    How do I protect my Memcache service against abuse?

    An open Memcache service can be abused as a reflector in a Distributed Denial-of-Service (DDoS) attack.

    In this article we'll show you how to restrict access to the Memcache service on your VPS, or close the Memcache port.

    Use sudo or a root user when following the steps in this guide.


    Restrict access to the Memcache service

    You can configure the Memcache service so only your own VPS can make use of it.

     

    Step 1

    Connect to your VPS using SSH or the VPS console, and open the Memcache configuration file with the following command:

    nano /etc/memcached.conf

     

    Step 2

    Scroll down in the file and look for the code below:

    -l 123.123.123.123
        

    Instead of 123.123.123.123 you will see your configured IP address. Change it to the value below, or add the value below if no such line exists yet:

    -l 127.0.0.1
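
    A way to check the result of steps 1 and 2, as an added example that is not part of the original article: the hypothetical helper memcached_listen_audit reads a memcached.conf and flags every -l (or --listen=) address that is not loopback. It assumes that a configuration without any -l option makes Memcached listen on all interfaces; the sample configuration is constructed.

```shell
#!/bin/sh
# Added example: flag every Memcached listen address that is not loopback.
# Returns 0 only when all configured -l / --listen addresses are local.
memcached_listen_audit() {
    conf="$1"
    [ -r "$conf" ] || { echo "ERROR cannot read $conf" >&2; return 2; }
    awk '
        { sub(/#.*/, "") }                            # ignore comments
        $1 == "-l" && NF >= 2 { list = $2 }           # -l addr[,addr]
        $1 ~ /^--listen=/     { list = substr($1, 10) }
        list != "" {
            n = split(list, addr, ",")
            for (i = 1; i <= n; i++) {
                seen++
                if (addr[i] ~ /^(127\.[0-9]+\.[0-9]+\.[0-9]+|localhost|::1|\[::1\])(:[0-9]+)?$/)
                    print "OK " addr[i]
                else { print "EXPOSED " addr[i]; bad = 1 }
            }
            list = ""
        }
        END {
            # Assumption: without any -l option Memcached binds all interfaces.
            if (!seen) { print "EXPOSED no -l option (all interfaces)"; bad = 1 }
            exit bad + 0
        }
    ' "$conf"
}

# Constructed sample config: one loopback and one public listen address.
sample=$(mktemp)
printf '%s\n' '# constructed example' '-m 64' '-p 11211' \
    '-l 127.0.0.1,123.123.123.123' > "$sample"
memcached_listen_audit "$sample" || echo "=> not restricted to loopback"
rm -f "$sample"
```

    On the VPS itself, run memcached_listen_audit /etc/memcached.conf after editing the file.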

    Restrict Memcache access to specific IPs

    Instead of restricting access to only your own VPS, you can use one of two alternatives to allow another VPS to access the Memcache service on your VPS:

    • You can use a private network and add the corresponding VPSs to it. You should still close UDP port 11211 on your public network interface when taking this option.
    • Close the Memcache port (UDP 11211) in your firewall and only allow specific IP addresses access. The instructions for FirewallD, UFW and IPTables are as follows:

    FirewallD

    Step 1

    Close UDP port 11211 using the command below (--permanent makes the change survive the reload in step 3):

    firewall-cmd --permanent --zone=public --remove-port=11211/udp

     

    Step 2

    Using the commands below you create an exception for your own IP address, so that only you can connect to port 11211.

    sudo firewall-cmd --permanent --zone=public --add-rich-rule='
        rule family="ipv4"
        source address="123.123.123.123"
        port protocol="udp" port="11211" accept'

    Replace 123.123.123.123 with your IP address and repeat this step to allow more IPs access.


     

    Step 3

    Reload your firewall to process the configuration changes:

    sudo firewall-cmd --reload

    UFW

    Step 1

    Close UDP port 11211 using:

    ufw deny 11211/udp

     

    Step 2

    Using the commands below you create an exception for your own IP address, so that only you can connect to port 11211.

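    ufw insert 1 allow from 123.123.123.123 to any port 11211 proto udp

    UFW applies the first rule that matches, so insert 1 places the exception above the deny rule from step 1. Replace 123.123.123.123 with your IP address and repeat this step to allow more IPs access.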


    IPTables

    Step 1

    Close UDP port 11211 using:

    iptables -A INPUT -p udp --dport 11211 -j DROP

     

    Step 2

    Using the commands below you create an exception for your own IP address, so that only you can connect to port 11211.

    iptables -I INPUT -p udp -s 123.123.123.123 --dport 11211 -j ACCEPT

    Replace 123.123.123.123 with your IP address and repeat this step to allow more IPs access.


     

    Step 3

    Save your rules and restart your firewall:

    iptables-save | sudo tee /etc/sysconfig/iptables
    service iptables restart

     

    Your VPS is now secured against abuse of the Memcache service. Should you have any questions left regarding this article, do not hesitate to contact our support department. You can reach them via the ‘Contact Us’ button at the bottom of this page.
