Current a lot of sites blogging about memcached attacks on Servers here some details:
- Memcached Servers need a installed and running Service called “memcached”
- Websites need a php-plugin like php7.0-memcached to connect via API to the memcached Service
- The Memcached Service uses a own Config File at debian /etc/memcached.conf
- By default it MUST listen to localhost or socket
- Admins MUST setup a FIREWALL like “ufw” (iptables) and MUST check own Server for OPEN PORTS with nmap
- The Problem is that Attackers can run Scripts against to your Server in a 10^6 Range like a BOTNET !! with ONE PC cause MEMCACHED supports this high count of REQUESTS without going down.
- DO NEVER HOLD CONFIDENTIAL DATA ON WEBSERVERS!!!
Test to open Port using nmap Port Scan with UDP Option NOT TCP:
sudo nmap -sU -p 11211 www.myserver.xyz
If the scan echo this YOU MUST check or install a FIREWALL!:
Host is up (0.10s latency). PORT STATE SERVICE 11211/udp open|filtered unknown
if Echo shows this you are safe:
PORT STATE SERVICE 11211/udp filtered unknown
check your current Apache PHP Modules:
$sudo php -m
if memcached listed, the php api is active time to check more..
check for memcached service:
$sudo dpkg -l |grep mem
is memcached listed the service is installed, then do:
$sudo ps aux|grep mem
if the echo shows:
memcache ... /usr/bin/memcached -m 64 -p 11211 -u memcache -l 127.0.0.1 -P /var/run/memcached/memcached.pid
the Service is active an listening..
Sample Config:
/etc/memcached.conf
# memcached default config file # 2003 - Jay Bonci <jaybonci@debian.org> # This configuration file is read by the start-memcached script provided as # part of the Debian GNU/Linux distribution. # Run memcached as a daemon. This command is implied, and is not needed for the # daemon to run. See the README.Debian that comes with this package for more # information. -d # Log memcached's output to /var/log/memcached logfile /var/log/memcached.log # Be verbose -v # Be even more verbose (print client commands as well) -vv # Start with a cap of 64 megs of memory. It's reasonable, and the daemon default # Note that the daemon will grow to this size, but does not start out holding this much # memory -m 128 # Default connection port is 11211 -p 11211 # Run the daemon as root. The start-memcached will default to running as root if no # -u command is present in this config file -u memcache # Specify which IP address to listen on. The default is to listen on all IP addresses # This parameter is one of the only security measures that memcached has, so make sure # it's listening on a firewalled interface. -l 127.0.0.1 # Limit the number of simultaneous incoming connections. The daemon default is 1024 -c 300 # Lock down all paged memory. Consult with the README and homepage before you do this # -k # Return error when memory is exhausted (rather than removing items) -M # Maximize core file limit # -r # Use a pidfile -P /var/run/memcached/memcached.pid
Setup Firewall (ufw):
$sudo apt-get install ufw $sudo ufw allow 80/tcp $sudo ufw allow 443/tcp $sudo ufw enable
Retest with NMAP Port Scan your OPEN Ports! Do this monthly! Cause sometimes the Firewall can have unknown Problems!!
Check the Memcached Log at /var/log/memcached.log for Events