
I've come across unprotected Memcached deployments in a couple of pen-tests. On one engagement in particular someone poking Memcached would be able to (temporarily) increase their account balance and even access CC numbers from recent transactions. :(

As far as I see it, this is one of the unintentional side effects of "hosting in the cloud". If you had co-located servers you'd whack up a firewall and only allow your internal IPs to access non-HTTP ports. Alas, everyone now just spins up an S3 image and palms it off to Amazon.




With EC2, you have to opt-in any ports open to the public.

-----


There you go, I stand corrected.

Are you able to make requests between instances on non-public ports? As someone else pointed out, Memcached infrastructure typically won't sit on your local webserver.

-----


Yes, it's pretty easy to set this up with security groups; you can restrict ports to only open to machines within another security group.

So let's say you've got memcached, mysql and a bunch of webservers.

On the memcached security group you open 11211 to the webservers group.

On the db security group you open 3306 to the webservers group.

On the webserver group you open 80 and 443 to everyone.

-----
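The three-group layout described in the comment above (memcached and db groups reachable only from the webservers group, webservers open on 80/443) is the kind of thing you want to verify rather than assume. The following is an added example, not code from the thread: it takes output in the shape of `aws ec2 describe-security-groups` (the JSON here is constructed, with made-up group ids), reports any internal port such as 11211 or 3306 that a rule exposes to a non-RFC1918 CIDR, and shows which sources a given port actually accepts. The group names and ids are assumptions for the example.

```python
import ipaddress
import json

# Constructed sample in the shape of `aws ec2 describe-security-groups` output.
# Group ids and names are made up for this example. The "db" group is
# deliberately misconfigured so the audit has something to find.
SAMPLE_DESCRIBE_OUTPUT = json.dumps({
    "SecurityGroups": [
        {
            "GroupId": "sg-web0001",
            "GroupName": "webservers",
            "IpPermissions": [
                {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
                 "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []},
                {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
                 "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []},
            ],
        },
        {
            "GroupId": "sg-mc0001",
            "GroupName": "memcached",
            "IpPermissions": [
                # Correct: 11211 is opened to the webservers group, not to a CIDR.
                {"IpProtocol": "tcp", "FromPort": 11211, "ToPort": 11211,
                 "IpRanges": [], "UserIdGroupPairs": [{"GroupId": "sg-web0001"}]},
            ],
        },
        {
            "GroupId": "sg-db0001",
            "GroupName": "db",
            "IpPermissions": [
                # Misconfigured: 3306 is opened to the whole internet.
                {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
                 "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []},
            ],
        },
    ]
})

# Ports that should only ever be reachable from other security groups.
INTERNAL_PORTS = {11211: "memcached", 3306: "mysql"}

RFC1918 = [ipaddress.ip_network(c)
           for c in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_public_cidr(cidr):
    """True unless the CIDR lies entirely inside an RFC1918 range."""
    net = ipaddress.ip_network(cidr, strict=False)
    if net.version != 4:
        return True  # treat any IPv6 range as public for this check
    return not any(net.subnet_of(priv) for priv in RFC1918)


def rule_covers_port(perm, port):
    """Does this IpPermission entry admit TCP traffic to `port`?"""
    if perm["IpProtocol"] == "-1":      # all protocols, all ports
        return True
    if perm["IpProtocol"] != "tcp":
        return False
    return perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535)


def find_exposed_internal_ports(describe_output_json):
    """Return (group_name, port, service, cidr) for every internal port
    that some rule opens to a public CIDR block."""
    findings = []
    data = json.loads(describe_output_json)
    for sg in data["SecurityGroups"]:
        for perm in sg["IpPermissions"]:
            for port, service in INTERNAL_PORTS.items():
                if not rule_covers_port(perm, port):
                    continue
                for r in perm.get("IpRanges", []):
                    if is_public_cidr(r["CidrIp"]):
                        findings.append((sg["GroupName"], port, service, r["CidrIp"]))
    return findings


def allowed_sources(describe_output_json, group_name, port):
    """Set of sources (CIDRs and referenced group ids) that may reach `port`
    on instances in `group_name`."""
    sources = set()
    data = json.loads(describe_output_json)
    for sg in data["SecurityGroups"]:
        if sg["GroupName"] != group_name:
            continue
        for perm in sg["IpPermissions"]:
            if not rule_covers_port(perm, port):
                continue
            sources.update(r["CidrIp"] for r in perm.get("IpRanges", []))
            sources.update(p["GroupId"] for p in perm.get("UserIdGroupPairs", []))
    return sources


if __name__ == "__main__":
    for group, port, service, cidr in find_exposed_internal_ports(SAMPLE_DESCRIBE_OUTPUT):
        print(f"EXPOSED: {service} port {port} in group '{group}' open to {cidr}")
    print("memcached 11211 accepts:", allowed_sources(SAMPLE_DESCRIBE_OUTPUT, "memcached", 11211))
```

Against real output you would feed the JSON from `aws ec2 describe-security-groups` into the same functions; a clean three-group setup yields no findings, and the memcached port's only accepted source is the webservers group id rather than a CIDR.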



