Memcached. A fabulous piece of software which offers distributed memory caching, often to reduce the stress on database-driven websites. Thousands upon thousands of websites use memcached, including Facebook — the largest user of the software —, YouTube, Twitter, GitHub, and many more.
This tutorial is specific to a single-server setup. For multiple servers, you'd want to set up your firewall so that only your own servers can connect to the memcached server.
While it offers fast caching and boasts high performance, it lacks something most other software has: authentication. Yes, you heard right. No usernames, no passwords. Just a host and a port, and you're able to connect. What's more, by default it listens on all addresses. A big no-no for production and development servers alike.
If the server listens on all addresses, that means anyone who can reach it can snoop around inside the cache for various information, including passwords and other sensitive data. The server will also report its version, which can lead to further attacks if memcached is outdated and contains a security flaw.
I'm a CentOS user, so the following edits are for a CentOS server. Please consult your manual for OS-specific commands and paths.
The file we want to edit is /etc/sysconfig/memcached, which contains a few configuration settings we can change. The line we're interested in is OPTIONS, which sets the arguments passed to the server when it is launched.
The -l argument is what we need to make sure memcached only listens on localhost.
-l <addr> interface to listen on (default: INADDR_ANY, all addresses)
<addr> may be specified as host:port. If you don't specify
a port number, the value you specified with -p or -U is
used. You may specify multiple addresses separated by comma
or by using -l multiple times
So, if you haven't already guessed, we should add -l 127.0.0.1 to our OPTIONS.
Your /etc/sysconfig/memcached file should now look more or less like this:
You then want to save the file and restart the memcached server with service memcached restart.
To test that it's working as expected, try to connect to the server's external IP on port 11211. If you're still able to connect, check that you've made the correct changes for your OS and environment.
You can go more in depth with securing memcached by changing the default user, listening on a non-standard port, and even blocking connections on all ports which don't require external access, but generally the above method will suffice.
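As an added example (not code from the original post), here is a POSIX shell function that parses the OPTIONS line of a CentOS-style /etc/sysconfig/memcached file and flags a configuration that still listens on all interfaces, so the check above can be scripted before restarting. The sample file contents and the function name are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original post: audit the OPTIONS line of a
# CentOS-style /etc/sysconfig/memcached file. File contents, paths and the
# function name below are assumptions made for illustration.

# check_memcached_bind FILE
# Prints each address memcached is told to bind to and returns 0 only when
# every -l address is loopback (127.0.0.1, localhost or ::1). Returns 1 when
# -l is absent (memcached then listens on all interfaces, INADDR_ANY) or
# when any non-loopback address is present.
check_memcached_bind() {
    file="$1"
    # Pull the value out of OPTIONS="..." (quotes stripped).
    opts=$(sed -n 's/^OPTIONS="\(.*\)"$/\1/p' "$file")
    # -l may be given as "-l addr", "-laddr", repeated, or as a comma list.
    addrs=$(printf '%s\n' "$opts" | tr ' \t' '\n\n' | awk '
        $0 == "-l" { want = 1; next }
        want       { print; want = 0; next }
        /^-l./     { print substr($0, 3) }' | tr ',' '\n')
    if [ -z "$addrs" ]; then
        echo "no -l in OPTIONS: memcached listens on ALL interfaces"
        return 1
    fi
    rc=0
    for a in $addrs; do
        case "$a" in
            127.0.0.1|127.0.0.1:*|localhost|localhost:*|::1|"[::1]"|"[::1]:"*)
                echo "loopback bind: $a" ;;
            *)  echo "NON-loopback bind: $a"; rc=1 ;;
        esac
    done
    return $rc
}

# Demo on two constructed configs: a stock-looking CentOS file (empty
# OPTIONS) and the same file after adding -l 127.0.0.1 as the post describes.
demo() {
    tmp=$(mktemp)
    printf 'PORT="11211"\nUSER="memcached"\nMAXCONN="1024"\nCACHESIZE="64"\nOPTIONS=""\n' > "$tmp"
    check_memcached_bind "$tmp" || echo "-> FAIL: restrict memcached to localhost"
    printf 'PORT="11211"\nUSER="memcached"\nMAXCONN="1024"\nCACHESIZE="64"\nOPTIONS="-l 127.0.0.1"\n' > "$tmp"
    check_memcached_bind "$tmp" && echo "-> OK: memcached bound to loopback only"
    rm -f "$tmp"
}
demo
```

Run it against the real file with check_memcached_bind /etc/sysconfig/memcached after editing; a non-zero exit means the server would still accept connections from outside the host.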