Monday, February 26, 2018

memcached: default to loopback

memcached installations are currently being actively used as DoS amplifiers.
Can we change the default to listen on loopback only?

Index: Makefile
===================================================================
RCS file: /cvs/ports/misc/memcached/Makefile,v
retrieving revision 1.41
diff -u -p -r1.41 Makefile
--- Makefile 11 Jan 2018 19:27:04 -0000 1.41
+++ Makefile 26 Feb 2018 17:14:47 -0000
@@ -4,7 +4,7 @@ COMMENT= distributed memory object cachi

DISTNAME= memcached-1.5.3
CATEGORIES= misc
-REVISION= 0
+REVISION= 1

HOMEPAGE= https://www.memcached.org/

Index: pkg/README
===================================================================
RCS file: /cvs/ports/misc/memcached/pkg/README,v
retrieving revision 1.2
diff -u -p -r1.2 README
--- pkg/README 17 Jul 2017 08:35:08 -0000 1.2
+++ pkg/README 26 Feb 2018 17:14:47 -0000
@@ -4,13 +4,20 @@ $OpenBSD: README,v 1.2 2017/07/17 08:35:
| Running ${FULLPKGNAME} on OpenBSD
+-----------------------------------------------------------------------

-Memcached relies on SASL as authentication mechanisms, if you could not
-use it, it should be firewalled accordingly. You may wish
-to add a rule such as the following to /etc/pf.conf:
+From the upstream documentation, "Memcached does not spend much, if any,
+effort in ensuring its defensibility from random internet connections.
+So you must not expose memcached directly to the internet, or otherwise
+any untrusted users. Using SASL authentication here helps, but should
+not be totally trusted."

- block on $ext_if proto tcp to ($ext_if) port 11211
+The default setting in this package is now to listen on localhost only.
+
+To change to listening on all IP addresses (upstream's default), assuming
+you have already firewalled appropriately:
+
+# rcctl set memcached flags '-u _memcached'

An alternative is to listen on a unix socket in /var/run/memcached/sock,
granting write permissions to users in group _memcached.

-#rcctl set memcached flags '-u _memcached -s /var/run/memcached/sock -a 0660'
+# rcctl set memcached flags '-u _memcached -s /var/run/memcached/sock -a 0660'
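Review bot: the new instruction "# rcctl set memcached flags '-u _memcached'" reopens memcached to all addresses only because `rcctl set ... flags` replaces the whole daemon_flags string and so silently drops the `-l 127.0.0.1` that memcached.rc now carries; the README should say that explicitly so a reader does not think `-u _memcached` alone is what changes the listener. The deleted pf example (`block on $ext_if proto tcp to ($ext_if) port 11211`) is replaced by "assuming you have already firewalled appropriately" with no concrete rule; keeping an example is worth it, and a replacement should cover UDP as well as TCP, since the old rule matched `proto tcp` only while the daemon also listens on UDP 11211 by default in this version, which is the amplification vector the commit message refers to.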
Index: pkg/memcached.rc
===================================================================
RCS file: /cvs/ports/misc/memcached/pkg/memcached.rc,v
retrieving revision 1.4
diff -u -p -r1.4 memcached.rc
--- pkg/memcached.rc 11 Jan 2018 19:27:04 -0000 1.4
+++ pkg/memcached.rc 26 Feb 2018 17:14:47 -0000
@@ -3,7 +3,7 @@
# $OpenBSD: memcached.rc,v 1.4 2018/01/11 19:27:04 rpe Exp $

daemon="${TRUEPREFIX}/bin/memcached -d"
-daemon_flags="-u _memcached"
+daemon_flags="-u _memcached -l 127.0.0.1"

. /etc/rc.d/rc.subr
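Review bot: `-l 127.0.0.1` in the new daemon_flags binds the IPv4 loopback only, so a local client that resolves `localhost` to `::1` first will not reach the daemon; if IPv6 loopback should also work out of the box, memcached's `-l` accepts a comma-separated list, i.e. `-l 127.0.0.1,::1`. Because the README in the same diff tells users to drop this flag to restore upstream's listen-everywhere behaviour, a one-line comment above `daemon_flags` noting that `-l` is what makes the package safe by default would help whoever edits the rc script later.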
