B.4 Securing Memcached

Memcached was not designed with authentication in mind: out of the box it accepts any connection that reaches its port, so it is protected only by firewalls and similar network controls. Anyone who can open a TCP connection to the memcached port can read and overwrite every cached entry.

Viable options include the following:

  • Set up an SSL/TLS tunnel (for example, with stunnel) between memcached and the Tomcat instances, so that only endpoints holding the tunnel’s certificate can reach the cache.

  • Use SASL for authentication, if your memcached build and client support it.

  • Use the Lucene server’s firewall to allow access to memcached only from the Vibe servers that run Vibe Tomcat.

    For example:

    1. At the terminal prompt on the Lucene server, run the following command for each Vibe server that needs access:

      iptables -A INPUT -s ip_of_allowed_server -p tcp --dport 11211 -j ACCEPT

      Where ip_of_allowed_server is the IP address of one of the Vibe servers needing access.

      For example:

      iptables -A INPUT -s 192.168.1.61 -p tcp --dport 11211 -j ACCEPT

    2. Repeat Step 1 until all of the Vibe servers that need access are allowed to communicate through the Lucene server’s firewall.

    3. Run the following command to block access by all other servers:

      iptables -A INPUT -s 0.0.0.0/0 -p tcp --dport 11211 -j DROP

      The source 0.0.0.0/0 matches every address, so this rule is equivalent to one with no -s at all. Because -A appends to the end of the INPUT chain, the DROP rule must be added after the ACCEPT rules; run in the other order it blocks the Vibe servers as well. The rules also have no effect if an earlier rule in the INPUT chain already accepts the traffic, so after adding them list the chain and confirm that the DROP for port 11211 comes after the ACCEPT rules and that nothing before them accepts port 11211 more broadly.

      Rules added with iptables are lost at reboot unless you save them (for example with iptables-save or your distribution’s firewall persistence mechanism). If memcached is also listening on UDP port 11211 (older memcached versions enable UDP by default), either repeat the rules with -p udp or disable UDP when starting memcached (the -U 0 option).
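The following script is an added example and is not part of the Vibe documentation. It generates the rules of the procedure above for a list of Vibe servers in the correct order, and audits the output of iptables -S INPUT for the mistakes the manual steps invite (an ACCEPT from an unexpected or unrestricted source, an ACCEPT appended after the DROP, or no DROP at all). The function names and the two sample chains are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the Vibe documentation): generate the iptables rules
# that restrict memcached (TCP 11211) to the Vibe servers, and audit the live
# INPUT chain for the mistakes the manual procedure invites. Function names and
# the sample chains below are assumptions made for this example.

MEMCACHED_PORT=11211

# A typo in an address silently widens or narrows the firewall, so accept only
# dotted-quad IPv4 addresses, optionally with a /prefix.
valid_ipv4() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$'
}

# Print one ACCEPT per allowed server, then the catch-all DROP. -A appends, so
# the order the rules are printed is the order they will match: the DROP must
# come last or it hides every ACCEPT appended after it.
memcached_rules() {
    for ip in "$@"; do
        valid_ipv4 "$ip" || { printf 'invalid address: %s\n' "$ip" >&2; return 1; }
        printf 'iptables -A INPUT -s %s -p tcp --dport %s -j ACCEPT\n' "$ip" "$MEMCACHED_PORT"
    done
    # A rule with no -s already matches every source (the same as -s 0.0.0.0/0).
    printf 'iptables -A INPUT -p tcp --dport %s -j DROP\n' "$MEMCACHED_PORT"
}

# Audit `iptables -S INPUT` output read from stdin against a space-separated
# allow list in $1. Returns 1 if a port-11211 ACCEPT comes from a source outside
# the list (or from any source), if an ACCEPT appears after the DROP (a dead
# rule, meaning the steps ran in the wrong order), or if the DROP is missing.
# Only port-11211 rules are inspected; a broader earlier ACCEPT is not detected.
audit_memcached_rules() {
    allowed=" $1 "
    seen_drop=0
    status=0
    while IFS= read -r line; do
        case "$line" in
            *"--dport $MEMCACHED_PORT "*) ;;
            *) continue ;;
        esac
        case "$line" in
            *"-j DROP"*) seen_drop=1 ;;
            *"-j ACCEPT"*)
                # iptables -S prints a single host as 192.168.1.61/32; normalise it.
                src=$(printf '%s\n' "$line" | sed -n 's/.*-s \([^ ]*\).*/\1/p' | sed 's|/32$||')
                if [ -z "$src" ]; then
                    printf 'AUDIT: ACCEPT from any source: %s\n' "$line" >&2; status=1
                elif [ "$seen_drop" -eq 1 ]; then
                    printf 'AUDIT: ACCEPT after DROP never matches: %s\n' "$line" >&2; status=1
                else
                    case "$allowed" in
                        *" $src "*) ;;
                        *) printf 'AUDIT: unexpected source %s\n' "$src" >&2; status=1 ;;
                    esac
                fi
                ;;
        esac
    done
    [ "$seen_drop" -eq 1 ] || { printf 'AUDIT: no DROP for port %s\n' "$MEMCACHED_PORT" >&2; status=1; }
    return "$status"
}

# Constructed sample of `iptables -S INPUT` after the documented steps ran in order.
SAMPLE_CHAIN='-P INPUT ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 192.168.1.61/32 -p tcp -m tcp --dport 11211 -j ACCEPT
-A INPUT -s 192.168.1.62/32 -p tcp -m tcp --dport 11211 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 11211 -j DROP'

# Constructed sample where the DROP was added before the second server was allowed.
BAD_CHAIN='-A INPUT -s 192.168.1.61/32 -p tcp -m tcp --dport 11211 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 11211 -j DROP
-A INPUT -s 192.168.1.62/32 -p tcp -m tcp --dport 11211 -j ACCEPT'

# Usage on the Lucene server (as root):
#   memcached_rules 192.168.1.61 192.168.1.62 | sh
#   iptables -S INPUT | audit_memcached_rules "192.168.1.61 192.168.1.62"
```

Apply the generated rules by piping them to sh, then run the audit against the live chain; re-run the audit after a reboot to confirm the rules were persisted. The audit reads the -S form rather than -L because -S prints each rule as the exact arguments that created it, which is easier to match against the allow list.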