memcached installations are currently being actively used as DoS amplifiers. Can we change the default to listen on loopback only?
Index: Makefile =================================================================== RCS file: /cvs/ports/misc/memcached/Makefile,v retrieving revision 1.41 diff -u -p -r1.41 Makefile --- Makefile 11 Jan 2018 19:27:04 -0000 1.41 +++ Makefile 26 Feb 2018 17:14:47 -0000 @@ -4,7 +4,7 @@ COMMENT= distributed memory object cachi DISTNAME= memcached-1.5.3 CATEGORIES= misc -REVISION= 0 +REVISION= 1 HOMEPAGE= https://www.memcached.org/ Index: pkg/README =================================================================== RCS file: /cvs/ports/misc/memcached/pkg/README,v retrieving revision 1.2 diff -u -p -r1.2 README --- pkg/README 17 Jul 2017 08:35:08 -0000 1.2 +++ pkg/README 26 Feb 2018 17:14:47 -0000 
@@ -4,13 +4,20 @@ $OpenBSD: README,v 1.2 2017/07/17 08:35: | Running ${FULLPKGNAME} on OpenBSD +----------------------------------------------------------------------- -Memcached relies on SASL as authentication mechanisms, if you could not -use it, it should be firewalled accordingly. You may wish -to add a rule such as the following to /etc/pf.conf: +From the upstream documentation, "Memcached does not spend much, if any, +effort in ensuring its defensibility from random internet connections. +So you must not expose memcached directly to the internet, or otherwise +any untrusted users. Using SASL authentication here helps, but should +not be totally trusted." - block on $ext_if proto tcp to ($ext_if) port 11211 +The default setting in this package is now to listen on localhost only. + +To change to listening on all IP addresses (upstream's default), assuming +you have already firewalled appropriately: + +# rcctl set memcached flags '-u _memcached' An alternative is to listen on a unix socket in /var/run/memcached/sock, granting write permissions to users in group _memcached. -#rcctl set memcached flags '-u _memcached -s /var/run/memcached/sock -a 0660' +# rcctl set memcached flags '-u _memcached -s /var/run/memcached/sock -a 0660' Index: pkg/memcached.rc =================================================================== RCS file: /cvs/ports/misc/memcached/pkg/memcached.rc,v retrieving revision 1.4 diff -u -p -r1.4 memcached.rc --- pkg/memcached.rc 11 Jan 2018 19:27:04 -0000 1.4 +++ pkg/memcached.rc 26 Feb 2018 17:14:47 -0000 @@ -3,7 +3,7 @@ # $OpenBSD: memcached.rc,v 1.4 2018/01/11 19:27:04 rpe Exp $ daemon="${TRUEPREFIX}/bin/memcached -d" -daemon_flags="-u _memcached" +daemon_flags="-u _memcached -l 127.0.0.1" . /etc/rc.d/rc.subr
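Review bot: the README hunk drops the only concrete firewall example while the new text still says "assuming you have already firewalled appropriately", so a reader who switches back to listening on all addresses is left without guidance on what to filter. The removed rule (`block on $ext_if proto tcp to ($ext_if) port 11211`) also covered TCP only; if an example is kept, it should cover UDP as well, since the loopback default being introduced here restricts both and the amplification problem that motivates the change is the reason the exposure matters. A short pf example next to the `rcctl set memcached flags '-u _memcached'` line would close that gap.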
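Review bot: in the memcached.rc hunk, `-l 127.0.0.1` binds the IPv4 loopback only, so a local client that resolves `localhost` to `::1` first will not reach the daemon. If this memcached version accepts a comma-separated list for `-l`, `daemon_flags="-u _memcached -l 127.0.0.1,::1"` would keep the loopback-only intent while covering both address families; otherwise the README should state that the default is IPv4 loopback only.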