Controlling memcached access with ufw

Clint Byrum clint at ubuntu.com
Wed Aug 24 16:04:02 UTC 2011


Excerpts from Simon Males's message of Wed Aug 24 06:53:29 -0700 2011:
> (read: 'Securing' memcached)
> 
> I hope to cluster memcached. The network is untrusted and I must
> restrict the allowed clients. So this is my first attempt at
> firewalling.
> 
> I've switched the ufw's DEFAULT_INPUT_POLICY to ACCEPT as there is no
> current firewall. Next I added two clients which have explicit access
> to port 11212 followed by a catch all DENY to 11212.
> 
> # ufw status verbose
> Status: active
> Logging: on (low)
> Default: allow (incoming), allow (outgoing)
> New profiles: skip
> 
> To                         Action      From
> --                         ------      ----
> 11212                      ALLOW IN    192.168.1.102
> 11212                      ALLOW IN    192.168.1.103
> 11212                      DENY IN     Anywhere
> 11212                      DENY IN     Anywhere (v6)
> 
> Does this sound like a decent attempt at locking down memcached?
> 
> Additionally with the above rules, could I create an application
> profile? Ideally there will be multiple memcached servers, and I would
> like to version control the profile.
> 

This should indeed limit access to memcached to those two IPs. You
don't say whether it's UDP or TCP ports (memcached uses either).

If it's really untrusted, you might also look at using memcached's built-in
SASL support to require the clients to authenticate.

http://code.google.com/p/memcached/wiki/SASLHowto

An even simpler way to go is to just set up a VPN so that you are not
subject to the dangers of an untrusted network. Even with SASL and
firewalling, somebody can man-in-the-middle those "trusted" IPs and use
your memcached all they want.
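As an added illustration (not from either message in this thread), the following shell functions render the quoted policy as ufw commands that cover both TCP and UDP, emit an application profile that can be kept under version control, and check that the explicit ALLOW rules precede the catch-all DENY; the port and client IPs come from the original message, while the profile name "Memcached" and the helper names are assumptions.

```shell
#!/bin/sh
# Added example: render the quoted ufw policy for port 11212 so that both
# protocols memcached can use are covered and rule order is correct.
# Port and client IPs are taken from the thread; the profile name is assumed.

MEMCACHED_PORT=11212
ALLOWED_CLIENTS="192.168.1.102 192.168.1.103"

# Print ufw commands in the order ufw must receive them: ufw evaluates rules
# in insertion order and the first match wins, so every explicit ALLOW must
# be added before the catch-all DENY.
memcached_rules() {
    for ip in $ALLOWED_CLIENTS; do
        echo "ufw allow proto tcp from $ip to any port $MEMCACHED_PORT"
        echo "ufw allow proto udp from $ip to any port $MEMCACHED_PORT"
    done
    echo "ufw deny proto tcp from any to any port $MEMCACHED_PORT"
    echo "ufw deny proto udp from any to any port $MEMCACHED_PORT"
}

# Render an application profile in the INI format ufw reads from
# /etc/ufw/applications.d/; once installed, the same rules can be written as
# "ufw allow from <ip> to any app Memcached" on every memcached host.
memcached_profile() {
    printf '[Memcached]\ntitle=memcached\ndescription=memcached cache server\nports=%s/tcp|%s/udp\n' \
        "$MEMCACHED_PORT" "$MEMCACHED_PORT"
}

# Read rule lines from stdin and fail if any ALLOW comes after a DENY,
# which would make the ALLOW unreachable for the same port.
rules_ordered() {
    seen_deny=0
    while IFS= read -r line; do
        case "$line" in
            *" deny "*)  seen_deny=1 ;;
            *" allow "*) [ "$seen_deny" -eq 0 ] || return 1 ;;
        esac
    done
    return 0
}
```

Run `memcached_rules | rules_ordered && memcached_rules` to review the commands before applying them with ufw.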