Memcached is an in-memory key-value store that speeds up web applications by caching static content and the results of database queries, which reduces database load; it is intended for non-persistent storage only. In its default configuration, however, Memcached has no access control on keys and no authentication: anyone who can reach the service over the network can read and modify the data stored in it. It is therefore necessary to take the following measures to protect a Memcached server.
Bind to a local or private network interface. To keep the Memcached server unreachable from the network, set it to listen only on the loopback interface 127.0.0.1; only local processes can then access the service. On CentOS 7, set the OPTIONS variable in /etc/sysconfig/memcached to:
OPTIONS="-l 127.0.0.1 -U 0 -S -vv"
With these options Memcached listens only on the loopback interface (-l 127.0.0.1) and the UDP listener is disabled (-U 0); -S enables SASL authentication, which is configured in a later step, and -vv turns on verbose logging.
Use a firewall to restrict access to the Memcached port. On CentOS, run firewall-cmd to create a dedicated zone so that only the specified IP address can reach the Memcached service:
sudo firewall-cmd --permanent --new-zone=memcached
sudo firewall-cmd --permanent --zone=memcached --add-port=11211/tcp
sudo firewall-cmd --permanent --zone=memcached --add-source=client_server_private_IP
sudo firewall-cmd --reload
This allows only connections from specific IP addresses to access the Memcached service.
Enable SASL authentication for the Memcached service. Memcached supports user authentication through SASL. First, configure SASL for Memcached in /etc/sasl2/memcached.conf and point it at the SASL database that will be created next:
sasldb_path: /etc/sasl2/memcached-sasldb2
Run the saslpasswd2 command to create a user:
sudo saslpasswd2 -a memcached -c -f /etc/sasl2/memcached-sasldb2 username
Give the memcached user ownership of the SASL database, enable SASL support in the Memcached configuration (the -S option in OPTIONS), and restart the Memcached service:
sudo chown memcached:memcached /etc/sasl2/memcached-sasldb2
sudo systemctl restart memcached
In this way, the Memcached service will require the client to provide a valid user name and password to connect.
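The handshake a client must perform once -S is enabled, as an added illustration (not code from this page or from the Memcached project): it frames a SASL_AUTH request for the PLAIN mechanism in Memcached's binary protocol and decodes the server's status, which is exactly what a client library has to support in order to connect. The host, port and credentials passed to authenticate() are assumptions.

```python
import socket
import struct

# Binary-protocol header (24 bytes): magic, opcode, key length, extras length,
# data type, status (vbucket in requests), total body length, opaque, cas.
HEADER = struct.Struct("!BBHBBHIIQ")
MAGIC_REQUEST, MAGIC_RESPONSE = 0x80, 0x81
OP_SASL_AUTH = 0x21
STATUS_TEXT = {0x0000: "authenticated", 0x0020: "authentication failed",
               0x0021: "further authentication steps required"}

def sasl_plain_auth_request(username, password, opaque=0):
    """Build a SASL_AUTH request for the PLAIN mechanism (the key is the
    mechanism name, the value is authzid NUL authcid NUL password)."""
    key = b"PLAIN"
    value = b"\x00" + username.encode() + b"\x00" + password.encode()
    header = HEADER.pack(MAGIC_REQUEST, OP_SASL_AUTH, len(key), 0, 0, 0,
                         len(key) + len(value), opaque, 0)
    return header + key + value

def parse_response(packet):
    """Return (opcode, status text, body) from a binary-protocol response."""
    if len(packet) < HEADER.size:
        raise ValueError("response shorter than a header")
    magic, opcode, _, _, _, status, body_len, _, _ = HEADER.unpack_from(packet)
    if magic != MAGIC_RESPONSE:
        raise ValueError("not a memcached response")
    body = packet[HEADER.size:HEADER.size + body_len]
    return opcode, STATUS_TEXT.get(status, f"unknown status 0x{status:04x}"), body

def _recv_exact(sock, n):
    """Read exactly n bytes, since recv() may return a partial frame."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("server closed the connection")
        buf += chunk
    return buf

def authenticate(host, port, username, password, timeout=3.0):
    """Authenticate to a memcached started with -S; returns the status text."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(sasl_plain_auth_request(username, password))
        header = _recv_exact(sock, HEADER.size)
        body = _recv_exact(sock, HEADER.unpack(header)[6])
        return parse_response(header + body)[1]
```

A client that cannot send this request is refused by a -S server at its first command, which is the compatibility issue to check before enabling SASL.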
Encrypt data in transit. Memcached itself does not support encrypted connections, but you can use SSL/TLS to encrypt the connection between clients and the server by placing stunnel in front of Memcached. For example, a service section in the stunnel configuration:
[memcached]
accept = 127.0.0.1:11212
connect = 127.0.0.1:11211
cert = /etc/stunnel/stunnel.pem
key = /etc/stunnel/stunnel.pem
In this way, the data is encrypted during transmission, which improves security.
Memcached's SASL authentication adds a layer of protection against unauthorized access. However, the mechanism also brings drawbacks and risks of its own.
Performance loss. Enabling SASL authentication increases Memcached's overhead, because every client connection must authenticate, which can reduce response speed and throughput. Under high load this loss is more noticeable.
Configuration complexity. To enable SASL authentication you must correctly configure both Memcached and its clients: building or configuring Memcached with SASL support, creating SASL users, and configuring the clients to authenticate. These steps add complexity to the system, and a misconfiguration can itself open a security hole.
Security bypass vulnerabilities. A flaw in the authentication code can allow a remote attacker to bypass SASL authentication and perform unauthorized operations. For example, a SASL authentication state bypass vulnerability exists in Memcached 1.x versions that lets an attacker skip authentication, which is one reason to keep Memcached updated.
Reliance on external authentication services. Memcached's SASL authentication depends on external SASL components such as saslauthd, which adds a dependency to the system. Failure or misconfiguration of the authentication service can make the Memcached service unavailable or cause a security breach.
While SASL authentication protects against unauthorized access, it does not encrypt data. If traffic is intercepted in transit, an attacker can still read sensitive information.
Client support issues. Not all Memcached clients support SASL authentication. Clients without SASL support will be unable to connect to the Memcached server once SASL authentication is enabled. To avoid these issues, it is recommended to deploy Memcached only on trusted networks, use firewalls to restrict access, audit and test regularly, use encrypted transmission, and keep software updated.
Use monitoring and alerting. Monitoring tools such as Nagios, Zabbix, and Prometheus can track the performance and security status of Memcached; set up alerts so that problems are detected and resolved in a timely manner.
The above measures can effectively improve the security of Memcached, protecting data from unauthorized access and network attacks.