I wrote a blog post on memcached security since people keep talking
about it:
http://dustin.github.com/2010/08/08/memcached-security.html
Please either argue with me about it (it's approaching 4, so that's
probably not my best writing), or make people look at it. Maybe
both. If you have more, we'll link to more.
Basically, it comes down to this:
1) Don't run public services you don't intend to.
2) Don't run memcached as root (I can't imagine why someone would
do this, but I mention it whenever I can).
Amazon sent out an email to many of their users pointing out the
misconfigurations (see below). They referred to a "vulnerability."
I don't particularly like that word, but if it'll make people think
about it, sure. The vulnerability here is that a service that you
have no business (or in most cases, even desire to be) running
publicly has "features" you didn't know about that let people do
more than just slow your site down.
-------
We've sent you this email to let you know that we have observed that
you may be running memcached in an insecure configuration.
Specifically, we have noticed that you have at least one security
group that allows the whole internet to have access to the port most
commonly used by memcached (11211).
There has been a lot of recent attention by the security community
about the lack of access controls on memcached and recently some
exploits have been published. This has highlighted the importance of
running with strict access controls. While we are not aware of any
unauthorized access to your Amazon EC2 instances, we do believe you
should have your technical team look at this immediately.
We suggest that you audit your security group settings and restrict
access to only the instances and IP addresses that need access. Most
users only authorize other Amazon EC2 instances to access their
memcached server. If you need to access your memcached server from
outside of Amazon EC2, you can also authorize just trusted addresses
to access your security group.
If you need additional assistance, you can reach our Premium Support
team by sending email to [email protected].
-------
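The two recommendations above (Amazon's: restrict security-group access to port 11211; the post's: don't expose memcached publicly and don't run it as root) turned into concrete audit checks. This is an added example, not code from the original post, from the memcached project, or from Amazon. It assumes the security-group JSON follows the layout `aws ec2 describe-security-groups` emits (SecurityGroups[].IpPermissions[] with IpProtocol, FromPort, ToPort, IpRanges[].CidrIp, Ipv6Ranges[].CidrIpv6, UserIdGroupPairs), and that memcached's -l (listen address) and -u (run-as user) options behave as in its help text; all sample data is constructed.

```python
#!/usr/bin/env python3
"""Audit checks for memcached exposure: world-open security-group rules on
port 11211, and a memcached command line that listens everywhere or runs
as root.  Added example; sample data below is constructed."""
import ipaddress
import json
import shlex

MEMCACHED_PORT = 11211

# Constructed sample resembling `aws ec2 describe-security-groups --output json`.
SAMPLE_SG_JSON = json.dumps({
    "SecurityGroups": [
        {"GroupId": "sg-aaaa1111", "GroupName": "cache-public-bad",
         "IpPermissions": [
             {"IpProtocol": "tcp", "FromPort": 11211, "ToPort": 11211,
              "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [],
              "UserIdGroupPairs": []}]},
        {"GroupId": "sg-bbbb2222", "GroupName": "cache-internal-ok",
         "IpPermissions": [
             {"IpProtocol": "tcp", "FromPort": 11211, "ToPort": 11211,
              "IpRanges": [], "Ipv6Ranges": [],
              # only members of another group (e.g. the web tier) may connect
              "UserIdGroupPairs": [{"GroupId": "sg-cccc3333"}]}]},
        {"GroupId": "sg-dddd4444", "GroupName": "all-traffic-bad",
         "IpPermissions": [
             {"IpProtocol": "-1",  # "all traffic": no FromPort/ToPort present
              "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
              "Ipv6Ranges": [{"CidrIpv6": "::/0"}], "UserIdGroupPairs": []}]},
        {"GroupId": "sg-eeee5555", "GroupName": "web-ok",
         "IpPermissions": [
             {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
              "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [],
              "UserIdGroupPairs": []}]},
    ]
})


def is_world_cidr(cidr):
    """True for 0.0.0.0/0 and ::/0: a /0 prefix matches every address."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def rule_covers_port(rule, port):
    """Does this IpPermissions entry admit TCP or UDP traffic to `port`?"""
    proto = rule.get("IpProtocol")
    if proto == "-1":            # all-traffic rules carry no port range
        return True
    if proto not in ("tcp", "udp"):
        return False
    return rule.get("FromPort", 0) <= port <= rule.get("ToPort", 65535)


def world_open_memcached(describe_json, port=MEMCACHED_PORT):
    """Return (group_id, protocol, cidr) for every rule that lets the whole
    internet reach `port`.  Rules scoped to other security groups
    (UserIdGroupPairs), the setup Amazon's mail recommends, are not flagged."""
    findings = []
    for group in json.loads(describe_json)["SecurityGroups"]:
        for rule in group.get("IpPermissions", []):
            if not rule_covers_port(rule, port):
                continue
            cidrs = [r["CidrIp"] for r in rule.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
            for cidr in cidrs:
                if is_world_cidr(cidr):
                    findings.append((group["GroupId"], rule["IpProtocol"], cidr))
    return findings


def memcached_cmdline_issues(cmdline):
    """Flag the post's two host-side mistakes in a memcached command line:
    listening on every interface (no -l, or -l 0.0.0.0 / ::) and running
    as root (an explicit -u root)."""
    args = shlex.split(cmdline)
    opts = {}
    for i, a in enumerate(args):
        if a in ("-l", "-u") and i + 1 < len(args):
            opts[a] = args[i + 1]
    issues = []
    listen = opts.get("-l")
    if listen is None or listen.split(":")[0] in ("0.0.0.0", "::", ""):
        issues.append("listens on all interfaces; bind a private address with -l")
    if opts.get("-u") == "root":
        issues.append("runs as root; pass -u <unprivileged user>")
    return issues


if __name__ == "__main__":
    for gid, proto, cidr in world_open_memcached(SAMPLE_SG_JSON):
        print(f"{gid}: {proto} from {cidr} reaches port {MEMCACHED_PORT}")
    for cmd in ("memcached -d -m 64 -u root",
                "memcached -d -m 64 -l 10.0.1.5 -u memcache"):
        print(cmd, "->", memcached_cmdline_issues(cmd) or ["ok"])
```

Feed it the real `describe-security-groups` output to get the list of groups Amazon's mail is talking about; anything restricted to other security groups or specific CIDRs is left alone, since "trusted addresses" is a judgement call the script cannot make for you.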