Apache MEMCACHED UDP Protection

Currently a lot of sites are blogging about memcached attacks on servers. Here are some details:

  • Memcached servers need an installed and running service called „memcached“
  • Websites need a PHP plugin like php7.0-memcached to connect via API to the memcached service
  • The memcached service uses its own config file, on Debian /etc/memcached.conf
  • By default it MUST listen to localhost or a socket
  • Admins MUST set up a FIREWALL like „ufw“ (iptables) and MUST check their own server for OPEN PORTS with nmap
  • The problem is that attackers can run scripts against your server in a 10^6 range, like a BOTNET, with ONE PC, because MEMCACHED supports this high count of REQUESTS without going down.
  • NEVER HOLD CONFIDENTIAL DATA ON WEBSERVERS!!!

Test for the open port using an nmap port scan with the UDP option, NOT TCP:

sudo nmap -sU -p 11211 www.myserver.xyz

If the scan outputs this, YOU MUST check or install a FIREWALL!:
Host is up (0.10s latency).
PORT      STATE         SERVICE
11211/udp open|filtered unknown

If the output shows this, you are safe:
PORT      STATE    SERVICE
11211/udp filtered unknown

Check your current Apache PHP modules:

$ sudo php -m

If memcached is listed, the PHP API is active; time to check more..

Check for the memcached service:

$ sudo dpkg -l | grep mem

If memcached is listed, the service is installed; then do:
$ sudo ps aux | grep mem

If the output shows:
memcache ... /usr/bin/memcached -m 64 -p 11211 -u memcache -l 127.0.0.1 -P /var/run/memcached/memcached.pid

the service is active and listening..

Sample Config:
/etc/memcached.conf

# memcached default config file
# 2003 - Jay Bonci <jaybonci@debian.org>
# This configuration file is read by the start-memcached script provided as
# part of the Debian GNU/Linux distribution.
# Run memcached as a daemon. This command is implied, and is not needed for the
# daemon to run. See the README.Debian that comes with this package for more
# information.
-d
# Log memcached's output to /var/log/memcached
logfile /var/log/memcached.log
# Be verbose
-v
# Be even more verbose (print client commands as well)
-vv
# Start with a cap of 64 megs of memory. It's reasonable, and the daemon default
# Note that the daemon will grow to this size, but does not start out holding this much
# memory
-m 128
# Default connection port is 11211
-p 11211
# Run the daemon as root. The start-memcached will default to running as root if no
# -u command is present in this config file
-u memcache
# Specify which IP address to listen on. The default is to listen on all IP addresses
# This parameter is one of the only security measures that memcached has, so make sure
# it's listening on a firewalled interface.
-l 127.0.0.1
# Limit the number of simultaneous incoming connections. The daemon default is 1024
-c 300
# Lock down all paged memory. Consult with the README and homepage before you do this
# -k
# Return error when memory is exhausted (rather than removing items)
-M
# Maximize core file limit
# -r
# Use a pidfile
-P /var/run/memcached/memcached.pid

Setup Firewall (ufw):

$ sudo apt-get install ufw
$ sudo ufw allow 80/tcp
$ sudo ufw allow 443/tcp
$ sudo ufw enable

Retest your OPEN ports with an NMAP port scan! Do this monthly! Because sometimes the firewall can have unknown problems!!

Check the Memcached Log at /var/log/memcached.log for Events
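
The listen-address check from the config section above, as an added example that is not part of the original post: a shell function that reads only the active lines of /etc/memcached.conf and reports whether every -l address is loopback. The function name is hypothetical, and the -U check (memcached's UDP port option, where 0 means off) goes beyond what the post configures.

```shell
#!/bin/sh
# Added example: audit the active options in a memcached.conf.
# Returns 0 if every -l address is loopback, 1 if not, 2 if unreadable.
audit_memcached_conf() {
    conf=$1
    [ -r "$conf" ] || { echo "ERROR: cannot read $conf"; return 2; }

    # Keep only active option lines: drop comments and blank lines.
    active=$(sed -e 's/#.*$//' -e '/^[[:space:]]*$/d' "$conf")

    # Every -l value counts; one value may be a comma-separated list.
    addrs=$(printf '%s\n' "$active" | awk '$1 == "-l" {print $2}' | tr ',' '\n')
    # -U sets the UDP port; the last occurrence is reported.
    udp=$(printf '%s\n' "$active" | awk '$1 == "-U" {print $2}' | tail -n 1)

    rc=0
    if [ -z "$addrs" ]; then
        echo "WARN: no -l line, memcached listens on all IP addresses"
        rc=1
    fi
    for a in $addrs; do
        case $a in
            127.*|::1|localhost) echo "OK: listens on loopback address $a" ;;
            *) echo "WARN: listens on $a, this interface must be firewalled"; rc=1 ;;
        esac
    done

    # Assumption beyond the page: "-U 0" turns the UDP listener off.
    if [ "$udp" = "0" ]; then
        echo "OK: UDP listener disabled (-U 0)"
    elif [ -n "$udp" ]; then
        echo "WARN: UDP listener enabled on port $udp"
    else
        echo "INFO: no -U line, UDP state depends on the memcached version"
    fi
    return $rc
}

# Constructed sample input: a config whose listen line is not loopback.
sample=$(mktemp)
printf '%s\n' '# constructed sample' '-p 11211' '-u memcache' \
    '-l 0.0.0.0' > "$sample"
audit_memcached_conf "$sample" || echo "=> change -l before exposing this host"
rm -f "$sample"
```

On a real host, call it as audit_memcached_conf /etc/memcached.conf and restart memcached after any change so the running process matches the file.
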

Debian: without systemd

If you run Debian servers, you have read in the last weeks about security problems of the systemd service manager.

In several tests I have seen many systems having problems with service starts on boot, like on Debian, Raspbian ..

This is a result of service scripts not cleanly redesigned by the maintainers, like in the proxy server package „privoxy“…

For tests I decided to try the new Debian fork replacement DEVUAN for desktop and a standard Debian server setup without systemd!

For how to purge systemd on a Debian system, read this external wiki:

http://without-systemd.org/wiki/index.php/How_to_remove_systemd_from_a_Debian_jessie/sid_installation

or try Devuan for Server and Desktop:

https://devuan.org/

Remark: Devuan is tested for desktop usage because of customized scripts and packages like polkit for EASY setup!

Debian: Auto Update System Daily without special Tools

If you want a fully automatic update of your system, open a Gnome Terminal / Linux console and run (# = comments):

  • $ sudo nano /root/update.sh
  • enter:

#!/bin/bash
apt-get update # pull updates
apt-get dist-upgrade -y # install updates
apt-get clean # remove downloaded package files from the local cache
exit 0

  • save with CTRL+X # save + exit
  • $ sudo chmod 755 /root/update.sh # make it executable
  • Set up the schedule:
  • $ sudo su - # change to the root user's console with environment
  • $ crontab -e # open root's crontab
  • enter:

@daily sh /root/update.sh > /dev/null 2>&1

Save with CTRL+X and be happy: the system pulls updates daily at midnight if it is online..

Debian Ubuntu: Delete Packages which are marked as „rc“

Problem: After you up/downgrade a Debian system, most of the unneeded files are still on your disk

Solution:
To check:

$ sudo dpkg -l | more

To cleanup:
dpkg --list |grep "^rc" | cut -d " " -f 3 | xargs sudo dpkg --purge

If you like, run the command twice, because sometimes dependencies are newly picked up
or install deborphan too:
$ sudo deborphan | xargs sudo apt-get -y remove --purge

If you like, run the command twice, because sometimes dependencies are newly picked up

Debian Ubuntu Update Script with Switch OFF after update

Problem:
If you work on your PC daily, patches must be checked and installed.
On Debian / Ubuntu the Gnome-Update-Manager does this. But there is
NO shutdown possible after the update.

Solution:
– Create the script: sudo nano /root/upgrade-off.sh
and add inside:

apt-get update           # update the patch database of the PC
apt-get dist-upgrade -y  # install patches automatically
apt-get clean            # clean up the PC
/sbin/init 0             # shut down the PC automatically; to reboot a server use init 6
exit

You can now, after work, set it in crontab or start it manually with: sudo sh /root/upgrade-off.sh

On Servers name it upgrade-reboot.sh and set root cron to run the job @hourly/@daily