Install and Secure Memcached on Debian 11 and Ubuntu 22.04
Memcached is an in-memory key-value store for small chunks of arbitrary data. Memcached is often used to enhance web application performance and scalability by temporarily caching frequently accessed data and reducing direct requests to databases.
This guide walks through the installation steps for Memcached on Debian 11 and Ubuntu 22.04 LTS systems. Additionally, it goes over multiple solutions for securing your Memcached installation, including SASL authentication and adding firewall rules with UFW.
Before You Begin
If you do not already have a virtual machine to use, create a Compute Instance with at least 4 GB of memory. See our Getting Started with Linode and Creating a Compute Instance guides.
Follow our Setting Up and Securing a Compute Instance guide to update your system. You may also wish to set the timezone, configure your hostname, create a limited user account, and harden SSH access.
Follow our How to Configure a Firewall with UFW guide to install UFW, allow SSH access, and enable the firewall.
If you’re not familiar with the sudo command, see the Users and Groups guide.
Install Memcached
Memcached is available from the official Debian and Ubuntu repositories.
First, install Memcached:
sudo apt install memcached
Next, install libmemcached-tools, a library that provides several tools for interacting with Memcached servers:
sudo apt install libmemcached-tools
Verify that Memcached is installed and running:
sudo systemctl status memcached
The expected output should resemble:
● memcached.service - memcached daemon
     Loaded: loaded (/lib/systemd/system/memcached.service; enabled; vendor preset: enabled)
     Active: active (running) since Thu 2024-06-06 11:29:42 EDT; 18s ago
Press Q to exit the status output and return to the terminal prompt.
Make sure that Memcached is listening on the default address:
sudo ss -plunt | grep memcached
By default, there should only be one IPv4 localhost (127.0.0.1) entry for Memcached:
tcp LISTEN 0 1024 127.0.0.1:11211 0.0.0.0:* users:(("memcached",pid=1789,fd=26))
Use the memcstat tool to check the status of Memcached on 127.0.0.1:
memcstat --servers="127.0.0.1"
Server: 127.0.0.1 (11211)
pid: 1789
uptime: 420
time: 1717688200
version: 1.6.9
...
Securing the Installation
The following sections cover various solutions for securing a Memcached installation. These steps are not strictly necessary when Memcached listens locally. However, if Memcached is exposed over a network, all of these sections should be completed to protect it from unauthorized access and other potential security threats.
Open External Access and Disable UDP
Using a text editor, open the /etc/memcached.conf file:
sudo nano /etc/memcached.conf
The default Memcached network address on Debian and Ubuntu is the local address (127.0.0.1). To open Memcached over the network, add your Compute Instance’s external IP address. Disabling UDP using -U 0 in the configuration is also recommended when opening Memcached access. Save your changes once you are done editing the configuration file.
File: /etc/memcached.conf
...
# Specify which IP address to listen on. The default is to listen on all IP addresses
# This parameter is one of the only security measures that memcached has, so make sure
# it's listening on a firewalled interface.
-l 127.0.0.1
-l IP_ADDRESS

# Disable UDP
-U 0

# Limit the number of simultaneous incoming connections. The daemon default is 10>
# -c 1024
...
Restart Memcached to apply the changes:
sudo systemctl restart memcached
Verify the network changes with the ss and grep commands from before:
sudo ss -plunt | grep memcached
There should now be a second Memcached entry for your compute instance’s external IP address:
tcp LISTEN 0 1024 IP_ADDRESS:11211 0.0.0.0:* users:(("memcached",pid=2477,fd=27))
tcp LISTEN 0 1024 127.0.0.1:11211 0.0.0.0:* users:(("memcached",pid=2477,fd=26))
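The same check can be scripted so that a leftover UDP socket or a wildcard bind is caught after every restart. This is an added example, not part of the original guide; the function name check_memcached_listeners and the sample rows (including the 203.0.113.10 documentation address) are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify memcached sockets in `ss -plunt` output read on stdin.
# Returns non-zero if memcached holds a UDP socket or a wildcard bind
# (treating a wildcard bind as a failure is a policy choice of this example).
check_memcached_listeners() {
    awk '
        index($0, "\"memcached\"") == 0 { next }    # skip other processes
        {
            proto = $1
            addr = $5
            sub(/:[0-9]+$/, "", addr)                # drop the port
            if (proto == "udp") {
                print "FAIL udp socket on " addr; bad = 1
            } else if (addr ~ /^(0\.0\.0\.0|\*|\[::\])$/) {
                print "FAIL wildcard bind " addr; bad = 1
            } else if (addr ~ /^(127\.|\[::1\])/) {
                print "OK loopback " addr
            } else {
                print "NOTE network listener " addr
            }
        }
        END { exit bad + 0 }
    '
}

# Constructed sample: the two expected listeners plus a leftover UDP socket.
check_memcached_listeners <<'EOF' || echo "listener check failed"
tcp LISTEN 0 1024 203.0.113.10:11211 0.0.0.0:* users:(("memcached",pid=2477,fd=27))
tcp LISTEN 0 1024 127.0.0.1:11211 0.0.0.0:* users:(("memcached",pid=2477,fd=26))
udp UNCONN 0 0 127.0.0.1:11211 0.0.0.0:* users:(("memcached",pid=2477,fd=28))
EOF
```

On a live system, pipe the real output into it: sudo ss -plunt | check_memcached_listeners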
Use the memcstat tool to check the status of Memcached on your Compute Instance’s external IP address. Replace IP_ADDRESS with your instance’s IP:
memcstat --servers="IP_ADDRESS"
Server: IP_ADDRESS (11211)
pid: 2477
uptime: 203
time: 1717688684
version: 1.6.9
...
Add Firewall Rules
The steps below use ufw to manage firewall rules.
Add a single firewall rule to allow limited access to port 11211 from a remote machine. Replace CLIENT_IP_ADDRESS with the IP address of the remote machine you want to access the Memcached server from:
sudo ufw allow proto tcp from CLIENT_IP_ADDRESS to any port 11211
Rule added
Verify that the rule has been added to UFW:
sudo ufw status
Status: active

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW       Anywhere
11211/tcp                  ALLOW       CLIENT_IP_ADDRESS
22/tcp (v6)                ALLOW       Anywhere (v6)
From the remote client machine, run memcstat again on your Compute Instance’s external IP_ADDRESS to confirm a connection:
memcstat --servers="IP_ADDRESS"
Server: 172.233.162.226 (11211)
pid: 2477
uptime: 1102
time: 1717689583
version: 1.6.9
Note: The remote client machine must also have Memcached and libmemcached-tools installed.
Install and Configure SASL
Memcached doesn’t provide internal authentication procedures. However, Simple Authentication and Security Layer (SASL) can be used to provide authentication to Memcached. SASL is a framework that de-couples authentication procedures from application protocols.
First, install SASL:
sudo apt install sasl2-bin
Next, create the directory that Memcached uses for SASL configuration:
sudo mkdir -p /etc/sasl2
Now create a memcached.conf SASL configuration file in that directory:
sudo nano /etc/sasl2/memcached.conf
Add the following content to the SASL configuration file, and save your changes:
File: /etc/sasl2/memcached.conf
mech_list: plain
log_level: 5
sasldb_path: /etc/sasl2/memcached-sasldb2
Add Authorized Users
Create a SASL database and user. Replace SASL_USERNAME with a username of your choice:
sudo saslpasswd2 -a memcached -c -f /etc/sasl2/memcached-sasldb2 SASL_USERNAME
Enter a password of your choosing, and verify that password:
Password:
Again (for verification):
Give Memcached ownership of the database:
sudo chown memcache:memcache /etc/sasl2/memcached-sasldb2
Enable SASL
With a text editor, open the /etc/memcached.conf file:
sudo nano /etc/memcached.conf
Enable SASL by adding the -S parameter to /etc/memcached.conf, and save your changes:
File: /etc/memcached.conf
...
# Specify which IP address to listen on. The default is to listen on all IP addresses
# This parameter is one of the only security measures that memcached has, so make sure
# it's listening on a firewalled interface.
-l 127.0.0.1
-l IP_ADDRESS

# Disable UDP
-U 0

# Enable SASL authentication
-S

# Limit the number of simultaneous incoming connections. The daemon default is 10>
# -c 1024
...
Restart Memcached to apply the changes:
sudo systemctl restart memcached
Check the Memcached status locally once again. Replace SASL_USERNAME and SASL_PASSWORD with your chosen username and password:
sudo memcstat --servers="127.0.0.1" --username="SASL_USERNAME" --password="SASL_PASSWORD"
The output should look similar to this:
Server: 127.0.0.1 (11211) pid: 2956 uptime: 198 time: 1717690598 version: 1.6.9 ...
Repeat the process from the remote machine, using your Compute Instance’s external IP address instead of 127.0.0.1:
sudo memcstat --servers="IP_ADDRESS" --username="SASL_USERNAME" --password="SASL_PASSWORD"
The output should be the same as above:
Server: 172.233.162.226 (11211)
pid: 2956
uptime: 271
time: 1717690671
version: 1.6.9
...
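To keep the configuration from drifting, the hardening steps from this guide can be checked directly against /etc/memcached.conf. The script below is an added example, not part of the original guide. The function name audit_memcached_conf is hypothetical, it parses only the short options used here (-l, -U, -S), and its sample input is constructed.

```shell
#!/bin/sh
# Added example: audit the active options in a Debian-style memcached.conf.
# Assumption: only the short options used in this guide (-l, -U, -S) are parsed.
audit_memcached_conf() {
    conf=$1
    fails=0
    [ -r "$conf" ] || { echo "FAIL: cannot read $conf"; return 2; }

    # Keep active option lines only: strip comments, then drop blank lines.
    opts=$(sed -e 's/#.*$//' -e '/^[[:space:]]*$/d' "$conf")

    # Every -l value, one per line (a comma-separated list is split too).
    addrs=$(printf '%s\n' "$opts" | awk '$1 == "-l" { print $2 }' | tr ',' '\n')
    udp=$(printf '%s\n' "$opts" | awk '$1 == "-U" { v = $2 } END { print v }')
    sasl=$(printf '%s\n' "$opts" | awk '$1 == "-S" { s = "yes" } END { print s }')

    exposed=no
    if [ -z "$addrs" ]; then
        exposed=yes   # per the config file's own comment
        echo "INFO: no -l option, so memcached listens on all addresses"
    fi
    for a in $addrs; do
        case $a in
            127.*|::1|localhost) echo "INFO: loopback listener $a" ;;
            *) exposed=yes; echo "INFO: network listener $a" ;;
        esac
    done

    if [ "$exposed" = no ]; then
        echo "OK: loopback only"
        return 0
    fi
    if [ "$udp" != 0 ]; then
        echo "FAIL: network listener without '-U 0'"
        fails=$((fails + 1))
    fi
    if [ "$sasl" != yes ]; then
        echo "FAIL: network listener without '-S' (SASL not enabled)"
        fails=$((fails + 1))
    fi
    [ "$fails" -eq 0 ] && echo "OK: UDP disabled and SASL enabled"
    [ "$fails" -eq 0 ]
}

# Constructed sample: the guide's config from before SASL was enabled.
sample=$(mktemp)
printf '%s\n' '-l 127.0.0.1' '-l IP_ADDRESS' '# Disable UDP' '-U 0' > "$sample"
audit_memcached_conf "$sample" || echo "audit found $fails problem(s)"
rm -f "$sample"
```

Run it against the live file with audit_memcached_conf /etc/memcached.conf; it returns non-zero when a network listener lacks either setting.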