How to Configure Memcached to Listen on Specific Network Interfaces (eth1 and lo) While Blocking Public Access


When configuring Memcached on multi-homed servers, the default behavior of binding to all available interfaces (0.0.0.0) poses security risks. Many developers need to restrict Memcached to internal networks while maintaining local access, particularly in cloud environments with public/private network segmentation.

The -l parameter in Memcached only accepts a single IP address, which creates challenges for complex network configurations:

# This only works for one interface
memcached -l 192.168.1.100 -p 11211

Here are three effective approaches to achieve selective interface binding:

1. Multiple Memcached Instances

Run separate instances for each required interface:

# For private network
memcached -l 192.168.1.100 -p 11211

# For localhost
memcached -l 127.0.0.1 -p 11212

2. Network Namespace Isolation

Create a dedicated network namespace for Memcached:

# Create namespace
ip netns add memcache-ns

# Move eth1 to namespace. The kernel flushes eth1's addresses when it changes
# namespace (and the host loses the interface), so re-add the address
# (the /24 mask is assumed) and bring both links up; lo starts down in a
# fresh namespace.
ip link set eth1 netns memcache-ns
ip netns exec memcache-ns ip addr add 192.168.1.100/24 dev eth1
ip netns exec memcache-ns ip link set eth1 up
ip netns exec memcache-ns ip link set lo up

# Launch Memcached in namespace; with only eth1 configured, hostname -I yields
# that single address (it never lists loopback)
ip netns exec memcache-ns memcached -l $(ip netns exec memcache-ns hostname -I)

3. Systemd Socket Activation

For systemd-based systems, create socket units for precise control:

# /etc/systemd/system/memcached.socket
[Socket]
ListenStream=192.168.1.100:11211
ListenStream=127.0.0.1:11211
# BindToDevice= applies to every ListenStream= in the unit. Tying the
# 127.0.0.1 listener to eth1 would never see loopback traffic (it arrives on
# lo), so the device binding is left off and the explicit addresses do the
# restricting.
# BindToDevice=eth1

[Install]
WantedBy=sockets.target

Beyond interface binding, implement these security measures:

  • Enable SASL authentication: memcached -S -l 192.168.1.100
  • Implement connection rate limiting with iptables
  • Configure proper firewall rules for the private network
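The firewall and rate-limiting bullets above, written out as an added shell example (not part of the original article): it emits iptables rules that accept port 11211 on lo and on eth1 from the private subnet only, rate-limit new connections per source address, and drop everything else, including UDP, which the memcached.conf below already disables with -U 0. The subnet 192.168.1.0/24, the interface name eth1 and the limit of 50 new connections per second are assumptions and can be overridden through the environment.

```shell
#!/bin/sh
# Added example, not from the original page or the memcached project.
# Assumed values (override via environment): private subnet 192.168.1.0/24,
# private interface eth1, port 11211, 50 new connections/second per client.
MC_PORT="${MC_PORT:-11211}"
MC_IF="${MC_IF:-eth1}"
MC_NET="${MC_NET:-192.168.1.0/24}"
MC_NEW_PER_SEC="${MC_NEW_PER_SEC:-50}"

# Print the rule set, one iptables command per line, in evaluation order:
# 1. loopback clients are always allowed
# 2. private-subnet clients on eth1 opening too many new connections are dropped
# 3. remaining private-subnet clients on eth1 are accepted
# 4./5. every other TCP or UDP packet for the port (e.g. arriving on eth0) is dropped
memcached_fw_rules() {
    cat <<EOF
iptables -A INPUT -i lo -p tcp --dport $MC_PORT -j ACCEPT
iptables -A INPUT -i $MC_IF -s $MC_NET -p tcp --dport $MC_PORT -m conntrack --ctstate NEW -m hashlimit --hashlimit-name memcached --hashlimit-mode srcip --hashlimit-above ${MC_NEW_PER_SEC}/second -j DROP
iptables -A INPUT -i $MC_IF -s $MC_NET -p tcp --dport $MC_PORT -j ACCEPT
iptables -A INPUT -p tcp --dport $MC_PORT -j DROP
iptables -A INPUT -p udp --dport $MC_PORT -j DROP
EOF
}

# Number of rules in the set, as a quick sanity check before applying.
memcached_fw_rule_count() {
    memcached_fw_rules | wc -l | tr -d ' '
}

# Apply the rules as root; with DRY_RUN=1 only print them.
memcached_fw_apply() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        memcached_fw_rules
    else
        memcached_fw_rules | sh -e
    fi
}

# Usage: DRY_RUN=1 sh memcached-fw.sh   (then run without DRY_RUN as root)
```

The explicit interface match (-i eth1) is what keeps a packet arriving on eth0 with a spoofed private source address from matching rule 3; the final two DROP rules make the policy independent of whatever the chain's default policy happens to be.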

Here's a complete configuration for a production server with both private and local access:

# Main configuration file (/etc/memcached.conf)
# One option per line; keep comments on their own lines.
# Bind only to the private address
-l 192.168.1.100
-p 11211
# Disable UDP
-U 0
# Thread count
-t 4
# Memory limit in MB
-m 2048
# A UNIX socket (-s) disables memcached's TCP listeners, so it cannot share
# an instance with -l; run the socket in a second instance with its own
# configuration:
# -s /var/run/memcached/memcached.sock
# -a 0660

Combine this with a systemd service unit for the socket instance that creates the socket directory with proper permissions before starting the service (the -a mask sets the permissions of the socket file itself).
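A unit for that socket-only instance, as an added example rather than a file from the article or the Debian package: systemd's RuntimeDirectory= creates /run/memcached (on Debian /var/run is a symlink to /run) owned by the service user with the given mode before ExecStart runs and removes it on stop, so no pre-start script is needed. The unit name, the group name and the -m/-t values are assumptions.

```ini
# /etc/systemd/system/memcached-socket.service  (added example; name assumed)
[Unit]
Description=Memcached local UNIX-socket instance
After=network.target

[Service]
User=memcache
Group=memcache
# Created as /run/memcached, owned by memcache:memcache, mode 0750, before
# ExecStart; removed again when the service stops.
RuntimeDirectory=memcached
RuntimeDirectoryMode=0750
# -s disables TCP entirely for this instance; -a 0660 lets only the memcache
# user and group connect through the socket. Memory and thread values are
# placeholders.
ExecStart=/usr/bin/memcached -s /run/memcached/memcached.sock -a 0660 -m 256 -t 2

[Install]
WantedBy=multi-user.target
```

Local clients that need the socket are added to the memcache group rather than the socket being made world-writable.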


When deploying Memcached on a multi-homed Debian server, administrators often need to restrict which network interfaces the service listens on. The default behavior is for Memcached to bind to all available interfaces (INADDR_ANY), which may expose the cache to unwanted public network access.

The standard Memcached -l parameter has a significant limitation:

memcached -l 192.168.1.100  # Only binds to one IP address

This becomes problematic when you need to serve both the private network (eth1) and localhost (lo) while excluding the public interface (eth0).

One effective approach is to run multiple Memcached instances with different binding configurations:

# For private network access
memcached -l 192.168.1.100 -p 11211 -d -u memcache

# For localhost access
memcached -l 127.0.0.1 -p 11212 -d -u memcache

This method provides complete isolation while allowing both access patterns.

For production Debian systems, create separate systemd unit files:

/etc/systemd/system/memcached-private.service:
[Unit]
Description=Memcached Private Interface
After=network.target

[Service]
User=memcache
ExecStart=/usr/bin/memcached -l 192.168.1.100 -p 11211

[Install]
WantedBy=multi-user.target

For simpler deployments, /etc/hosts.allow can restrict access:

memcached : 192.168.1. 127.0.0.1
memcached : ALL : DENY

Always verify your configuration with:

netstat -tulnp | grep memcached
ss -tulnp | grep memcached
telnet 192.168.1.100 11211  # Test private interface
telnet 127.0.0.1 11211      # Test localhost
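The ss check above can be turned into a pass/fail test that is safe to run from cron or a deployment pipeline. The following is an added example, not part of the original article: it reads `ss -tlnp` output, picks out the memcached listeners and reports any whose local address is not 127.0.0.1 or the private address (192.168.1.100 by default, overridable via MC_ALLOWED), so a wildcard bind (0.0.0.0 or [::]) or a bind to a public address is caught. The sample output embedded in the script is constructed for illustration, not captured from a real host.

```shell
#!/bin/sh
# Added example, not from the original page or the memcached project.

# Constructed sample in `ss -tlnp` format (not from a real host): two correctly
# bound instances, one wildcard IPv4 bind, one wildcard IPv6 bind, and an
# unrelated sshd line that must be ignored.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port   Peer Address:Port Process
LISTEN 0      1024   127.0.0.1:11212      0.0.0.0:*         users:(("memcached",pid=1201,fd=26))
LISTEN 0      1024   192.168.1.100:11211  0.0.0.0:*         users:(("memcached",pid=1200,fd=26))
LISTEN 0      1024   0.0.0.0:11213        0.0.0.0:*         users:(("memcached",pid=1202,fd=26))
LISTEN 0      1024   [::]:11214           [::]:*            users:(("memcached",pid=1203,fd=26))
LISTEN 0      128    0.0.0.0:22           0.0.0.0:*         users:(("sshd",pid=800,fd=3))'

# Read ss output on stdin and print "addr:port" for every memcached listening
# socket whose address is neither 127.0.0.1 nor in $MC_ALLOWED (space-separated).
memcached_exposed_listeners() {
    awk -v allowed="127.0.0.1 ${MC_ALLOWED:-192.168.1.100}" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        /"memcached"/ {
            local = $4                          # Local Address:Port column
            i = match(local, /:[0-9]+$/)        # position of the final ":port"
            addr = substr(local, 1, i - 1)      # works for 0.0.0.0 and [::] alike
            if (!(addr in ok)) print local
        }'
}

# Exit 0 when every memcached listener is on an allowed address, 1 otherwise
# (offenders are printed to stderr), so it can gate a deployment step.
memcached_check_binding() {
    out=$(memcached_exposed_listeners)
    if [ -n "$out" ]; then
        printf 'memcached listening on non-private address:\n%s\n' "$out" >&2
        return 1
    fi
    return 0
}

# Usage on a live host:  ss -tlnp | memcached_check_binding
```

Matching on the process name rather than on port 11211 is deliberate: an instance started on another port (11212 in the article's two-instance setup, or a stray one launched by hand) is still checked.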

When running multiple instances, monitor resource usage:

watch -n 1 "echo -e 'stats\nquit' | nc 127.0.0.1 11211 | grep bytes"