Assume server 1 is located at 5.5.5.5:11211, and server 2 is located at 25.25.25.25:11211. You add them to the server pool and everything is great. Until somebody connects to that port and starts messing with your data.
So we change the port to 38295. Harder to find, but not impossible, so it's still not enough.
My questions are:
1) Can you set authentication (username/password) for memcached servers to verify a connection? Can you whitelist specific hosts/IPs (probably a bad idea)?
2) Can you and should you secure data transferred over the internet? The data is in raw format, and your ISP and anyone sniffing the line could see all the data being sent. But encrypting data would probably affect performance?
What solutions are there for setting up a cluster of memcached servers and how do you secure and authenticate them?
The latest versions of memcached support SASL authentication. Although you've already firewalled your memcached services off, you can require clients to perform strong authentication before using the service.
To connect to Memcached from a different machine, you must open port 11211 for remote access. Refer to the FAQ for more information on this. IMPORTANT: Making this application's network ports public is a significant security risk. You are strongly advised to only allow access to those ports from trusted networks.
The solution that met my needs was to set up iptables entries as suggested by sumoanand. Here's what I got working.
Start memcached using something like this:
/usr/bin/memcached -p 11211 -l 0.0.0.0 -d -u www-data -m 12288
Keep in mind that the -l parameter is set to 0.0.0.0, which essentially allows connections from ANY source. If you keep the standard 127.0.0.1, this will not work.
Next, we make entries to the iptables. If your memcached server is on your LAN, the following command will allow connections only from specific local servers.
For instance, in order to add 192.168.1.100 to the allowed list, we issue the command:
iptables -A INPUT -p tcp -s 192.168.1.100 --dport 11211 -j ACCEPT
If you want to whitelist a remote server, for example 25.62.25.62, then you issue another command:
iptables -A INPUT -p tcp -s 25.62.25.62 --dport 11211 -j ACCEPT
You can whitelist as many IPs as you want, but be sure to issue the final command that blocks all other connections on that port.
iptables -A INPUT -p tcp --dport 11211 -j REJECT
The iptables rules are read in the order they are entered, so if you issue a REJECT ALL statement before issuing any ACCEPT rules, all connections will be rejected (even the whitelisted ones).
Data sent this way, however, is still not encrypted in any way. Anything intercepting your memcached server and the remote server (packet sniffers, ISPs) will be able to see the data completely raw.
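The three iptables steps above, gathered into one script as an added example (not code from the answer): a generator that emits the per-source ACCEPT rules first and the catch-all REJECT last, and a checker that reads a rule listing and fails if the REJECT comes before an ACCEPT or if an ACCEPT carries no -s source (which would open the port to everyone). The function names, MEMCACHED_PORT and the sample addresses are assumptions.

```shell
#!/bin/sh
# Added example for the iptables whitelist described above; not the answer's own code.
MEMCACHED_PORT="${MEMCACHED_PORT:-11211}"   # assumed default, same port as the answer

# memcached_rules IP [IP...]: print the iptables commands, one per line, in the
# only order that works: ACCEPT for each trusted source, then REJECT for the rest.
memcached_rules() {
    [ "$#" -gt 0 ] || { echo "usage: memcached_rules IP [IP...]" >&2; return 1; }
    for src in "$@"; do
        printf 'iptables -A INPUT -p tcp -s %s --dport %s -j ACCEPT\n' "$src" "$MEMCACHED_PORT"
    done
    printf 'iptables -A INPUT -p tcp --dport %s -j REJECT\n' "$MEMCACHED_PORT"
}

# check_order: read a rule listing on stdin and succeed only if every ACCEPT for
# the port has a source address and precedes the REJECT. iptables takes the
# first matching rule, so an ACCEPT placed after the REJECT never fires.
check_order() {
    awk -v port="$MEMCACHED_PORT" '
        $0 ~ ("--dport " port " -j ACCEPT") {
            if (seen_reject) bad = 1        # ACCEPT after REJECT is dead
            if ($0 !~ / -s /) bad = 1       # ACCEPT without -s opens the port to all
            accepts++
        }
        $0 ~ ("--dport " port " -j REJECT") { seen_reject = 1 }
        END { exit (bad || !seen_reject || accepts == 0) ? 1 : 0 }'
}

# apply_rules IP [IP...]: run the generated commands (needs root); stops on the
# first failure so a half-applied rule set is noticed.
apply_rules() {
    memcached_rules "$@" | while read -r cmd; do
        $cmd || { echo "failed: $cmd" >&2; return 1; }
    done
}

# Constructed sample: one LAN host and one remote host, as in the answer.
memcached_rules 192.168.1.100 25.62.25.62 | check_order && echo "rule order OK"
```

Run `memcached_rules ... | check_order` first to inspect the plan, then `apply_rules ...` as root to install it.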
I don't think we need to go for a complex solution here, as mentioned by Mike.
Assume your web servers (web1, web2, web3) need to get data from memcache servers (mem1 & mem2) via port 11211, located in the same internal network, and the internal IP addresses of each web server start with 172.221...
In this case, you can put a restriction in the iptables of the mem1 & mem2 servers to ONLY accept requests from 172.221.. for port 11211.
Hope this will help.