Posted July 11th, 2018 | 335

n3p_1ce

*The base image for this tutorial is a DigitalOcean CentOS 7.5 image with 1GB memory and 25GB disk space.

 

Connecting to your Server

You will need an SSH client such as PuTTY if you are coming from Windows. On Unix-like systems such as OS X and Linux you can use the terminal.

After connecting to the server you will be greeted by the following screen:

If you are logged in as root, it is highly recommended that you create another account and add this account to the wheel group. To achieve this, you have to type the following on the terminal.

adduser <username>

where <username> can be any name you would like to have for the account. For this tutorial, we are going to create the user “corefinity”.

adduser corefinity

After hitting Enter, you need to assign a password to this user; unlike on Ubuntu, the account is not enabled until you do so. To achieve this, type

passwd corefinity

and repeat the password twice. You now have created your first user.

Unfortunately, this user doesn’t have any root permissions yet, but we are going to change this now.

As we are still logged in as root, we are now going to add our corefinity-user to the group of wheel.

usermod -aG wheel corefinity

will achieve this. We now have a non-root account, which can install software and updates.

To switch to this user, we need to type

su corefinity

and to exit this user and return to root, we just need to type

exit

and hit Enter. Now we just need to update the installed packages with yum, which we can do by typing

sudo yum update -y

 

Installing memcached and additional libraries

After updating the packages, we will install memcached and the libmemcached libraries. In addition, for security reasons, we are going to install a firewall and the Cyrus SASL authentication libraries. We can achieve this by typing

sudo yum install memcached libmemcached cyrus-sasl-devel cyrus-sasl-plain nano firewalld -y

To secure our memcached-setup, we are now going to edit the file /etc/sysconfig/memcached with nano by typing:

sudo nano /etc/sysconfig/memcached

and change the block

###############

PORT="11211"

USER="memcached"

MAXCONN="1024"

CACHESIZE="64"

OPTIONS=""

###############

to

###############

PORT="11211"

USER="memcached"

MAXCONN="1024"

CACHESIZE="64"

OPTIONS="-l 127.0.0.1 -U 0 -S -vv"

#########

Save the file with Ctrl-O and close it with Ctrl-X. We have now told memcached to listen only on the local IP address and disabled the UDP port, as it is quite often used for DDoS attacks. In addition, we enabled SASL authentication with the -S parameter and verbose logging with the -vv parameter.

Now we need to stop memcached by typing

sudo systemctl stop memcached

We will now enable password authentication for memcached to further improve security. To do so, we first have to create a folder named sasl2 and then a file named memcached.conf. We can achieve this by first typing

sudo mkdir /etc/sasl2

and after that

sudo nano /etc/sasl2/memcached.conf

We now have opened our beloved text editor and need to insert the following code into the file:

###############

mech_list: plain

log_level: 5

sasldb_path: /etc/sasl2/memcached-sasldb2

###############

Afterwards we save the file with ctrl-o and close it with ctrl-x.

We are now going to create a user and a password for memcached by typing

sudo saslpasswd2 -a memcached -c -f /etc/sasl2/memcached-sasldb2 <username>

where we are going to choose corefinity_memcached:

sudo saslpasswd2 -a memcached -c -f /etc/sasl2/memcached-sasldb2 corefinity_memcached

You will be prompted for a new password twice. For this tutorial, we choose corefinity_rules. We now need to transfer ownership of the file to the memcached user so it can read it. Type

sudo chown memcached:memcached /etc/sasl2/memcached-sasldb2

and hit Enter. Now it’s time to start the memcached server again. This is done with the command

sudo systemctl start memcached

If everything went well, we can now try the following command to connect without a username and a password:

memstat --servers="127.0.0.1"

We shouldn’t get any output, as we didn’t pass any username or password.

If we now type

memstat --servers="127.0.0.1" --username=corefinity_memcached --password=corefinity_rules

we will get output similar to the below screenshot.

Congratulations! You have installed memcached on your CentOS server, closed the UDP port and secured it even further by adding username and password authentication!
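The OPTIONS line edited earlier is easy to get wrong when it is pasted from a web page, because hyphens are often converted to typographic dashes. The following script is an added example, not part of the original tutorial: its function audit_memcached_options (a name chosen here) checks an OPTIONS value for the three hardening flags described above, and the sample values at the bottom are constructed.

```shell
#!/bin/sh
# Added example (not from the original tutorial): audit an OPTIONS value
# as found in /etc/sysconfig/memcached. Prints one finding per line and
# nothing when the value matches the hardening described above.
audit_memcached_options() {
    opts=$1 listen='' udp='' sasl=''
    # Text copied from web pages often carries an en dash instead of "-";
    # memcached does not treat that as an option prefix.
    if printf '%s' "$opts" | LC_ALL=C grep -q '[^ -~]'; then
        echo "non-ASCII character in OPTIONS (typographic dash?)"
    fi
    set -f; set -- $opts; set +f   # split on whitespace without globbing
    while [ $# -gt 0 ]; do
        case $1 in
            -l) listen=${2:-}; if [ $# -gt 1 ]; then shift; fi ;;
            -U) udp=${2:-};    if [ $# -gt 1 ]; then shift; fi ;;
            -S) sasl=yes ;;
        esac
        shift
    done
    case $listen in
        127.0.0.1) ;;
        '') echo "no -l given: memcached listens on all interfaces" ;;
        *)  echo "-l $listen is not the loopback address" ;;
    esac
    [ "$udp" = 0 ] || echo "UDP listener not disabled (-U 0 missing)"
    [ -n "$sasl" ] || echo "SASL authentication not enabled (-S missing)"
    return 0
}

# Constructed samples: the stock value and the hardened value from this page.
for sample in '' '-l 127.0.0.1 -U 0 -S -vv'; do
    printf 'OPTIONS="%s"\n' "$sample"
    audit_memcached_options "$sample" | sed 's/^/  finding: /'
done
```

To check a real server, pass the function the text between the quotes of the OPTIONS line in /etc/sysconfig/memcached.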