Blocking Memcached Attack: Difference between revisions
No edit summary |
|||
(One intermediate revision by one other user not shown) | |||
Line 3: | Line 3: | ||
Detailed in [https://blog.cloudflare.com/memcrashed-major-amplification-attacks-from-port-11211/ this blog post], Zimbra memcached may face "'''memcrashd'''" attack on port 11211. By-default memcached listens on server IP address which is accessible in the network and on Internet if there is no firewall. | Detailed in [https://blog.cloudflare.com/memcrashed-major-amplification-attacks-from-port-11211/ this blog post], Zimbra memcached may face "'''memcrashd'''" attack on port 11211. By-default memcached listens on server IP address which is accessible in the network and on Internet if there is no firewall. | ||
If your Zimbra memcache servers are behind firewall, we recommend blocking ingress and egress traffic on port | If your Zimbra memcache servers are behind firewall, we recommend blocking ingress and egress traffic on port 11211 from the Internet to zimbra memcache servers. Once done, you do not need to follow further steps on this wiki. | ||
If your zimbra memcache server is '''NOT''' behind a firewall and accessible over Internet, then proceed. | If your zimbra memcache server is '''NOT''' behind a firewall and accessible over Internet, then proceed. | ||
Line 18: | Line 18: | ||
== For Zimbra Multi Server Installation == | == For Zimbra Multi Server Installation == | ||
On zimbra multi server setup, | On zimbra multi server setup, the best option is to block traffic on port 11211 from the Internet and only allow from the zimbra proxy servers. First, you need to enable/start iptables or ufw on the server. Make sure the other Zimbra ports are not blocked in the firewall. | ||
Run below commands in the given sequence on ALL memcached servers. | Run below commands in the given sequence on ALL memcached servers. | ||
Line 45: | Line 45: | ||
Accept connections from other proxy servers. Run below two commands for each proxy server IP in your zimbra setup. | Accept connections from other proxy servers. Run below two commands for each proxy server IP in your zimbra setup. | ||
ufw allow from <Proxy1 IP> to any port 11211 | ufw allow from <Proxy1 IP> to any port 11211 | ||
== Testing == | == Testing == |
Latest revision as of 14:52, 15 December 2021
Blocking Memcached Exploit
Detailed in this blog post, Zimbra memcached may face "memcrashd" attack on port 11211. By-default memcached listens on server IP address which is accessible in the network and on Internet if there is no firewall.
If your Zimbra memcache servers are behind firewall, we recommend blocking ingress and egress traffic on port 11211 from the Internet to zimbra memcache servers. Once done, you do not need to follow further steps on this wiki.
If your zimbra memcache server is NOT behind a firewall and accessible over Internet, then proceed.
For Zimbra Single Server Installation
Configure memcached to listen on 127.0.0.1 only to avoid this attack. Use below commands.
su - zimbra /opt/zimbra/bin/zmprov ms `zmhostname` zimbraMemcachedBindAddress 127.0.0.1 /opt/zimbra/bin/zmprov ms `zmhostname` zimbraMemcachedClientServerList 127.0.0.1
Restart memcached:
zmmemcachedctl restart
For Zimbra Multi Server Installation
On zimbra multi server setup, the best option is to block traffic on port 11211 from the Internet and only allow from the zimbra proxy servers. First, you need to enable/start iptables or ufw on the server. Make sure the other Zimbra ports are not blocked in the firewall.
Run below commands in the given sequence on ALL memcached servers.
Iptables rules for Redhat based servers
Drop all connections to port 11211.
iptables -I INPUT -p udp --dport 11211 -j DROP iptables -I INPUT -p tcp --dport 11211 -j DROP
Accept connections from localhost.
iptables -I INPUT -p udp -s 127.0.0.1 --dport 11211 -j ACCEPT iptables -I INPUT -p tcp -s 127.0.0.1 --dport 11211 -j ACCEPT
Accept connections from other proxy servers. Run below two commands for each proxy server IP in your zimbra setup.
iptables -I INPUT -p udp -s <Proxy IP> --dport 11211 -j ACCEPT iptables -I INPUT -p tcp -s <Proxy IP> --dport 11211 -j ACCEPT
UFW rules for Ubuntu servers
Drop all connections to port 11211.
ufw deny 11211
Accept connections from localhost.
ufw allow from 127.0.0.1 to any port 11211
Accept connections from other proxy servers. Run below two commands for each proxy server IP in your zimbra setup.
ufw allow from <Proxy1 IP> to any port 11211
Testing
UDP - Below command should give an empty response when executed from any host except proxy servers allowed above. If you see non-empty response that contains PID etc details, then your server is vulnerable.
echo -en "\x00\x00\x00\x00\x00\x01\x00\x00stats\r\n" | nc -q1 -u <IP of zimbra memcache server> 11211
[Above command may fail on redhat servers because nc does not recognize "-q" option. You can use "-w 1 " instead.]
TCP - With below command you should not be able to connect when executed from any host except proxy servers allowed above. If you are able to connect, your server is vulnerable.
telnet <IP of zimbra memcache server> 11211