Get 50% Discount Offer 7 Days


Contact Info

Chicago 12, Melborne City, USA

+88 01682648101

[email protected]

Recommended Services
Supported Scripts
How To Install and Secure Memcached on Ubuntu 22.04

Memory object storage systems such as Memcached can optimize the performance of the backup database by temporarily storing information in memory and preserving frequently requested records. This will reduce the number of direct requests to your databases. We’ll look at how to add authentication to secure Memcached using Simple Authentication and Security Layer (SASL), as well as how to connect Memcached to a local or private network interface to make sure only on networks trusted by users. After reading this post, you will fully learn How To Install and Secure Memcached on Ubuntu 22.04. Therefore, we suggest you stay with us until the end of this article.

What is Memcached?

Memcached is a very powerful and free cache system that has been released as open source. Memcached is software for performing cache operations on Dynamic website servers that will make better and more efficient use of resources. Typically, it is using as a cache system to speed up applications by storing various objects from the results of database conversations.

This system is typically using to speed up websites that use the database, using data storage and objects in main memory (RAM) to reduce the number of times the data is read from an external data source (for example, the database). In the continuation of this article, you will learn about Install and Secure Memcached on Ubuntu 22.04


A Linux VPS Ubuntu 22.04 server

– Non-root sudo user

– firewall enabled.

Install and Secure Memcached on Ubuntu 22.04

In this section, we are going to teach you step-by-step how to Install and Secure Memcached on Ubuntu 22.04. If you do not have Memcached installed on your server, install it from the official Ubuntu repositories. First, make sure your local package list is updated using the following command:

sudo apt update

Install the official package of memcached as follows:

sudo apt install memcached

You can install libmemcached-tools, which contain various tools that you can use to check, test, and manage your Memcached server. Add the package to the server using the following command:

sudo apt install libmemcached-tools

Memcached is installed as a service on your server, with tools that allow you to test its connectivity. To launch Memcached, run the systemctl command:

sudo systemctl start memcached

You can now go to secure the configuration settings.

How to Configure Memcached Network Settings

If the Memcached server only needs to support local IPv4 connections using TCP, you can skip this step and go to the next step. But if you want to configure Memcached to use UDP sockets, Unix domain sockets, or add support for IPv6 connections, follow the steps in this section.

First, make sure your Memcached instance listens to the local IPv4 Loopback interface. The current version of Memcached, which ships with Ubuntu and Debian, has its -l configuration parameter configured on the local interface to receive only connections from the server where Memcached runs.

Use the following command to verify that Memcached is currently connected to the local IPv4 interface and is listening for TCP connections:

sudo ss -plunt

The flags will alter ss output in the following ways:

-p adds the name of the process that is using a socket

-l limits the output to listening sockets only, as opposed to also including connected sockets to other systems

-u includes UDP-based sockets in the output

-n displays numeric values in the output instead of human-readable names and values

-t includes TCP-based sockets in the output

You should receive the output as follows:

This output verifies that Memcached is connected to the IPv4 Loopback address using the TCP protocol. Now that it has been verified that Memcached is configured to support IPv4 with TCP connections only, you can edit /etc/memcached.conf to support UDP connections, Unix domain sockets, or IPv6.

How to Configuration IPv6 to Memcached

To enable IPv6 connections to Memcached, open the configuration file with Nano or other editors:

sudo nano /etc/memcached.conf

First, find the following command in the file:

. . .

This line is where Memcached is configuring to listen to the local IPv4 interface. To add IPv6 support, add the IPv6 local loop address command (:: 1) as follows:

. . .
-l ::1

Save and close the file by pressing CTRL+O, then ENTER to save, and then CTRL+X to exit Nano. Also, restart Memcached using the systemctl command:

sudo systemctl restart memcached

You can now check that Memcached also responds to IPv6 connections by repeating the ss command in the previous section:

sudo ss -plunt

You should receive the output as follows:

Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port Process 
. . .
tcp LISTEN 0 1024* users:(("memcached",pid=8889,fd=26)) 
. . .
tcp LISTEN 0 1024 [::1]:11211 [::]:* users:(("memcached",pid=8889,fd=27))

Output segments show that Memcached is now responding to TCP connections in the local IPv6 interface. If you want to disable IPv4 support and only listen to IPv6 connections, you can remove the -l command from /etc/memcached.conf and restart the service using the systemctl command.

