[NEW] Installing and Securing Memcached on Debian (#3966)
* Initial draft.

* Initial draft.

* Formatting fixes.

* Tech Edit 1

* Blueberry Fixes

* More Blueberry Fixes

* copy edits

---------

Co-authored-by: danielsen <[email protected]>
Co-authored-by: Adam Overa <[email protected]>
Co-authored-by: John Dutton <[email protected]>
4 people authored Jul 16, 2024
1 parent 8271f97 commit 377816a
Showing 1 changed file with 321 additions and 0 deletions.
@@ -0,0 +1,321 @@
---
slug: install-and-secure-memcached-on-debian-11-and-ubuntu-2204
title: "Install and Secure Memcached on Debian 11 and Ubuntu 22.04"
description: "Learn how to install and configure Memcached on Debian and Ubuntu, and then secure your installation using SASL authentication and firewall rules."
authors: ["Dan Nielsen"]
contributors: ["Dan Nielsen"]
published: 2024-06-03
keywords: ['memcached', 'debian', 'ubuntu', 'sasl', 'secure memcached']
license: '[CC BY-ND 4.0](https://creativecommons.org/licenses/by-nd/4.0)'
external_resources:
- '[Memcached](https://www.memcached.org)'
---

[*Memcached*](https://memcached.org/) is an in-memory key-value store for small chunks of arbitrary data. Memcached is often used to enhance web application performance and scalability by temporarily caching frequently accessed data and reducing direct requests to databases.

This guide walks through the installation steps for Memcached on Debian 11 and Ubuntu 22.04 LTS systems. Additionally, it goes over multiple solutions for securing your Memcached installation, including SASL authentication and adding firewall rules with UFW.

## Before You Begin

1. If you do not already have a virtual machine to use, create a Compute Instance with at least 4 GB of memory. See our [Getting Started with Linode](/docs/products/platform/get-started/) and [Creating a Compute Instance](/docs/products/compute/compute-instances/guides/create/) guides.

1. Follow our [Setting Up and Securing a Compute Instance](/docs/products/compute/compute-instances/guides/set-up-and-secure/) guide to update your system. You may also wish to set the timezone, configure your hostname, create a limited user account, and harden SSH access.

1. Follow our [How to Configure a Firewall with UFW](/docs/guides/configure-firewall-with-ufw/) guide to install UFW, allow SSH access, and enable the firewall.

{{< note >}}
This guide is written for a non-root user. Commands that require elevated privileges are prefixed with `sudo`. If you’re not familiar with the `sudo` command, see the [Users and Groups](/docs/guides/linux-users-and-groups/) guide.
{{< /note >}}

## Install Memcached

Memcached is available from the official Debian and Ubuntu repositories.

1. First, install Memcached:

```command
sudo apt install memcached
```

1. Next, install `libmemcached-tools`, a library that provides several tools for interacting with Memcached servers:

```command
sudo apt install libmemcached-tools
```

1. Verify that Memcached is installed and running:

```command
sudo systemctl status memcached
```

The expected output should resemble:

```output
● memcached.service - memcached daemon
Loaded: loaded (/lib/systemd/system/memcached.service; enabled; vendor preset: enabled)
Active: active (running) since Thu 2024-06-06 11:29:42 EDT; 18s ago
```

Press the <kbd>Q</kbd> to exit the status output and return to the terminal prompt.

1. Make sure that Memcached is listening on the default address:

```command
sudo ss -plunt | grep memcached
```

By default, there should only be one IPv4 localhost (`127.0.0.1`) entry for Memcached:

```output
tcp LISTEN 0 1024 127.0.0.1:11211 0.0.0.0:* users:(("memcached",pid=1789,fd=26))
```

1. Use the `memcstat` tool to check the status of Memcached on `127.0.0.1`:

```command
memcstat --servers="127.0.0.1"
```

```output
Server: 127.0.0.1 (11211)
pid: 1789
uptime: 420
time: 1717688200
version: 1.6.9
...
```

## Securing the Installation

The following sections cover various solutions for securing a Memcached installation. These steps are not strictly necessary when Memcached listens locally. However, if Memcached is exposed over a network, all of these sections should be completed to protect it from unauthorized access and other potential security threats.

### Open External Access and Disable UDP

1. Using a text editor, open the `/etc/memcached.conf` file:

```command
sudo nano /etc/memcached.conf
```

The default Memcached network address on Debian and Ubuntu is the local address (`127.0.0.1`). To open Memcached over the network, add your Compute Instances's external IP address. Disabling UDP using `-U 0` in the configuration is also recommended when opening Memcached access.
Save your changes once you are done editing the configuration file.
```file {title="/etc/memcached.conf" lang="conf" linenostart="31" hl_lines="6-9"}
...
# Specify which IP address to listen on. The default is to listen on all IP addresses
# This parameter is one of the only security measures that memcached has, so make sure
# it's listening on a firewalled interface.
-l 127.0.0.1
-l {{< placeholder "IP_ADDRESS" >}}

# Disable UDP
-U 0

# Limit the number of simultaneous incoming connections. The daemon default is 10>
# -c 1024
...
```
1. Restart Memcached to apply the changes:
```command
sudo systemctl restart memcached
```
1. Verify the network changes with the `ss` and `grep` commands from before:
```command
sudo ss -plunt | grep memcached
```
There should now be a second Memcached entry for your compute instance's external IP address:
```output
tcp LISTEN 0 1024 {{< placeholder "IP_ADDRESS" >}}:11211 0.0.0.0:* users:(("memcached",pid=2477,fd=27))
tcp LISTEN 0 1024 127.0.0.1:11211 0.0.0.0:* users:(("memcached",pid=2477,fd=26))
```
1. Use the `memcstat` tool to check the status of Memcached on your Compute Instance's external IP address. Replace {{< placeholder "IP_ADDRESS" >}} with your instance's IP:
```command
memcstat --servers="{{< placeholder "IP_ADDRESS" >}}"
```
```output
Server: {{< placeholder "IP_ADDRESS" >}} (11211)
pid: 2477
uptime: 203
time: 1717688684
version: 1.6.9
...
```
### Add Firewall Rules
The below steps use `ufw` to manage firewall rules.
1. Add a single firewall rule to allow limited access to port `11211` from a remote machine. Replace {{< placeholder "CLIENT_IP_ADDRESS" >}} with the IP address of the remote machine you want to access the Memcached server from:
```command
sudo ufw allow proto tcp from {{< placeholder "CLIENT_IP_ADDRESS" >}} to any port 11211
```
```output
Rule added
```
1. Verify that the rule has been added to UFW:
```command
sudo ufw status
```
```output
Status: active
To Action From
-- ------ ----
22/tcp ALLOW Anywhere
11211/tcp ALLOW {{< placeholder "CLIENT_IP_ADDRESS" >}}
22/tcp (v6) ALLOW Anywhere (v6)
```
1. From the remote client machine, run `memcstat` again on your Compute Instance's external {{< placeholder "IP_ADDRESS" >}} to confirm a connection:
```command
memcstat --servers="{{< placeholder "IP_ADDRESS" >}}"
```
```output
Server: 172.233.162.226 (11211)
pid: 2477
uptime: 1102
time: 1717689583
version: 1.6.9
```
{{< note >}}
The remote client machine must also have Memcached and `libmemcached-tools` installed.
{{< /note >}}
### Install and Configure SASL
Memcached doesn't provide internal authentication procedures. However, Simple Authentication and Security Layer (SASL) can be used to provide authentication to Memcached. SASL is a framework that de-couples authentication procedures from application protocols.
1. First, install SASL:
```command
sudo apt install sasl2-bin
```
1. Next, create the directory that the Memcached uses for SASL configuration:
```command
sudo mkdir -p /etc/sasl2
```
1. Now create a `memcached.conf` SASL configuration file in that directory:
```command
sudo nano /etc/sasl2/memcached.conf
```
Add the following content to the SASL configuration file, and save your changes:
```file {title="/etc/sasl2/memcached.conf" lang="conf"}
mech_list: plain
log_level: 5
sasldb_path: /etc/sasl2/memcached-sasldb2
```
### Add Authorized Users
1. Create a SASL database and user. Replace {{< placeholder "SASL_USERNAME" >}} with a username of your choice:
```command
sudo saslpasswd2 -a memcached -c -f /etc/sasl2/memcached-sasldb2 {{< placeholder "SASL_USERNAME" >}}
```
Enter a password of your choosing, and verify that password:
```output
Password:
Again (for verification):
```
1. Give Memcached ownership of the database:
```command
sudo chown memcache:memcache /etc/sasl2/memcached-sasldb2
```
### Enable SASL
1. With a text editor, open the `/etc/memcached.conf` file:
```command
sudo nano /etc/memcached.conf
```
Enable SASL by adding the `-S` parameter to `/etc/memcached.conf`, and save your changes:
```file {title="/etc/memcached.conf" lang="conf" linenostart="31" hl_lines="11,12"}
...
# Specify which IP address to listen on. The default is to listen on all IP addresses
# This parameter is one of the only security measures that memcached has, so make sure
# it's listening on a firewalled interface.
-l 127.0.0.1
-l {{< placeholder "IP_ADDRESS" >}}
# Disable UDP
-U 0
# Enable SASL authenication
-S
# Limit the number of simultaneous incoming connections. The daemon default is 10>
# -c 1024
...
```

1. Restart Memcached to apply the changes:

```command
sudo systemctl restart memcached
```

1. Check the Memcached status locally once again. Replace {{< placeholder "SASL_USERNAME" >}} and {{< placeholder "SASL_PASSWORD" >}} with your chosen username and password:

```command
sudo memcstat --servers="127.0.0.1" --username="{{< placeholder "SASL_USERNAME" >}}" --password="{{< placeholder "SASL_PASSWORD" >}}"
```

The output should look similar to this:

```output
Server: 127.0.0.1 (11211)
pid: 2956
uptime: 198
time: 1717690598
version: 1.6.9
...
```

1. Repeat the process from the remote machine, using your Compute Instance's external IP address instead of `127.0.0.1`:
```command
sudo memcstat --servers="{{< placeholder "IP_ADDRESS" >}}" --username="{{< placeholder "SASL_USERNAME" >}}" --password="{{< placeholder "SASL_PASSWORD" >}}"
```
The output should be the same as above:
```output
Server: 172.233.162.226 (11211)
pid: 2956
uptime: 271
time: 1717690671
version: 1.6.9
...
```
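
Review bot: In the `/etc/sasl2/memcached.conf` block, `mech_list: plain` is paired with the external listener added earlier (`-l {{< placeholder "IP_ADDRESS" >}}`), so the SASL username and password cross the network unencrypted on every connection, and the guide never says so. Add a note to the "Install and Configure SASL" section stating that PLAIN does not protect credentials in transit and that port `11211` should only be reachable over a private network or an encrypted tunnel, with the source-restricted UFW rule from the previous section as the minimum. Two smaller points in the "Enable SASL" steps: the `memcstat` commands pass `--password=` on the command line under `sudo`, which leaves the password in shell history, and the earlier `memcstat` steps run without `sudo`, so drop it here and mention the history exposure. The two remote `output` blocks also hard-code `172.233.162.226` where the earlier block uses the `IP_ADDRESS` placeholder, and the comment `# Enable SASL authenication` has a typo.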
