Revision as of 08:40, 1 March 2018

Blocking Memcached Attack

As detailed in this blog post (https://blog.cloudflare.com/memcrashed-major-amplification-attacks-from-port-11211/), Zimbra's memcached may be abused in a "memcrashed" amplification attack on port 11211. By default, memcached listens on the server's IP address, which is reachable from the network and from the Internet if there is no firewall in front of it.

If your Zimbra memcache servers are behind a firewall, we recommend blocking access from the Internet to port 11211 on those servers. Once that is done, you do not need to follow the further steps on this wiki.

If your Zimbra memcache server is NOT behind a firewall and is accessible over the Internet, then proceed.

For Zimbra Single Server Installation

Configure memcached to listen on 127.0.0.1 only, so that it is not reachable from other hosts. Run the following commands as the zimbra user:

 su - zimbra
 /opt/zimbra/bin/zmprov ms `zmhostname` zimbraMemcachedBindAddress 127.0.0.1 
 /opt/zimbra/bin/zmprov ms `zmhostname` zimbraMemcachedClientServerList 127.0.0.1

Restart memcached:

 zmmemcachedctl restart

For Zimbra Multi Server Installation

On a Zimbra multi-server setup, memcached must remain reachable by the other Zimbra nodes, so the workaround is to block UDP access on port 11211 instead. First enable and start iptables or ufw on the server, and make sure Zimbra's other ports are not blocked by the firewall. Run the commands below in the given sequence on ALL memcache servers.

Iptables rules for Redhat based servers

 # "-I" inserts at the top of the INPUT chain, so the DROP is inserted first and the
 # ACCEPT second; the ACCEPT then sits above the DROP and localhost is still allowed.
 iptables -I INPUT -p udp --dport 11211 -j DROP
 iptables -I INPUT -p udp -s 127.0.0.1 --dport 11211 -j ACCEPT

UFW rules for Ubuntu based servers

 ufw allow from 127.0.0.1 proto udp to any port 11211
 ufw deny from any proto udp to any port 11211

Testing

The following command should give an empty response when executed from any host other than the memcache server itself.

 echo -en "\x00\x00\x00\x00\x00\x01\x00\x00stats\r\n" | nc -q1 -u <IP of zimbra memcache server> 11211

If you see a non-empty response containing details such as the PID, your server is still vulnerable.

The above command may fail on Red Hat based servers because their nc does not have the "-q" option; use "-w 1" instead.
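The same UDP check as the nc command above, written in Python as an added example (not part of the original wiki page) so it can be run from a monitoring host against each memcache server without depending on the local nc flavour. It sends the identical 8-byte memcached UDP frame header followed by "stats" and returns whatever STAT lines come back; the host to probe is an argument you supply.

```python
import socket
import struct

# Memcached UDP frame header (8 bytes, big-endian): request id, sequence number,
# number of datagrams in the message, reserved. The page's echo/nc probe sends
# request id 0, sequence 0, count 1, reserved 0, then the ASCII "stats" command.
UDP_HEADER = struct.Struct("!HHHH")

def build_stats_request(request_id=0):
    """Build the same datagram the page's echo/nc probe sends."""
    return UDP_HEADER.pack(request_id, 0, 1, 0) + b"stats\r\n"

def parse_udp_frame(datagram):
    """Split one memcached UDP datagram into header fields and text payload."""
    if len(datagram) < UDP_HEADER.size:
        raise ValueError("shorter than the 8-byte memcached UDP header")
    request_id, seq, total, _reserved = UDP_HEADER.unpack_from(datagram)
    return {"request_id": request_id, "seq": seq, "total": total,
            "payload": datagram[UDP_HEADER.size:]}

def stats_from_frames(frames):
    """Reassemble frames by sequence number and collect 'STAT name value' lines."""
    text = b"".join(f["payload"] for f in sorted(frames, key=lambda f: f["seq"]))
    stats = {}
    for line in text.split(b"\r\n"):
        parts = line.split(b" ", 2)
        if len(parts) == 3 and parts[0] == b"STAT":
            stats[parts[1].decode()] = parts[2].decode()
    return stats

def probe_udp_stats(host, port=11211, timeout=1.0):
    """Send the stats probe over UDP; an empty dict means nothing answered,
    which is the expected result from any host except the memcached server."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    frames = []
    try:
        sock.sendto(build_stats_request(), (host, port))
        while True:
            data, _addr = sock.recvfrom(1400)
            frames.append(parse_udp_frame(data))
            if data.endswith(b"END\r\n"):  # last frame of the stats reply
                break
    except socket.error:  # timeout (filtered) or ICMP port unreachable (closed)
        pass
    finally:
        sock.close()
    return stats_from_frames(frames)
```

Call probe_udp_stats("<IP of zimbra memcache server>") from a host other than the server itself; a non-empty result (for example a "pid" entry) means UDP port 11211 is still reachable.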
