
How do I protect my Memcache service against abuse?

An open Memcache service can be abused as a reflector in a Distributed Denial-of-Service (DDoS) attack.

In this article we'll show you how to restrict access to the Memcache service on your VPS, or close the Memcache port.

Restrict access to the Memcache service

You can configure the Memcache service so only your own VPS can make use of it.

Step 1

Connect to your VPS using SSH or the VPS console, and open the Memcache configuration file with the following command:

nano /etc/memcached.conf

Step 2

Scroll down in the file and look for the line below:

-l 123.123.123.123

123.123.123.123 is the IP address Memcache is currently bound to. Change this to the value below, or add the value below if no such line exists yet. Binding to 127.0.0.1 makes Memcache listen on the loopback interface only, so it can no longer be reached from the internet:

-l 127.0.0.1

Restrict Memcache access to specific IPs

Instead of restricting access to only your VPS, there are two alternatives that allow another VPS to access the Memcache service on your VPS:

  • You can use a private network and add the corresponding VPSes.
  • Close the Memcache port (UDP 11211) in your firewall and only allow specific IP addresses access. The instructions for FirewallD and IPTables are as follows:

FirewallD

Step 1

Close UDP port 11211 using:

sudo firewall-cmd --permanent --zone=public --remove-port=11211/udp

Step 2

Using the command below you create an exception for your own IP address, so that only you can connect to port 11211.

sudo firewall-cmd --permanent --zone=public --add-rich-rule='rule family="ipv4" source address="1.2.3.4" port protocol="udp" port="11211" accept'

Replace 1.2.3.4 with your IP address and repeat this step to allow more IPs access.


Step 3

Restart your firewall:

sudo firewall-cmd --reload

IPTables

Step 1

Close UDP port 11211 using:

iptables -A INPUT -p udp --dport 11211 -j DROP

Step 2

Using the command below you create an exception for your own IP address, so that only you can connect to port 11211. The rule is inserted at the top of the INPUT chain (-I), so it is evaluated before the DROP rule from step 1.

iptables -I INPUT -p udp -s 1.2.3.4 --dport 11211 -j ACCEPT

Replace 1.2.3.4 with your IP address and repeat this step to allow more IPs access.


Step 3

Save the rules and restart your firewall:

iptables-save | sudo tee /etc/sysconfig/iptables
service iptables restart
