How To Secure Memcache on CentOS 7

This guide is intended for Hostwinds Cloud VPS and Dedicated Server clients who have the ability to secure Memcache and prevent Memcached amplification attempts from their server. We highly suggest this to prevent any outbound bandwidth usage from your server. To continue with this guide, you will want to be logged in as your server's root user.

Determine if Memcache is installed

Step One: You can run the following command to see the status of the Memcached service.

sudo systemctl status memcached

Secure Memcached on CentOS 7

Step One: Adjust the service parameters using your favorite text editor in your /etc/sysconfig/Memcached file. Example:

sudo nano /etc/sysconfig/memcached

Step Two: Bind the local network interface to restrict traffic by using the -l 127.0.0.1 option. Also, set -U 0 to disable the UDP listener to prevent amplification attacks from the UDP protocol.

PORT="11211"
USER="memcached"
MAXCONN="1024"
CACHESIZE="64"
OPTIONS="-l 127.0.0.1 -U 0"

Step Three: Save and close the file.

Step Four: Restart the Memcached service to apply these changes.

sudo systemctl restart memcached

Add Firewall Rule to iptables

Step One: You can add a basic firewall using iptables with the following commands:

sudo iptables -A INPUT -i lo -j ACCEPT

sudo iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

sudo iptables -A INPUT -p TCP -s --dport 11211 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT

REPLACE \< YOURSERVERSIPADDRESS > above with your server's actual IP Address.

sudo iptables -P INPUT DROP

Step Two: Confirm that Memcached is currently bound to the local interface and listening only for TCP by typing:

sudo netstat -plunt

The results should indicate that Memcached is bound to localhost at 127.0.0.1:11211 and only using TCP with no references to UDP.