Vulnerability description
Memcached is a widely used key-value caching system. It has no authentication or permission-control module, so a Memcached service exposed to the public network is easily discovered by attackers, and the sensitive data it holds can be read directly through its plain-text command interface.
Remediation
Because Memcached has no permission-control function, users must restrict where connections are allowed to come from. Four effective approaches are described below.
1. Bind to a specific IP address
If Memcached does not need to be reachable from the public network, bind it to 127.0.0.1 with the -l option when it is started. For example:
memcached -d -m 1024 -u root -l 127.0.0.1 -p 11211 -c 1024 -P /tmp/memcached.pid
The -l option sets the listening address; 127.0.0.1 restricts it to the local loopback interface. The -u option sets the account the daemon runs as; a dedicated unprivileged user is preferable to root.
2. Configure iptables rules
If the Memcached service must be reachable from other hosts, restrict access with iptables:
iptables -A INPUT -p tcp -s 192.168.0.2 --dport 11211 -j ACCEPT
iptables -A INPUT -p tcp --dport 11211 -j DROP
The first rule allows only the host 192.168.0.2 to reach port 11211; the second drops connections to that port from every other source. Without the DROP rule, the ACCEPT rule alone restricts nothing.
3. Modify the configuration file
On Linux, you can use the following procedure:
First check what is listening on port 11211.
Command: netstat -an | more
A line showing 0.0.0.0:11211 means Memcached is listening on all interfaces with no IP restriction.
Execute command: nc -vv x.x.x.x 11211 (the connection is reported as successful)
Execute command: vim /etc/sysconfig/memcached to edit the configuration file
Add the restriction OPTIONS="-l 127.0.0.1" so that only local access is allowed and the service is not open to the public network; save and exit.
Execute command: /etc/init.d/memcached reload to restart the service
Run the nc connection command again; it now reports that the connection failed.
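The two facts the procedure above inspects by hand (a wildcard 0.0.0.0:11211 listener in netstat output, and the OPTIONS line in /etc/sysconfig/memcached) can be checked by a small audit script. The following is an added example, not part of the original page; the netstat and sysconfig samples are constructed to mirror the before and after states of the procedure.

```shell
#!/bin/sh
# Audit helper (added example): flags memcached sockets on port 11211 that are
# bound to a wildcard address, and checks that OPTIONS pins the bind to 127.0.0.1.

# Print each port-11211 socket bound to 0.0.0.0 or :: (reachable on every
# interface). TCP rows carry a LISTEN state column; UDP rows have no state.
memcached_exposed_listeners() {
    printf '%s\n' "$1" | awk '
        ($NF == "LISTEN" || $1 ~ /^udp/) && $4 ~ /:11211$/ {
            addr = $4; sub(/:11211$/, "", addr)
            if (addr == "0.0.0.0" || addr == "::") print $1, $4
        }'
}

# Exit 0 only if the sysconfig text sets OPTIONS with "-l 127.0.0.1".
sysconfig_binds_loopback() {
    printf '%s\n' "$1" | grep -Eq '^[[:space:]]*OPTIONS=.*-l[[:space:]]*127\.0\.0\.1'
}

# Combined check: exit 0 when no wildcard listener exists and the config is
# pinned to loopback; exit 1 otherwise, listing the findings on stdout.
memcached_audit() {
    exposed=$(memcached_exposed_listeners "$1")
    status=0
    if [ -n "$exposed" ]; then
        printf 'EXPOSED: %s\n' "$exposed"; status=1
    fi
    if ! sysconfig_binds_loopback "$2"; then
        printf 'CONFIG: OPTIONS does not bind memcached to 127.0.0.1\n'; status=1
    fi
    return $status
}

# Constructed sample data (not real output) for the before/after states.
NETSTAT_BEFORE='Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:11211           0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
udp        0      0 0.0.0.0:11211           0.0.0.0:*'
NETSTAT_AFTER='tcp        0      0 127.0.0.1:11211         0.0.0.0:*               LISTEN'
CONFIG_BEFORE='PORT="11211"
OPTIONS=""'
CONFIG_AFTER='PORT="11211"
OPTIONS="-l 127.0.0.1"'

memcached_audit "$NETSTAT_BEFORE" "$CONFIG_BEFORE" || echo "before: remediation needed"
memcached_audit "$NETSTAT_AFTER"  "$CONFIG_AFTER"  && echo "after: bound to loopback"
```

On a live host, feed the functions the real `netstat -an` output and the contents of /etc/sysconfig/memcached instead of the constructed samples.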
4. Server security software
If your server has security software installed, such as SafeDog, you can configure its TCP connection policy to restrict which external IP addresses may reach the Memcached port.