How do I protect my Memcache service against abuse?

An open Memcache service can be abused as a reflector in a Distributed Denial-of-Service (DDoS) attack.

In this article we'll show you how to restrict access to the Memcache service on your VPS, or close the Memcache port.

Use sudo, or the root user, when following the steps in this guide.


Restrict access to the Memcache service

You can configure the Memcache service so only your own VPS can make use of it.

 

Step 1

Connect to your VPS using SSH or the VPS console, and open the Memcache configuration file with the following command:

nano /etc/memcached.conf

 

Step 2

Scroll down in the file and look for the code below:

-l 123.123.123.123

Instead of 123.123.123.123 you will see your configured IP address. Change this to the value below, or add the value below if the line above doesn't exist yet:

-l 127.0.0.1
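
A quick way to verify the result of Step 2 (an added example, not part of the original article): the hypothetical function check_memcached_listen reads a memcached.conf-style file and reports whether every -l address is a loopback address. The two sample files are constructed for the demonstration; on your VPS you would pass /etc/memcached.conf instead.

```shell
#!/bin/sh
# Added example: audit the -l (listen address) lines of a memcached.conf-style file.
# Prints one verdict line. Returns 0 = loopback only, 1 = reachable from elsewhere,
# 2 = file unreadable. Only the "-l <addr>[,<addr>...]" form used in the article is parsed.
check_memcached_listen() {
    conf=$1
    [ -r "$conf" ] || { echo "ERROR: cannot read $conf"; return 2; }

    # Strip comments, keep the value of every active -l line, one address per line.
    addrs=$(sed -e 's/#.*//' "$conf" | awk '$1 == "-l" && NF >= 2 { print $2 }' | tr ',' '\n')

    if [ -z "$addrs" ]; then
        # Without a -l option memcached listens on all interfaces.
        echo "EXPOSED: no active -l line, memcached listens on every interface"
        return 1
    fi

    for a in $addrs; do
        case $a in
            127.*|::1|localhost) ;;   # loopback address, nothing to report
            *)
                echo "EXPOSED: listening on non-loopback address $a"
                return 1
                ;;
        esac
    done
    echo "OK: bound to loopback only ($(echo $addrs | tr ' ' ','))"
    return 0
}

# Constructed sample input: the config before and after the change from Step 2.
demo_dir=$(mktemp -d)
printf '%s\n' '# memcached config (constructed)' '-m 64' '-p 11211' \
    '-l 123.123.123.123' > "$demo_dir/before.conf"
printf '%s\n' '# memcached config (constructed)' '-m 64' '-p 11211' \
    '#-l 123.123.123.123' '-l 127.0.0.1' > "$demo_dir/after.conf"

check_memcached_listen "$demo_dir/before.conf" || true   # reports EXPOSED
check_memcached_listen "$demo_dir/after.conf"            # reports OK
rm -rf "$demo_dir"
```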

Restrict Memcache access to specific IPs

Instead of restricting access to only your VPS, there are two alternatives you can use to allow another VPS to access the Memcache service on your VPS:

  • You can use a private network and add the corresponding VPSs. You should still close UDP port 11211 on your public network interface when taking this option.
  • Close the Memcache port (UDP 11211) in your firewall and only allow specific IP addresses access. The instructions for FirewallD, UFW and IPTables are as follows:

FirewallD

Step 1

Close UDP port 11211 using:

firewall-cmd --permanent --zone=public --remove-port=11211/udp

 

Step 2

Using the commands below you create an exception for your own IP address, so that only you can connect to port 11211.

sudo firewall-cmd --permanent --zone=public --add-rich-rule='
rule family="ipv4"
source address="123.123.123.123"
port protocol="udp" port="11211" accept'

Replace 123.123.123.123 with your IP address and repeat this step to allow more IPs access.


 

Step 3

Reload your firewall to process the configuration changes:

sudo firewall-cmd --reload

UFW

Step 1

Close UDP port 11211 using:

ufw deny 11211/udp

 

Step 2

Using the commands below you create an exception for your own IP address, so that only you can connect to port 11211.

ufw allow from 123.123.123.123 to any port 11211 proto udp

Replace 123.123.123.123 with your IP address and repeat this step to allow more IPs access.


IPTables

Step 1

Close UDP port 11211 using:

iptables -A INPUT -p udp --dport 11211 -j DROP

 

Step 2

Using the commands below you create an exception for your own IP address, so that only you can connect to port 11211.

iptables -I INPUT -p udp -s 123.123.123.123 --dport 11211 -j ACCEPT

Replace 123.123.123.123 with your IP address and repeat this step to allow more IPs access.


 

Step 3

Restart your firewall:

iptables-save | sudo tee /etc/sysconfig/iptables
service iptables restart

 

Your VPS is now secured against abuse of the Memcache service.
