Memcached安装与安全配置
发布时间:2015-11-16作者:♂逸風★淩軒
一、安装
#!/bin/bash
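#######################################
# Build memcached 1.4.24 from source, register it as a SysV service and
# install the PHP client extension chosen at the prompt.
# Globals:
#   zend_ext_dir      (read)  PHP extension directory; not set in this
#                             function, expected to come from the caller
#   MEMCACHED_SHA256  (read)  optional expected SHA-256 of the tarball;
#                             when set, the download is verified before use
#   MemcacheVer, PHP_ZTS, zend_ext (written)
# Returns:
#   0 on success, non-zero as soon as a download/build step fails.
#######################################
Install_Memcached()
{
  local start_dir=$PWD
  local tarball="memcached-1.4.24.tar.gz"
  local src_dir="memcached-1.4.24"
  local php_ini="/usr/local/php/etc/php.ini"
  local init_src="init.d.memcached"

  echo "Which memcached php extension do you choose:"
  echo "Install php-memcache,(Discuz x) please enter: 1"
  echo "Install php-memcached, please enter: 2"
  read -r -p "Enter 1 or 2 (Default 2): " MemcacheVer

  # The prompt advertises 2 as the default, so empty or unrecognised input
  # selects php-memcached instead of silently falling back to option 1.
  if [ "${MemcacheVer}" = "1" ]; then
    echo "You choose php-memcache"
    PHP_ZTS="memcache.so"
  else
    MemcacheVer="2"
    echo "You choose php-memcached"
    PHP_ZTS="memcached.so"
  fi

  # Drop any previous extension line; the dot is escaped so only the literal
  # file names match.
  sed -i -e '/memcache\.so/d' -e '/memcached\.so/d' "${php_ini}"
  zend_ext=${zend_ext_dir}${PHP_ZTS}
  # Only delete when the extension directory is known; with an empty
  # zend_ext_dir the path would resolve relative to the current directory.
  if [ -n "${zend_ext_dir:-}" ] && [ -s "${zend_ext}" ]; then
    rm -f -- "${zend_ext}"
  fi
  sed -i "/the dl()/i\extension = \"${PHP_ZTS}\"" "${php_ini}"

  # The tarball comes over plain HTTP and is compiled and installed with the
  # privileges of this script, so pin it with MEMCACHED_SHA256 (taken from a
  # trusted source) whenever possible.
  wget "http://www.memcached.org/files/${tarball}" \
    || { echo "download of ${tarball} failed" >&2; return 1; }
  if [ -n "${MEMCACHED_SHA256:-}" ]; then
    echo "${MEMCACHED_SHA256}  ${tarball}" | sha256sum -c - \
      || { echo "checksum mismatch for ${tarball}" >&2; return 1; }
  fi
  tar zxf "${tarball}" || { echo "cannot unpack ${tarball}" >&2; return 1; }
  cd "${src_dir}" || { echo "cannot enter ${src_dir}" >&2; return 1; }
  ./configure --prefix=/usr/local/memcached || return 1
  make || return 1
  make install || return 1
  ln -sf /usr/local/memcached/bin/memcached /usr/bin/memcached

  # Look for the init script in the current (source) directory first, as
  # before, then in the directory this function was started from.
  if [ ! -f "${init_src}" ]; then
    init_src="${start_dir}/init.d.memcached"
  fi
  cp "${init_src}" /etc/init.d/memcached \
    || { echo "init script init.d.memcached not found" >&2; return 1; }
  chmod +x /etc/init.d/memcached
  # NOTE(review): the init script is not shown here; confirm it starts
  # memcached as this unprivileged user (-u) and binds to an internal
  # address (-l), since the service itself performs no authentication.
  id nobody >/dev/null 2>&1 || useradd -s /sbin/nologin nobody
  mkdir -p /var/lock/subsys
  /etc/init.d/memcached start
  chkconfig memcached on

  if [ "${MemcacheVer}" = "1" ]; then
    Install_PHPMemcache || { echo "php-memcache build failed" >&2; return 1; }
  else
    Install_PHPMemcached || { echo "php-memcached build failed" >&2; return 1; }
  fi
  /etc/init.d/php-fpm restart
  /etc/init.d/memcached restart
}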
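#######################################
# Download and build the php-memcache 3.0.8 PECL extension against the PHP
# installation under /usr/local/php.
# Globals:
#   PHP_MEMCACHE_SHA256 (read)  optional expected SHA-256 of the tarball;
#                               when set, the download is verified before use
# Returns:
#   0 on success, non-zero as soon as a step fails, so a failed download or
#   cd never lets ./configure and make run in whatever directory is current.
#######################################
Install_PHPMemcache()
{
  local tarball="memcache-3.0.8.tgz"

  # Fetched over plain HTTP; pin the archive with PHP_MEMCACHE_SHA256 (taken
  # from a trusted source) before building it.
  wget http://pecl.php.net/get/memcache-3.0.8.tgz \
    || { echo "download of ${tarball} failed" >&2; return 1; }
  if [ -n "${PHP_MEMCACHE_SHA256:-}" ]; then
    echo "${PHP_MEMCACHE_SHA256}  ${tarball}" | sha256sum -c - \
      || { echo "checksum mismatch for ${tarball}" >&2; return 1; }
  fi
  tar zxf "${tarball}" || { echo "cannot unpack ${tarball}" >&2; return 1; }
  cd memcache-3.0.8 || { echo "cannot enter memcache-3.0.8" >&2; return 1; }
  /usr/local/php/bin/phpize || return 1
  ./configure --with-php-config=/usr/local/php/bin/php-config || return 1
  make || return 1
  make install
}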
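#######################################
# Build libmemcached 1.0.18 and the php-memcached 2.2.0 PECL extension
# against the PHP installation under /usr/local/php.
# Globals:
#   LIBMEMCACHED_SHA256  (read)  optional expected SHA-256 of the
#                                libmemcached tarball
#   PHP_MEMCACHED_SHA256 (read)  optional expected SHA-256 of the extension
#                                tarball
# Returns:
#   0 on success, non-zero as soon as a step fails, so a failed download or
#   cd never lets ./configure and make run in the wrong directory.
#######################################
Install_PHPMemcached()
{
  local lib_tar="libmemcached-1.0.18.tar.gz"
  local ext_tar="memcached-2.2.0.tgz"

  yum install cyrus-sasl-devel -y || return 1

  wget https://launchpadlibrarian.net/165454254/libmemcached-1.0.18.tar.gz \
    || { echo "download of ${lib_tar} failed" >&2; return 1; }
  if [ -n "${LIBMEMCACHED_SHA256:-}" ]; then
    echo "${LIBMEMCACHED_SHA256}  ${lib_tar}" | sha256sum -c - \
      || { echo "checksum mismatch for ${lib_tar}" >&2; return 1; }
  fi
  tar zxf "${lib_tar}" || return 1
  cd libmemcached-1.0.18 || return 1
  ./configure --prefix=/usr/local/libmemcached --with-memcached || return 1
  make || return 1
  make install || return 1
  cd ../ || return 1

  # This archive is fetched over plain HTTP; pin it with PHP_MEMCACHED_SHA256
  # (taken from a trusted source) before building it.
  wget http://pecl.php.net/get/memcached-2.2.0.tgz \
    || { echo "download of ${ext_tar} failed" >&2; return 1; }
  if [ -n "${PHP_MEMCACHED_SHA256:-}" ]; then
    echo "${PHP_MEMCACHED_SHA256}  ${ext_tar}" | sha256sum -c - \
      || { echo "checksum mismatch for ${ext_tar}" >&2; return 1; }
  fi
  tar zxf "${ext_tar}" || return 1
  cd memcached-2.2.0 || return 1
  /usr/local/php/bin/phpize || return 1
  ./configure --with-php-config=/usr/local/php/bin/php-config --enable-memcached --with-libmemcached-dir=/usr/local/libmemcached || return 1
  make || return 1
  make install
}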
Install_Memcached
服务启动文件:
二、错误配置及利用
Memcached服务端在客户端连接后即可直接操作,没有任何验证过程,且Memcached默认以root权限运行。因此,如果Memcached服务器直接暴露在互联网上是比较危险的,轻则造成敏感数据泄露,重则可导致服务器被入侵。
stats #显示memcached的运行状态
version #显示版本号
stats items #列出item
add key 0 60 5 #增加一个item名为key,存活时间60s,大小为5字节
12345 #key的值
stats cachedump <item: id> <返回结果数量,0代表返回全部> #查看item信息
get key #取得key的值
delete key #删除key
三、修复方案
限定访问的IP
使用iptables限制访问IP,只允许IP为X.X.X.X的主机访问memcached。注意:iptables -F会清空现有规则,默认策略设为DROP后,未显式放行的入站流量(包括SSH等管理端口)都会被丢弃,执行前应先确认已放行所需的服务:
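# Restrict memcached (TCP/UDP 11211) to one client address.
# X.X.X.X is the placeholder for the permitted client IP.
# -F removes every existing rule in the filter table, so run this only on a
# host whose ruleset you intend to replace.
iptables -F
# ACCEPT rules are added before the policy switches to DROP so that the
# session applying them is not cut off half-way through.
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Management access is not covered by the memcached rules; add it
# explicitly before the DROP policy, for example:
# iptables -A INPUT -p tcp -s <ADMIN_IP> --dport <SSH_PORT> -j ACCEPT
iptables -A INPUT -p tcp -s X.X.X.X --dport 11211 -j ACCEPT
iptables -A INPUT -p udp -s X.X.X.X --dport 11211 -j ACCEPT
# Default-deny last: anything not accepted above is dropped.
iptables -P INPUT DROP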
四、漏洞扫描与发现
半手动扫描
memcached默认监听11211端口,可使用nmap扫描服务器的11211端口:
nmap -n --open -p 11211 X.X.X.X/24
telnet X.X.X.X 11211
stats items
关键字词:配置,服务搭建,安全配置,memcached
