A number of prominent guides for configuring this module suggest replacing the /etc/init.d/memcached script with the following, which was probably a modification of the CentOS memcached package's init script:
```sh
#! /bin/sh
### BEGIN INIT INFO
# Provides:          memcached
# Required-Start:    $syslog
# Required-Stop:     $syslog
# Should-Start:      $local_fs
# Should-Stop:       $local_fs
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
# Short-Description: memcached - Memory caching daemon
# Description:       memcached - Memory caching daemon
### END INIT INFO

USER=nobody
MAXCONN=1024
# No "-l <address>" in OPTIONS, so every instance below listens on all interfaces.
OPTIONS=""
DAEMON=/usr/bin/memcached
RETVAL=0
prog="memcached"

start_instance() {
    echo -n $"Starting $prog ($1): "
    start-stop-daemon --start --quiet --pidfile /var/run/memcached/memcached.$1.pid --exec $DAEMON -- -d -p $2 -u $USER -m $3 -c $MAXCONN -P /var/run/memcached/memcached.$1.pid $OPTIONS
    RETVAL=$?
    echo
    [ $RETVAL -eq 0 ] && touch /var/lock/memcached.$1
}

stop_instance() {
    echo -n $"Stopping $prog ($1): "
    start-stop-daemon --stop --quiet --oknodo --pidfile /var/run/memcached/memcached.$1.pid --exec $DAEMON
    RETVAL=$?
    echo
    if [ $RETVAL -eq 0 ] ; then
        rm -f /var/lock/memcached.$1
        rm -f /var/run/memcached/memcached.$1.pid
    fi
}

start () {
    # ensure that /var/run/memcached has proper permissions
    mkdir -p /var/run/memcached
    if [ "`stat -c %U /var/run/memcached`" != "$USER" ]; then
        chown $USER /var/run/memcached
    fi
    # start_instance <name> <port> <memory in MB>
    start_instance default 11211 32
    start_instance filter 11212 16
    start_instance content 11213 32
    start_instance views 11214 8
    start_instance menu 11215 64
}

stop () {
    stop_instance default
    stop_instance filter
    stop_instance content
    stop_instance views
    stop_instance menu
}

restart () {
    stop
    start
}

# See how we were called.
case "$1" in
    start)
        start
        ;;
    stop)
        stop
        ;;
    status)
        # "status" is a helper from the Red Hat/CentOS /etc/init.d/functions
        # library and is not defined on Debian/Ubuntu.
        status memcached
        ;;
    restart|reload|force-reload)
        restart
        ;;
    *)
        echo $"Usage: $0 {start|stop|status|restart|reload|force-reload}"
        exit 1
esac
exit $?
```
For examples of where this init script is being advocated, see:
* https://drupal.org/node/1181968#linux-memcached-daemon-php-pecl-drupal-m...
* https://gist.github.com/sirkitree/492804
* http://community.aegirproject.org/node/388
* https://github.com/Lullabot/lullabot-drupal-performance-scalabilty-files...
* https://groups.drupal.org/node/306033
* https://pressflow.atlassian.net/wiki/display/PF/Replacement+init+script+...
This script exposes a major security hole -- it makes your memcache daemon world accessible.
Keep in mind that the default Debian init script is secure by default. See the Debian package source code.
There's a very high probability that this init script causes memcache to be world accessible, which is bad!!!
(I believe this is just a hacked version of the CentOS memcache package init script.)
To test it on your own server, just do this:
```sh
echo "stats" | nc yourserver.com 11211
```
If this command works from outside your server, you're at high risk of being hacked!!
Related discussions:
* http://www.slideshare.net/sensepost/cache-on-delivery
* http://blog.codesherpas.com/on_the_path/2010/08/securing-memcache-in-2-m...
My fix (on Ubuntu 12.04 with the patched init.d/memcached script as per above):
```sh
# from an outside machine, confirm vulnerability:
echo "stats" | nc yourdomain.com 11211 # MISC DATA... BAD!
ssh yourdomain.com
vim /etc/init.d/memcached # Replace `OPTIONS=""` with `OPTIONS="-l 127.0.0.1"`
sudo service memcached restart
# confirm memcache is still accessible from localhost
echo "stats" | nc localhost 11211 # MISC DATA... expected, local access still works
exit # go back to outside machine
# confirm that the lockdown is in place
echo "stats" | nc yourdomain.com 11211 # NOTHING
```
Finally, confirm that Drupal/memcache is still working by visiting http://yourdomain.com/admin/reports/memcache
There's already a brief mention of this in the Memcache installation handbook page, but it's worded quite badly. At the least it could link to this issue.
Also, in case you're using the memcached chef cookbook, be aware that by default it installs memcached to be world accessible.
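As an added check (example code written for this issue, not from the memcache module or any of the linked guides): the script below parses an init script of the shape quoted above, reports which `start_instance` ports will bind every interface because OPTIONS carries no `-l` (or a non-loopback `-l`), and wraps the same `stats` probe as the nc one-liner so the result can be confirmed against localhost. SAMPLE_SCRIPT is a constructed excerpt.

```python
import re
import socket

# Constructed excerpt mirroring the init script quoted above (not a real file).
SAMPLE_SCRIPT = '''
OPTIONS=""
start_instance default 11211 32
start_instance filter 11212 16
start_instance content 11213 32
'''

def _is_loopback(addr):
    return addr in ("localhost", "::1") or addr.startswith("127.")

def instances_from_init_script(text):
    """Return [(name, port, bind_addrs)] for each start_instance call.

    bind_addrs is the list of addresses handed to -l in OPTIONS; an empty
    list means there is no -l at all, so memcached binds every interface."""
    m = re.search(r'^OPTIONS="([^"]*)"', text, re.M)
    opts = m.group(1).split() if m else []
    bind = []
    for i, tok in enumerate(opts):
        if tok == "-l" and i + 1 < len(opts):
            bind = opts[i + 1].split(",")
        elif tok.startswith("-l") and len(tok) > 2:   # the -l127.0.0.1 form
            bind = tok[2:].split(",")
    calls = re.findall(r'^\s*start_instance\s+(\S+)\s+(\d+)', text, re.M)
    return [(name, int(port), bind) for name, port in calls]

def exposed_instances(text):
    """Instances reachable beyond loopback given the script's OPTIONS line."""
    return [(n, p) for n, p, b in instances_from_init_script(text)
            if not b or not all(_is_loopback(a) for a in b)]

def memcached_answers_stats(host, port, timeout=2.0):
    """Same probe as the nc one-liner: True if a memcached answers 'stats'."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(b"stats\r\n")
            return s.recv(64).startswith(b"STAT")
    except OSError:
        return False

if __name__ == "__main__":
    for name, port in exposed_instances(SAMPLE_SCRIPT):
        print(f"{name} on port {port}: binds all interfaces; add -l 127.0.0.1 to OPTIONS")
```

Run it against a copy of /etc/init.d/memcached (read the file into `exposed_instances`) before and after editing OPTIONS; `memcached_answers_stats("127.0.0.1", 11211)` should stay True after the fix while the same call against the public address from another host goes False.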
| Comment | File | Size | Author |
|---|---|---|---|
| #2 | memcache-readme-security-warning-2038405-2-7x.patch | 683 bytes | dergachev |
Comments

Comment #0.0
dergachev commented: Added extra links.

Comment #0.1
dergachev commented: Added reference to chef cookbook also being exposed by default.

Comment #1
markpavlitski commented: Sounds like good advice, are you able to provide a patch for README.txt?

Comment #2
dergachev commented: OK, here's a simple patch for the 7.x branch.

Comment #3
markpavlitski commented: @evolvingweb thanks for the patch. Can I suggest clarifying that this is a Memcached service issue, rather than a memcache module issue.

Comment #3.0
markpavlitski commented: Fixed link URL.

Comment #4
func0der commented: This thing is 11 months and older.
This is a security issue.
Why is this not already merged in the release that was made about a month ago, or the one from yesterday, or at least the dev version?

Comment #6
jeremy commented: Securing the memcached service is mostly out of the scope of our documentation. However, I added a comment about following best practices for securing the service:
http://cgit.drupalcode.org/memcache/commit/?id=1908b19

Comment #7
jeremy commented:

Comment #9
func0der commented: Really appreciated.