24 Jan 2019

Guide for letting memcached only listen on localhost

Are you concerned about security when running memcached on your server with Railgun? One solution is to make memcached listen only on localhost, i.e. the IP 127.0.0.1. Once that is done, remote access to the memcached instance on your server is no longer possible, which takes your system one step further toward being secure. It takes only a few steps.

Requirements

  • Root/Sudo Access to the Server

Procedure

  1. Log in to the server using root user or sudo user.
  2. Check the default port on which memcached is listening:
    cat /etc/sysconfig/memcached
    In our case, it is listening on port 11211.
  3. Check which interfaces memcached is listening on:
    netstat -utanp | grep memcache
    or check using port 11211 from the memcached config:
    netstat -an | grep ":11211"
    With the default config, it must be listening on all interfaces, accepting local as well as remote connections.
  4. Restrict memcached to listen on localhost only, i.e. the IP 127.0.0.1, by editing the memcached config located at /etc/sysconfig/memcached.
    Edit the config file, change the last line (the one with the OPTIONS variable) to the following, and save it:
    OPTIONS="-l 127.0.0.1"
  5. Restart memcached:
    service memcached restart
  6. Restart Railgun if you are using it:
    service railgun restart
  7. Now check again which interfaces memcached is listening on. You'll notice it only listens on localhost (127.0.0.1).
    netstat -utanp | grep memcache
    or check using port 11211 from the memcached config:
    netstat -an | grep ":11211"

With this, we have restricted memcached to listen on localhost.
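
The before-and-after check from steps 3 and 7, as an added example that is not part of the original guide: a shell function that reads netstat -an output and flags any socket on port 11211 bound to a non-loopback address. It goes a little beyond the plain grep by ignoring established connections and handling UDP and IPv6 rows; the function name and the sample netstat lines are constructed for illustration.

```shell
#!/bin/sh
# Added example. check_memcached_bind (hypothetical name) reads netstat -an
# output on stdin and prints each non-loopback address bound to PORT.
# Returns 0 if memcached is loopback-only, 1 if it is reachable remotely.
check_memcached_bind() {
    awk -v port="${1:-11211}" '
        # Bound/listening sockets have a foreign address ending in ":*";
        # this also covers UDP rows, which have no State column.
        $1 ~ /^(tcp|udp)/ && $5 ~ /:\*$/ {
            n = match($4, /:[0-9]+$/)        # last ":port", e.g. in :::11211
            if (n == 0) next
            addr = substr($4, 1, n - 1)
            if (substr($4, n + 1) != port) next
            # Loopback forms: 127.0.0.0/8, ::1, IPv4-mapped ::ffff:127.x
            if (addr ~ /^127\./ || addr == "::1" || addr ~ /^::ffff:127\./) next
            print $1, addr
            exposed = 1
        }
        END { exit exposed ? 1 : 0 }
    '
}

# Constructed sample: default config, listening on all interfaces.
SAMPLE_DEFAULT='Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:11211           0.0.0.0:*               LISTEN
tcp6       0      0 :::11211                :::*                    LISTEN
udp        0      0 0.0.0.0:11211           0.0.0.0:*
tcp        0      0 127.0.0.1:11211         127.0.0.1:40112         ESTABLISHED'

# Constructed sample: after OPTIONS="-l 127.0.0.1" and a restart.
SAMPLE_RESTRICTED='Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 127.0.0.1:11211         0.0.0.0:*               LISTEN
udp        0      0 127.0.0.1:11211         0.0.0.0:*
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN'

for sample in "$SAMPLE_DEFAULT" "$SAMPLE_RESTRICTED"; do
    if printf '%s\n' "$sample" | check_memcached_bind 11211; then
        echo "OK: port 11211 is bound to loopback only"
    else
        echo "EXPOSED: port 11211 is bound to the addresses listed above"
    fi
done
```

On a live server, pipe the real output into the function: netstat -an | check_memcached_bind 11211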