load. It improves back-end database performance by temporarily keeping recently requested records in memory, which cuts the number of direct requests made to the database. In this article, we’ll walk through the installation and securing of Memcached on CentOS 7.

One drawback of Memcached is that, if left improperly configured, it can expose the system to threats such as DoS (Denial of Service) attacks. It’s therefore crucial to ensure that your Memcached server is well configured and protected, by binding the installation to a private network interface and creating authorized users for Memcached instances.

Prerequisite

This tutorial assumes basic knowledge of a CentOS 7 server system and of FirewallD, the basic firewall that can be installed on it.

Installing Memcached from Official repositories

To install Memcached from the official repositories, first ensure that the local system repositories are up to date. This can be done using the following command:

yum update

After the update is done, install Memcached using the following command:

yum install memcached

After successful installation of memcached, proceed and install libmemcached. This is the client library, shipped with a number of tools, which will be used alongside the memcached server:

yum install libmemcached

Memcached and libmemcached should now be installed on your CentOS 7 server. To verify the installation, run the command below:

rpm -qa | grep 'memcached'

Securing Memcached

We need to ensure that the Memcached instance is listening on 127.0.0.1, our loopback address, and disable the UDP listener as well. The configuration settings are found in the /etc/sysconfig/memcached file. Open the configuration file using your favorite editor; I’m going to use vim:

vim /etc/sysconfig/memcached

Scroll down and locate the OPTIONS parameter as shown below.

Now, to restrict traffic to clients on the same system only, we’ll add the
-l 127.0.0.1 -U 0 flags as shown below. The -l flag binds Memcached to the loopback address and -U 0 disables the UDP listener, so traffic is confined to localhost, which is our CentOS server.

Save the configuration file and exit.
Restart the Memcached server for the changes to take effect:

systemctl restart memcached

To verify that memcached is running, run the command below:

systemctl status memcached

If it’s not, start it with:

systemctl start memcached

To confirm that the Memcached service is running and bound to the local loopback interface on TCP only, run:

netstat -pnltu | grep 'memcached'

As we can see above, memcached is bound to our loopback address, 127.0.0.1, and is listening on port 11211 over TCP only.

To add authorized users, we shall enable SASL in our Memcached configuration file and later create and add a user with credentials.

First, we are going to use the memstat command to test connectivity to our Memcached server:

memstat --servers="127.0.0.1"

Sample output

Now we will enable SASL in the Memcached configuration file and then move on to adding a user with authentication credentials.

To enable SASL, open the memcached configuration file and append the -S and -vv flags to the OPTIONS line. The -S flag enables SASL and -vv turns on verbose output in the /var/log/memcached file.
Restart memcached:

systemctl restart memcached

Let’s now take a look at the logs to ensure that SASL is enabled, using the command below:

journalctl -u memcached

Sample output

When we run the memstat --servers="127.0.0.1" command again, we get no response. This is because SASL has been enabled and we have not supplied any authentication.
Just to be sure that the command exited with an error, run:

echo $?

You should get 1, indicating that it exited with an error.

Adding Authenticated users

To create and authenticate our users, we are going to install two packages, cyrus-sasl-devel and cyrus-sasl-plain. These packages provide what is needed to communicate with the Cyrus SASL library:

yum install cyrus-sasl-devel cyrus-sasl-plain

Next, create a directory for the SASL configuration:

mkdir -p /etc/sasl_dir

Inside the directory, create a configuration file:

vi /etc/sasl_dir/memcached.conf

Add the following config lines:

mech_list: plain
log_level: 5
sasldb_path: /etc/sasl2/memcached-sasldb2

In the config above, mech_list is set to plain. This instructs Memcached to use its own password file (the one named by sasldb_path) and to verify a plaintext password against it.
Save the config file and exit.
Next, create a SASL database with your user credentials. Using the saslpasswd2 command, we’ll create a new user; in this case, the user is Meg:

saslpasswd2 -a memcached -c -f /etc/sasl2/memcached-sasldb2 Meg

You’ll be prompted for a password and then asked to verify it.

Finally, make the memcached user the owner of the SASL database:

chown memcached:memcached /etc/sasl2/memcached-sasldb2

Restart the Memcached service:

systemctl restart memcached

Using the memstat command again, this time with the credentials, should give you the output shown below:

memstat --servers="127.0.0.1" --username=meg --password=your-password

Sample Output

Server: 127.0.0.1 (11211)
     pid: 3831
     uptime: 9
     time: 1520028517
     version: 1.4.25
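Before restarting with SASL turned on, it is worth checking that the three pieces above agree: the sasldb_path in the SASL config, the -f path given to saslpasswd2, and the ownership and mode of that database file. The script below is an added example, not code from the Canadahost post. The config path, database path and expected owner are parameters (assumptions for the demo, which uses temporary files and the current user in place of memcached, and never creates a real sasldb); each mismatch is reported on a FAIL line and the check returns non-zero.

```sh
#!/bin/sh
# Added example (not from the Canadahost post): consistency checks for the
# SASL setup above. Paths and the expected owner are parameters so the
# functions can be exercised against temporary files without root.

# Write the SASL config from the post, with the user database at $2.
write_sasl_conf() {
    conf="$1"; db="$2"
    printf 'mech_list: plain\nlog_level: 5\nsasldb_path: %s\n' "$db" > "$conf"
}

# Read sasldb_path back out of a SASL config file (last occurrence wins).
sasldb_path_from_conf() {
    sed -n 's/^sasldb_path:[[:space:]]*//p' "$1" | tail -n 1
}

# The user database holds the credentials saslpasswd2 stored, so it must
# exist, belong to the expected owner ($2, memcached on a real host) and not
# be readable by group or others. Prints one FAIL line per problem.
check_sasldb() {
    db="$1"; owner="$2"; rc=0
    if [ ! -f "$db" ]; then
        echo "FAIL: $db does not exist (run saslpasswd2 -f $db first)"
        return 1
    fi
    actual=$(stat -c '%U' "$db")   # GNU stat, as on CentOS 7
    mode=$(stat -c '%a' "$db")
    if [ "$actual" != "$owner" ]; then
        echo "FAIL: $db is owned by $actual, expected $owner"; rc=1
    fi
    case "$mode" in
        *00) ;;
        *) echo "FAIL: $db has mode $mode, readable by group or others"; rc=1 ;;
    esac
    return $rc
}

# Tie it together: the config must point at the same file saslpasswd2 wrote
# (its -f path), and that file must pass check_sasldb.
check_sasl_setup() {
    conf="$1"; db_used="$2"; owner="$3"
    configured=$(sasldb_path_from_conf "$conf")
    if [ "$configured" != "$db_used" ]; then
        echo "FAIL: config names '$configured' but users were added to '$db_used'"
        return 1
    fi
    check_sasldb "$db_used" "$owner"
}

# Demo on constructed temporary files; on a real host you would call
#   check_sasl_setup /etc/sasl_dir/memcached.conf /etc/sasl2/memcached-sasldb2 memcached
demo_dir=$(mktemp -d)
conf="$demo_dir/memcached.conf"
db="$demo_dir/memcached-sasldb2"
write_sasl_conf "$conf" "$db"
: > "$db"; chmod 600 "$db"          # stands in for the file saslpasswd2 -c -f creates
if check_sasl_setup "$conf" "$db" "$(id -un)"; then
    echo "SASL config and user database are consistent"
fi
chmod 644 "$db"                     # too permissive: the check now reports it
check_sasl_setup "$conf" "$db" "$(id -un)" || echo "fix with: chmod 600 $db"
rm -rf "$demo_dir"
```

The path comparison is the check that matters most here: if the config's sasldb_path and the -f argument to saslpasswd2 differ, SASL consults an empty (or missing) database and every login fails with the same "no response" seen above.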

Allowing Access over private networks

Before you allow access from other networks, you need to adjust the firewall settings.
Add a dedicated Memcached zone to the firewalld policy:

firewall-cmd --permanent --new-zone=memcached

Next, specify the port you want to open. In this case, the port is 11211:

firewall-cmd --permanent --zone=memcached --add-port=11211/tcp

Specify the client network address that should be granted access to the memcached server:

firewall-cmd --permanent --zone=memcached --add-source=server_private_ip

Finally, reload the firewall to make sure the rules take effect:

firewall-cmd --reload

How to bind memcached server to private network interface

After you’ve adjusted the firewall rules, you can proceed to bind the memcached server to the private network interface by modifying /etc/sysconfig/memcached once more.

In the OPTIONS parameter, replace the loopback address with the private IP of the CentOS Memcached server:

OPTIONS="-l memcached_servers_private_IP -U 0 -S -vv"

e.g.

OPTIONS="-l 10.200.30.26 -U 0 -S -vv"

Restart the server:

systemctl restart memcached

Check for listening connections:

netstat -pnltu

Sample Output

Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
. . .
tcp        0      0 10.200.30.26:11211         0.0.0.0:*               LISTEN      2383/memcached
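The verification in this section is the same as in "Securing Memcached" above, only with a different expected bind address. The script below is an added example, not code from the Canadahost post, and it goes beyond either section by taking the expected address as a parameter: it reads OPTIONS from a sysconfig file and inspects a netstat -pnltu listing, both passed in as arguments (the file paths and the sample files and listings it builds are constructed for the demo), and reports when memcached would bind to every interface, still has the UDP listener open, or is listening somewhere other than the expected address.

```sh
#!/bin/sh
# Added example (not from the Canadahost post): audit the two things the post
# verifies by hand, the OPTIONS line in a sysconfig file and the
# `netstat -pnltu` listener listing. Both are parameters, so the checks run
# against copies or constructed samples without root or a service restart.

# Print the value of OPTIONS="..." from a sysconfig-style file (last one wins).
memcached_options() {
    sed -n 's/^OPTIONS="\(.*\)"[[:space:]]*$/\1/p' "$1" | tail -n 1
}

# OPTIONS must bind memcached to $2 and disable the UDP listener (-U 0).
# Extra flags such as -S -vv are ignored. One FAIL line per finding;
# returns 0 when both checks pass, 1 otherwise.
audit_options() {
    opts=$(memcached_options "$1")
    expected="$2"
    rc=0
    bind=$(printf '%s\n' "$opts" | sed -n 's/.*-l[[:space:]]*\([^[:space:]]*\).*/\1/p')
    if [ -z "$bind" ]; then
        echo "FAIL: no -l flag, memcached would listen on every interface"
        rc=1
    elif [ "$bind" != "$expected" ]; then
        echo "FAIL: bound to $bind, expected $expected"
        rc=1
    fi
    case " $opts " in
        *" -U 0 "*) ;;
        *) echo "FAIL: UDP listener not disabled (-U 0 missing)"; rc=1 ;;
    esac
    return $rc
}

# A netstat -pnltu listing ($1) must show memcached on TCP only, at $2:$3,
# and nowhere else. Returns 0 when that holds, 1 otherwise.
audit_listeners() {
    listing="$1"; expected="$2"; port="${3:-11211}"
    rc=0; found=0
    # Columns: Proto Recv-Q Send-Q Local-Address ...; UDP lines have no State
    # column, but the local address is the fourth field either way.
    while read -r proto recvq sendq laddr rest; do
        [ -n "$proto" ] || continue
        case "$proto" in
            udp*) echo "FAIL: UDP socket open at $laddr"; rc=1; continue ;;
        esac
        if [ "$laddr" = "$expected:$port" ]; then
            found=1
        else
            echo "FAIL: unexpected TCP listener at $laddr"; rc=1
        fi
    done <<EOF
$(printf '%s\n' "$listing" | grep memcached || true)
EOF
    if [ "$found" -eq 0 ]; then
        echo "FAIL: no memcached TCP listener at $expected:$port"; rc=1
    fi
    return $rc
}

# Demo on constructed input. On a live host the calls would be
#   audit_options /etc/sysconfig/memcached 10.200.30.26
#   audit_listeners "$(netstat -pnltu)" 10.200.30.26
tmp=$(mktemp)
printf 'PORT="11211"\nUSER="memcached"\nOPTIONS=""\n' > "$tmp"   # stock-style file
if audit_options "$tmp" 10.200.30.26; then echo "options hardened"; fi
printf 'OPTIONS="-l 10.200.30.26 -U 0 -S -vv"\n' > "$tmp"        # line from the post
if audit_options "$tmp" 10.200.30.26; then echo "options hardened"; fi
rm -f "$tmp"
# Constructed listing with the PID and columns of the post's sample output.
listing='tcp        0      0 10.200.30.26:11211      0.0.0.0:*               LISTEN      2383/memcached'
if audit_listeners "$listing" 10.200.30.26; then echo "listener confined to 10.200.30.26:11211 tcp"; fi
```

Running the same two functions with 127.0.0.1 as the expected address gives the check for the loopback-only configuration from the earlier section, and a 0.0.0.0 bind or a udp line in the listing is reported in either case.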
