08-24-2011, 04:04 PM
Clint Byrum

Controlling memcached access with ufw

Excerpts from Simon Males's message of Wed Aug 24 06:53:29 -0700 2011:
> (read: 'Securing' memcached)
>
> I hope to cluster memcached. The network is untrusted and I must
> restrict the allowed clients. So this is my first attempt at
> firewalling.
>
> I've switched the ufw's DEFAULT_INPUT_POLICY to ACCEPT as there is no
> current firewall. Next I added two clients which have explicit access
> to port 11212 followed by a catch all DENY to 11212.
>
> # ufw status verbose
> Status: active
> Logging: on (low)
> Default: allow (incoming), allow (outgoing)
> New profiles: skip
>
> To Action From
> -- ------ ----
> 11212 ALLOW IN 192.168.1.102
> 11212 ALLOW IN 192.168.1.103
> 11212 DENY IN Anywhere
> 11212 DENY IN Anywhere (v6)
>
> Does this sound like a decent attempt at locking down memcached?
>
> Additionally with the above rules, could I create an application
> profile? Ideally there will be multiple memcached servers, and I would
> like to version control the profile.
>

This should indeed limit access to memcached to those two IPs. You
don't say whether it's UDP or TCP ports (memcached uses either).

If it's really untrusted, you might also look at using memcached's built
in SASL support to require the clients to authenticate.

http://code.google.com/p/memcached/wiki/SASLHowto

An even simpler way to go is to just set up a VPN so that you are not
subject to the dangers of an untrusted network. Even with SASL and
firewalling, somebody can man-in-the-middle those "trusted" IPs and use
your memcached all they want.

--
ubuntu-server mailing list
ubuntu-server@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-server
More info: https://wiki.ubuntu.com/ServerTeam
08-24-2011, 09:28 PM
Simon Males

Controlling memcached access with ufw

On Thu, Aug 25, 2011 at 2:04 AM, Clint Byrum <clint@ubuntu.com> wrote:
> Excerpts from Simon Males's message of Wed Aug 24 06:53:29 -0700 2011:
>> (read: 'Securing' memcached)
>>
>> I hope to cluster memcached. The network is untrusted and I must
>> restrict the allowed clients. So this is my first attempt at
>> firewalling.
>>
>> I've switched the ufw's DEFAULT_INPUT_POLICY to ACCEPT as there is no
>> current firewall. Next I added two clients which have explicit access
>> to port 11212 followed by a catch all DENY to 11212.
>>
>> # ufw status verbose
>> Status: active
>> Logging: on (low)
>> Default: allow (incoming), allow (outgoing)
>> New profiles: skip
>>
>> To                         Action      From
>> --                         ------      ----
>> 11212                      ALLOW IN    192.168.1.102
>> 11212                      ALLOW IN    192.168.1.103
>> 11212                      DENY IN     Anywhere
>> 11212                      DENY IN     Anywhere (v6)
>>
>> Does this sound like a decent attempt at locking down memcached?
>>
>> Additionally with the above rules, could I create an application
>> profile? Ideally there will be multiple memcached servers, and I would
>> like to version control the profile.
>>
>
> This should indeed limit access to memcached to those two IPs. You
> don't say whether it's UDP or TCP ports (memcached uses either).

I did notice that memcached uses either, and I thought that by not
specifying a protocol it would filter both?

> If it's really untrusted, you might also look at using memcached's built
> in SASL support to require the clients to authenticate.
>
> http://code.google.com/p/memcached/wiki/SASLHowto

I'm aware of SASL; it's just that it's not compiled in by default. Custom
compiling is a last resort (I don't know how to manage/maintain it).

> An even simpler way to go is to just set up a VPN so that you are not
> subject to the dangers of an untrusted network. Even with SASL and
> firewalling, somebody can man-in-the-middle those "trusted" IPs and use
> your memcached all they want.

I was originally going to post a question about Ubuntu to Ubuntu VPNs.
Though setting up a few firewall rules with ufw seems simpler.

Additionally I'm not a networking guy and setting up new IPs and the
like is a little daunting to me. Same goes again: I don't know how to
manage that.

A VPN is the ultimate solution, so I'm happy to be pointed in the
direction of server to server VPNs.

Cheers.

--
Simon Males

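Worked example, added to this archive page and not part of either message above: Clint's reply asks whether the rules cover TCP or UDP, and Simon's original mail asks whether the rules could be turned into a version-controlled application profile. A ufw rule written without a protocol, as in Simon's listing, does apply to both TCP and UDP; the script below states the protocol explicitly so the intent is visible in review, and it also writes an application profile in the format ufw reads from /etc/ufw/applications.d/. The port (11212) and the two client addresses are taken from the thread; the profile name "Memcached" and its title/description text are assumptions. The script only prints the commands and the profile so the output can be reviewed or committed; it never invokes ufw itself.

```shell
#!/bin/sh
# Added example (not from the thread): emit explicit ufw rules and a ufw
# application profile for memcached. Nothing here runs ufw; it prints text.

MEMCACHED_PORT=11212                               # port used in the thread
ALLOWED_CLIENTS="192.168.1.102 192.168.1.103"      # client IPs from the thread

# Print the ufw commands in the order they must be added: one ALLOW per
# client, then a catch-all DENY, repeated for TCP and UDP so neither
# transport is left open. Arguments: port, then one or more client IPs.
memcached_ufw_rules() {
    port=$1
    shift
    for proto in tcp udp; do
        for client in "$@"; do
            printf 'ufw allow proto %s from %s to any port %s\n' \
                "$proto" "$client" "$port"
        done
        printf 'ufw deny proto %s from any to any port %s\n' "$proto" "$port"
    done
}

# Print an application profile in the INI-style format ufw reads from
# /etc/ufw/applications.d/. Profile name and wording are assumed here;
# "ports=" lists each port/protocol pair separated by "|".
memcached_ufw_profile() {
    port=$1
    printf '[Memcached]\n'
    printf 'title=memcached\n'
    printf 'description=memcached distributed memory object cache (port %s)\n' "$port"
    printf 'ports=%s/tcp|%s/udp\n' "$port" "$port"
}

# Sanity check used when reviewing the generated rules: number of rule
# lines for a given protocol (expected: one per client plus one deny).
count_proto_rules() {
    # $ALLOWED_CLIENTS is intentionally unquoted so it splits into IPs.
    memcached_ufw_rules "$MEMCACHED_PORT" $ALLOWED_CLIENTS | grep -c "proto $1 "
}

echo "# ufw commands (review, then run as root):"
memcached_ufw_rules "$MEMCACHED_PORT" $ALLOWED_CLIENTS
echo
echo "# profile for /etc/ufw/applications.d/memcached:"
memcached_ufw_profile "$MEMCACHED_PORT"
```

Once the profile file is in place, `ufw app list` shows the new entry and the per-client rules can reference it (`ufw allow from 192.168.1.102 to any app Memcached`), which keeps the port/protocol detail in the versioned profile rather than in each rule. Because ufw evaluates rules in order, the DENY lines must still come after the ALLOW lines, and `ufw status verbose` should be checked after loading to confirm that both `/tcp` and `/udp` entries appear for each client.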