Memcached is a buzzword whenever it comes to the cache mechanism for modern-day web applications. It is a memory object caching system specifically designed to enhance the speed of web applications by reducing load on the database server.
In simpler terms, it pools memory that other parts of the system are not using and makes it available to the parts that need it, so the web server does not have to deal with caching itself. It improves backend database performance by reducing the number of requests that reach the database directly.
In this article, we'll see how to securely install and configure Memcached on an Ubuntu server, and how to add authentication to it using Simple Authentication and Security Layer (SASL). In practice, Memcached is usually bound to a private network as well, so that access is limited to trusted, authenticated clients only.
Step 1: Installing Memcached
If you do not have Memcached installed on your Ubuntu server, you can simply install it from the official Ubuntu repositories.
Firstly, make sure that your local package is updated using the following command:
$ sudo apt update
Next, proceed towards package installation, for which you need to execute the following command:
$ sudo apt install memcached
In addition to memcached, you can also install libmemcached-tools. The package contains several tools to examine, test and manage the Memcached server. To install libmemcached-tools, execute the following command:
$ sudo apt install libmemcached-tools
Memcached and its tools to check connectivity are now successfully installed as a service on the server.
To check if the service is up and running, you execute the following command:
$ sudo systemctl status memcached
By default, it should be running once it's installed. In case the service is inactive, you can always start the service by executing the following command:
$ sudo systemctl start memcached
Now, let's check the Memcached version by running the following command:
$ memcached --version
memcached 1.6.14
Alternate method
Alternatively, you can download the compressed source archive from the official website using the wget command.
$ wget -c https://memcached.org/files/memcached-1.6.15.tar.gz
Now, extract the archive to access its contents using the following command:
$ tar -zxvf memcached-1.6.15.tar.gz
Again, list down the contents inside and navigate to the memcached-1.6.15 directory.
$ ls && cd memcached-1.6.15/
Now install the libevent-dev package, because Memcached depends on it.
$ sudo apt install libevent-dev -y
Finally, configure the build, compile it with make, run the test suite and install the resulting binaries:
$ ./configure && make && make test && sudo make install
You can again do a version check by executing the following command:
$ memcached --version
memcached 1.6.15
Now, you can proceed towards network configurations.
Step 2 - Memcached Network Configurations
In this section, we'll cover some additional network configurations, which may or may not be needed depending on the use case. If Memcached has to accept UDP sockets, Unix Domain Sockets or IPv6 connections, follow the steps below.
Initially, make sure that the Memcached server is listening on the local IPv4 loopback interface 127.0.0.1. The version of Memcached that ships with Ubuntu and Debian has its -l configuration parameter set to the local interface, meaning it only accepts connections from the server on which Memcached is running.
We use the 'ss' command to verify that Memcached is currently bound to the local IPv4 127.0.0.1 interface and listens for TCP connections only.
$ sudo ss -plunt
The various flags will alter ss output in the following ways:
- -p adds the name of the process that is using a socket
- -l limits the output to listening sockets only, rather than also including sockets connected to other systems
- -u includes UDP based sockets in the output
- -n displays numeric values in the output instead of human-readable names and values
- -t includes TCP based sockets in the output
The output should be similar to the following:
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
. . .
tcp   LISTEN 0      1024   127.0.0.1:11211    0.0.0.0:*         users:(("memcached",pid=8889,fd=26))
. . .
The output confirms that Memcached is bound to the IPv4 loopback 127.0.0.1 address using the TCP protocol only.
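As an added example that is not part of the original article, the following POSIX shell function parses 'ss -plunt' output in the format shown above and classifies every memcached socket by protocol and by whether its bind address is loopback, private, or reachable from beyond the host. The ss output it runs against here is a constructed sample (it includes one UDP socket bound to 0.0.0.0 so that the flagging is visible); the private-range patterns and the function names are the example's own, not anything from Memcached or ss.

```shell
#!/usr/bin/env sh
# Added example, not from the original article: classify the Memcached
# listeners reported by `ss -plunt` so that an unexpected bind (a wildcard
# or public address, or UDP where only TCP was intended) stands out.
# Against a live host:  sudo ss -plunt | audit_memcached_sockets

# Constructed sample in the `ss -plunt` layout (not real output).
SAMPLE_SS_OUTPUT='Netid State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
tcp   LISTEN 0      1024        127.0.0.1:11211       0.0.0.0:*     users:(("memcached",pid=8889,fd=26))
udp   UNCONN 0      0               [::1]:11211          [::]:*     users:(("memcached",pid=8889,fd=27))
tcp   LISTEN 0      1024     192.168.5.95:11211       0.0.0.0:*     users:(("memcached",pid=8991,fd=27))
udp   UNCONN 0      0             0.0.0.0:11211       0.0.0.0:*     users:(("memcached",pid=8889,fd=28))
tcp   LISTEN 0      128           0.0.0.0:22          0.0.0.0:*     users:(("sshd",pid=812,fd=3))'

# Reads ss output on stdin and prints one line per memcached socket:
#   <netid> <address> <port> <scope>     where scope is loopback, private or PUBLIC
audit_memcached_sockets() {
    grep '"memcached"' | while read -r netid _state _rq _sq laddr _peer _proc; do
        port=${laddr##*:}          # text after the last colon is the port
        addr=${laddr%:*}           # everything before it is the address
        addr=${addr#\[}; addr=${addr%\]}   # ss brackets IPv6 literals: [::1]
        case "$addr" in
            127.*|::1)                          scope=loopback ;;
            10.*|192.168.*|fe80:*)              scope=private ;;  # RFC 1918 / link-local
            172.1[6-9].*|172.2?.*|172.3[01].*)  scope=private ;;  # 172.16.0.0/12
            *)                                  scope=PUBLIC ;;   # 0.0.0.0, ::, * or routable
        esac
        printf '%s %s %s %s\n' "$netid" "$addr" "$port" "$scope"
    done
}

# Returns 0 (true) when at least one memcached socket is bound to a wildcard
# or routable address, i.e. the service is reachable from outside the host.
has_public_bind() {
    audit_memcached_sockets | grep -q ' PUBLIC$'
}
```

Typical use is 'sudo ss -plunt | has_public_bind && echo "memcached is reachable from outside this host"' after every configuration change in this section; the classification is by address only, so a private bind still needs the firewall rules from Step 4.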
Now that you've confirmed the default IPv4 loopback binding, you can edit the /etc/memcached.conf file to add support for UDP, Unix Domain Sockets or IPv6 connections.
IPv6 configuration
You can enable IPv6 connections simply by editing the /etc/memcached.conf file. First, you have to open the file with a preferred editor.
$ sudo nano /etc/memcached.conf
Now, find the line that looks like
. . .
-l 127.0.0.1
Now, add another line just below it with the IPv6 loopback address (::1)
-l 127.0.0.1
-l ::1
Finally, save the file, close the editor and restart memcached service using the systemctl command.
$ sudo systemctl restart memcached
Verify that memcached is also listening to the IPv6 connections by executing the 'ss' command as mentioned above.
UDP configuration
As mentioned earlier, Memcached can also be used with UDP sockets. To enable UDP support, you need to perform the exact same steps you did for setting up IPv6 configuration.
Open the file /etc/memcached.conf with a preferred editor, go to the bottom and add the following line:
. . .
-U 11211
Again, you'll have to save the file, close the editor and restart the service.
$ sudo systemctl restart memcached
To verify if the connections are properly set for UDP, you execute the previously mentioned 'ss' command.
$ sudo ss -plunt
It will list down all the connections set for the memcached service.
Unix Domain Sockets configuration
To enable support for Unix Domain Sockets, you'll have to make changes in the /etc/memcached.conf file. Before proceeding, ensure that the TCP and the UDP connections are disabled so that the application cannot be connected via these protocols.
Then, edit the /etc/memcached.conf file by opening it with a preferred editor.
Right at the bottom of the file, add the following lines:
. . .
-s /var/run/memcached/memcached.sock
-a 660
Now, restart the memcached service by executing the following command:
$ sudo systemctl restart memcached
Finally, verify that Memcached is listening on the Unix Domain Socket by running the 'ss' command.
$ sudo ss -lnx | grep memcached
Sample Output
u_str LISTEN 0 1024 /var/run/memcached/memcached.sock 20234658
Step 3 - Add Authorized Users
You can use Simple Authentication and Security Layer (SASL), a framework that decouples authentication procedures from application protocols to authenticate valid users to the Memcached service.
First, add SASL to the Memcached server and then add a user with authentication credentials. Then, enable SASL on Memcached's configuration file and verify if everything is put in place.
Start by installing the sasl2-bin package, which has all the administrative programs for the SASL user database. It allows us to create an authenticated user or a group of users.
$ sudo apt install sasl2-bin
Now, create the directory that will hold the SASL configuration Memcached reads, by executing the following command:
$ sudo mkdir -p /etc/sasl2
You can create the SASL configuration file using nano or any preferred editor.
$ sudo nano /etc/sasl2/memcached.conf
Next, add the following lines:
log_level: 5
mech_list: plain
sasldb_path: /etc/sasl2/memcached-sasldb2
In addition to specifying the logging level, mech_list is set to plain, which tells Memcached that it should use its own password file and verify a plaintext password. The last line that reads sasldb_path specifies the path to the user database file that you will create next.
To create a SASL database with user credentials, you'll use the saslpasswd2 command with the '-c' flag to create a new user entry in the SASL database. Call your user 'test'. The '-f' flag specifies the path to the database, which will be the path that is set in /etc/sasl2/memcached.conf.
$ sudo saslpasswd2 -a memcached -c -f /etc/sasl2/memcached-sasldb2 test
Finally, give the memcache user and group ownership of the SASL database with the following command, so that the service has sufficient privileges to read it:
$ sudo chown memcache:memcache /etc/sasl2/memcached-sasldb2
SASL Support configuration
First, check the connectivity of the Memcached server with the memcstat command. It confirms that Memcached is up, running and correctly configured before SASL and user authentication are enabled.
Execute the following command:
$ memcstat --servers="127.0.0.1"
If the connection is successful, you should see similar output:
Server: 127.0.0.1 (11211)
        pid: 2299875
        uptime: 2020
        time: 1632404590
        version: 1.5.22
. . .
Now, you can move on to enabling SASL. To do so, you'll have to add the '-S' parameter to /etc/memcached.conf. Open the file with a preferred editor.
$ sudo nano /etc/memcached.conf
Right at the bottom of the file, add the following line:
. . .
-S
Again, on the same file, find and uncomment the '-vv' option, which will provide verbose output to /var/log/memcached.
. . .
-vv
Finally, save the file and close it. Again, restart the memcached service using the systemctl command:
$ sudo systemctl restart memcached
You can check the journalctl logs for Memcached to be sure that SASL support is enabled. To do that, execute the following command:
$ sudo journalctl -u memcached | grep SASL
Upon executing the above command, you should get an output similar to the following:
Sep 11 17:00:55 memcached systemd-memcached-wrapper[2303930]: Initialized SASL.
Now, check the connectivity to Memcached again.
With SASL support in place and initialized, the following memcstat command should fail without valid authentication credentials.
$ memcstat --servers="127.0.0.1"
Notice that it will not produce any output as the user credentials are not provided.
Try again by running the following command:
$ memcstat --servers="127.0.0.1" --username=test --password=your_password
Now, it yields an output that looks like the following:
Sample output
Server: 127.0.0.1 (11211)
        pid: 3831
        uptime: 9
        time: 1520028517
        version: 1.4.25
. . .
Hence, you have verified that the Memcached service is now configured and running with SASL support and user authentication.
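As an added example that is not part of the original article, the following POSIX shell function audits the /etc/memcached.conf options this guide has touched so far: whether -S (SASL) is set, which addresses -l binds, and whether -U enables UDP. It reads the file on standard input and prints one finding per line, so it can be used as a check in a deployment script. The two configurations it is run against here are constructed samples in the Ubuntu file format (the first mirrors the stock loopback-only defaults, the second the state after the steps above); the function name and the output labels are the example's own.

```shell
#!/usr/bin/env sh
# Added example, not from the original article: a read-only audit of the
# security-relevant options in /etc/memcached.conf.
# Against the live file:  sudo cat /etc/memcached.conf | audit_memcached_conf

# Constructed sample: stock Debian/Ubuntu defaults (no SASL, loopback only).
DEFAULT_CONF='# memcached default config file
-d
logfile /var/log/memcached.log
-m 64
-p 11211
-u memcache
-l 127.0.0.1
-P /var/run/memcached/memcached.pid'

# Constructed sample: after the steps above (SASL on, verbose, IPv6 and UDP added).
HARDENED_CONF='-d
logfile /var/log/memcached.log
-m 64
-p 11211
-u memcache
-l 127.0.0.1
-l ::1
-U 11211
-vv
-S'

# Strips comments and blank lines, then reports three findings.
audit_memcached_conf() {
    conf=$(grep -v '^[[:space:]]*#' | grep -v '^[[:space:]]*$')

    # Authentication: a bare "-S" line is what enables SASL.
    if printf '%s\n' "$conf" | grep -qx -- '-S'; then
        echo 'sasl=enabled'
    else
        echo 'sasl=DISABLED'
    fi

    # Listen addresses: one "-l <addr>" per address. No -l at all, 0.0.0.0
    # or :: means Memcached listens on every interface.
    listens=$(printf '%s\n' "$conf" | sed -n 's/^-l[[:space:]][[:space:]]*//p' | tr '\n' ',')
    listens=${listens%,}
    case ",$listens," in
        ,,|*,0.0.0.0,*|*,::,*) echo "listen=ALL_INTERFACES(${listens:-none})" ;;
        *)                      echo "listen=$listens" ;;
    esac

    # UDP: "-U <port>" enables it, "-U 0" explicitly disables it.
    udp=$(printf '%s\n' "$conf" | sed -n 's/^-U[[:space:]][[:space:]]*//p' | tail -n 1)
    case "${udp:-unset}" in
        unset) echo 'udp=not_configured' ;;
        0)     echo 'udp=disabled' ;;
        *)     echo "udp=port_$udp" ;;
    esac
}
```

Run it before and after the edits in Step 3 and compare the two results; the expected change is 'sasl=DISABLED' becoming 'sasl=enabled', while the listen and udp lines should only change if you deliberately edited them in Step 2.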
Step 4 - Private Network Access
By default, Memcached listens on the local loopback (127.0.0.1) interface only, which shields the Memcached interface from external parties. However, there are a few scenarios where you might need to grant access from particular servers.
In this case, you can configure Memcached's network settings to bind it to a private network.
Firewall Setup
It is a good practice to set up firewall rules to limit the computers that can connect to the Memcached server. You must have a private IP assigned to the system beforehand. Once that is done, you will have to add an explicit firewall rule to allow the machine to access the Memcached server.
If you're using UFW firewall, you can execute the following command:
$ sudo ufw allow from <client_system_private_IP>/32 to any port 11211
Note: If more than one system needs access to the Memcached server, you must add all of them individually to the ufw rules.
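Because each client has to be added individually, here is an added example (not from the original article) of a small POSIX shell helper that validates a list of client addresses as IPv4 dotted quads and prints the corresponding ufw rule for each, so that a mistyped address is reported instead of silently becoming a rule. The client addresses are constructed sample values, and 'is_ipv4' and 'ufw_rules_for_clients' are the example's own names. It prints the commands rather than running them, so they can be reviewed first.

```shell
#!/usr/bin/env sh
# Added example, not from the original article: generate one ufw rule per
# client for the Memcached port, rejecting anything that is not a valid
# IPv4 address. The rules are printed, not executed.

MEMCACHED_PORT=11211

# Returns 0 if $1 is a syntactically valid IPv4 address (four octets, 0-255).
is_ipv4() {
    addr=$1
    case "$addr" in
        *[!0-9.]*|.*|*.|*..*) return 1 ;;   # non-digits, leading/trailing/empty octet
    esac
    # Exactly four dot-separated fields.
    [ "$(printf '%s' "$addr" | tr '.' '\n' | grep -c .)" -eq 4 ] || return 1
    old_ifs=$IFS; IFS=.
    for octet in $addr; do
        [ "$octet" -le 255 ] || { IFS=$old_ifs; return 1; }
    done
    IFS=$old_ifs
    return 0
}

# Prints one `sudo ufw allow` rule per valid client (host-only /32 mask,
# same form as the rule above). Invalid entries are reported on stderr
# and make the function return 1 so a calling script can stop.
ufw_rules_for_clients() {
    rc=0
    for client in "$@"; do
        if is_ipv4 "$client"; then
            printf 'sudo ufw allow from %s/32 to any port %s\n' "$client" "$MEMCACHED_PORT"
        else
            printf 'skipping invalid IPv4 address: %s\n' "$client" >&2
            rc=1
        fi
    done
    return $rc
}

# Constructed sample client list: two valid hosts and one typo (octet 300).
SAMPLE_CLIENTS="192.168.5.20 10.10.0.7 192.168.5.300"
```

For example, 'ufw_rules_for_clients $SAMPLE_CLIENTS' prints two rules and reports the third address as invalid. Once the printed rules look right, run them one at a time, or pipe the function's output to sh; a non-zero return value means at least one address was rejected and the list should be corrected before applying anything.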
Binding Memcached to the Private Network Interface
Firstly, find the private network interface for the Memcached server using the following command:
$ ip -brief address show
Sample output
lo   UNKNOWN 127.0.0.1/8 ::1/128
eth0 UP      201.10.13.1/20 10.10.0.5/16 2001:DB8::1/64 fe80::7ced:9ff:fe52:4695/64
eth1 UP      192.168.5.95/16 fe80::2cec:92ff:fe21:8bc4/64
The IPv4 addresses on the eth0 line are the public IP addresses of the server.
On the eth1 line, 192.168.5.95 is the private IPv4 address and fe80::2cec:92ff:fe21:8bc4 is the private IPv6 address.
Once you figure out the system's private IP address, open and edit the /etc/memcached.conf file using a preferred editor. Run the below command to do so.
$ sudo nano /etc/memcached.conf
Now, find the line that looks as follows:
. . .
-l 127.0.0.1
. . .
Change 127.0.0.1 to the Memcached server's private IP address.
. . .
-l memcached_servers_private_IP
. . .
Save and close the config file and restart the memcached service as you've done in the previous examples.
$ sudo systemctl restart memcached
To verify if everything is set correctly, execute the below command:
$ sudo ss -plunt
Sample output
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
. . .
tcp   LISTEN 0      1024   192.168.5.95:11211 0.0.0.0:*         users:(("memcached",pid=8991,fd=27))
. . .
You'll notice that the Memcached server's private IP now appears in the 'Local Address:Port' column of the output. You can also test from the client system to confirm that the connection works.
Conclusion
Memcached is an open source caching system, widely used with PHP-based dynamic web applications, that reduces the load and traffic reaching the database server directly, so that there is almost no latency between a click and the data being retrieved.
In this article, we've explored two ways of securely installing Memcached on Ubuntu: from the default Ubuntu repositories and by downloading the source package directly from the website.
Additionally, here, we have explored how to configure Memcached with IPv4, IPv6, TCP, UDP and Unix Domain Sockets. We have also learnt to secure the Memcached server by enabling SASL authentication.
Finally, for security purposes, we've seen how to bind Memcached to a private network and configure firewall rules to limit access to it.