Monday, February 26, 2018

Re: memcached: default to loopback

Hi,

On Mon, Feb 26, 2018 at 05:15:24PM +0000, Stuart Henderson wrote:
> memcached installations are currently being actively used as DoS amplifiers.
> Can we change the default to listen on loopback only?

I like it. If committed, it probably should also get a remark in
current.html.

Ciao,
Kili


> Index: Makefile
> ===================================================================
> RCS file: /cvs/ports/misc/memcached/Makefile,v
> retrieving revision 1.41
> diff -u -p -r1.41 Makefile
> --- Makefile 11 Jan 2018 19:27:04 -0000 1.41
> +++ Makefile 26 Feb 2018 17:14:47 -0000
> @@ -4,7 +4,7 @@ COMMENT= distributed memory object cachi
>
> DISTNAME= memcached-1.5.3
> CATEGORIES= misc
> -REVISION= 0
> +REVISION= 1
>
> HOMEPAGE= https://www.memcached.org/
>
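Review bot: the REVISION bump is needed here, since pkg/README and pkg/memcached.rc are both packaged files and the shipped default changes; without it, systems already running memcached-1.5.3 would not see a new package to update to and would keep the listen-everywhere default.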
> Index: pkg/README
> ===================================================================
> RCS file: /cvs/ports/misc/memcached/pkg/README,v
> retrieving revision 1.2
> diff -u -p -r1.2 README
> --- pkg/README 17 Jul 2017 08:35:08 -0000 1.2
> +++ pkg/README 26 Feb 2018 17:14:47 -0000
> @@ -4,13 +4,20 @@ $OpenBSD: README,v 1.2 2017/07/17 08:35:
> | Running ${FULLPKGNAME} on OpenBSD
> +-----------------------------------------------------------------------
>
> -Memcached relies on SASL as authentication mechanisms, if you could not
> -use it, it should be firewalled accordingly. You may wish
> -to add a rule such as the following to /etc/pf.conf:
> +From the upstream documentation, "Memcached does not spend much, if any,
> +effort in ensuring its defensibility from random internet connections.
> +So you must not expose memcached directly to the internet, or otherwise
> +any untrusted users. Using SASL authentication here helps, but should
> +not be totally trusted."
>
> - block on $ext_if proto tcp to ($ext_if) port 11211
> +The default setting in this package is now to listen on localhost only.
> +
> +To change to listening on all IP addresses (upstream's default), assuming
> +you have already firewalled appropriately:
> +
> +# rcctl set memcached flags '-u _memcached'
>
> An alternative is to listen on a unix socket in /var/run/memcached/sock,
> granting write permissions to users in group _memcached.
>
> -#rcctl set memcached flags '-u _memcached -s /var/run/memcached/sock -a 0660'
> +# rcctl set memcached flags '-u _memcached -s /var/run/memcached/sock -a 0660'
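Review bot: this hunk drops the pf.conf example (`block on $ext_if proto tcp to ($ext_if) port 11211`) entirely, yet the new paragraph that re-enables listening on all addresses only says "assuming you have already firewalled appropriately". Consider keeping an example rule next to that `rcctl set memcached flags '-u _memcached'` line, so an admin who reverts to upstream's default has a concrete rule to start from rather than just a warning. The quoted upstream text and the whitespace fix on the unix-socket `rcctl` line look fine.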
> Index: pkg/memcached.rc
> ===================================================================
> RCS file: /cvs/ports/misc/memcached/pkg/memcached.rc,v
> retrieving revision 1.4
> diff -u -p -r1.4 memcached.rc
> --- pkg/memcached.rc 11 Jan 2018 19:27:04 -0000 1.4
> +++ pkg/memcached.rc 26 Feb 2018 17:14:47 -0000
> @@ -3,7 +3,7 @@
> # $OpenBSD: memcached.rc,v 1.4 2018/01/11 19:27:04 rpe Exp $
>
> daemon="${TRUEPREFIX}/bin/memcached -d"
> -daemon_flags="-u _memcached"
> +daemon_flags="-u _memcached -l 127.0.0.1"
>
> . /etc/rc.d/rc.subr
>
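Review bot: `-l 127.0.0.1` only binds the IPv4 loopback, while the README describes the new default as "localhost only"; clients that resolve localhost to ::1 first will not reach the daemon, so either state in the README that this is IPv4 loopback or pass both addresses (memcached's `-l` takes a comma-separated list, e.g. `-l 127.0.0.1,::1`). Also note that this only changes the script's default `daemon_flags`: anyone who already set `memcached_flags` in rc.conf.local keeps their old value and stays exposed, which is worth spelling out in the current.html remark Kili suggests.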
