Currently a lot of sites are blogging about memcached attacks on servers. Here are some details:
- Memcached servers need an installed and running service called "memcached"
- Websites need a PHP plugin like php7.0-memcached to connect via API to the memcached service
- The memcached service uses its own config file, on Debian /etc/memcached.conf
- By default it MUST listen on localhost or a socket
- Admins MUST set up a FIREWALL like "ufw" (iptables) and MUST check their own server for OPEN PORTS with nmap
- The problem is that attackers can run scripts against your server in a 10^6 range, like a BOTNET!! with ONE PC, because MEMCACHED supports this high count of REQUESTS without going down.
- NEVER HOLD CONFIDENTIAL DATA ON WEBSERVERS!!!
Test for an open port using an nmap port scan with the UDP option, NOT TCP:
sudo nmap -sU -p 11211 www.myserver.xyz
If the scan shows this, YOU MUST check or install a FIREWALL!:
Host is up (0.10s latency).
PORT STATE SERVICE
11211/udp open|filtered unknown
If the output shows this, you are safe:
PORT STATE SERVICE
11211/udp filtered unknown
Check your current Apache PHP modules:
$ sudo php -m
If memcached is listed, the PHP API is active; time to check more.
Check for the memcached service:
$ sudo dpkg -l | grep mem
If memcached is listed, the service is installed. Then do:
$ sudo ps aux | grep mem
If the output shows:
memcache ... /usr/bin/memcached -m 64 -p 11211 -u memcache -l 127.0.0.1 -P /var/run/memcached/memcached.pid
the service is active and listening.
# memcached default config file
# 2003 - Jay Bonci <firstname.lastname@example.org>
# This configuration file is read by the start-memcached script provided as
# part of the Debian GNU/Linux distribution.
# Run memcached as a daemon. This command is implied, and is not needed for the
# daemon to run. See the README.Debian that comes with this package for more
# Log memcached's output to /var/log/memcached
# Be verbose
# Be even more verbose (print client commands as well)
# Start with a cap of 64 megs of memory. It's reasonable, and the daemon default
# Note that the daemon will grow to this size, but does not start out holding this much
# Default connection port is 11211
# Run the daemon as root. The start-memcached will default to running as root if no
# -u command is present in this config file
# Specify which IP address to listen on. The default is to listen on all IP addresses
# This parameter is one of the only security measures that memcached has, so make sure
# it's listening on a firewalled interface.
# Limit the number of simultaneous incoming connections. The daemon default is 1024
# Lock down all paged memory. Consult with the README and homepage before you do this
# Return error when memory is exhausted (rather than removing items)
# Maximize core file limit
# Use a pidfile
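To check the listen setting in /etc/memcached.conf without reading it by eye, here is an added example (not from the Debian package or the memcached project). The function name check_memcached_listen is hypothetical, and the sample config and the address 192.0.2.10 are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify where a Debian-style memcached.conf makes the daemon listen.
# check_memcached_listen is a hypothetical helper name, not part of memcached.
# Prints "socket", "loopback" or "exposed:<addresses>"; returns 1 when exposed.
check_memcached_listen() {
    conf=$1 addrs="" sock="" bad=""
    # Option lines look like "-l 127.0.0.1"; "#" lines are comments and never match.
    while read -r opt val rest || [ -n "$opt" ]; do
        case $opt in
            -l) addrs="${addrs:+$addrs,}$val" ;;   # repeated -l lines accumulate
            -s) sock=$val ;;                       # Unix socket: no network listener
        esac
    done < "$conf"
    if [ -n "$sock" ]; then echo "socket"; return 0; fi
    # No -l line: the daemon default is to listen on all IP addresses.
    if [ -z "$addrs" ]; then echo "exposed:all"; return 1; fi
    old_ifs=$IFS; IFS=,; set -f
    for a in $addrs; do
        case $a in
            127.*|::1|localhost) ;;                # loopback only
            *) bad="${bad:+$bad,}$a" ;;            # anything else is reachable from outside
        esac
    done
    IFS=$old_ifs; set +f
    if [ -n "$bad" ]; then echo "exposed:$bad"; return 1; fi
    echo "loopback"
}

# Constructed sample config (not taken from a real server).
sample=$(mktemp)
cat > "$sample" <<'EOF'
# Default connection port is 11211
-p 11211
-u memcache
-l 127.0.0.1,192.0.2.10
EOF
check_memcached_listen "$sample" || true    # prints: exposed:192.0.2.10
rm -f "$sample"
```

On a real server run it as: check_memcached_listen /etc/memcached.conf. Anything other than "loopback" or "socket" means the nmap UDP test above matters.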
Set up the firewall (ufw):
$ sudo apt-get install ufw
$ sudo ufw allow 80/tcp
$ sudo ufw allow 443/tcp
$ sudo ufw enable
Retest your OPEN ports with an nmap port scan! Do this monthly, because sometimes the firewall can have unknown problems!!
Check the memcached log at /var/log/memcached.log for events.