Introduction
Systems that cache objects in memory can improve the performance of back-end databases in a number of ways, such as temporarily saving information in memory and retaining the most requested or most recently requested lines (records).
In this way, the number of database queries can be reduced and, consequently, the speed of your web applications increased.
In this tutorial, you will learn how to install Memcached on your Ubuntu 20.04 server, secure it, configure it to listen on your local or private network interface, and enable SASL authentication.
First, connect to your server via an SSH connection. If you haven't done so yet, we recommend following our guide to connect securely with the SSH protocol. In the case of a local server, go to the next step and open the terminal of your server.
Installing Memcached from the Official Repository
If Memcached isn’t already installed on your server, install it from the official Ubuntu repositories.
First of all, make sure your local package index is up to date, via the command:
$ sudo apt update
Secondly, install the official package via the command:
$ sudo apt install memcached
Installing a library of tools to better work with your Memcached server is also advisable. Simply enter the command:
$ sudo apt install libmemcached-tools
Now that memcached and the various tools to help you test server connectivity have been installed, the next step is to create a secure configuration.
Securing the Memcached configuration
To ensure protection from DoS attacks, verify that your Memcached instance is listening on the local 127.0.0.1 interface. By default, the local interface is set with the -l parameter.
To check the parameter, open the Memcached configuration file contained in the path /etc/memcached.conf. From the terminal, do so by using the command:
$ sudo nano /etc/memcached.conf
You are now in the configuration file /etc/memcached.conf.
Within the file, navigate to the interface configuration part, locating this line:
-l 127.0.0.1
If the line appears as shown above, the default configuration is in place and no further changes are needed.
If you need to change this setting to make it more "open", disabling the UDP protocol is recommended, as it is more vulnerable to DoS attacks than TCP.
To disable only the UDP protocol, just add the following line to the end of the configuration file:
-U 0
To apply the settings changes, follow the steps:
To verify that the changes have been successfully applied, check that Memcached is bound to the local interface and is only receiving TCP connections.
To do so, type the command:
$ sudo netstat -plunt
Allowing access on a private network
In the previous steps you configured Memcached on a local interface (127.0.0.1), securing the interface from external DoS attacks.
But what if you need to connect with external servers?
In this case, you will need to modify Memcached's configuration so that it listens on a private network interface.
Restricting IPs with Firewalls
Before adjusting the configuration settings, setting up rules in your firewall to limit connections to your Memcached server is advisable.
You will first need to know the private IP address of the client's server in order to configure your rules in the firewall.
In this case, the UFW firewall will be used. If the UFW Firewall is not installed on your server, follow our guide on How to Install and Configure UFW Firewall on Ubuntu 18.04.
To limit access to your Memcached instance, enter:
$ sudo ufw allow from client_server_IP_privato/32 to any port 11211
Once this change has been made, the Memcached service is ready to be bound to your private network interface.
Binding Memcached to the private network interface
Now that the firewall has been configured, change Memcached's configuration so that it listens on your private network interface rather than the local interface.
First of all, open the Memcached configuration file, as seen previously, using the command:
$ sudo nano /etc/memcached.conf
Look inside the file for the following line, which was checked in the previous steps:
-l 127.0.0.1
And change the address by entering the one corresponding to your server's private network interface:
-l memcached_IP_privato_server
To apply the changes, save and close the configuration file.
Then restart the Memcached service via the command:
$ sudo systemctl restart memcached
Finally, check the new settings with netstat:
$ sudo netstat -plunt
For added security, verify that you can connect from your authorized external client and that a connection attempt from an unauthorized client is blocked by the firewall.
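The -l and -U checks from the two configuration sections above can also be scripted. The following shell function is an added example, not part of the original tutorial or of the Memcached project; the function names classify_addr and audit_memcached_conf and the sample address 10.0.0.5 are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: audit a memcached.conf for the -l and -U settings discussed above.
# Limitation (assumption): only the "-l ADDR" / "-U PORT" spelling with a space is parsed.

# classify_addr ADDR -> prints loopback, private (RFC 1918) or public
classify_addr() {
    case "$1" in
        127.*|localhost|::1) echo loopback ;;
        10.*|192.168.*|172.1[6-9].*|172.2[0-9].*|172.3[01].*) echo private ;;
        *) echo public ;;   # includes 0.0.0.0 (every interface)
    esac
}

# audit_memcached_conf FILE -> prints "listen=... udp=..."; returns 0 only if the
# instance is loopback-only, or bound to private addresses with UDP disabled.
audit_memcached_conf() {
    conf=$1
    [ -r "$conf" ] || { echo "unreadable: $conf"; return 2; }
    # Uncommented "-l" lines; a line may hold a comma-separated list of addresses.
    addrs=$(awk '$1 == "-l" { print $2 }' "$conf" | tr ',' '\n')
    # Value of the last uncommented "-U" line, empty if there is none.
    udp=$(awk '$1 == "-U" { v = $2 } END { print v }' "$conf")

    listen=loopback
    [ -n "$addrs" ] || listen=all-interfaces   # no -l: memcached listens everywhere
    for a in $addrs; do
        case "$(classify_addr "$a")" in
            public)  listen=public ;;
            private) [ "$listen" = public ] || listen=private ;;
        esac
    done
    case "$udp" in
        0)  udp_state=off ;;
        '') udp_state=unset ;;
        *)  udp_state=on ;;
    esac

    echo "listen=$listen udp=$udp_state"
    case "$listen" in
        loopback) return 0 ;;
        private)  [ "$udp_state" = off ] ;;
        *)        return 1 ;;
    esac
}

# Constructed sample config (not from a real server): private bind, no "-U 0" line.
sample=$(mktemp)
printf '%s\n' '-m 64' '-p 11211' '-l 10.0.0.5' > "$sample"
audit_memcached_conf "$sample" || echo "FAIL: tighten the settings reported above"
rm -f "$sample"
```

On a real server, call it as audit_memcached_conf /etc/memcached.conf after each edit and before restarting the service.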
At this point you will have successfully secured your Memcached server, configuring it to connect to your local or private network interface and enabling SASL authentication.