How To Install and Secure Memcached 1.6 on Ubuntu 23.04 / Debian

By | October 12, 2023

Memcached is a buzzword whenever it comes to the cache mechanism for modern-day web applications. It is a memory object caching system specifically designed to enhance the speed of web applications by reducing load on the database server.

In simpler terms, it takes the memory from that part of the system which is not in use or unnecessary and assigns it to the part which requires memory. By doing so, the web server may not majorly deal with the cache. It optimizes backend database performance by reducing the number of requests coming in directly to the database.

In this article, we'll see how to securely install and configure memcached on an Ubuntu server, and we'll go through proper authentication to secure Memcached using Simple Authentication and Security Layer (SASL). In practice, we usually bind Memcached to a private network to ensure the access is limited to trusted authenticated users only.

Step 1: Installing Memcached

If you do not have Memcached installed on your Ubuntu server, you can simply install it from the official Ubuntu repositories.

Firstly, make sure that your local package is updated using the following command:

$ sudo apt update

Next, proceed towards package installation, for which you need to execute the following command:

$ sudo apt install memcached

In addition to memcached, you can also install libmemcached-tools. The package contains several tools to examine, test and manage the Memcached server. To install libmemcached-tool, you need to execute the following command:

$ sudo apt install libmemcached-tools

Memcached and its tools to check connectivity are now successfully installed as a service on the server.

To check if the service is up and running, you execute the following command:

$ sudo systemctl status memcached

By default, it should be running once it's installed. In case the service is inactive, you can always start the service by executing the following command:

$ sudo systemctl start memcached

Now, let's check the Memcached version by running the following command:

$ memcached –version 
memcached 1.6.14

Alternate method

You can simply download the zipped package from the official website using the wget command.

$ wget -c

Now, unzip the zipped file to access the contents using the following command:

$ tar -zxvf memcached-1.6.15.tar.gz

Again, list down the contents inside and navigate to the memcached-1.6.15 directory.

$ ls && cd  memcached-1.6.15/

Now install the libevent-dev package because it is the dependency of memcached.

$ sudo apt install libevent-dev -y

Finally, configure and compile all the files using the make command and then install all the compiled files.

$ ./configure && make && make test && sudo make install

You can again do a version check by executing the following command:

$ memcached –version 
memcached 1.6.15

Now, you can proceed towards network configurations.

Step 2 - Memcached Network Configurations

In this section, we'll be talking about some additional network configurations which may or may not be performed depending on the use case. If there's a requirement for Memcached to use UDP sockets, Unix Domain Sockets, or add support for IPv6 connections, then we'll go through the steps mentioned below.

Initially, make sure that the Memcached server is listening on the local IPc4 loopback interface The current version of Memcached that comes with Ubuntu and Debian has its -l configuration parameter set to the local interface, meaning it can only accept connections from the server where Memcached is active or running.

We use 'ss' command to verify that Memcached is currently bound to the local IPv4 interface and listens to TCP connections strictly.

$ sudo ss -plunt

The various flags will alter ss output in the following ways:

  • -p adds the name of the process that is using a socket
  • -l limits the output to listening sockets only, as opposed to including connected sockets also to other systems
  • -u includes UDP based sockets in the output
  • -n displays numeric values in the output instead of human-readable names and values
  • -t includes TCP based sockets in the output

The output should be similar to the following:

Netid      State       Recv-Q      Send-Q           Local Address:Port             Peer Address:Port      Process                                         
. . .
tcp        LISTEN      0           1024              *          users:(("memcached",pid=8889,fd=26))
. . .

The output confirms that Memcached is bound to the IPv4 loopback address using the TCP protocol only.

Now that you've set it up for all IPv4 connections, you can edit the /etc/memcached.conf file to add support for UDP, Unix Domain Sockets or IPv6 connections.

IPv6 configuration

You can enable IPv6 connections simply by editing the /etc/memcached.conf file. First, you have to open the file with a preferred editor.

$ sudo nano /etc/memcached.conf

Now, find the line that looks like

. . .

