Secure Memcached on Linux


Memcached

Memcached is Vulnerable and hacker can use your server to DDOS victims, so you must secure your memcached server.

I. By iptables

Step 1: disable all connect to port 11211

iptables -I INPUT -p udp --dport 11211 -j DROP
iptables -I INPUT -p tcp --dport 11211 -j DROP

Step 2: open port 11211 for only localhost

iptables -I INPUT -p udp -s 127.0.0.1 --dport 11211 -j ACCEPT
iptables -I INPUT -p tcp -s 127.0.0.1 --dport 11211 -j ACCEPT

Step 3: open port 11211 for your other server:

For one IP:

iptables -I INPUT -p udp -s 11.11.11.11 --dport 11211 -j ACCEPT
iptables -I INPUT -p tcp -s 11.11.11.11 --dport 11211 -j ACCEPT
service iptables save

For IP CIDR:

iptables -I INPUT -p udp -s 11.11.11.11/16 --dport 11211 -j ACCEPT
iptables -I INPUT -p tcp -s 11.11.11.11/16 --dport 11211 -j ACCEPT
service iptables save

II. By firewalld

Step 1: disable all connect to port 11211

firewall-cmd --permanent --add-rich-rule='rule family="ipv4" port protocol="tcp" port="11211" reject'
firewall-cmd --permanent --add-rich-rule='rule family="ipv4" port protocol="udp" port="11211" reject'

Step 2: open port 11211 for only localhost

firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="127.0.0.1" port protocol="tcp" port="11211" accept'
firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="127.0.0.1" port protocol="udp" port="11211" accept'

Step 3: open port 11211 for your other server:

For one IP:

firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="11.11.11.11" port protocol="tcp" port="11211" accept'
firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="11.11.11.11" port protocol="udp" port="11211" accept'
sudo firewall-cmd --reload

For IP CIDR:

firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="11.11.11.11/16" port protocol="tcp" port="11211" accept'
firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="11.11.11.11/16" port protocol="udp" port="11211" accept'
sudo firewall-cmd --reload

Leave a Reply