Blocking Memcached Attack

Revision as of 09:14, 2 March 2018 by Irfan (UFW rules for Ubuntu based servers)

Blocking Memcached Exploit

As detailed in this blog post, Zimbra memcached may be exposed to the "memcrashd" attack on port 11211. By default, memcached listens on the server's IP address, which is reachable from the network and, if there is no firewall, from the Internet.

If your Zimbra memcache servers are behind a firewall, we recommend blocking ingress and egress traffic on port 11211 from the Internet to the Zimbra memcache servers. Once done, you do not need to follow the further steps on this wiki.

If your Zimbra memcache server is NOT behind a firewall and is accessible over the Internet, then proceed.

For Zimbra Single Server Installation

Configure memcached to listen on only to avoid this attack. Use below commands.

 su - zimbra
 /opt/zimbra/bin/zmprov ms `zmhostname` zimbraMemcachedBindAddress 
 /opt/zimbra/bin/zmprov ms `zmhostname` zimbraMemcachedClientServerList

Restart memcached:

 zmmemcachedctl restart

For Zimbra Multi Server Installation

In a Zimbra multi-server setup, the workaround is to block traffic on port 11211 from the Internet and allow it only from the Zimbra proxy servers. First, enable and start iptables or ufw on the server. Make sure Zimbra's other ports are not blocked in the firewall.

Run the commands below in the given sequence on ALL memcached servers.

Iptables rules for Redhat based servers

Drop all connections to port 11211.

 iptables -I INPUT -p udp --dport 11211 -j DROP
 iptables -I INPUT -p tcp --dport 11211 -j DROP

Accept connections from localhost.

 iptables -I INPUT -p udp -s 127.0.0.1 --dport 11211 -j ACCEPT
 iptables -I INPUT -p tcp -s 127.0.0.1 --dport 11211 -j ACCEPT

Accept connections from any other proxy server in the Zimbra setup. Run the two commands below for each proxy server IP in your Zimbra setup.

 iptables -I INPUT -p udp -s <Proxy IP> --dport 11211 -j ACCEPT
 iptables -I INPUT -p tcp -s <Proxy IP> --dport 11211 -j ACCEPT
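
The sequence matters because `iptables -I` inserts each rule at the top of the chain and the first matching rule wins, so the ACCEPT rules must end up above the DROP rules. The script below is an added example, not part of the original wiki page: it audits `iptables -S INPUT` output for that ordering. The function name `audit_11211`, the sample chain, 127.0.0.1 for localhost and the proxy address 192.0.2.10 are assumptions, and only rules that name `--dport 11211` are inspected.

```shell
# Added example: audit `iptables -S INPUT` output for port 11211 (first match wins).
# Real use, as root:  iptables -S INPUT | audit_11211 127.0.0.1 <Proxy IP>
audit_11211() {   # args: allowed source IPs; rules arrive on stdin
    awk -v allowed="$*" '
    BEGIN {
        n = split(allowed, a, " ")
        for (i = 1; i <= n; i++) ok[a[i] "/32"] = 1
        state["udp"] = state["tcp"] = "open"        # no verdict yet
    }
    $1 == "-P" && $2 == "INPUT" { policy = $3 }
    $1 == "-A" && / --dport 11211( |$)/ {
        proto = src = target = ""
        for (i = 1; i < NF; i++) {
            if ($i == "-p") proto = $(i + 1)
            if ($i == "-s") src = $(i + 1)
            if ($i == "-j") target = $(i + 1)
        }
        if (state[proto] != "open") next            # an earlier rule already decided
        if (target == "ACCEPT" && !(src in ok))
            state[proto] = "EXPOSED by rule: " $0   # reachable from an unlisted source
        else if ((target == "DROP" || target == "REJECT") && src == "")
            state[proto] = "OK"                     # everything else is blocked here
    }
    END {
        split("udp tcp", protos, " ")
        for (i = 1; i <= 2; i++) {
            p = protos[i]
            if (state[p] == "open")                 # fell through to the chain policy
                state[p] = (policy == "DROP") ? "OK" : ("EXPOSED: no DROP rule, policy " policy)
            if (state[p] != "OK") bad = 1
            print p ": " state[p]
        }
        exit bad
    }'
}

# Constructed sample: the chain the commands above produce when run in the
# given order (192.0.2.10 stands in for a proxy), with the UDP DROP left out.
SAMPLE_RULES='-P INPUT ACCEPT
-A INPUT -s 192.0.2.10/32 -p tcp -m tcp --dport 11211 -j ACCEPT
-A INPUT -s 192.0.2.10/32 -p udp -m udp --dport 11211 -j ACCEPT
-A INPUT -s 127.0.0.1/32 -p tcp -m tcp --dport 11211 -j ACCEPT
-A INPUT -s 127.0.0.1/32 -p udp -m udp --dport 11211 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 11211 -j DROP'

printf '%s\n' "$SAMPLE_RULES" | audit_11211 127.0.0.1 192.0.2.10 || echo "fix the rules above"
```

The function exits non-zero when either protocol is reported as EXPOSED. Broader rules that do not name the port, such as a blanket ACCEPT earlier in the chain, still need a manual look.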

UFW rules for Ubuntu servers


UDP - The command below should give an empty response when executed from any host except the proxy servers allowed above. If you see a non-empty response that contains details such as the PID, then your server is vulnerable.

 echo -en "\x00\x00\x00\x00\x00\x01\x00\x00stats\r\n" | nc -q1 -u <IP of zimbra memcache server> 11211

[The above command may fail on Red Hat servers because nc does not recognize the "-q" option. You can use "-w 1" instead.]

TCP - With the command below, you should not be able to connect when it is executed from any host except the proxy servers allowed above. If you are able to connect, your server is vulnerable.

 telnet <IP of zimbra memcache server> 11211