Controlling memcached access with ufw

Simon Males sime at
Wed Aug 24 21:28:25 UTC 2011

On Thu, Aug 25, 2011 at 2:04 AM, Clint Byrum <clint at> wrote:
> Excerpts from Simon Males's message of Wed Aug 24 06:53:29 -0700 2011:
>> (read: 'Securing' memcached)
>> I hope to cluster memcached. The network is untrusted and I must
>> restrict the allowed clients. So this is my first attempt at
>> firewalling.
>> I've switched ufw's DEFAULT_INPUT_POLICY to ACCEPT as there is no
>> current firewall. Next I added two clients which have explicit access
>> to port 11212, followed by a catch-all DENY to 11212.
>> # ufw status verbose
>> Status: active
>> Logging: on (low)
>> Default: allow (incoming), allow (outgoing)
>> New profiles: skip
>> To                         Action      From
>> --                         ------      ----
>> 11212                      ALLOW IN
>> 11212                      ALLOW IN
>> 11212                      DENY IN     Anywhere
>> 11212                      DENY IN     Anywhere (v6)
>> Does this sound like a decent attempt at locking down memcached?
>> Additionally with the above rules, could I create an application
>> profile? Ideally there will be multiple memcached servers, and I would
>> like to version control the profile.
> This should indeed limit access to memcached to those two IPs. You
> don't say whether it's UDP or TCP ports (memcached uses either).

I did notice that memcached uses either, and I thought that by not
specifying a protocol it would filter both?

> If it's really untrusted, you might also look at using memcached's built
> in SASL support to require the clients to authenticate.

I'm aware of SASL; it's just that it's not compiled in by default. Custom
compiling is a last resort (I don't know how to manage/maintain it).

> An even simpler way to go is to just set up a VPN so that you are not
> subject to the dangers of an untrusted network. Even with SASL and
> firewalling, somebody can man-in-the-middle those "trusted" IPs and use
> your memcached all they want.

I was originally going to post a question about Ubuntu to Ubuntu VPNs.
Though setting up a few firewall rules with ufw seems simpler.

Additionally, I'm not a networking guy and setting up new IPs and the
like is a little daunting to me. Same goes again: I don't know how to
manage that.

A VPN is the ultimate solution, so I'm happy to be pointed in the
direction of server to server VPNs.


Simon Males
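As an added example (not part of the thread or of ufw itself), the rule set Simon describes expressed as a version-controllable ufw application profile plus the rule commands in evaluation order. Assumptions: memcached on port 11212 as in the thread, client addresses 10.0.0.5 and 10.0.0.6 are constructed placeholders, and the profile name "Memcached" is chosen here. When no protocol is given, ufw matches both TCP and UDP; the profile lists both explicitly so the intent is visible in review.

```shell
#!/bin/sh
# Added example: generate a ufw application profile for memcached and the
# per-client ALLOW / catch-all DENY rules that use it. Client IPs below are
# constructed placeholders. Only the UFW_APPLY=1 branch touches the system.

# Profile text for /etc/ufw/applications.d/<file>. Listing tcp and udp
# explicitly documents that both listeners are covered.
memcached_profile() {   # args: profile_name port
    printf '[%s]\n' "$1"
    printf 'title=memcached\n'
    printf 'description=memcached cache server, restricted to listed clients\n'
    printf 'ports=%s/tcp|%s/udp\n' "$2" "$2"
}

# Rule commands in evaluation order. ufw evaluates rules top to bottom,
# so the per-client ALLOW lines must precede the catch-all DENY.
memcached_rules() {     # args: profile_name client_ip...
    name=$1; shift
    for ip in "$@"; do
        printf 'ufw allow from %s to any app %s\n' "$ip" "$name"
    done
    printf 'ufw deny %s\n' "$name"   # deny the app from anywhere (v4 and v6)
}

# Number of commands produced: one per client plus the final DENY.
memcached_rule_count() {
    memcached_rules "$@" | wc -l | tr -d ' '
}

if [ "${UFW_APPLY:-0}" = "1" ]; then
    # Apply for real (root required): install the profile, reload it, run rules.
    memcached_profile Memcached 11212 > /etc/ufw/applications.d/memcached
    ufw app update Memcached
    memcached_rules Memcached 10.0.0.5 10.0.0.6 | sh -e
else
    # Dry run: print the profile and the commands for review / commit.
    memcached_profile Memcached 11212
    memcached_rules Memcached 10.0.0.5 10.0.0.6
fi
```

Keeping the profile file under version control lets each memcached host receive the same definition, while the client list stays in the rule commands.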
