Controlling memcached access with ufw

Simon Males sime at sime.net.au
Wed Aug 24 21:28:25 UTC 2011


On Thu, Aug 25, 2011 at 2:04 AM, Clint Byrum <clint at ubuntu.com> wrote:
> Excerpts from Simon Males's message of Wed Aug 24 06:53:29 -0700 2011:
>> (read: 'Securing' memcached)
>>
>> I hope to cluster memcached. The network is untrusted and I must
>> restrict the allowed clients. So this is my first attempt at
>> firewalling.
>>
>> I've switched the ufw's DEFAULT_INPUT_POLICY to ACCEPT as there is no
>> current firewall. Next I added two clients which have explicit access
>> to port 11212 followed by a catch all DENY to 11212.
>>
>> # ufw status verbose
>> Status: active
>> Logging: on (low)
>> Default: allow (incoming), allow (outgoing)
>> New profiles: skip
>>
>> To                         Action      From
>> --                         ------      ----
>> 11212                      ALLOW IN    192.168.1.102
>> 11212                      ALLOW IN    192.168.1.103
>> 11212                      DENY IN     Anywhere
>> 11212                      DENY IN     Anywhere (v6)
>>
>> Does this sound like a decent attempt at locking down memcached?
>>
>> Additionally with the above rules, could I create an application
>> profile? Ideally there will be multiple memcached servers, and I would
>> like to version control the profile.
>>
>
> This should indeed limit access to memcached to those two IPs. You
> don't say whether it's UDP or TCP ports (memcached uses either).

I did notice that memcached uses either, and I thought that by not
specifying a protocol it would filter both?

> If it's really untrusted, you might also look at using memcached's built
> in SASL support to require the clients to authenticate.
>
> http://code.google.com/p/memcached/wiki/SASLHowto

I'm aware of SASL; it's just that it's not compiled in by default. Custom
compiling is a last resort (I don't know how to manage/maintain it).

> An even simpler way to go is to just setup a VPN so that you are not
> subject to the dangers of an untrusted network. Even with SASL and
> firewalling, somebody can man-in-the-middle those "trusted" IPs and use
> your memcached all they want.

I was originally going to post a question about Ubuntu to Ubuntu VPNs.
Though setting up a few firewall rules with ufw seems simpler.

Additionally I'm not a networking guy and setting up new IPs and the
like is a little daunting to me. Same goes again: I don't know how to
manage that.

A VPN is the ultimate solution, so I'm happy to be pointed in the
direction of server to server VPNs.

Cheers.

-- 
Simon Males
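The thread asks two things the rules table alone does not settle: whether a port-only ufw rule covers both TCP and UDP, and how to turn the per-host ALLOW / catch-all DENY pattern into an application profile that can be version controlled. The following script is an added example, not something from the thread or from the ufw project: it generates a ufw application profile for the port used above (11212) and emits the ufw commands that admit only the listed client addresses. The profile name "memcached", the `/etc/ufw/applications.d` path and the `UFW` / `PROFILE_DIR` variables are assumptions of this example; the rule syntax is ufw(8)'s `from ADDRESS to any app APPNAME` form. By default it only prints the commands, so it is safe to run anywhere; set `UFW="sudo ufw"` to apply them.

```shell
#!/bin/sh
# Added example (not from the thread): build a ufw application profile for
# memcached on port 11212 and the rules that restrict it to known clients.
# Assumptions: profile name "memcached", ufw's applications.d layout, ufw(8)
# rule syntax. UFW defaults to "echo ufw" so nothing is applied unless asked.

MEMCACHED_PORT="${MEMCACHED_PORT:-11212}"
UFW="${UFW:-echo ufw}"   # set UFW="sudo ufw" to actually apply the rules

# Profile body for /etc/ufw/applications.d/memcached. Both protocols are
# listed because memcached listens on tcp and udp; this is the same coverage
# a port-only rule such as "ufw allow 11212" gives, since ufw applies an
# unqualified port rule to both tcp and udp.
memcached_profile() {
    cat <<EOF
[memcached]
title=memcached
description=memcached object cache, clients restricted by ufw
ports=${MEMCACHED_PORT}/tcp|${MEMCACHED_PORT}/udp
EOF
}

# Print the ufw commands: reload the profile, one ALLOW per client address
# or CIDR given as an argument, then a catch-all DENY. Order matters: ufw
# evaluates rules in insertion order, so the allows must precede the deny.
memcached_rules() {
    printf '%s\n' "ufw app update memcached"
    for client in "$@"; do
        printf '%s\n' "ufw allow from ${client} to any app memcached"
    done
    printf '%s\n' "ufw deny to any app memcached"
}

# Write the profile into PROFILE_DIR (default: ufw's applications.d) and run
# each generated rule through $UFW.
memcached_apply() {
    dir="${PROFILE_DIR:-/etc/ufw/applications.d}"
    memcached_profile > "${dir}/memcached"
    memcached_rules "$@" | while read -r line; do
        # strip the leading "ufw " so $UFW (e.g. "sudo ufw") supplies it
        $UFW ${line#ufw }
    done
}

# Usage with the two clients from the thread (prints the commands unless
# UFW is set to a real ufw invocation):
memcached_apply 192.168.1.102 192.168.1.103
```

Two points worth keeping in mind when using this: because the `deny` rule is tied to the application profile, every memcached host with the same profile file gets identical behaviour, which is what makes the file worth version controlling; and with `DEFAULT_INPUT_POLICY` left at ACCEPT, as in the status output above, that final `deny` line is the only thing closing the port to other hosts, so it must be present on every server.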



