In Debian, I have installed memcached (using this guide) to lower the otherwise unmanageable load on the mysql database. The database is on a separate server, and memcached and Varnish are on the front server. Is it a potential security hole to leave memcached unprotected by a firewall? If so, how should I secure it? The situation is especially worrisome, as I've received (unproved) reports of cookie thefts on the server. Thanks
1 Answer
Just block the memcached port in the firewall and allow access only from the database server. This should give you some protection. Also you can bring up an SSL tunnel between the mysql and memcached server and make the memcached-mysql data flow through it only.
For the SSL tunnel you can use IPSEC, to set it up you can follow the tutorial at http://wiki.debian.org/IPsec or http://lartc.org/howto/lartc.ipsec.tunnel.html
For blocking the port for all IPs except one you can issue an iptables command like:
iptables -A INPUT -s 2.2.2.2/32 -p tcp --destination-port 11211 -j ACCEPT
iptables -A INPUT -s 0.0.0.0/0 -p tcp --destination-port 11211 -j DROP
or:
iptables -A INPUT ! -s 2.2.2.2/32 -p tcp --destination-port 11211 -j DROP
Also, as I understand, your webserver and memcached server are on the same machine? If so, then it is your webserver that will communicate with memcached rather than the mysql server. It will just either get the data from the cache or, if it's not present in the cache, get it from the mysql server. In this case it's enough to bind memcached to localhost so only your webserver can access memcached using PHP, Ruby, Python or any other language code; this should be as safe as it can be.
Will you please elaborate on how to do these, assuming that my web server's IP is 1.1.1.1 and the database server's IP is 2.2.2.2? Thanks – alfish Sep 04 '12 at 21:44
I've edited my answer with more info. – Logic Wreck Sep 04 '12 at 21:57
As you noticed, memcached is on the webserver, so I think you need to edit the iptables rules accordingly. – alfish Sep 04 '12 at 22:00
Well - if it's on the webserver then probably there is no need to do that, it's better to just bind it to localhost on the webserver since it will be the webserver which will use it directly and not mysql. This will really be the safest option. – Logic Wreck Sep 04 '12 at 22:04
So, just to clarify, to bind memcached to the localhost. I need to put 127.0.0.1 instead of 2.2.2.2 in the rules above. Correct? – alfish Sep 04 '12 at 22:05
No, you'll need to configure memcached to run on localhost as described here - http://blog.codesherpas.com/on_the_path/2010/08/securing-memcache-in-2-minutes.html - it shows how to configure memcached to listen only on localhost. This is not done in the firewall. – Logic Wreck Sep 04 '12 at 22:10
Well, the guide in the link is for CentOS 5.3, and while it is interesting, it is not really applicable to Debian 6, as /etc/memcached.conf already has '-l 127.0.0.1' uncommented by default. – alfish Sep 04 '12 at 22:53
Then you're all set already, memcached listens only on localhost and thus is secured. – Logic Wreck Sep 05 '12 at 09:15