Controlling memcached access with ufw
On Thu, Aug 25, 2011 at 2:04 AM, Clint Byrum <email@example.com> wrote:
> Excerpts from Simon Males's message of Wed Aug 24 06:53:29 -0700 2011:
>> (read: 'Securing' memcached)
>> I hope to cluster memcached. The network is untrusted and I must
>> restrict the allowed clients. So this is my first attempt at
>> I've switched the ufw's DEFAULT_INPUT_POLICY to ACCEPT as there is no
>> current firewall. Next I added two clients which have explicit access
>> to port 11212 followed by a catch all DENY to 11212.
>> # ufw status verbose
>> Status: active
>> Logging: on (low)
>> Default: allow (incoming), allow (outgoing)
>> New profiles: skip
>> To * * * * * * * * * * * * Action * * *From
>> -- * * * * * * * * * * * * ------ * * *----
>> 11212 * * * * * * * * * * *ALLOW IN * *192.168.1.102
>> 11212 * * * * * * * * * * *ALLOW IN * *192.168.1.103
>> 11212 * * * * * * * * * * *DENY IN * * Anywhere
>> 11212 * * * * * * * * * * *DENY IN * * Anywhere (v6)
>> Does this sound like a decent attempt at locking down memcached?
>> Additionally with the above rules, could I create an application
>> profile? Ideally there will be multiple memcached servers, and I would
>> like to version control the profile.
> This should indeed limit access to memcached to those two IP's. You
> don't say whether its UDP or TCP ports (memcached uses either).
I did notice that memcached uses either, and I thought that by not
specifying a protocol it would filter both?
> If its really untrusted, you might also look at using memcached's built
> in SASL support to require the clients to authenticate.
I'm aware of SASL it's just it's not compiled in by default. Custom
compiling is a last resort (I don't know how to manage/maintain it).
> An even simpler way to go is to just setup a VPN so that you are not
> subject to the dangers of an untrusted network. Even with SASL and
> firewalling, somebody can man-in-the-middle those "trusted" IPs and use
> your memcached all they want.
I was originally going to post a question about Ubuntu to Ubuntu VPNs.
Though setting up a few firewall rules with ufw seems simpler.
Additionally I'm not a networking guy and setting up new IPs and the
like is a little daunting to me. Same goes again: I don't know how to
A VPN is the ultimate solution, so I'm happy to be pointed in the
direction of server to server VPNs.
ubuntu-server mailing list
More info: https://wiki.ubuntu.com/ServerTeam