DDOS Attack open MEMCACHED in Zimbra
Open MEMCACHED in Zimbra SECURITY PROBLEM
I came across this today, and although I agree that firewalling is prudent, I also disagree that ports should be bound to all IPs by default on the assumption that a firewall will a) be in place and b) be configured to block this traffic. In my view, binding to all IPs should only occur when there is a specific need for it (i.e. multi-server).
Here's what might appear to be a better way to do this, for anyone else searching as I was today:
su - zimbra
Make the changes:
/opt/zimbra/bin/zmprov ms `zmhostname` zimbraMemcachedBindAddress 127.0.0.1
/opt/zimbra/bin/zmprov ms `zmhostname` zimbraMemcachedClientServerList 127.0.0.1
Verify:
/opt/zimbra/bin/zmprov -l gs `zmhostname` zimbraMemcachedBindAddress
/opt/zimbra/bin/zmprov -l gs `zmhostname` zimbraMemcachedClientServerList
Restart Zimbra:
zmcontrol restart
You can check that memcached is only running on 127.0.0.1:
$ lsof -i tcp:11211
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
memcached 12630 zimbra 26u IPv4 3443249076 0t0 TCP localhost:11211 (LISTEN)
Now, if you want to verify that objects are being stored, then as root:
wget -O /usr/bin/memcached-tool https://raw.githubusercontent.com/memcached/memcached/master/scripts/memcached-tool
chmod +x /usr/bin/memcached-tool
Then run (once Zimbra has been running a short while):
memcached-tool 127.0.0.1:11211 stats | grep total_items
You should have a non-zero value for total_items.
Source: https://forums.zimbra.org/viewtopic.php?f=23&t=56493&start=10
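Added example, not part of the original forum post: the lsof check above looks at TCP only, and memcached can also listen on UDP 11211. This script goes a little further and reads `ss -H -ltnu` output (TCP, UDP, IPv4 and IPv6), reporting any listener on port 11211 that is not bound to loopback; the function names and sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): flag listeners on the memcached
# port that are bound to anything other than loopback, for TCP and UDP.
# Live use on Linux (iproute2):  ss -H -ltnu | exposed_listeners

PORT=11211

# Reads `ss -H -ltnu`-style lines on stdin, prints "proto address" for each
# non-loopback listener on $PORT; returns 1 if any were found, else 0.
exposed_listeners() {
    awk -v port="$PORT" '
        {
            ep = $5                                  # Local Address:Port column
            n = split(ep, parts, ":")
            if (parts[n] != port) next
            addr = substr(ep, 1, length(ep) - length(parts[n]) - 1)
            sub(/%.*$/, "", addr)                    # drop interface suffix (%lo)
            if (addr ~ /^127\./ || addr == "[::1]") next
            print $1, addr
            found = 1
        }
        END { exit (found ? 1 : 0) }
    '
}

# Constructed sample: memcached bound to all addresses.
sample_before() {
    cat <<'EOF'
udp   UNCONN 0      0            0.0.0.0:11211      0.0.0.0:*
tcp   LISTEN 0      1024         0.0.0.0:11211      0.0.0.0:*
tcp   LISTEN 0      1024               *:11211            *:*
tcp   LISTEN 0      128          0.0.0.0:22         0.0.0.0:*
EOF
}

# Constructed sample: memcached bound to loopback only.
sample_after() {
    cat <<'EOF'
udp   UNCONN 0      0          127.0.0.1:11211      0.0.0.0:*
tcp   LISTEN 0      1024       127.0.0.1:11211      0.0.0.0:*
tcp   LISTEN 0      128          0.0.0.0:22         0.0.0.0:*
EOF
}

if sample_before | exposed_listeners; then echo "before: loopback only"; else echo "before: EXPOSED"; fi
if sample_after | exposed_listeners; then echo "after: loopback only"; else echo "after: EXPOSED"; fi
```

A non-zero exit status from `exposed_listeners` makes it usable as a cron or monitoring check after each Zimbra restart or upgrade.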