An open Memcache service can be abused as a reflector in a Distributed Denial-of-Service (DDoS) attack.
In this article we'll show you how to restrict access to the Memcache service on your VPS, or close the Memcache port.
Use sudo or the root user when following the steps in this guide.
Restrict access to the Memcache service
You can configure the Memcache service so only your own VPS can make use of it.
Step 1
Connect to your VPS using SSH or the VPS console, and open the Memcache configuration file with the following command:
nano /etc/memcached.conf
Step 2
Scroll down in the file and look for the line below:
-l 123.123.123.123
Instead of 123.123.123.123 you will see your configured IP address. Change it to the value below, or add the line below if it doesn't exist yet, so that Memcache only listens on the loopback address:
-l 127.0.0.1
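To check that the change took effect, here is an added script (not part of the original article) that inspects a memcached.conf for non-loopback bind addresses and parses `ss -ulnH` output for UDP 11211 sockets reachable from the network; the config and socket lines it runs on are constructed samples.

```shell
#!/bin/sh
# Added check (not from the original article): verify that memcached is
# bound to loopback only, per Step 2 above, both in the config file and on
# the live socket list. Sample inputs below are constructed for illustration.

# Return 0 if every active "-l" line in the given memcached.conf binds to a
# loopback address; return 1 (printing offenders) otherwise. A file with no
# "-l" line also fails, because memcached then listens on all interfaces.
memcache_bound_to_loopback() {
    conf="$1"
    found=0
    bad=0
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in \#*) continue ;; esac        # skip comment lines
        addr=$(printf '%s\n' "$line" |
            sed -n 's/^[[:space:]]*-l[[:space:]]\{1,\}\([^[:space:]]*\).*$/\1/p')
        [ -n "$addr" ] || continue
        found=1
        case "$addr" in
            127.0.0.1|::1|localhost) ;;
            *) echo "non-loopback bind: $line"; bad=1 ;;
        esac
    done < "$conf"
    [ "$found" -eq 1 ] && [ "$bad" -eq 0 ]
}

# Read "ss -ulnH" output on stdin and print every UDP 11211 socket that is
# not bound to loopback. Return 0 when none are found, 1 otherwise.
public_udp_11211_listeners() {
    awk '$1 == "UNCONN" && $4 ~ /:11211$/ && $4 !~ /^(127\.0\.0\.1|\[::1\]):/ {
             print "public UDP listener: " $4; found = 1 }
         END { exit found ? 1 : 0 }'
}

# Demo on a constructed config file and a constructed ss output line.
demo_conf=$(mktemp)
printf '%s\n' '# memcached.conf (constructed sample)' '-l 203.0.113.10' > "$demo_conf"
memcache_bound_to_loopback "$demo_conf" && echo "config OK" || echo "config exposes memcached"
rm -f "$demo_conf"
printf '%s\n' 'UNCONN 0 0 0.0.0.0:11211 0.0.0.0:*' | public_udp_11211_listeners \
    && echo "socket OK" || echo "UDP 11211 is reachable from the network"
# On a live server: memcache_bound_to_loopback /etc/memcached.conf; ss -ulnH | public_udp_11211_listeners
```

Remember that memcached only picks up the new bind address after the service is restarted, so run the socket check after the restart.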
Restrict Memcache access to specific IPs
Instead of restricting access to only your VPS, there are two alternatives you can use to allow another VPS to access the Memcache service on your VPS:
- You can use a private network and add the corresponding VPSes. You should still close UDP port 11211 on your public network interface when taking this option.
- Close the Memcache port (UDP 11211) in your firewall and only allow specific IP addresses access. The instructions for FirewallD, UFW and IPTables are as follows:
FirewallD
Step 1
Close UDP port 11211 in the permanent configuration, so the change survives the reload in step 3:
firewall-cmd --permanent --zone=public --remove-port=11211/udp
Step 2
The rich rule below creates an exception for your own IP address, so that only that address can connect to UDP port 11211.
sudo firewall-cmd --permanent --zone=public --add-rich-rule='rule family="ipv4" source address="123.123.123.123" port port="11211" protocol="udp" accept'
Replace 123.123.123.123 by your IP address and repeat this step to allow more IPs access.
Step 3
Reload your firewall to process the configuration changes:
sudo firewall-cmd --reload
UFW
Step 1
Close UDP port 11211 using:
ufw deny 11211/udp
Step 2
The command below creates an exception for your own IP address, so that only that address can connect to port 11211. UFW evaluates rules in order, so the allow rule is inserted at position 1, ahead of the deny rule from step 1; appended after it, the allow rule would never match.
ufw insert 1 allow from 123.123.123.123 to any port 11211 proto udp
Replace 123.123.123.123 by your IP address and repeat this step to allow more IPs access.
IPTables
Step 1
Close UDP port 11211 using:
iptables -A INPUT -p udp --dport 11211 -j DROP
Step 2
The command below creates an exception for your own IP address, so that only that address can connect to port 11211. The -I flag inserts the rule at the top of the INPUT chain, ahead of the DROP rule from step 1.
iptables -I INPUT -p udp -s 123.123.123.123 --dport 11211 -j ACCEPT
Replace 123.123.123.123 by your IP address and repeat this step to allow more IPs access.
Step 3
Save the rules and restart your firewall:
iptables-save | sudo tee /etc/sysconfig/iptables
service iptables restart
Your VPS is now secured against abuse of the Memcache service. Should you have any questions left regarding this article, do not hesitate to contact our support department. You can reach them via the ‘Contact Us’ button at the bottom of this page.