Advisory : Bind Memcache to 127.0.0.1 and Disable UDP
Securing Memcached on Ubuntu and Debian Servers
By default, Memcached listens on port 11211 over both TCP and UDP. Verify this with:
sudo netstat -plunt | grep memcached
tcp        0      0 127.0.0.1:11211         0.0.0.0:*               LISTEN      1243/memcached
udp        0      0 127.0.0.1:11211         0.0.0.0:*                           1243/memcached
To harden this, disable the UDP listener by editing the Memcached configuration file, /etc/memcached.conf:
sudo nano /etc/memcached.conf
By default, Ubuntu and Debian bind Memcached to the loopback interface, 127.0.0.1. An instance bound to 127.0.0.1 is not reachable from the network, so remote hosts cannot use it as an amplification reflector. Confirm that the -l option is set to this address:
-l 127.0.0.1
To disable UDP, add the following line to /etc/memcached.conf. The -U option sets the UDP port, and 0 turns the UDP listener off entirely. Memcached 1.5.6 and later ship with UDP disabled by default, but setting it explicitly covers older packages and makes the intent visible in the configuration:
-U 0
When you are finished, save and close the file.
Restart your Memcached service to apply your changes:
sudo service memcached restart
Verify that Memcached is now bound to the loopback interface and listening only on TCP:
sudo netstat -plunt | grep memcached
tcp        0      0 127.0.0.1:11211         0.0.0.0:*               LISTEN      1891/memcached
You should see a single memcached entry, bound to 127.0.0.1 and using only TCP. If a udp line is still present, check that the -U 0 line is not commented out and that the service actually restarted.
Securing Memcached on RHEL, CentOS and Fedora Servers
On RHEL, CentOS and Fedora, the packaged Memcached reads its command-line options from /etc/sysconfig/memcached. Unlike the Debian packaging, the default here binds to all interfaces on both IPv4 and IPv6, over TCP and UDP, which is exactly the exposure that lets a host be used as an amplification reflector:
netstat -plunt | grep memcached
tcp        0      0 0.0.0.0:11211           0.0.0.0:*               LISTEN      1916/memcached
tcp6       0      0 :::11211                :::*                    LISTEN      1916/memcached
udp        0      0 0.0.0.0:11211           0.0.0.0:*                           1916/memcached
udp6       0      0 :::11211                :::*                                1916/memcached
To bind Memcached to 127.0.0.1 and disable UDP, edit /etc/sysconfig/memcached with vi (or any editor):
vi /etc/sysconfig/memcached
The stock file already contains an OPTIONS line (usually OPTIONS=""). Set it as follows rather than adding a second OPTIONS line, keeping any other flags you already pass there:
OPTIONS="-l 127.0.0.1 -U 0"
When you are finished, save and close the file.
Restart your Memcached service to apply your changes:
sudo service memcached restart
Verify that Memcached is now bound to the loopback interface and listening only on TCP:
netstat -plunt | grep memcached
tcp        0      0 127.0.0.1:11211         0.0.0.0:*               LISTEN      1946/memcached
You should see a single memcached entry, bound to 127.0.0.1 and using only TCP. The tcp6, udp and udp6 entries should all be gone.
If application servers on other hosts need to reach this cache, binding to 127.0.0.1 is not an option; bind to the address of a private interface instead (-l followed by that interface's address) and restrict 11211/tcp to those hosts with a firewall. Memcached performs no authentication by default, so any host that can reach the port can read, overwrite and flush the cache.
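The two procedures above are the same check and the same change applied to two packagings. The script below, added here as an example and not part of the original advisory, wraps both: it audits netstat -plunt output for memcached sockets that are UDP or bound to a non-loopback address, and applies -l 127.0.0.1 -U 0 to either config format idempotently, without duplicating lines or discarding other flags already set. The sample netstat lines are constructed (modelled on the outputs shown above), and the config functions take the file path as an argument so they can be run against a copy first.

```shell
#!/bin/sh
# Added example, not from the original advisory: audit Memcached listeners and
# apply the "-l 127.0.0.1 -U 0" hardening to a config file without duplicates.

# Constructed sample of `netstat -plunt` output, used only by the demo and tests.
SAMPLE_EXPOSED='tcp 0 0 0.0.0.0:11211 0.0.0.0:* LISTEN 1916/memcached
tcp6 0 0 :::11211 :::* LISTEN 1916/memcached
udp 0 0 0.0.0.0:11211 0.0.0.0:* 1916/memcached
udp6 0 0 :::11211 :::* 1916/memcached
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 801/sshd'
SAMPLE_SAFE='tcp 0 0 127.0.0.1:11211 0.0.0.0:* LISTEN 1946/memcached'

# audit_listeners: read netstat -plunt lines on stdin and print one EXPOSED line
# per memcached socket that is UDP (amplification vector) or TCP bound to a
# non-loopback address (reachable from the network). Returns 1 if any were found.
audit_listeners() {
    exposed=0
    while read -r proto recvq sendq laddr faddr rest; do
        case "$rest" in *memcached*) ;; *) continue ;; esac
        addr=${laddr%:*}                       # strip the ":port" suffix
        case "$proto" in
            udp*) echo "EXPOSED: $proto $laddr is UDP; set -U 0"; exposed=1 ;;
            tcp*) case "$addr" in
                      127.0.0.1|::1|localhost) ;;
                      *) echo "EXPOSED: $proto $laddr bound to non-loopback address; set -l 127.0.0.1"
                         exposed=1 ;;
                  esac ;;
        esac
    done
    return $exposed
}

# harden_debian_conf FILE: Debian/Ubuntu style, one option per line. Drops any
# existing -l / -U lines and appends the hardened pair, so rerunning is safe.
harden_debian_conf() {
    conf=$1
    tmp=$(mktemp)
    grep -Ev '^[[:space:]]*-(l|U)[[:space:]]' "$conf" > "$tmp" || true
    printf -- '-l 127.0.0.1\n-U 0\n' >> "$tmp"
    cat "$tmp" > "$conf"                      # cat, not mv: keeps owner and mode
    rm -f "$tmp"
}

# sysconfig_options FILE: print the value of the (last) OPTIONS="..." line.
sysconfig_options() {
    sed -n 's/^OPTIONS="\(.*\)"$/\1/p' "$1" | tail -n1
}

# harden_sysconfig FILE: RHEL/CentOS/Fedora style, single OPTIONS variable.
# Strips any -l <addr> / -U <port> already present, keeps the other flags
# (-t, -c, ...) and writes back exactly one OPTIONS line.
harden_sysconfig() {
    conf=$1
    existing=$(sysconfig_options "$conf")
    kept=$(printf '%s\n' "$existing" | sed -E 's/(^| )-(l|U) ?[^ ]+//g; s/^ +//; s/ +$//')
    tmp=$(mktemp)
    grep -v '^OPTIONS=' "$conf" > "$tmp" || true
    printf 'OPTIONS="%s-l 127.0.0.1 -U 0"\n' "${kept:+$kept }" >> "$tmp"
    cat "$tmp" > "$conf"
    rm -f "$tmp"
}

# Demo on the constructed samples: ./memcached-harden.sh --demo
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_EXPOSED" | audit_listeners || echo "exposed sample: hardening needed"
    printf '%s\n' "$SAMPLE_SAFE" | audit_listeners && echo "safe sample: OK"
fi
```

On a live host the audit runs as `sudo netstat -plunt | grep memcached | audit_listeners`; the parser expects netstat's column layout, so feed it netstat rather than ss output. After hardening, restart the service and run the audit again to confirm the exit status is 0.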