• Auto secure Memcached

 #1669  by vpssim82
 16 Aug 2018 01:25
Hi vpssim,

can you please auto edit the memcached to make it more secure. I just got email from hetzner that said, memcached is being used back hacker to attack server.

I google about it and found a simple solution, it will be nice if when we enable memcached the memcached config already edit to secure the server.


To ensure that our Memcached instance is listening on the local interface, we will modify the OPTIONS variable in the configuration file located at /etc/sysconfig/memcached. We will also disable the UDP listener. Both of these actions will protect our server from denial of service attacks.

You can open /etc/sysconfig/memcached with vi:

sudo vi /etc/sysconfig/memcached

Locate the OPTIONS variable, which will initially look like this:

. . .

Binding to our local network interface will restrict traffic to clients on the same machine. We will do this by adding -l to our OPTIONS variable. This may be too restrictive for certain environments, but it can make a good starting point as a security measure.

Because UDP protocol is much more effective for denial of service attacks than TCP, we can also disable the UDP listener. To do this, we will add the -U 0 parameter to our OPTIONS variable. The file in full should look like this:

OPTIONS="-l -U 0"

Save and close the file when you are done.

Restart your Memcached service to apply your changes:

sudo systemctl restart memcached

Verify that Memcached is currently bound to the local interface and listening only for TCP connections by typing:

sudo netstat -plunt

You should see the following output:

Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
. . .
tcp 0 0* LISTEN 2383/memcached
. . .

This confirms that memcached is bound to the address using only TCP.
nguyenoanh liked this
This topic has 1 reply
You must be a registered member and logged in to view the replies in this topic.