Securing memcached using IPTABLES
5 messages in com.googlegroups.memcached

From                  Sent on
hoos                  Apr 8, 2011 2:16 pm
Dustin                Apr 8, 2011 2:40 pm
Brian Moon            Apr 8, 2011 3:01 pm
Hussein Badakhchani   Apr 10, 2011 2:47 pm
Dustin                Apr 10, 2011 6:13 pm
Subject:Securing memcached using IPTABLES
From:hoos (huss@gmail.com)
Date:Apr 8, 2011 2:16:37 pm
List:com.googlegroups.memcached

Hello group, I've been looking at ways to secure access to memcached as it is a key requirement of our target deployment architecture. I've followed the suggestions in David Block's blog at:

http://blog.codesherpas.com/on_the_path/2010/08/securing-memcache-in-2-minutes.html

However, we really need a mechanism to secure access to memcached for authorised users, locking out unauthorised users that exist on the same machine as memcached. While the SASL authentication meets the security requirement, we believe it would cause a significant degradation in performance (although I haven't load tested a SASL-enabled memcached and cannot quantify the loss in performance). Furthermore, not all clients support SASL authentication; most notably the nginx modules don't support it, and that really torpedoes the SASL option.

Instead we are considering the use of IPTABLES with the owner module to enable filtering of packets based on UID. For example, the following iptables command rejects any packets bound for the memcached daemon which have not been created by the memclient user:

iptables -A INPUT -p tcp --dport 11111 -d 127.0.0.1 -m owner ! --uid-owner memclient -j REJECT

This approach is simple to implement and provides the minimum level of security we need.

Another approach is to use UNIX domain sockets instead of TCP and secure the domain socket; however, this method also suffers from a lack of client support.
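The following is an added example of the UID-based iptables filter the post proposes; it is not code from the original message or from the memcached project. It assumes memcached is bound to 127.0.0.1 on its default port 11211, that the permitted client account is named memclient, and that the rules are loaded with iptables (invoked as $IPTABLES so the script can be dry-run with IPTABLES=echo on a machine without iptables or without root). One practical point worth knowing before copying a rule like the one above: the iptables owner match only evaluates locally generated packets and is only accepted in the OUTPUT and POSTROUTING chains, so the filter is placed in OUTPUT on the loopback interface, where it matches the connecting process's SYN. The script also includes a small check that flags any rule using -m owner in another chain.

```shell
#!/bin/sh
# Added example (not from the original post or the memcached project):
# allow only one local UNIX user to open TCP connections to a memcached
# listening on loopback, and refuse every other local user.
#
# Assumptions (hypothetical, not stated on the page): memcached listens on
# 127.0.0.1:11211 (its default port), the permitted client user is
# "memclient", and rules are loaded with $IPTABLES (default: iptables).
#
# The owner match (-m owner) only evaluates locally generated packets and is
# only valid in the OUTPUT and POSTROUTING chains, so the UID filter goes in
# OUTPUT on the loopback interface. Replies from memcached are not affected:
# they leave OUTPUT with a source port of 11211, not a destination port.

MEMCACHED_ADDR="${MEMCACHED_ADDR:-127.0.0.1}"
MEMCACHED_PORT="${MEMCACHED_PORT:-11211}"
ALLOWED_USER="${ALLOWED_USER:-memclient}"
IPTABLES="${IPTABLES:-iptables}"

# Print the rule set, one iptables invocation per line, without running it.
memcached_owner_rules() {
    addr="$1"; port="$2"; user="$3"
    # Defence in depth: drop anything for the memcached port that did not
    # arrive on loopback, in case memcached is later bound to 0.0.0.0.
    printf '%s\n' "$IPTABLES -A INPUT -p tcp --dport $port ! -i lo -j DROP"
    # Sockets owned by the permitted user may reach memcached on loopback.
    printf '%s\n' "$IPTABLES -A OUTPUT -o lo -p tcp -d $addr --dport $port -m owner --uid-owner $user -j ACCEPT"
    # Every other local process gets a TCP RST, so its connect() fails at
    # once instead of hanging until a timeout.
    printf '%s\n' "$IPTABLES -A OUTPUT -o lo -p tcp -d $addr --dport $port -j REJECT --reject-with tcp-reset"
}

# Sanity check for one rule string: a rule that uses the owner match in any
# chain other than OUTPUT or POSTROUTING will be refused by iptables, so
# report it before trying to load it. Returns 0 if acceptable, 1 otherwise.
owner_rule_chain_ok() {
    rule="$1"
    case "$rule" in
        *" -m owner "*)
            case "$rule" in
                *" -A OUTPUT "*|*" -I OUTPUT "*|*" -A POSTROUTING "*|*" -I POSTROUTING "*)
                    return 0 ;;
                *)
                    return 1 ;;
            esac ;;
        *)
            return 0 ;;
    esac
}

# Validate and load the rule set; stops at the first bad or failing rule.
apply_memcached_owner_rules() {
    while IFS= read -r rule; do
        [ -n "$rule" ] || continue
        if ! owner_rule_chain_ok "$rule"; then
            echo "refusing rule (owner match outside OUTPUT/POSTROUTING): $rule" >&2
            return 1
        fi
        eval "$rule" || return 1
    done <<EOF
$(memcached_owner_rules "$MEMCACHED_ADDR" "$MEMCACHED_PORT" "$ALLOWED_USER")
EOF
}

# By default only print the rules; run with APPLY=1 as root to load them.
if [ "${APPLY:-0}" = 1 ]; then
    apply_memcached_owner_rules
else
    memcached_owner_rules "$MEMCACHED_ADDR" "$MEMCACHED_PORT" "$ALLOWED_USER"
fi
```

Two caveats apply to any filter of this kind. It is a host-local, UID-level control: root, or any process with CAP_NET_ADMIN, can simply remove the rules, and it does nothing for clients on other hosts, so memcached should still be started with -l 127.0.0.1. If more than one account needs access, add one ACCEPT rule per --uid-owner (or a UID range such as --uid-owner 1000-1005) ahead of the REJECT.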