Memcache Security Configuration to prevent unauthorized data reading

Source: Internet
Author: User

This article focuses on the security configuration of Memcache to prevent unauthorized data reading. If you encounter such problems, you can refer to it.

The memcache server accepts commands from any client that connects to it, without any authentication step. Exposing the server directly to the Internet is therefore dangerous: unrelated people can read the cached data, and because Memcache here runs with root permission, a compromise of the service means a compromise of the server. Unknown bugs or buffer overflows may also exist, so the danger is foreseeable. For the sake of security, I offer two suggestions that help to prevent intrusion or data leakage.

1. Intranet access or local access:

It is recommended that the Web server and the Memcache server talk to each other over the Intranet. A server usually has two NICs, one facing the Internet and the other facing the Intranet, so the Web server can reach the Memcache server through the Intranet NIC. When the Memcache server is started, it listens only on the Intranet IP address and port, and restricting access to the Intranet effectively prevents other illegal access.

The Code is as follows:

# memcached -d -m 1024 -u root -l 192.168.0.200 -p 11211 -c 1024 -P /tmp/memcached.pid

Or:

# memcached -d -m 1024 -u root -l 127.0.0.1 -p 11211 -c 1024 -P /tmp/memcached.pid

With these options the Memcache server listens on port 11211 of either the Intranet address 192.168.0.200 or the local address 127.0.0.1, uses 1024 MB of memory, and allows a maximum of 1024 concurrent connections.

2. Set a firewall

A firewall is a simple and effective method. If both servers are on the Internet and Memcache has to be reached through an Internet IP address, you can use a firewall or a proxy program to filter out illegal access.

On Linux we can use iptables, and on FreeBSD ipfw, to define rules that block unauthorized access. For example, we can allow only our Web server to reach our Memcache server while all other access is blocked.

The Code is as follows:

# iptables -F
# iptables -P INPUT DROP
# iptables -A INPUT -p tcp -s 192.168.0.2 --dport 11211 -j ACCEPT
# iptables -A INPUT -p udp -s 192.168.0.2 --dport 11211 -j ACCEPT

The iptables rules above allow only the Web server 192.168.0.2 to reach the Memcache server on port 11211, which effectively blocks illegal access. Because the default INPUT policy is set to DROP, every other inbound service you still need (for example your own SSH session) must be allowed by an additional rule; add further rules according to your own needs.

Of course, you can also simply reject all external connections to port 11211.
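As an added example (not from the original article), the following POSIX shell helpers combine both suggestions: one checks whether the address a memcached command line listens on is an Intranet or local address, and the other prints an iptables allow-list for port 11211 from a given set of Web servers. The function names, the sample command lines and the extra loopback/established rules are my own assumptions, not part of the article.

```shell
#!/bin/sh
# Added example: audit a memcached listen address and generate firewall rules.

# Return 0 when the address is loopback or an RFC 1918 private range, 1 otherwise.
is_private_ip() {
  case "$1" in
    127.*|10.*|192.168.*) return 0 ;;
    172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
    *) return 1 ;;
  esac
}

# Extract the -l listen address from memcached arguments.
# Without -l, memcached binds every interface, which we report as 0.0.0.0.
memcached_listen_addr() {
  addr="0.0.0.0"
  while [ $# -gt 0 ]; do
    if [ "$1" = "-l" ] && [ $# -gt 1 ]; then
      addr="$2"
      shift
    fi
    shift
  done
  printf '%s\n' "$addr"
}

# Exit 0 when the daemon would listen only on an Intranet/local address.
check_memcached_listen() {
  addr=$(memcached_listen_addr "$@")
  if is_private_ip "$addr"; then
    echo "OK: memcached listens on intranet/local address $addr"
    return 0
  fi
  echo "WARN: memcached listens on $addr, reachable from the Internet" >&2
  return 1
}

# Print (not apply) iptables rules that admit port 11211 only from the given
# Web server IPs. Loopback and already established connections are kept open
# so a default DROP policy does not cut off the admin session; any other
# inbound service (e.g. SSH) still needs its own ACCEPT rule.
memcache_firewall_rules() {
  echo "iptables -F"
  echo "iptables -P INPUT DROP"
  echo "iptables -A INPUT -i lo -j ACCEPT"
  echo "iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
  for ip in "$@"; do
    echo "iptables -A INPUT -p tcp -s $ip --dport 11211 -j ACCEPT"
    echo "iptables -A INPUT -p udp -s $ip --dport 11211 -j ACCEPT"
  done
}
```

Run `check_memcached_listen -d -m 1024 -u root -l 192.168.0.200 -p 11211 -c 1024` to audit the article's first command line, and pipe `memcache_firewall_rules 192.168.0.2` into `sh` once you have reviewed the output.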