How to Configure UDP on Memcached

If you want to use Memcached with UDP sockets, enable UDP support by editing the configuration file and opening /etc/memcached.conf using the nano or custom editor, then add the following command to the bottom of the file do:

. . .
-U 11211

If you do not need TCP support, find the -p 11211 command and change it to -p 0 to disable TCP connections. After editing the file, save and close it by entering CTRL+O to save and then CTRL+X to exit.

Restart the Memcached service with the systemctl command to apply the changes:

sudo systemctl restart memcached

Memcached listens to UDP connections using the following command:

sudo ss -plunt

If you have disabled TCP support and enabled IPv6 connections, you should get the following output:

[secondary_label Output] 
Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port Process 
. . .
udp UNCONN 0 0* users:(("memcached",pid=8889,fd=28))
udp UNCONN 0 0 [::1]:11211 [::]:* users:(("memcached",pid=8889,fd=29))
. . .

Note that if you only enable IPv4 connections and enable TCP connections, your output may be different.

How to Configure Unix Domain Sockets

If you want to use Memcached with Unix domain sockets, you can enable support by editing the configuration file. Note that if you configure Memcached to use the Unix domain socket, Memcached disables TCP and UDP support, so before enabling socket support, make sure your applications do not need to connect using those protocols. Open /etc/memcached.conf using Nano or other editors, then add the following commands to the bottom of the file:

. . .
-s /var/run/memcached/memcached.sock
-a 660

The -a flag specifies the permissions in the socket file. Make sure the user to connect to Memcached is part of the Memcache group on your server, otherwise, a permission message will reject when you try to access the socket. Then, restart the Memcached service with the following command to apply the changes:

sudo systemctl restart memcached

Make sure Memcached listens to Unix domain socket connections using the following command:

sudo ss -lnx | grep memcached

The -x flag restricts the ss output to display socket files. You should receive the outputs as follows:

u_str LISTEN 0 1024 /var/run/memcached/memcached.sock 20234658 * 0

Now that you have configured the Memcached network settings, go to the next step, adding SASL for authentication to Memcached.

How to Add Authorized Users to Memcached

To add authentication users to the Memcached service, use Simple Authentication and Security Layer (SASL), which separates authentication procedures from application protocols. First, add SASL support to the server and configure the user with authentication. Also, enable SASL in the Memcached configuration file and verify that everything is working properly.

Adding a Verified User

To start adding SASL support, you must install the sasl2-bin package, which includes management programs for the SASL user database. This tool helps you create an authenticated user. To install this tool, run the following command:

sudo apt install sasl2-bin

Create a directory and file that Memcached checks the SASL configuration settings using the mkdir command:

sudo mkdir -p /etc/sasl2

Now create the SASL configuration file using nano or the editor:

sudo nano /etc/sasl2/memcached.conf

Add the following command:

log_level: 5
mech_list: plain
sasldb_path: /etc/sasl2/memcached-sasldb2

In addition to setting the report level, mech_list is set to plain, which indicates to Memcached that it must use its password file and confirm the plain text password. The last command you added specifies the path to the user database file that you will create in the next step. Save and close the file when done.

Now create a valid SASL database and use the saslpasswd2 command with the -c flag to create a new user entry in the SASL database. The user here will be Linda, but you can replace this name with your own. The -f flag specifies the path to the database. This is the path you set in /etc/sasl2/memcached.conf:

sudo saslpasswd2 -a memcached -c -f /etc/sasl2/memcached-sasldb2 linda

Give the SASL database ownership to the user and memcache group with the following chown command:

sudo chown memcache:memcache /etc/sasl2/memcached-sasldb2

You now have a SASL configuration that Memcached uses for authentication. Next, verify that Memcached is running with its default settings, then reconfigure it and verify that it works with SASL authentication.

How to Configure SASL Support of the Memcached

First test the connection of the Memcached instance with the memcstat command. This check helps determine if Memcached is running and properly configured before activating SASL and authenticating the user. After making changes to the configuration files, run the command again to check for different outputs. To verify that Memcached is enabled and running using the memcstat command, type the following:

memcstat --servers=""

If you are using IPv6, replace :: 1 with IPv4 If you are using a Unix domain socket, use the socket path instead of the IP address, for example –servers =/var/run/memcached/memached.sock. When you run the memcstat command and successfully connect to Memcached, you should get the following output:

Server: (11211)
pid: 2299875
uptime: 2020
time: 1632404590
version: 1.5.22
. . .