Now, add another line just below it with the IPv6 loopback address (::1)

-l ::1

Finally, save the file, close the editor and restart memcached service using the systemctl command.

$ sudo systemctl restart memcached

Verify that memcached is also listening to the IPv6 connections by executing the 'ss' command as mentioned above.

UDP configuration

As mentioned earlier, Memcached can also be used with UDP sockets. To enable UDP support, you need to perform the exact same steps you did for setting up IPv6 configuration.

Open the file /etc/memcached.conf with a preferred editor, go to the bottom and add the following line:

. . .
-U 11211

Again, you'll have to save the file, close the editor and restart the service.

$ sudo systemctl restart memchaced

To verify if the connections are properly set for UDP, you execute the previously mentioned 'ss' command.

$ sudo ss -plunt

It will list down all the connections set for the memcached service.

Unix Domain Sockets configuration

To enable support for Unix Domain Sockets, you'll have to make changes in the /etc/memcached.conf file. Before proceeding, ensure that the TCP and the UDP connections are disabled so that the application cannot be connected via these protocols.

Then, edit the /etc/memcached.conf file by opening it with a preferred editor.

Right at the bottom of the file, add the following lines:

. . .
-s /var/run/memcached/memcached.sock
-a 660

Now, restart the memcached service by executing the following command:

$ sudo systemctl restart memcached

Finally, verify if Memcached is listening for Unix Domain Sockets by implementing the 'ss' command.

$ sudo ss -lnx | grep memcached

Sample Output

u_str LISTEN 0      1024             /var/run/memcached/memcached.sock 20234658

Step 3 - Add Authorized Users

You can use Simple Authentication and Security Layer (SASL), a framework that decouples authentication procedures from application protocols to authenticate valid users to the Memcached service.

First, add SASL to the Memcached server and then add a user with authentication credentials. Then, enable SASL on Memcached's configuration file and verify if everything is put in place.

Start by installing the sas12-bin package, which has all the administrative programs for the SASL user database. It allows us to create an authenticated user or a group of users.

$ sudo apt install sasl2-bin

Now, create the directory and file that Memcached will check for its SASL configuration settings by executing the following command:

$ sudo mkdir -p /etc/sasl2

You can create the SASL configuration file using nano or any preferred editor.

$ sudo nano /etc/sasl2/memcached.conf

Next, add the following lines:

log_level: 5
mech_list: plain
sasldb_path: /etc/sasl2/memcached-sasldb2

In addition to specifying the logging level, mech_list is set to plain, which tells Memcached that it should use its own password file and verify a plaintext password. The last line that reads sasldb_path specifies the path to the user database file that you will create next.

To create a SASL database with user credentials, you'll use the saslpasswd2 command with the '-c' flag to create a new user entry in the SASL database. Call your user 'test'. The '-f' flag specifies the path to the database, which will be the path that is set in /etc/sasl2/memcached.conf.

$ sudo saslpasswd2 -a memcached -c -f /etc/sasl2/memcached-sasldb2 test

Finally, give the memcache user and group ownership over the SASL database with the following command to have sufficient privileges:

$ sudo chown memcache:memcache /etc/sasl2/memcached-sasldb2

SASL Support configuration

First, check the connectivity of the Memcached server with the memcstat command. It will help you figure out that Memcached is up and running and correctly configured before SASL and user authentications are enabled.

Execute the following command:

$ memcstat --servers=""

If the connection is successful, you should see similar output:

Server: (11211)
     pid: 2299875
     uptime: 2020
     time: 1632404590
     version: 1.5.22
     . . .

Now, you can move on to enabling SASL. To do so, you'll have to add the '-S' parameter to /etc/memcached.conf. Open the file with a preferred editor.

$ sudo nano /etc/memcached.conf

Right at the bottom of the file, add the following line:

. . .

Again, on the same file, find and uncomment the '-vv' option, which will provide verbose output to /var/log/memcached.

. . .

