Memcache the memory cache for unauthorized access vulnerability solutions

Vulnerability description

Memcache is a commonly used key-value caching system, because it does not have permission control module, so the Memcache service of open Extranet is easily detected by attackers, and the sensitive information in Memcache can be read directly through command interaction.

Repair scheme

Because Memcache has no privilege control function, users need to limit the access source, and share 4 effective solutions below.

1, binding IP

If the memcache is not necessary to open the extranet, you can specify the binding IP address of 127.0.0.1 when the memcache is started. For example:
Memcached-d-M 1024-u root-l 127.0.0.1-p 11211-c 1024-p/tmp/memcached.pid
Where the-l parameter is specified as a native address.

2. Configure Iptables Rules

If the Memcache service needs to provide services externally, access control can be done through iptables.
Iptables-a input-p tcp-s 192.168.0.2--dport 11211-j
The above rules mean that only 192.168.0.2 this IP is allowed to access 11211 ports.

3, modify the configuration file

If you are using Linux, you can refer to the following methods:

View 11211 Port occupancy first

Command: Netstat-an|more

Show 0 0.0.0.0:11211 No IP restrictions

Execute command: NC-VV x.x.x.x 11211 Prompt Connection Successful

Execute command: vim/etc/sysconfig/memcached, modify configuration file

Increase Limit options= "-l 127.0.0.1″, only local access, not open to public network, save exit

Execute command:/etc/init.d/memcached Reload Restart Service

The connection command again prompts the connection to fail.

4. Server Security software

If your server has security software installed, such as a secure dog, you can configure the TCP connection policy to restrict the Memcache port's extranet IP access.