Hello group, I've been looking at ways to secure access to memcached as it is a key requirement of our target deployment architecture. I've followed the suggestions in David Block's blog at:

http://blog.codesherpas.com/on_the_path/2010/08/securing-memcache-in-2-minutes.html

However, we really need a mechanism to secure access to memcached for authorised users, locking out unauthorised users that exist on the same machine as memcached. While the SASL authentication meets the security requirement, we believe it would cause a significant degradation in performance (although I haven't load tested a SASL-enabled memcached and cannot quantify the loss in performance). Furthermore, not all clients support SASL authentication; most notably the nginx modules don't support it, and that really torpedoes the SASL option.

Instead we are considering the use of iptables with the owner module to enable filtering of packets based on UID. For example, the following iptables command rejects any packets bound for the memcached daemon which have not been created by the memclient user:

    iptables -A OUTPUT -p tcp --dport 11111 -d 127.0.0.1 -m owner ! --uid-owner memclient -j REJECT

This approach is simple to implement and provides the minimum level of security we need. Another approach is to use UNIX domain sockets instead of TCP and secure the domain socket; however, this method also suffers from a lack of client support.
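
The UID-filtering approach above, as an added example that is not part of the original post or of the blog it links: a small sh script that generates the iptables rules, checks them and installs them. It assumes memcached bound to 127.0.0.1:11211 (memcached's default port; the post uses 11111) over both TCP and UDP, and a client account named memclient; those names and the script's function names are mine. Two caveats a practitioner would want here: the owner match reads the UID off the socket that generated the packet, so the kernel only offers it in the OUTPUT and POSTROUTING chains, and a rule that uses "-m owner" in INPUT is refused at load time; and for the same reason it never sees traffic from other hosts, so remote access still has to be closed off separately (bind memcached to loopback, and drop the port on non-loopback interfaces), and memcached's UDP listener needs the same treatment as TCP.

```shell
#!/bin/sh
# Added example, not code from the post: build an iptables ruleset that lets
# only one local account reach a loopback-bound memcached, and check each
# rule before loading it.
#
# Assumptions (mine, not the post's): memcached listens on 127.0.0.1:11211
# over TCP and UDP, authorised client processes run as the user "memclient",
# and the host's iptables has the xt_owner match available.

MEMCACHED_ADDR="${MEMCACHED_ADDR:-127.0.0.1}"
MEMCACHED_PORT="${MEMCACHED_PORT:-11211}"
CLIENT_USER="${CLIENT_USER:-memclient}"

# The owner match needs the socket that generated the packet, so the kernel
# only offers it on the LOCAL_OUT and POST_ROUTING hooks; a rule using
# "-m owner" in the INPUT chain is refused at load time.
# Returns 0 if the rule either has no owner match or puts it in a valid chain.
owner_rule_is_valid() {
    rule="$1"
    case "$rule" in
        *"-m owner"*)
            case "$rule" in
                *"-A OUTPUT "*|*"-I OUTPUT "*|*"-A POSTROUTING "*|*"-I POSTROUTING "*)
                    return 0 ;;
                *)
                    return 1 ;;
            esac ;;
        *)
            return 0 ;;
    esac
}

# Read rules on stdin, one per line; return non-zero if any is invalid.
validate_rules() {
    status=0
    while IFS= read -r rule; do
        owner_rule_is_valid "$rule" || { echo "invalid owner rule: $rule" >&2; status=1; }
    done
    return "$status"
}

# Emit the ruleset one command per line without running anything.
memcached_owner_rules() {
    for proto in tcp udp; do
        # Local traffic: ACCEPT the client account, then REJECT everyone else
        # on this host (root included) who talks to the cache. Two positive
        # rules read top-down and avoid relying on how a negated owner match
        # treats packets that have no owning socket.
        printf 'iptables -A OUTPUT -o lo -p %s -d %s --dport %s -m owner --uid-owner %s -j ACCEPT\n' \
            "$proto" "$MEMCACHED_ADDR" "$MEMCACHED_PORT" "$CLIENT_USER"
        printf 'iptables -A OUTPUT -o lo -p %s -d %s --dport %s -j REJECT\n' \
            "$proto" "$MEMCACHED_ADDR" "$MEMCACHED_PORT"
        # Packets from other hosts never traverse OUTPUT here, so the owner
        # match cannot see them: drop the port on every interface but loopback.
        printf 'iptables -A INPUT ! -i lo -p %s --dport %s -j DROP\n' \
            "$proto" "$MEMCACHED_PORT"
    done
}

# Validate every rule, then install the set (needs root).
apply_memcached_owner_rules() {
    memcached_owner_rules | validate_rules || return 1
    memcached_owner_rules | sh -e
}

# With no arguments print the rules for review; "--apply" installs them.
if [ "${1:-}" = "--apply" ]; then
    apply_memcached_owner_rules
else
    memcached_owner_rules
fi
```

Run it once without arguments to review the six rules, then with --apply as root. REJECT rather than DROP in OUTPUT gives an unauthorised local process an immediate connection error instead of a hang, which makes the restriction easy to verify from a shell as a non-memclient user. The script does not make the rules persistent across reboots; that is left to the distribution's iptables-save mechanism.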