Finally, save the file and close it. Again, restart the memcached service using the systemctl command:

$ sudo systemctl restart memcached

You can check the journalctl logs for Memcached to be sure that SASL support is enabled. To do that, execute the following command:

$ sudo journalctl -u memcached |grep SASL

Upon executing the above command, you should get an output similar to the following:

Sep 11 17:00:55 memcached systemd-memcached-wrapper[2303930]: Initialized SASL.

Now, check the connectivity to Memcached again.

With SASL support in place and initialized, the following memcstat command should fail without valid authentication credentials.

$ memcstat --servers=""

Notice that it will not produce any output as the user credentials are not provided.

Try again by running the following command:

$ memcstat --servers="" --username=test --password=your_password

Now, it yields an output that looks like the following:

Sample output

Server: (11211)
     pid: 3831
     uptime: 9
     time: 1520028517
     version: 1.4.25
     . . .

Hence, you have verified that the Memcached service is now configured and running with SASL support and user authentication.

Step 4 - Private Network Access

Originally, Memcached listens on the local loopback ( interface only, which safeguards the Memcached interface from external parties. However, there are few scenarios where you might need to grant access from particular servers.

In this case, you can configure Memcached's network settings to bind it to a private network.

Firewall Setup

It is a good practice to set up firewall rules to limit the computers that can connect to the Memcached server. You must have a private IP assigned to the system beforehand. Once that is done, you will have to add an explicit firewall rule to allow the machine to access the Memcached server.

If you're using UFW firewall, you can execute the following command:

$ sudo ufw allow from <client_system_private_IP>/32 to any port 11211

Note: If more than one system needs access to the Memcached server, you must add all of them individually to the ufw rules.

Binding Memcached to the Private Network Interface

Firstly, find the private network interface for the Memcached server using the following command:

$ ip -brief address show

Sample output

lo               UNKNOWN ::1/128
eth0             UP    2001:DB8::1/64 fe80::7ced:9ff:fe52:4695/64
eth1             UP    fe80::2cec:92ff:fe21:8bc4/64

The IPv4 addresses on the eth0 line are the public IP addresses of the server.

On the eth1 line, is the private IPv4 address and fe80::2cec:92ff:fe21:8bc4 is the private IPv6 address.

Once you figure out the system's private IP address, open and edit the /etc/memcached.conf file using a preferred editor. Run the below command to do so.

$ sudo nano /etc/memcached.conf

Now, find the line that looks as follows:

. . .
. . .

Change 127.0..0.1 to the Memcached server's IP address.

. . .
-l memcached_servers_private_IP
. . .

Save and close the config file and restart the memcached service as you've done in the previous examples.

$ sudo systemctl restart memcached

To verify if everything is set correctly, execute the below command:

$ sudo ss -plunt

Sample output

Netid      State       Recv-Q      Send-Q           Local Address:Port             Peer Address:Port      Process
. . .
tcp       LISTEN      0           1024             *          users:(("memcached",pid=8991,fd=27))
. . .

You'll notice that the private IP of the client system now pops up in the 'Local address: Port' section of the output. You can test it from the client's system as well to see if the connection has been set properly.


Memcached is an open source application that majorly operates on php-based dynamic web applications by reducing the load or the traffic coming in directly to the database server for which there's almost zero latency between clicking and retrieving any data.

In this article, we've explored two ways of securely installing Memcached on Ubuntu - by installing the default Ubuntu repository and by downloading the package directly from the website.

Additionally, here, we have explored how to configure Memcached with IPv4, IPv6, TCP, UDP and Unix Domain Sockets. We have also learnt to secure the Memcached server by enabling SASL authentication.

Finally, for security purpose, we've figured out how to bind the Memcached to a private network and configure firewall rules to limit access to Memcached.

About Silver Moon

A Tech Enthusiast, Blogger, Linux Fan and a Software Developer. Writes about Computer hardware, Linux and Open Source software and coding in Python, Php and Javascript. He can be reached at [email protected].

Leave a Reply

Your email address will not be published. Required fields are marked *