[CVE-2018-1000115] memcached: restrict to TCP & localhost
https://access.redhat.com/security/cve/cve-2018-1000115
Restrict Memcached to only work on TCP and localhost.
The restriction is made at the application and firewall levels.
It will prevent DDoS amplification attacks using memcached.
Change-Id: I8072cc842291d133fde9fdfe9e8ad432623a8ef2
Related-Bug: #1754607
(cherry picked from commit 74fc85c507)
parent e46cd2a171
commit 8fff6e6942
|
@ -36,6 +36,8 @@ ssh::server::storeconfigs_enabled: false
|
||||||
memcached::max_memory: '50%'
|
memcached::max_memory: '50%'
|
||||||
memcached::verbosity: 'v'
|
memcached::verbosity: 'v'
|
||||||
memcached::disable_cachedump: true
|
memcached::disable_cachedump: true
|
||||||
|
memcached::listen_ip: '127.0.0.1'
|
||||||
|
memcached::udp_port: 0
|
||||||
|
|
||||||
# Apache
|
# Apache
|
||||||
apache::server_signature: 'Off'
|
apache::server_signature: 'Off'
|
||||||
|
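Review bot: The added `memcached::listen_ip: '127.0.0.1'` is a hard-coded IPv4 loopback literal, so it covers neither an IPv6-only host nor any service that currently reaches memcached on a non-loopback address. Please confirm that every consumer on the node connects through 127.0.0.1 before this lands, or document how a deployment overrides the value. The two added keys also deserve a short comment above them saying that `memcached::udp_port: 0` turns the UDP listener off and that both settings exist for CVE-2018-1000115, so a later cleanup does not revert them.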
@ -967,6 +969,8 @@ tripleo::firewall::firewall_rules:
|
||||||
dport: 3260
|
dport: 3260
|
||||||
'121 memcached':
|
'121 memcached':
|
||||||
dport: 11211
|
dport: 11211
|
||||||
|
proto: tcp
|
||||||
|
source: '127.0.0.1'
|
||||||
'122 swift proxy':
|
'122 swift proxy':
|
||||||
dport:
|
dport:
|
||||||
- 8080
|
- 8080
|
||||||
|
|
|
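Review bot: In the '121 memcached' rule, the added `source: '127.0.0.1'` only narrows the IPv4 rule, and it repeats what `memcached::listen_ip` already enforces in the first hunk. If loopback traffic is already accepted by a general rule, this entry no longer opens anything and could be dropped rather than narrowed. If it stays, add a comment saying why a loopback-only rule is kept, and check whether an IPv6 counterpart is needed. Stating `proto: tcp` explicitly is a good match for the TCP-only intent in the commit message.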
@ -0,0 +1,4 @@
|
||||||
|
---
|
||||||
|
security:
|
||||||
|
- |
|
||||||
|
Restrict memcached service to TCP and localhost network (CVE-2018-1000115).
|
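Review bot: The release note states the restriction but not its operator impact: anyone upgrading with clients that reach memcached over UDP or on a non-loopback address will lose that access. Add that consequence, either in this `security` entry or in an `upgrade` section, and name the two settings involved (`memcached::listen_ip` and `memcached::udp_port`) so operators know what to override.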