Tip: If you are using Memcached with UDP support, the memcstat command cannot connect to the UDP port. Use the following netcat command to confirm the connection:

nc -u 11211 -vz

If Memcached responds, you should get the output as follows:

Connection to 11211 port [udp/*] succeeded!

If you are using Memcached with IPv6 and UDP, the command should look like this:

nc -6 -u ::1 11211 -vz

Enable SASL now. Add the -S parameter to the configuration file. Reopen the file with Nano:

sudo nano /etc/memcached.conf

In the file, add the following command:

. . .

Next, find and ignore the -vv option, which provides full output to /var/log/memcached. The command without comment should be as follows:

. . .

Save and close the file. Restart the Memcached service using the systemctl command below:

sudo systemctl restart memcached

Check the journalctl report for Memcached to make sure SASL support is enabled:

sudo journalctl -u memcached |grep SASL

You should receive the output command as follows to indicate that SASL support is enabled:

Sep 23 17:00:55 memcached systemd-memcached-wrapper[2303930]: Initialized SASL.

Now try connecting to Memcached again. Despite SASL support and initialization, the following memcstat command must fail without valid authentication:

memcstat --servers=""

The command should not generate output. Enter the following shell command to check the status as follows:

echo $?

$? Always returns the exit code of the last command that came out. Anything other than 0 indicates process failure. In this case, you should get exit status 1, which indicates the failure of the memcstat command. Re-running memcstat, with the username and password, verifies that the authentication process works.

If you use different credentials, replace the following command with the values linda and your_password:

memcstat --servers="" --username=linda --password=your_password

You should receive the output as follows:

Server: (11211)
pid: 3831
uptime: 9
time: 1520028517
version: 1.4.25
. . .

Memcached is now configuring and executing with SASL support and user authentication.

Allowing Access Over the Private Network (Optional)

Memcached is configuring to listen only to the local loopback interface (, which protects the Memcached interface from being exposed to outside parties. There may be times when you need permission to access from other servers. You can configure it to connect Memcached to a private network interface.

How to Restrict IP Access with a Firewall

Before configuring settings, set firewall rules to restrict machines that can connect to your Memcached server. You must first record the private IP address of each device you used to connect to Memcached. Once you have a private IP address, add the explicit firewall rule to allow the device to access Memcached. If you are using a UFW firewall, restrict access to the Memcached instance by entering the following commands in the Memcached server:

sudo ufw allow from client_system_private_IP/32 to any port 11211

If more than one system has access to Memcached over a private network, be sure to add the ufw rules for each device using the above rule as a template. Make changes to the Memcached service to connect to the server’s private network interface.

Memcached Connection to Private Network Interface

Now that your firewall is in place, configure Memcached to connect to the server’s private network interface instead of Find the Memcached server’s private network interface using the IP command below.

ip -brief address show

Depending on the server network configuration, the output may differ.

Once you find the IP address or private addresses of the server, reopen the configuration file using Nano:

sudo nano /etc/memcached.conf

Find the -l command that you previously checked or modified, and change the address to match the server’s private network interface:

. . .
-l memcached_servers_private_IP
. . .

If you want Memcached to listen to multiple addresses, add another similar instruction for each address, either IPv4 or IPv6 using the -l memcached_servers_private_IP format. Save and close the file after completing the steps. Then restart the Memcached service:

sudo systemctl restart memcached

Check the new settings with ss to confirm the change:

sudo ss -plunt

Test your external customer connection to make sure you can still access the service. Also, check the access of an unauthorized client (try connecting without a username and password) to make sure your SASL authentication works properly. Also, try connecting to Memcached from another server that is not allowed to connect to make sure the firewall rules created are effective.


In this tutorial, you learned How To Install and Secure Memcached on Ubuntu 22.04. Also configure Memcached with IPv4, IPv6, TCP, UDP, and Unix domain sockets and how to secure your Memcached server by enabling SASL authentication. Finally, you learned how to connect Memcached to your local or private network interface and configure firewall rules to restrict access to Memcached. We hope you find this article useful. Share your comments with us via the form below.

Rate this post
Share this Post

Leave a Reply

Your email address will not be published. Required fields are marked *