Last Updated: June 11, 2021
· nmalcolm

Securing memcached servers

Memcached. A fabulous piece of software which offers distributed memory caching, often, to reduce the stress on database driven websites. Thousands upon thousands of websites use memcached, including Facebook — the largest user of the software —, Youtube, Twitter, Github, and many more.

This tutorial is specific for a setup where memcached is on a single server setup. For multiple servers you'd want to setup your firewall so only your servers can connect to the memcached server.

While it offers fast caching and boasts high performance, it doesn't come without a major factor in most other softwares - authentication. Yes, you heard right. No usernames, no passwords. Just a host and a port, and you're able to connect. What's more is that by default it listens on all addresses. A big no no for production and development servers alike.

If the server can listen on all addresses that means that anyone with a brain can snoop around inside the cache for various information - including passwords and other sensitive data. The server can also let us know its version which can lead to further attacks if memcached is outdated and is contains a security flaw.

As a CentOS user, the following edits are for a CentOS server. Please consult your manual for OS specific commands and paths.

The file we want to edit is /etc/sysconfig/memcached which contains a a few configurations we can change. The line we're interested in is OPTIONS which sets the arguments when the server is launched.

The -l argument is what we need to make sure memcached only listens on localhost.

-l <addr>     interface to listen on (default: INADDR_ANY, all addresses)
          <addr> may be specified as host:port. If you don't specify
          a port number, the value you specified with -p or -U is
          used. You may specify multiple addresses separated by comma
          or by using -l multiple times

So, if you haven't already guessed, we should add -l to our OPTIONS.

Your /etc/sysconfig/memcached file should now look something more or less like this:


You then want to save the file and restart the memcached server with service memcached restart

To test that it's working as expected, try to connect to the server's external IP on port 11211. If you're still able to connect, check and make sure you've made the correct changes specific to your OS and environment.

You can go more indepth with securing memcached by changing the default user, listening on a non-standard port, and even blocking connections on all ports which don't require external access, but generally the above method will suffice.

Happy hacking.

3 Responses
Add your response

@euantor I use them both. APC, as an opcode cache, increases performance even without using it in your applications whereas memcached is great for storing data, as it implies, in memory. :-)

over 1 year ago ·

@euantor Indeed it can, but even though memcached has been developed for distributed environments it does has its advantages on a single server too.

Also related; A snippet from an article on the MySQL Performance Blog:

APC will be great for caching small but frequently accessed things which are not taking too much memory. For example if you store list of states in the database you can cache it this way.

Memcached is good for caching things which take large amount of space combined and which you only need to fetch few per page. For example search results may be good candidate (assuming we want to cache them and want to cache them in memory).

APC and memcached both work in different ways and therefore have different advantages and disadvantages. For example, as APC is a PHP extension as soon as you restart your web server the cache will be emptied. With memcached, as long as the server is running (And you don't run out of memory or have a TTL set for the data) the data will always be available so there's no need to recache it each time the web server is restarted.

On larger sites you clearly don't want to have your total cache cleared - at least not in most cases. That's why I tend to use memcached in my projects while leaving APC to work in the background. :-)

over 1 year ago ·

@euantor On larger sites it can be a regular thing. For example, one piece of software I run on my server which is updated daily requires a web server restart otherwise it cannot perform the schema upgrades to the database.

It also happens under certain circumstances which you may not be aware of, for example on a handful on distros when you rotate log files Apache will restart itself on each rotate. If you're dealing with a lot of traffic under Apache, chances are it'll restart quite often.

over 1 year ago ·