Handy bit of Information: Memcached Exposure

Joined: 06/01/2012
Points: 26

Recently I noticed a few extra failed connections in my router logs. It seems I had made a misstep when configuring Kaltura, and it could be a potential security risk for the system.

The mistake I made was exposing memcached to the outside world, rather than keeping it internally bound.

Different OSes may vary; I'm going to cover some Linux commons though:

NOTICE:

This was performed on CentOS 5.7 and KalturaCE 5. There may be differences if you are running a different version of Kaltura or a different OS. This is not a step-by-step tutorial, but rather a general information how-to document.

Once your memcached is installed, you'll need to configure it. The default port for memcached is 11211; this can be changed, and I would advise people to do so. This is a small step for security by obfuscation.

Secondly, you'll need to make sure your memcached is bound locally, or only on internal IP addresses. This will keep memcached from glomming onto the nearest external IP by accident. There are several methods of doing this; the fastest is with the command:

memcached -d -u nobody -m 1024 -l 127.0.0.1 -p 11211

In this instance, I used the internal loopback IP for localhost, 127.0.0.1. I also left the port as default for demonstration purposes.

Next, you'll want to make sure you're bound to an internal IP in the sysconfig file as well, if your distro uses such a thing (CentOS does).

easymode:

nano /etc/sysconfig/memcached

add or edit the following line:

OPTIONS="-l 127.0.0.1"

And finally, we'll need to make sure Kaltura doesn't try to access memcached on an external server IP via DNS resolution, so we'll edit the memcached settings in kConfLocal.php:

nano /opt/kaltura/app/alpha/config/kConfLocal.php

edit the following two lines to reflect your IP address, and memcached port:

    "memcache_host" => "127.0.0.1",
    "memcache_port" => "11211",
    ... ... ... ... ...
    "global_memcache_host" => "127.0.0.1",
    "global_memcache_port" => "11211",

Once again, I've used the internal localhost loopback IP and the default memcached port.

(You may be able to substitute 127.0.0.1 with the word "localhost".)

I hope you find this information useful, and helpful. Thanks for reading, and may you have many happy Kaltura adventures!

:)
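
A check for the outcome of the steps in the post above, added here as an example and not part of the original post: it reads listening-socket output and reports any memcached listener that is not on a loopback address, and reads the `-l` address back out of a sysconfig `OPTIONS=` line. The function names `exposed_listeners` and `options_bind_addr` are hypothetical, and the sample netstat output is constructed.

```shell
#!/bin/sh
# Added example, not from the original post. Sample data is constructed.

# Reads `netstat -tuln` or `ss -tuln` output on stdin. For a listening
# socket the local address is the first field ending in ":<digits>".
# Prints each local address on port $1 that is not loopback and returns 1
# if any was found, 0 otherwise.
exposed_listeners() {
    awk -v port="$1" '
        {
            addr = ""
            for (i = 1; i <= NF; i++)
                if ($i ~ /:[0-9]+$/) { addr = $i; break }
            if (addr == "") next
            n = match(addr, /:[0-9]+$/)          # start of the ":port" suffix
            if (substr(addr, n + 1) != port) next
            host = substr(addr, 1, n - 1)
            gsub(/^\[|\]$/, "", host)            # ss prints IPv6 as [::1]
            if (host ~ /^127\./ || host == "::1") next
            print addr
            bad = 1
        }
        END { exit bad + 0 }'
}

# Reads a sysconfig-style file on stdin and prints the address passed to -l
# in its OPTIONS= line. Prints nothing when -l is absent, in which case
# memcached listens on every interface.
options_bind_addr() {
    sed -n 's/^OPTIONS=//p' | tr -d "\"'" | awk '
        { for (i = 1; i < NF; i++) if ($i == "-l") { print $(i + 1); exit } }'
}

# Constructed sample: memcached on every interface, MySQL on loopback.
SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address      Foreign Address    State
tcp        0      0 0.0.0.0:11211      0.0.0.0:*          LISTEN
tcp        0      0 127.0.0.1:3306     0.0.0.0:*          LISTEN'

if printf '%s\n' "$SAMPLE_NETSTAT" | exposed_listeners 11211; then
    echo "port 11211: loopback only"
else
    echo "port 11211: listening on the addresses above, not only loopback"
fi
echo "configured -l address: $(echo 'OPTIONS="-l 127.0.0.1"' | options_bind_addr)"
# On a real host: netstat -tuln | exposed_listeners 11211
#                 options_bind_addr < /etc/sysconfig/memcached
```

Run the listener check after restarting memcached, since the sysconfig file only takes effect when the service starts.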

Joined: 11/02/2010
Points: 4

Nice post, really liked that. Can you please specify the risks of keeping your memcache open to outside machines?

And what about multiple-server installations? Will I need to reach any other memcache on another machine? Or should I set the global memcache to be the server itself for each server?