Dump IT or Forget IT

Online IT Note Dump

An Evening With Kinsing Malware

Posted on by Jasim Alam

It’s all started with Redis. So let’s discuss about redis security first.

Redis is a very popular in-memory data structure has wide variety of use case including caching, database & message broker. Redis designed to be run on secure environment and doesn’t encrypt data for sake of performance. Thus become lucrative prey for intruders.

Bombarded with complains, from version 3.2 redis out of the box run in ‘protected mode’ means only listen to loopback interface (127.0.0.1 & ::1) and doesn’t listen on tcp socket (port 0). Thus only resident services of the host have access to redis.

However one of the key application of redis is in distributed systems where redis need to be accessible over network. That was the case for me. Was migring standalone service to highly available load balanced architecture where redis was part of the package. Modified the redis configuration to listen on tcp socket & public IP, skipped the host firewall for later. Perfect recipe !

Next day at QT noticed frontend application constantly complaining about redis. Went to investigate the redis log found some anomalies. someone from Eastern Europe established master slave replication. Loaded data on memory but failed to write on disk.

* Before turning into a slave, using my master parameters to synthesize a cached master: I may be able to synchronize with the new master with just a partial transfer.
* SLAVE OF "C&C IP":8890 enabled (user request from 'id=Numeric-ID addr="C&C IP":35800 fd=9 name= age=1 idle=0 flags=N db=0 sub=0 psub=0 multi=-1 qbuf=0 qbuf-free=32780 obl=0 oll=0 omem=0 events=r cmd=slaveof')
* Connecting to MASTER "C&C IP":8890
* MASTER <-> SLAVE sync started
* Non blocking connect for SYNC fired the event.
* Master replied to PING, replication can continue…
* Trying a partial resynchronization (request HASH ID:1).
* Full resync from master: ZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZ:1
* Discarding previously cached master state.
* MASTER <-> SLAVE sync: receiving 55664 bytes from master
* MASTER <-> SLAVE sync: Flushing old data
* MASTER <-> SLAVE sync: Loading DB in memory
# Wrong signature trying to load DB from file
# Failed trying to load the MASTER synchronization DB from disk

And at second attempt was successful to write at disk

* Connecting to MASTER "C&C IP":8890
* MASTER <-> SLAVE sync started
* Module 'system' loaded from ./red2.so
* Non blocking connect for SYNC fired the event.
# Setting secondary replication ID to HASH-ID, valid up to offset: 1. New replication ID is HASH-ID
* MASTER MODE enabled (user request from 'id=Numeric-ID addr="C&C IP":35800 fd=9 name= age=9 idle=0 flags=N db=0 sub=0 psub=0 multi=-1 qbuf=0 qbuf-free=32780 obl=0 oll=0 omem=0 events=r cmd=slaveof')
* Module system unloaded
* 1 changes in 900 seconds. Saving…
* Background saving started by pid 31570
* DB saved on disk

Second anomaly was redis wants to access cron directory in the name of backup

# Failed opening the RDB file root (in server root dir /var/spool/cron) for saving: Read-only file system
# Failed opening the RDB file root (in server root dir /etc/cron.d) for saving: Read-only file system
# Failed opening the RDB file redis (in server root dir /var/spool/cron) for saving: Read-only file system
# Failed opening the RDB file redis (in server root dir /etc/cron.d) for saving: Read-only file system
# Failed opening the RDB file tomcat (in server root dir /var/spool/cron) for saving: Read-only file system
# Failed opening the RDB file tomcat (in server root dir /etc/cron.d) for saving: Read-only file system
# Failed opening the RDB file www-data (in server root dir /var/spool/cron) for saving: Read-only file system
# Failed opening the RDB file www-data (in server root dir /etc/cron.d) for saving: Read-only file system
# Failed opening the RDB file apache (in server root dir /var/spool/cron) for saving: Read-only file system
# Failed opening the RDB file apache (in server root dir /etc/cron.d) for saving: Read-only file system

This cycle continued with dictionary usernames. Having enough status report moved to enable firewall and blocked internet access to redis along with other services

sudo ufw allow from 172.16.0.0/28 to any port 6379/tcp

That’s blocking all incoming request to redis from Internet. Now coming to permission errors. First tried to flush redis db 

127.0.0.1:6379[1]> FLUSHALL
(error) MISCONF Redis is configured to save RDB snapshots, but it is currently not able to persist on disk. Commands that may modify the data set are disabled, because this instance is configured to report errors during writes if RDB snapshotting fails (stop-writes-on-bgsave-error option). Please check the Redis logs for details about the RDB error.
# Failed opening the RDB file nginx (in server root dir /var/spool/cron) for saving: Read-only file system
# Background saving error
* 1 changes in 900 seconds. Saving…
* Background saving started by pid 17564

Stopped with same error. Apparently redis db location was changed to /var/spool/cron in memory. 

root@bc:~# echo "CONFIG GET *" | redis-cli | grep -e "dir" -e "dbfilename" -A1
dbfilename
nginx
--
dir
/var/spool/cron

created a new directory /etc/redis/redis-db and gave ownership to redis. After that proceed on changing on directory configuration. 

