Secure Memcached on Linux

phptuts December 20, 2018

Memcached

Memcached is Vulnerable and hacker can use your server to DDOS victims, so you must secure your memcached server.

I. By iptables

Step 1: disable all connect to port 11211

iptables -I INPUT -p udp --dport 11211 -j DROP
iptables -I INPUT -p tcp --dport 11211 -j DROP

Step 2: open port 11211 for only localhost

iptables -I INPUT -p udp -s 127.0.0.1 --dport 11211 -j ACCEPT
iptables -I INPUT -p tcp -s 127.0.0.1 --dport 11211 -j ACCEPT

Step 3: open port 11211 for your other server:

For one IP:

iptables -I INPUT -p udp -s 11.11.11.11 --dport 11211 -j ACCEPT
iptables -I INPUT -p tcp -s 11.11.11.11 --dport 11211 -j ACCEPT
service iptables save

For IP CIDR:

iptables -I INPUT -p udp -s 11.11.11.11/16 --dport 11211 -j ACCEPT
iptables -I INPUT -p tcp -s 11.11.11.11/16 --dport 11211 -j ACCEPT
service iptables save

II. By firewalld

Step 1: disable all connect to port 11211

firewall-cmd --permanent --add-rich-rule='rule family="ipv4" port protocol="tcp" port="11211" reject'
firewall-cmd --permanent --add-rich-rule='rule family="ipv4" port protocol="udp" port="11211" reject'

Step 2: open port 11211 for only localhost

firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="127.0.0.1" port protocol="tcp" port="11211" accept'
firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="127.0.0.1" port protocol="udp" port="11211" accept'

Step 3: open port 11211 for your other server:

For one IP:

firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="11.11.11.11" port protocol="tcp" port="11211" accept'
firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="11.11.11.11" port protocol="udp" port="11211" accept'
sudo firewall-cmd --reload

For IP CIDR:

firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="11.11.11.11/16" port protocol="tcp" port="11211" accept'
firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="11.11.11.11/16" port protocol="udp" port="11211" accept'
sudo firewall-cmd --reload

phptuts

Related Posts

Leave a Reply