Securing Memcached with a Firewall

According to the Memcached documentation, "you must not expose memcached directly to the internet, or otherwise any untrusted users." Memcached was not designed to be secure without a firewall blocking access from all IP addresses except those that belong to your own application servers.

With HeatShield, you can restrict access to your server that uses Memcached so it can only be accessed from the IP addresses that need to communicate with it.

For example, if you access your Memcached server from multiple web servers, you can create a ruleset in HeatShield to open the Memcached port on your Memcached server to only your web servers.

Limiting Memcached to a Set of IP Addresses

To use HeatShield to limit access to your Memcached server, you can create a new ruleset that contains only the rules related to Memcached. If you have multiple Memcached servers, you can apply this ruleset to each Memcached server.

First, connect your server to HeatShield and upgrade it to use custom rulesets.

Then, open your Rulesets page and click Create Ruleset.

Next, name your ruleset and click Create Ruleset.

Now, create a new firewall rule by selecting the policy, the destination, and the source.

Set the Policy to Allow.

Select Custom from the Destination dropdown and enter TCP 11211 as the Memcached port.

Select Custom from the Source dropdown and enter the first IP address you want to allow access to Memcached. This could be the IP address of one of your web servers, for example. Click Add.

Repeat this step for each additional IP address you want to allow access to Memcached. You'll have a list similar to this example:

Applying the Memcached Ruleset

To apply your new Memcached ruleset to your server, open the server in HeatShield.

Select your Memcached Server ruleset from the drop-down list and click Apply Ruleset.

Your new ruleset will be applied.

Last updated: September 01, 2016

Still Have Questions?

Don't hesitate to contact us if you can't find the answers to your questions.