How To Install and Secure Memcached on Ubuntu 22.04

In-memory object caching systems such as Memcached can optimize backend database performance by temporarily storing information in memory and keeping frequently requested records available. This reduces the number of direct requests to your databases. We'll look at how to add authentication to secure Memcached using Simple Authentication and Security Layer (SASL), as well as how to bind Memcached to a local or private network interface so that it is reachable only from networks you trust. After reading this post, you will know how to install and secure Memcached on Ubuntu 22.04.

What is Memcached?

Memcached is a powerful, free cache system released as open source. It performs caching for dynamic website servers so that they make better and more efficient use of resources. Typically, it is used as a cache to speed up applications by storing objects returned from database queries.

It is typically used to speed up database-backed websites by keeping data and objects in main memory (RAM), which reduces the number of times the data is read from an external data source (for example, the database). The rest of this article shows how to install and secure Memcached on Ubuntu 22.04.

Prerequisites

– A Linux VPS running Ubuntu 22.04

– A non-root sudo user

– A firewall enabled

Install and Secure Memcached on Ubuntu 22.04

In this section, we are going to teach you step-by-step how to Install and Secure Memcached on Ubuntu 22.04. If you do not have Memcached installed on your server, install it from the official Ubuntu repositories. First, make sure your local package list is updated using the following command:

sudo apt update

Install the official package of memcached as follows:

sudo apt install memcached

You can also install libmemcached-tools, which contains various tools that you can use to check, test, and manage your Memcached server. Add the package to the server using the following command:

sudo apt install libmemcached-tools

Memcached is installed as a service on your server, with tools that allow you to test its connectivity. To launch Memcached, run the systemctl command:

sudo systemctl start memcached

You can now move on to securing the configuration settings.

How to Configure Memcached Network Settings

If the Memcached server only needs to support local IPv4 connections using TCP, you can skip this step and go to the next step. But if you want to configure Memcached to use UDP sockets, Unix domain sockets, or add support for IPv6 connections, follow the steps in this section.

First, make sure your Memcached instance is listening on the local IPv4 loopback interface, 127.0.0.1. The current version of Memcached that ships with Ubuntu and Debian has its -l configuration parameter set to the local interface, so it only receives connections from the server where Memcached runs.

Use the following command to verify that Memcached is currently bound to the local IPv4 127.0.0.1 interface and is listening for TCP connections:

sudo ss -plunt

The flags will alter ss output in the following ways:

-p adds the name of the process that is using a socket

-l limits the output to listening sockets only, as opposed to also including connected sockets to other systems

-u includes UDP-based sockets in the output

-n displays numeric values in the output instead of human-readable names and values

-t includes TCP-based sockets in the output

You should receive the output as follows:

This output verifies that Memcached is bound to the IPv4 loopback address 127.0.0.1 using the TCP protocol. Now that you have verified that Memcached is configured to support IPv4 with TCP connections only, you can edit /etc/memcached.conf to support UDP connections, Unix domain sockets, or IPv6.

How to Configure IPv6 for Memcached

To enable IPv6 connections to Memcached, open the configuration file with Nano or other editors:

sudo nano /etc/memcached.conf

First, find the following line in the file:

. . .
-l 127.0.0.1

This line is where Memcached is configured to listen on the local IPv4 interface. To add IPv6 support, add a line with the IPv6 local loopback address (::1) as follows:

. . .
-l 127.0.0.1
-l ::1

Save and close the file by pressing CTRL+O, then ENTER to save, and then CTRL+X to exit Nano. Then restart Memcached using the systemctl command:

sudo systemctl restart memcached

You can now check that Memcached also responds to IPv6 connections by repeating the ss command in the previous section:

sudo ss -plunt

You should receive the output as follows:

Output
Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port Process 
. . .
tcp LISTEN 0 1024 127.0.0.1:11211 0.0.0.0:* users:(("memcached",pid=8889,fd=26)) 
. . .
tcp LISTEN 0 1024 [::1]:11211 [::]:* users:(("memcached",pid=8889,fd=27))

This output shows that Memcached is now listening for TCP connections on the local IPv6 interface as well. If you want to disable IPv4 support and only listen for IPv6 connections, you can remove the -l 127.0.0.1 line from /etc/memcached.conf and restart the service using the systemctl command.

How to Configure UDP on Memcached

If you want to use Memcached with UDP sockets, enable UDP support by editing the configuration file. Open /etc/memcached.conf using nano or your preferred editor, then add the following line to the bottom of the file:

. . .
-U 11211

If you do not need TCP support, find the -p 11211 line and change it to -p 0 to disable TCP connections. After editing the file, save and close it by pressing CTRL+O to save and then CTRL+X to exit.

Restart the Memcached service with the systemctl command to apply the changes:

sudo systemctl restart memcached

Verify that Memcached is listening for UDP connections using the following command:

sudo ss -plunt

If you have disabled TCP support and enabled IPv6 connections, you should get the following output:

Output
Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port Process 
. . .
udp UNCONN 0 0 127.0.0.1:11211 0.0.0.0:* users:(("memcached",pid=8889,fd=28))
udp UNCONN 0 0 [::1]:11211 [::]:* users:(("memcached",pid=8889,fd=29))
. . .

Note that if you only enable IPv4 connections and enable TCP connections, your output may be different.
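The ss checks above can be automated. The following is an added example, not part of the original tutorial: the function name check_memcached_binds and the address 10.0.0.5 are assumptions, and the sample lines are constructed in the format of the ss output shown above.

```shell
# check_memcached_binds [ALLOWED_ADDR...]
# Reads `ss -plunt` output on stdin, prints "proto address verdict" for each
# socket owned by memcached, and returns 1 if any socket is bound to an
# address that is neither loopback nor in the allowed list.
check_memcached_binds() {
    awk -v allowed="$*" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        /"memcached"/ {
            addr = $5                      # Local Address:Port column
            sub(/:[0-9]+$/, "", addr)      # drop the port
            gsub(/\[|\]/, "", addr)        # drop IPv6 brackets
            if (addr ~ /^127\./ || addr == "::1") { verdict = "loopback" }
            else if (addr in ok) { verdict = "allowed" }
            else { verdict = "UNEXPECTED"; bad = 1 }
            print $1, addr, verdict
        }
        END { exit bad }
    '
}

# Constructed sample: one loopback TCP listener and one UDP socket on all
# interfaces. On a live server, pipe in `sudo ss -plunt` instead.
sample='tcp LISTEN 0 1024 127.0.0.1:11211 0.0.0.0:* users:(("memcached",pid=8889,fd=26))
udp UNCONN 0 0 0.0.0.0:11211 0.0.0.0:* users:(("memcached",pid=8889,fd=28))'
printf '%s\n' "$sample" | check_memcached_binds 10.0.0.5 ||
    echo "memcached has a listener outside loopback and the allowed list"
```

Pass the server's private address as an argument once Memcached is deliberately bound to a private interface, so that only unplanned listeners are reported.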

How to Configure Unix Domain Sockets

If you want to use Memcached with Unix domain sockets, you can enable support by editing the configuration file. Note that if you configure Memcached to use a Unix domain socket, Memcached disables TCP and UDP support, so before enabling socket support, make sure your applications do not need to connect using those protocols. Open /etc/memcached.conf using Nano or another editor, then add the following lines to the bottom of the file:

. . .
-s /var/run/memcached/memcached.sock
-a 660

The -a flag specifies the permissions on the socket file. Make sure the user that connects to Memcached is a member of the memcache group on your server; otherwise, you will receive a permission denied message when you try to access the socket. Then, restart the Memcached service with the following command to apply the changes:

sudo systemctl restart memcached

Make sure Memcached listens to Unix domain socket connections using the following command:

sudo ss -lnx | grep memcached

The -x flag restricts the ss output to Unix domain sockets. You should receive output as follows:

Output
u_str LISTEN 0 1024 /var/run/memcached/memcached.sock 20234658 * 0

Now that you have configured the Memcached network settings, go to the next step, adding SASL for authentication to Memcached.

How to Add Authorized Users to Memcached

To add authenticated users to the Memcached service, use Simple Authentication and Security Layer (SASL), a framework that separates authentication procedures from application protocols. First, add SASL support to the server and configure a user with authentication. Then enable SASL in the Memcached configuration file and verify that everything is working properly.

Adding a Verified User

To start adding SASL support, you must install the sasl2-bin package, which includes management programs for the SASL user database. This tool helps you create an authenticated user. To install this tool, run the following command:

sudo apt install sasl2-bin

Create the directory in which Memcached looks for its SASL configuration settings using the mkdir command:

sudo mkdir -p /etc/sasl2

Now create the SASL configuration file using nano or your preferred editor:

sudo nano /etc/sasl2/memcached.conf

Add the following lines:

log_level: 5
mech_list: plain
sasldb_path: /etc/sasl2/memcached-sasldb2

In addition to setting the logging level, mech_list is set to plain, which tells Memcached that it must use its own password file and verify a plaintext password. The last line you added specifies the path to the user database file that you will create in the next step. Save and close the file when done.

Now create the SASL database. Use the saslpasswd2 command with the -c flag to create a new user entry in the SASL database. The user here will be linda, but you can replace this name with your own. The -f flag specifies the path to the database. This is the path you set in /etc/sasl2/memcached.conf:

sudo saslpasswd2 -a memcached -c -f /etc/sasl2/memcached-sasldb2 linda

Give ownership of the SASL database to the memcache user and group with the following chown command:

sudo chown memcache:memcache /etc/sasl2/memcached-sasldb2

You now have a SASL configuration that Memcached uses for authentication. Next, verify that Memcached is running with its default settings, then reconfigure it and verify that it works with SASL authentication.

How to Configure SASL Support of the Memcached

First test the connection of the Memcached instance with the memcstat command. This check helps determine if Memcached is running and properly configured before activating SASL and authenticating the user. After making changes to the configuration files, run the command again to check for different outputs. To verify that Memcached is enabled and running using the memcstat command, type the following:

memcstat --servers="127.0.0.1"

If you are using IPv6, use ::1 in place of the IPv4 address 127.0.0.1. If you are using a Unix domain socket, use the socket path instead of the IP address, for example --servers=/var/run/memcached/memcached.sock. When you run the memcstat command and successfully connect to Memcached, you should get the following output:

Output
Server: 127.0.0.1 (11211)
pid: 2299875
uptime: 2020
time: 1632404590
version: 1.5.22
. . .

Tip: If you are using Memcached with UDP support, the memcstat command cannot connect to the UDP port. Use the following netcat command to confirm the connection:

nc -u 127.0.0.1 11211 -vz

If Memcached responds, you should get the output as follows:

Output
Connection to 127.0.0.1 11211 port [udp/*] succeeded!

If you are using Memcached with IPv6 and UDP, the command should look like this:

nc -6 -u ::1 11211 -vz

Enable SASL now. Add the -S parameter to the configuration file. Reopen the file with Nano:

sudo nano /etc/memcached.conf

In the file, add the following line:

. . .
-S

Next, find and uncomment the -vv option, which provides verbose output to /var/log/memcached. The uncommented line should look as follows:

. . .
-vv

Save and close the file. Restart the Memcached service using the systemctl command below:

sudo systemctl restart memcached

Check the journalctl report for Memcached to make sure SASL support is enabled:

sudo journalctl -u memcached |grep SASL

You should receive output as follows, indicating that SASL support is enabled:

Output
Sep 23 17:00:55 memcached systemd-memcached-wrapper[2303930]: Initialized SASL.

Now try connecting to Memcached again. Because SASL support is now initialized, the following memcstat command should fail without valid authentication:

memcstat --servers="127.0.0.1"

The command should not generate output. Enter the following shell command to check its exit status:

echo $?

$? always returns the exit code of the last command that ran. Anything other than 0 indicates failure. In this case, you should get exit status 1, which indicates that the memcstat command failed. Re-running memcstat with the username and password verifies that the authentication process works.

If you use different credentials, replace linda and your_password in the following command with your own values:

memcstat --servers="127.0.0.1" --username=linda --password=your_password

You should receive the output as follows:

Output
Server: 127.0.0.1 (11211)
pid: 3831
uptime: 9
time: 1520028517
version: 1.4.25
. . .

Memcached is now configured and running with SASL support and user authentication.

Allowing Access Over the Private Network (Optional)

Memcached is configured to listen only on the local loopback interface (127.0.0.1), which protects the Memcached interface from being exposed to outside parties. There may be times when you need to allow access from other servers. In that case, you can configure Memcached to bind to a private network interface.

How to Restrict IP Access with a Firewall

Before changing the configuration, set firewall rules to restrict which machines can connect to your Memcached server. First, record the private IP address of each machine that will connect to Memcached. Once you have a private IP address, add an explicit firewall rule that allows that machine to access Memcached. If you are using the UFW firewall, restrict access to the Memcached instance by entering the following command on the Memcached server:

sudo ufw allow from client_system_private_IP/32 to any port 11211

If more than one system accesses Memcached over the private network, be sure to add a ufw rule for each machine, using the above rule as a template. Next, change the Memcached service so that it binds to the server's private network interface.

Memcached Connection to Private Network Interface

Now that your firewall is in place, configure Memcached to bind to the server's private network interface instead of 127.0.0.1. Find the Memcached server's private network interface using the ip command below.

ip -brief address show

Depending on the server network configuration, the output may differ.

Once you find the private IP address or addresses of the server, reopen the configuration file using Nano:

sudo nano /etc/memcached.conf

Find the -l 127.0.0.1 line that you previously checked or modified, and change the address to match the server's private network interface:

. . .
-l memcached_servers_private_IP
. . .

If you want Memcached to listen on multiple addresses, add another similar line for each address, either IPv4 or IPv6, using the -l memcached_servers_private_IP format. Save and close the file after completing the steps. Then restart the Memcached service:

sudo systemctl restart memcached

Check the new settings with ss to confirm the change:

sudo ss -plunt

Test the connection from your external client to make sure you can still access the service. Also, check access from an unauthenticated client (try connecting without a username and password) to make sure your SASL authentication works properly. Finally, try connecting to Memcached from another server that is not allowed to connect, to make sure the firewall rules you created are effective.
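To review the finished configuration in one pass, the following added example (not part of the original tutorial) reads a memcached.conf file and reports the options covered in this article that affect exposure. The function name audit_memcached_conf and the address 10.0.0.5 are assumptions, and the sample file is constructed. It relies on Memcached binding to all interfaces when no -l line is present.

```shell
# Added example: audit the options this tutorial sets in /etc/memcached.conf.
# Usage: audit_memcached_conf /etc/memcached.conf
audit_memcached_conf() {
    sasl=no; sock=""; mode=""; udp=0; listen=""
    # Every non-comment line of the file holds one memcached flag.
    while read -r opt val rest || [ -n "$opt" ]; do
        case $opt in
            -S) sasl=yes ;;
            -s) sock=$val ;;
            -a) mode=$val ;;
            -U) udp=$val ;;
            -l) listen="$listen $(printf '%s' "$val" | tr ',' ' ')" ;;
        esac
    done < "$1"

    if [ -n "$sock" ]; then
        # A Unix socket disables TCP and UDP, so only its mode matters.
        case $mode in
            *[2367]) echo "WARN socket $sock mode $mode is writable by all local users" ;;
        esac
        return 0
    fi
    if [ "$udp" != 0 ]; then
        echo "INFO UDP listener enabled on port $udp"
    fi
    if [ -z "$listen" ]; then
        echo "WARN no -l line: memcached binds to every interface"
        return 0
    fi
    for addr in $listen; do
        case $addr in
            127.*|::1|localhost) continue ;;
        esac
        if [ "$sasl" = yes ]; then
            echo "INFO $addr is not loopback: allow each client in ufw"
        else
            echo "WARN $addr is not loopback and SASL (-S) is not enabled"
        fi
    done
    return 0
}

# Constructed sample: a private-interface bind with UDP on and no -S line.
sample=$(mktemp)
printf '%s\n' '-p 11211' '-U 11211' '-l 127.0.0.1' '-l 10.0.0.5' > "$sample"
audit_memcached_conf "$sample"
rm -f "$sample"
```

A configuration that binds only to loopback addresses, or uses a socket with mode 660, produces no output.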

Conclusion

In this tutorial, you learned how to install and secure Memcached on Ubuntu 22.04. You also learned how to configure Memcached with IPv4, IPv6, TCP, UDP, and Unix domain sockets, and how to secure your Memcached server by enabling SASL authentication. Finally, you learned how to bind Memcached to your local or private network interface and configure firewall rules to restrict access to Memcached.
