Install and Secure Memcached on Debian 11 and Ubuntu 22.04


Memcached is an in-memory key-value store for small chunks of arbitrary data. Memcached is often used to enhance web application performance and scalability by temporarily caching frequently accessed data and reducing direct requests to databases.

This guide walks through the installation steps for Memcached on Debian 11 and Ubuntu 22.04 LTS systems. Additionally, it goes over multiple solutions for securing your Memcached installation, including SASL authentication and adding firewall rules with UFW.

Before You Begin

  1. If you do not already have a virtual machine to use, create a Compute Instance with at least 4 GB of memory. See our Getting Started with Linode and Creating a Compute Instance guides.

  2. Follow our Setting Up and Securing a Compute Instance guide to update your system. You may also wish to set the timezone, configure your hostname, create a limited user account, and harden SSH access.

  3. Follow our How to Configure a Firewall with UFW guide to install UFW, allow SSH access, and enable the firewall.

Note
This guide is written for a non-root user. Commands that require elevated privileges are prefixed with sudo. If you’re not familiar with the sudo command, see the Users and Groups guide.

Install Memcached

Memcached is available from the official Debian and Ubuntu repositories.

  1. First, install Memcached:

    sudo apt install memcached
  2. Next, install libmemcached-tools, a library that provides several tools for interacting with Memcached servers:

    sudo apt install libmemcached-tools
  3. Verify that Memcached is installed and running:

    sudo systemctl status memcached

    The expected output should resemble:

    ● memcached.service - memcached daemon
         Loaded: loaded (/lib/systemd/system/memcached.service; enabled; vendor preset: enabled)
         Active: active (running) since Thu 2024-06-06 11:29:42 EDT; 18s ago

    Press Q to exit the status output and return to the terminal prompt.

  4. Make sure that Memcached is listening on the default address:

    sudo ss -plunt | grep memcached

    By default, there should only be one IPv4 localhost (127.0.0.1) entry for Memcached:

    tcp   LISTEN 0      1024       127.0.0.1:11211      0.0.0.0:*    users:(("memcached",pid=1789,fd=26))
  5. Use the memcstat tool to check the status of Memcached on 127.0.0.1:

    memcstat --servers="127.0.0.1"
    Server: 127.0.0.1 (11211)
         pid: 1789
         uptime: 420
         time: 1717688200
         version: 1.6.9
    ...

Securing the Installation

The following sections cover various solutions for securing a Memcached installation. These steps are not strictly necessary when Memcached listens locally. However, if Memcached is exposed over a network, all of these sections should be completed to protect it from unauthorized access and other potential security threats.

Open External Access and Disable UDP

  1. Using a text editor, open the /etc/memcached.conf file:

    sudo nano /etc/memcached.conf

    The default Memcached network address on Debian and Ubuntu is the local address (127.0.0.1). To open Memcached over the network, add a -l line with your Compute Instance's external IP address. Disabling UDP using -U 0 in the configuration is also recommended when opening Memcached access.

    Save your changes once you are done editing the configuration file.

    File: /etc/memcached.conf

    ...
    # Specify which IP address to listen on. The default is to listen on all IP addresses
    # This parameter is one of the only security measures that memcached has, so make sure
    # it's listening on a firewalled interface.
    -l 127.0.0.1
    -l IP_ADDRESS
    
    # Disable UDP
    -U 0
    
    # Limit the number of simultaneous incoming connections. The daemon default is 10>
    # -c 1024
    ...
  2. Restart Memcached to apply the changes:

    sudo systemctl restart memcached
  3. Verify the network changes with the ss and grep commands from before:

    sudo ss -plunt | grep memcached

    There should now be a second Memcached entry for your compute instance’s external IP address:

    tcp   LISTEN 0      1024        IP_ADDRESS:11211      0.0.0.0:*    users:(("memcached",pid=2477,fd=27))
    tcp   LISTEN 0      1024         127.0.0.1:11211      0.0.0.0:*    users:(("memcached",pid=2477,fd=26))
  4. Use the memcstat tool to check the status of Memcached on your Compute Instance’s external IP address. Replace IP_ADDRESS with your instance’s IP:

    memcstat --servers="IP_ADDRESS"
    Server: IP_ADDRESS (11211)
         pid: 2477
         uptime: 203
         time: 1717688684
         version: 1.6.9
    ...

Add Firewall Rules

The steps below use UFW to manage firewall rules.

  1. Add a single firewall rule to allow limited access to port 11211 from a remote machine. Replace CLIENT_IP_ADDRESS with the IP address of the remote machine you want to access the Memcached server from:

    sudo ufw allow proto tcp from CLIENT_IP_ADDRESS to any port 11211
    Rule added
  2. Verify that the rule has been added to UFW:

    sudo ufw status
    Status: active
    
    To                         Action      From
    --                         ------      ----
    22/tcp                     ALLOW       Anywhere
    11211/tcp                  ALLOW       CLIENT_IP_ADDRESS
    22/tcp (v6)                ALLOW       Anywhere (v6)
  3. From the remote client machine, run memcstat again against your Compute Instance's external IP address (IP_ADDRESS) to confirm a connection:

    memcstat --servers="IP_ADDRESS"
    Server: 172.233.162.226 (11211)
         pid: 2477
         uptime: 1102
         time: 1717689583
         version: 1.6.9
    Note
    The remote client machine must also have Memcached and libmemcached-tools installed.
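
The rule added above is only useful if no broader rule also opens the port. The following check is an added example, not part of the original guide: it reads `ufw status` text and flags any ALLOW rule on port 11211 that is open to Anywhere or not limited to TCP. It assumes the "To / Action / From" layout shown in step 2; the sample status text, addresses, and finding names are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag UFW rules that open the Memcached port too widely.
# Reads `ufw status` text on stdin; prints one finding per offending rule.
check_memcached_rules() {
    awk '
    {
        split($1, p, "/")                 # "11211/tcp" -> port, protocol
        if (p[1] != "11211") next         # not a Memcached rule
        for (i = 2; i <= NF; i++) if ($i == "ALLOW") break
        if (i > NF) next                  # DENY/REJECT/LIMIT rules are ignored
        src = $(i + 1)
        if (src == "IN") src = $(i + 2)   # verbose form prints "ALLOW IN"
        if (src == "Anywhere") print "OPEN_TO_ANYWHERE: " $1
        if (p[2] != "tcp")     print "NOT_TCP_ONLY: " $1
    }'
}

# Constructed sample: one rule as created in this guide, two overly broad ones.
sample_status='Status: active

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW       Anywhere
11211/tcp                  ALLOW       198.51.100.7
11211                      ALLOW       Anywhere
11211/tcp (v6)             ALLOW       Anywhere (v6)'

printf '%s\n' "$sample_status" | check_memcached_rules
```

On a live system, pipe the real output in with `sudo ufw status | check_memcached_rules`; no output means only source-restricted TCP rules reference port 11211.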

Install and Configure SASL

Memcached doesn’t provide internal authentication procedures. However, Simple Authentication and Security Layer (SASL) can be used to provide authentication to Memcached. SASL is a framework that decouples authentication procedures from application protocols.

  1. First, install SASL:

    sudo apt install sasl2-bin
  2. Next, create the directory that Memcached uses for SASL configuration:

    sudo mkdir -p /etc/sasl2
  3. Now create a memcached.conf SASL configuration file in that directory:

    sudo nano /etc/sasl2/memcached.conf

    Add the following content to the SASL configuration file, and save your changes:

    File: /etc/sasl2/memcached.conf

    mech_list: plain
    log_level: 5
    sasldb_path: /etc/sasl2/memcached-sasldb2

Add Authorized Users

  1. Create a SASL database and user. Replace SASL_USERNAME with a username of your choice:

    sudo saslpasswd2 -a memcached -c -f /etc/sasl2/memcached-sasldb2 SASL_USERNAME

    Enter a password of your choosing, and verify that password:

    Password:
    Again (for verification):
  2. Give Memcached ownership of the database:

    sudo chown memcache:memcache /etc/sasl2/memcached-sasldb2

Enable SASL

  1. With a text editor, open the /etc/memcached.conf file:

    sudo nano /etc/memcached.conf

    Enable SASL by adding the -S parameter to /etc/memcached.conf, and save your changes:

    File: /etc/memcached.conf

    ...
    # Specify which IP address to listen on. The default is to listen on all IP addresses
    # This parameter is one of the only security measures that memcached has, so make sure
    # it's listening on a firewalled interface.
    -l 127.0.0.1
    -l IP_ADDRESS
    
    # Disable UDP
    -U 0
    
    # Enable SASL authentication
    -S
    
    # Limit the number of simultaneous incoming connections. The daemon default is 10>
    # -c 1024
    ...
  2. Restart Memcached to apply the changes:

    sudo systemctl restart memcached
  3. Check the Memcached status locally once again. Replace SASL_USERNAME and SASL_PASSWORD with your chosen username and password:

    sudo memcstat --servers="127.0.0.1" --username="SASL_USERNAME" --password="SASL_PASSWORD"

    The output should look similar to this:

    Server: 127.0.0.1 (11211)
         pid: 2956
         uptime: 198
         time: 1717690598
         version: 1.6.9
    ...
  4. Repeat the process from the remote machine, using your Compute Instance’s external IP address instead of 127.0.0.1:

    sudo memcstat --servers="IP_ADDRESS" --username="SASL_USERNAME" --password="SASL_PASSWORD"

    The output should be the same as above:

    Server: 172.233.162.226 (11211)
         pid: 2956
         uptime: 271
         time: 1717690671
         version: 1.6.9
    ...
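
The end state of the Open External Access and Disable UDP and Enable SASL sections can also be checked from the configuration file itself. The following shell function is an added example, not part of the original guide: it flags a configuration that listens on a non-loopback address without `-S` or without `-U 0`. It assumes the short option forms used in this guide (`-l`, `-U`, `-S`); the sample files, the address 203.0.113.10, and the finding names are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag memcached.conf settings that leave a networked
# Memcached without the protections applied in this guide.
# Commented-out options never match, because their first field starts with "#".
audit_memcached_conf() {
    awk '
        $1 == "-l" {                            # one or more listen addresses
            listen = 1
            n = split($2, addr, ",")
            for (i = 1; i <= n; i++)
                if (addr[i] !~ /^127\./ && addr[i] != "::1" &&
                    addr[i] != "localhost") remote = 1
        }
        $1 == "-U" && $2 == "0" { udp_off = 1 } # UDP listener disabled
        $1 == "-S"              { sasl = 1 }    # SASL required
        END {
            # With no -l line the daemon listens on every address.
            if (!listen) { remote = 1; print "LISTENS_ON_ALL_ADDRESSES" }
            if (remote && !sasl)    print "REMOTE_WITHOUT_SASL"
            if (remote && !udp_off) print "UDP_NOT_EXPLICITLY_DISABLED"
        }
    ' "$1"
}

# Constructed sample configurations (203.0.113.10 is a documentation address).
demo_dir=$(mktemp -d)
printf '%s\n' '# default install' '-m 64' '-p 11211' '-u memcache' \
    '-l 127.0.0.1' > "$demo_dir/local.conf"
printf '%s\n' '-l 127.0.0.1' '-l 203.0.113.10' '# -S' \
    > "$demo_dir/exposed.conf"
printf '%s\n' '-l 127.0.0.1' '-l 203.0.113.10' '-U 0' '-S' \
    > "$demo_dir/hardened.conf"

for f in local exposed hardened; do
    echo "== $f.conf"
    audit_memcached_conf "$demo_dir/$f.conf"
done
```

Run `audit_memcached_conf /etc/memcached.conf` on the server after each configuration change; no output means every non-loopback listener is paired with both `-U 0` and `-S`.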


This page was originally published on

