0x00 Memcache Overview
Memcached is a high-performance, distributed in-memory object caching system (the "distribution" is done client-side: the client hashes each key to one of the servers). It keeps one large hash table in memory and can hold arbitrary data: images, video, files, database query results. Put simply, data is loaded into memory once and served from memory afterwards, which greatly improves read speed.
Memcached is a Danga Interactive project, originally written to speed up LiveJournal, and later adopted by many large websites for the same purpose.
Memcached runs as a daemon on one or more servers, accepting client connections and commands at any time.
0x01 Setting up the Memcache Service
yum install memcached
Install the memcached server
yum -y install php-pecl-memcache
Install the PHP memcache extension
php -m | grep memcache
Check that the PHP extension is loaded
memcached -d -m 100 -u root -l x.x.x.x -p 11211 -c 512 -P /tmp/memcached.pid
Parameter description:
-d  run as a daemon.
-m  memory to allocate to memcached, in MB; 100 MB here.
-u  user to run memcached as. The author uses root here; a dedicated unprivileged user is the safer choice, because anything an attacker can do through the daemon is done as this user (memcached refuses to start as root unless -u is given explicitly).
-l  IP address to listen on; the server's own address x.x.x.x here.
-p  TCP port to listen on; 11211 here, preferably above 1024.
-c  maximum number of concurrent connections; the default is 1024, 512 here. Set it according to your server's load.
-P  file in which to save the memcached PID; /tmp/memcached.pid here.
To stop the memcached process:
kill `cat /tmp/memcached.pid`
Start at boot:
chkconfig memcached on
PhpMemcachedAdmin is a graphical front end for memcached, similar to phpMyAdmin for MySQL:
http://blog.elijaa.org/index.php?Pages/phpMemcachedAdmin-Installation-Guide
Default interface of the latest version (screenshot)
Its "Execute Commands on Servers" page runs raw memcached commands against the configured servers from the browser.
Telnet to the memcached port does exactly the same thing.
0x02 The Danger of Anonymous Memcache Access
Many of the vulnerability reports submitted to WooYun are information leaks caused by memcached instances without any access restriction:
Memcached has no IP restriction of its own, so anyone who can reach the port can read and control the cached data.
To pull data out of memcached, first list the slabs that hold items, then dump the keys of each slab:
stats items
stats cachedump <slab id> <number of keys to return; 0 returns all>
Once you have a key, get <key> reads its value. Reading is not the limit: the same connection can modify or delete cached data (set, delete, flush_all), which is how an attacker tampers with whatever the application trusts from its cache.
PhpMemcachedAdmin also ships a script that searches keys, with regular-expression matching.
0x03 Finding Memcache Servers with Anonymous Access
Memcached listens on port 11211 by default, so nmap can sweep a network for hosts with that port open:
nmap -n --open -p 11211 X.X.X.X/24
Then telnet to port 11211 on each host and run
stats items
If the command returns results, the instance is anonymously usable.
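The 0x02 enumeration (stats items, then stats cachedump per slab) and the 0x03 open-port check are easy to script once telnet has shown what the protocol looks like. The following is an added example, not code from the original article or from the memcached project: a small Python 3 client for the memcached text protocol using only the standard library. The host, port and the two sample server responses are constructed for illustration; the samples follow the exact line format memcached emits, so the parsers can be exercised offline.

```python
# Added example (not from the original article): a Python 3 client for the
# memcached text protocol that performs the 0x02/0x03 steps without telnet.
# Assumptions: standard library only; SAMPLE_* responses below are constructed
# by hand in memcached's own output format so the parsers run offline.
import re
import socket
import sys

# "STAT items:<slab>:number <count>" lines from `stats items`
ITEMS_RE = re.compile(r"^STAT items:(\d+):number (\d+)$")
# "ITEM <key> [<bytes> b; <expiry> s]" lines from `stats cachedump <slab> <limit>`
CACHEDUMP_RE = re.compile(r"^ITEM (\S+) \[(\d+) b; (\d+) s\]$")


def parse_stats_items(text):
    """Return {slab_id: item_count} from the output of `stats items`."""
    slabs = {}
    for line in text.splitlines():
        m = ITEMS_RE.match(line.strip())
        if m:
            slabs[int(m.group(1))] = int(m.group(2))
    return slabs


def parse_cachedump(text):
    """Return [(key, size_in_bytes, expiry_epoch)] from `stats cachedump`."""
    items = []
    for line in text.splitlines():
        m = CACHEDUMP_RE.match(line.strip())
        if m:
            items.append((m.group(1), int(m.group(2)), int(m.group(3))))
    return items


def memcache_cmd(host, port, cmd, timeout=3.0):
    """Send one text-protocol command and read until the END terminator.

    Raises OSError (connection refused, timeout) when the port does not answer.
    """
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(cmd.encode("ascii") + b"\r\n")
        buf = b""
        while not buf.endswith(b"END\r\n"):
            chunk = s.recv(4096)
            if not chunk:
                break
            buf += chunk
            # error replies are a single line and are never followed by END
            if buf.startswith((b"ERROR", b"CLIENT_ERROR", b"SERVER_ERROR")) and buf.endswith(b"\r\n"):
                break
    return buf.decode("utf-8", "replace")


def is_open_memcache(host, port=11211):
    """0x03 check: the instance is anonymously usable if `stats items` answers."""
    try:
        return memcache_cmd(host, port, "stats items").endswith("END\r\n")
    except OSError:
        return False


def dump_keys(host, port=11211):
    """0x02 procedure: `stats items`, then `stats cachedump <slab> 0` per slab."""
    slabs = parse_stats_items(memcache_cmd(host, port, "stats items"))
    keys = []
    for slab_id in sorted(slabs):
        keys.extend(parse_cachedump(memcache_cmd(host, port, f"stats cachedump {slab_id} 0")))
    return keys


# Constructed sample responses (what a real server sends, CRLF line endings).
SAMPLE_STATS_ITEMS = (
    "STAT items:1:number 2\r\nSTAT items:1:age 3600\r\n"
    "STAT items:5:number 1\r\nSTAT items:5:age 120\r\nEND\r\n"
)
SAMPLE_CACHEDUMP = (
    "ITEM session:5f3a9c [118 b; 1700000000 s]\r\n"
    "ITEM user:42:profile [64 b; 0 s]\r\nEND\r\n"
)

if __name__ == "__main__":
    if len(sys.argv) >= 2:          # python3 memcache_keys.py <host> [port]
        host = sys.argv[1]
        port = int(sys.argv[2]) if len(sys.argv) > 2 else 11211
        if not is_open_memcache(host, port):
            sys.exit(f"{host}:{port} does not answer `stats items`")
        for key, size, exp in dump_keys(host, port):
            print(f"{key}\t{size} bytes\texpires {exp}")
    else:                            # no host given: run the parsers on the samples
        print(parse_stats_items(SAMPLE_STATS_ITEMS))
        print(parse_cachedump(SAMPLE_CACHEDUMP))
```

With a key in hand, `memcache_cmd(host, port, "get <key>")` returns the value exactly as telnet would show it. Note that `stats cachedump` only returns a bounded amount of output per call, so on a busy instance the key list is partial; newer memcached builds offer `lru_crawler metadump all` for a complete listing, which the same `memcache_cmd` helper can drive.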
0x04 Security Configuration
A memcached server performs any operation a client asks for as soon as the connection is made; there is no authentication step at all. Exposing it directly to the Internet is therefore dangerous: anyone can read the cached data, and because memcached in this setup runs as root, any as yet unknown bug or buffer overflow in the daemon would hand an attacker root on the host. The specific bugs are unknown, but the risk is foreseeable.
Intranet access
The recommended setup is to keep the traffic between the two machines, normally the Web server and the memcached server, on the intranet. Servers typically have two NICs, one facing the Internet and one facing the intranet; the Web server talks to memcached over the intranet NIC, and memcached is started listening only on its intranet IP address and port. Restricting access to the intranet in this way blocks outside connections at the point where the socket is bound.
# memcached -d -m 1024 -u root -l 192.168.0.200 -p 11211 -c 1024 -P /tmp/memcached.pid
Here memcached listens on port 11211 of the intranet address 192.168.0.200, uses 1024 MB of memory and allows at most 1024 concurrent connections. (The -u root is the author's choice; an unprivileged user is safer, as noted in 0x01.)
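Starting memcached with -l is only half of the job; the check a practitioner wants is proof that the running daemon is bound to the intranet address and nothing else. The following is an added example, not from the original article or the memcached project: it reads the kernel's listener table from /proc/net/tcp and classifies every address listening on port 11211. It assumes Linux, Python 3 and a little-endian host (x86, arm64); the two sample tables are constructed in the /proc/net/tcp format and are not captured from a real system.

```python
# Added example (not from the original article): verify from the host which
# addresses memcached is actually listening on, from /proc/net/tcp rather than
# from the command line it was started with. Assumptions: Linux, Python 3
# standard library, little-endian host; BAD_TABLE/GOOD_TABLE are constructed.
import ipaddress
import socket
import struct

TCP_LISTEN = "0A"  # state code for LISTEN in /proc/net/tcp


def decode_addr(hex_addr):
    """'C800A8C0:2BCB' -> ('192.168.0.200', 11211).

    The kernel prints the IPv4 address as one 32-bit word in host byte order,
    so on little-endian machines the octets appear reversed.
    """
    ip_hex, port_hex = hex_addr.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16)))
    return ip, int(port_hex, 16)


def listeners(proc_net_tcp, port=11211):
    """Local addresses in LISTEN state on `port`, from /proc/net/tcp text."""
    found = []
    for line in proc_net_tcp.splitlines()[1:]:  # first line is the column header
        fields = line.split()
        if len(fields) < 4:
            continue
        ip, p = decode_addr(fields[1])
        if fields[3] == TCP_LISTEN and p == port:
            found.append(ip)
    return found


def assess(addrs):
    """Verdict per listening address: only loopback and RFC 1918 addresses pass."""
    verdicts = {}
    for ip in addrs:
        a = ipaddress.ip_address(ip)
        if a.is_unspecified:                      # 0.0.0.0: every interface
            verdicts[ip] = "EXPOSED: bound to all interfaces"
        elif a.is_loopback or a.is_private:
            verdicts[ip] = "ok: loopback or intranet address"
        else:
            verdicts[ip] = "EXPOSED: public address"
    return verdicts


def check_host(port=11211):
    """Run the check against the live kernel table of this machine."""
    with open("/proc/net/tcp") as f:
        return assess(listeners(f.read(), port))


HEADER = "  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode\n"
TAIL = " 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0\n"
# Constructed: memcached bound to 0.0.0.0:11211 (the default), plus sshd on 127.0.0.1:22
BAD_TABLE = HEADER + "   0: 00000000:2BCB 00000000:0000 0A" + TAIL + "   1: 0100007F:0016 00000000:0000 0A" + TAIL
# Constructed: memcached bound to 192.168.0.200:11211 only, with one established client from 192.168.0.2
GOOD_TABLE = HEADER + "   0: C800A8C0:2BCB 00000000:0000 0A" + TAIL + "   1: C800A8C0:2BCB 0200A8C0:C350 01" + TAIL

if __name__ == "__main__":
    print("sample (default bind): ", assess(listeners(BAD_TABLE)))
    print("sample (intranet bind):", assess(listeners(GOOD_TABLE)))
    print("this host:             ", check_host())
```

Run it on the memcached host after (re)starting the service: a "0.0.0.0" verdict means the -l flag was dropped or ignored and the daemon is reachable on the Internet-facing NIC as well. The same parser works for /proc/net/udp if the memcached build still opens its UDP port.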
Set up a firewall
A firewall is a simple and effective control. If both machines are on the Internet and memcached has to be reached over a public IP address, a firewall or proxy in front of it can filter out unauthorized access. On Linux this is iptables, on FreeBSD ipfw; in either case the rule set allows only our Web server to reach the memcached server and blocks everything else.
# iptables -F
# iptables -P INPUT DROP
# iptables -A INPUT -p tcp -s 192.168.0.2 --dport 11211 -j ACCEPT
# iptables -A INPUT -p udp -s 192.168.0.2 --dport 11211 -j ACCEPT
These iptables rules admit connections to port 11211 only from the Web server 192.168.0.2 and drop all other inbound traffic, which stops unauthorized access to memcached. Be aware that with an INPUT policy of DROP and only these two ACCEPT rules, the host also drops SSH, loopback traffic and the replies to its own outbound connections; add rules for those first, and apply the rule set from a console rather than over SSH. Further rules can be added as your own needs dictate.