Memcached Hardening for DevSecOps
Table of contents
- Disable UDP listener
- Enable SASL authentication
- Limit incoming traffic to known IP addresses
- Limit maximum memory usage
- Run as non-root user
- Enable logging
- Upgrade to the latest version
- Disable unused flags
A list of best practices for hardening Memcached in a DevSecOps setup. The commands below edit the RHEL/CentOS sysconfig file, where memcached reads its daemon flags from the `OPTIONS="..."` line and its service user and cache size from `USER=` and `CACHESIZE=`.
Disable UDP listener
```bash
# -U 0 disables the UDP listener (the amplification vector); append it to the OPTIONS line
sed -i 's/^OPTIONS="\(.*\)"/OPTIONS="\1 -U 0"/' /etc/sysconfig/memcached
```
Enable SASL authentication
```bash
# Needs a memcached build with SASL support plus the Cyrus SASL PLAIN plugin
yum install cyrus-sasl-plain
# -S turns on SASL authentication
sed -i 's/^OPTIONS="\(.*\)"/OPTIONS="\1 -S"/' /etc/sysconfig/memcached
# Create the user in a dedicated sasldb (saslpasswd2 writes the sasldb format; htpasswd does not)
saslpasswd2 -a memcached -c -f /etc/sasl2/memcached-sasldb username
chmod 600 /etc/sasl2/memcached-sasldb && chown memcached:memcached /etc/sasl2/memcached-sasldb
# Point the SASL library at the database and restrict the mechanism list
printf 'mech_list: plain\nsasldb_path: /etc/sasl2/memcached-sasldb\n' > /etc/sasl2/memcached.conf
```
Limit incoming traffic to known IP addresses
```bash
# Accept the known client, then drop everything else aimed at the memcached port
iptables -A INPUT -p tcp --dport 11211 -s 192.168.1.100 -j ACCEPT
iptables -A INPUT -p tcp --dport 11211 -j DROP
```
Limit maximum memory usage
```bash
# CACHESIZE is in megabytes; edit the existing line instead of overwriting the whole file
sed -i 's/^CACHESIZE=.*/CACHESIZE="128"/' /etc/sysconfig/memcached
```
Run as non-root user
```bash
# The service unit passes USER= to memcached as -u
sed -i 's/^USER=.*/USER="memcached"/' /etc/sysconfig/memcached
```
Enable logging
```bash
# memcached logs to stderr; -v raises verbosity
sed -i 's/^OPTIONS="\(.*\)"/OPTIONS="\1 -v"/' /etc/sysconfig/memcached
mkdir -p /var/log/memcached
touch /var/log/memcached/memcached.log
chown memcached:memcached /var/log/memcached/memcached.log
# The stock unit sends output to the journal; a drop-in redirects it to the file (systemd >= 240)
mkdir -p /etc/systemd/system/memcached.service.d
printf '[Service]\nStandardOutput=append:/var/log/memcached/memcached.log\nStandardError=inherit\n' > /etc/systemd/system/memcached.service.d/logging.conf
systemctl daemon-reload && systemctl restart memcached
```
Upgrade to the latest version
```bash
yum update memcached
systemctl restart memcached
```
Disable unused flags
```bash
# Remove flags the deployment does not need: -I (max item size) and -a (unix socket permissions)
sed -i 's/ \{0,1\}-I 1m//; s/ \{0,1\}-a 0765//' /etc/sysconfig/memcached
```
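An added example, not part of the original list: a POSIX sh helper that audits a sysconfig-style memcached file against the items above (UDP off, SASL on, non-root user, capped cache size). The function names and the two sample configs are constructed for the demonstration.

```shell
#!/bin/sh
# Hypothetical audit helper for /etc/sysconfig/memcached-style files (added example).
# Checks the hardening items from this page and returns the number of failed checks.

# opt_present FILE FLAG: true if FLAG appears as a whole token inside the OPTIONS="..." line
opt_present() {
    grep -E '^OPTIONS=' "$1" | grep -qE "(^|[ \"])$2([ \"]|\$)"
}

# audit_memcached_config FILE: prints one PASS/FAIL line per check; exit status = failure count
audit_memcached_config() {
    f="$1"; fails=0
    if opt_present "$f" '-U 0'; then echo "PASS udp-listener-disabled"
    else echo "FAIL udp-listener-disabled: add -U 0 to OPTIONS"; fails=$((fails + 1)); fi
    if opt_present "$f" '-S'; then echo "PASS sasl-enabled"
    else echo "FAIL sasl-enabled: add -S to OPTIONS"; fails=$((fails + 1)); fi
    if grep -qE '^USER="?memcached"?$' "$f"; then echo "PASS runs-as-memcached"
    else echo "FAIL runs-as-memcached: set USER=\"memcached\""; fails=$((fails + 1)); fi
    # CACHESIZE is in megabytes; the page's example caps it at 128
    size=$(sed -n 's/^CACHESIZE="\{0,1\}\([0-9]*\)"\{0,1\}$/\1/p' "$f")
    if [ -n "$size" ] && [ "$size" -le 128 ]; then echo "PASS cachesize-capped ($size MB)"
    else echo "FAIL cachesize-capped: CACHESIZE missing or above 128"; fails=$((fails + 1)); fi
    return "$fails"
}

# Constructed sample configs: a default-looking weak one and a hardened one
SAMPLE_DIR=$(mktemp -d)
WEAK_CFG="$SAMPLE_DIR/weak"; HARD_CFG="$SAMPLE_DIR/hardened"
printf 'PORT="11211"\nUSER="root"\nMAXCONN="1024"\nCACHESIZE="1024"\nOPTIONS=""\n' > "$WEAK_CFG"
printf 'PORT="11211"\nUSER="memcached"\nMAXCONN="1024"\nCACHESIZE="128"\nOPTIONS="-U 0 -S -v"\n' > "$HARD_CFG"

audit_memcached_config "$WEAK_CFG" || echo "weak config: $? check(s) failed"
audit_memcached_config "$HARD_CFG" && echo "hardened config: all checks passed"
```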
