Replied ;-)

//Logan
C-x-C-c
On Sun, Aug 8, 2010 at 2:24 PM, Dustin <[email protected]> wrote:
>
> I wrote a blog post on memcached security since people keep talking
> about it:
>
> http://dustin.github.com/2010/08/08/memcached-security.html
>
> Please either argue with me about it (it's approaching 4, so that's
> probably not my best writing), or make people look at it. Maybe
> both. If you have more, we'll link to more.
>
> Basically, it comes down to this:
>
> 1) Don't run public services you don't intend to.
> 2) Don't run memcached as root (I can't imagine why someone would
> do this, but I mention it whenever I can).
>
> Amazon sent out an email to many of their users pointing out the
> misconfigurations (see below). They referred to a ``vulnerability.''
> I don't particularly like that word, but if it'll make people think
> about it, sure. The vulnerability here is that a service that you
> have no business (or in most cases, even desire to be) running
> publicly has ``features'' you didn't know about that let people do
> more than just slow your site down.
>
> -------
> We've sent you this email to let you know that we have observed that
> you may be running memcached in an insecure configuration.
> Specifically, we have noticed that you have at least one security
> group that allows the whole internet to have access to the port most
> commonly used by memcached (11211).
>
> There has been a lot of recent attention by the security community
> about the lack of access controls on memcached and recently some
> exploits have been published. This has highlighted the importance of
> running with strict access controls. While we are not aware of any
> unauthorized access to your Amazon EC2 instances, we do believe you
> should have your technical team look at this immediately.
>
> We suggest that you audit your security group settings and restrict
> access to only the instances and IP addresses that need access. Most
> users only authorize other Amazon EC2 instances to access their
> memcached server. If you need to access your memcached server from
> outside of Amazon EC2, you can also authorize just trusted addresses
> to access your security group.
>
> If you need additional assistance, you can reach our Premium Support
> team by sending email to [email protected].
> -------

--
`` Real men run current !''
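The security group audit suggested in the quoted Amazon e-mail, as an added example that is not part of the original thread. It assumes the rules are available as JSON in the shape returned by `aws ec2 describe-security-groups`; the group IDs and rules in `SAMPLE` are constructed, and it also catches port ranges and all-protocol rules that include 11211.

```python
import ipaddress

MEMCACHED_PORT = 11211  # port named in the e-mail above
# Constructed sample in the shape of `aws ec2 describe-security-groups` output.
SAMPLE = {"SecurityGroups": [
    {"GroupId": "sg-example-web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 11211, "ToPort": 11211,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-example-range", "IpPermissions": [
        {"IpProtocol": "udp", "FromPort": 11000, "ToPort": 12000,
         "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
    {"GroupId": "sg-example-all", "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-example-ok", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 11211, "ToPort": 11211,
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}]}]},
]}

def covers_port(rule, port=MEMCACHED_PORT):
    """True if the rule's protocol and port range include the memcached port."""
    proto = rule.get("IpProtocol")
    if proto == "-1":  # all protocols, all ports (no FromPort/ToPort present)
        return True
    if proto not in ("tcp", "udp"):
        return False
    return rule.get("FromPort", 0) <= port <= rule.get("ToPort", 65535)

def is_world(cidr):
    """True for 0.0.0.0/0 or ::/0 (prefix length 0 means every address)."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0

def exposed_groups(description, port=MEMCACHED_PORT):
    """Return sorted (group_id, protocol, cidr) for world-open rules covering port."""
    findings = set()
    for group in description.get("SecurityGroups", []):
        for rule in group.get("IpPermissions", []):
            if covers_port(rule, port):
                cidrs = [r["CidrIp"] for r in rule.get("IpRanges", [])]
                cidrs += [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
                for cidr in cidrs:
                    if is_world(cidr):
                        findings.add((group["GroupId"], rule["IpProtocol"], cidr))
    return sorted(findings)

if __name__ == "__main__":
    for gid, proto, cidr in exposed_groups(SAMPLE):
        print(f"{gid}: {proto} rule covering {MEMCACHED_PORT} is open to {cidr}")
```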