127.0.0.1:6379[1]> CONFIG SET dir /etc/redis/redis-db
OK
127.0.0.1:6379[1]> BGSAVE
Background saving started

Had to kill the redis process and restart the service then both frontend & backend started behaving normally. Real life saver turned out to be the fact that redis was running by non privileged user without shell access. That’s why those permission log generated.

root@bc:~# ps -aux | grep redis
root 2482 0.0 0.0 13136 1028 pts/3 S+ 22:08 0:00 grep --color=auto redis
redis 31248 0.1 0.0 50152 3536 ? Ssl 12:18 0:54 /usr/bin/redis-server 127.0.0.1:6379
root@bc:~# cat /etc/passwd | grep redis
redis:x:113:116::/var/lib/redis:/usr/sbin/nologin
Pages: 1 2

DNS Root Zone KSK2017 Rollover | CentOS 7 | Bind

Posted on by Jasim Alam

 

Just like changing password, ICANN has decided to rollover DNS root zone KSK2010 to KSK2017.  Root zone Key Signing Key (KSK) is the top cryptographic key on DNSSEC mechanism.

 

Affected  Systems

You need to bother about it if

✔ You are running recursive/caching only DNS sever

✔ Your DNS server is doing DNSSEC validation

How to be sure your DNS server is validating DNSSEC ? Run below command  from your DNS server cmd

#dig @localhost dnssec-failed.org a +dnssec | grep HEADER
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 28119

If status = SERVFAIL ; DNSSEC is enabled

If status = NOERROR ; DNSSEC is disabled

Okay. I need to bother. What’s now ?

 

Solution Steps

The easiest way to make your server prepare for KSK-2017 is by making the server compatible with “Automated Updates of DNS Security (DNSSEC) Trust Anchors” (RFC 5011) and let automated update rollout. Following  steps are the  Redhat family specific

1. Make sure that you are having latest bind packages installed or at least 9.9

# yum install bind
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
* base: mirror.dhakacom.com
* epel: ftp.cuhk.edu.hk
* extras: mirror.dhakacom.com
* updates: mirror.dhakacom.com
Package 32:bind-9.9.4-61.el7.x86_64 already installed and latest version
Nothing to do

2.   On option  /etc/named.conf  dnssec-validation auto;  is configured. You need to restart named service if you are making any change.

That’s it !

 

Validation

Your managed key have KSK2017 ( Key tag 20326).

# cat /etc/named.root.key 
managed-keys {
        # ROOT KEYS: See https://data.iana.org/root-anchors/root-anchors.xml
        # for current trust anchor information.
        #
        # This key (19036) is to be phased out starting in 2017. It will
        # remain in the root zone for some time after its successor key
        # has been added. It will remain this file until it is removed from
        # the root zone.
        . initial-key 257 3 8 "AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoX bfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaD X6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpz W5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relS Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq QxA+Uk1ihz0=";

        # This key (20326) is to be published in the root zone in 2017.
        # Servers which were already using the old key should roll to the
        # new # one seamlessly.  Servers being set up for the first time
        # can use either of the keys in this file to verify the root keys
        # for the first time; thereafter the keys in the zone will be
        # trusted and maintained automatically.
        . initial-key 257 3 8 "AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3 +/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kv ArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF 0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+e oZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfd RUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwN R1AkUTV74bU=";
};
#  cat /var/named/dynamic/managed-keys.bind
$ORIGIN .
$TTL 0  ; 0 seconds
@                       IN SOA  . . (
                                244        ; serial
                                0          ; refresh (0 seconds)
                                0          ; retry (0 seconds)
                                0          ; expire (0 seconds)
                                0          ; minimum (0 seconds)
                                )
                        KEYDATA 20180824154419 20180118081629 19700101000000 257 3 8 (
                                AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQ
                                bSEW0O8gcCjFFVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh
                                /RStIoO8g0NfnfL2MTJRkxoXbfDaUeVPQuYEhg37NZWA
                                JQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaDX6RS6CXp
                                oY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3
                                LQpzW5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGO
                                Yl7OyQdXfZ57relSQageu+ipAdTTJ25AsRTAoub8ONGc
                                LmqrAmRLKBP1dfwhYB4N7knNnulqQxA+Uk1ihz0=
                                ) ; KSK; alg = RSASHA256; key id = 19036
                        KEYDATA 20180824154419 20180118081629 19700101000000 257 3 8 (
                                AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTO
                                iW1vkIbzxeF3+/4RgWOq7HrxRixHlFlExOLAJr5emLvN
                                7SWXgnLh4+B5xQlNVz8Og8kvArMtNROxVQuCaSnIDdD5
                                LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF0jLHwVN8
                                efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7
                                pr+eoZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLY
                                A4/ilBmSVIzuDWfdRUfhHdY6+cn8HFRm+2hM8AnXGXws
                                9555KrUB5qihylGa8subX2Nn6UwNR1AkUTV74bU=
                                ) ; KSK; alg = RSASHA256; key id = 20326

 

Reference:

  • https://www.youtube.com/watch?v=d7H1AkC9PIw
  • https://kb.isc.org/article/AA-01529/169/KSK-2010-Rollover.html
  • https://www.icann.org/dns-resolvers-updating-latest-trust-anchor
  • https://www.rfc-editor.org/rfc/rfc8145.txt

IPv6 Reverse DNS Delegation Zone (BIND)

Posted on by Jasim Alam

/etc/named.conf options

options {
listen-on port 53 { 127.0.0.1; };
listen-on-v6 port 53 { ::1; 2000:5a40:0:1::136; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
allow-query { localhost; 2000:5a40::/32; };
allow-query-cache { localhost; 2000:5a40::/32; };
recursion yes;

Zone file announcment

zone "0.4.a.5.0.0.0.2.ip6.arpa" IN {
type master;
file "reverse-2000:5A40";
allow-update { none; };
allow-query { any; };
};

Zone file

$TTL 1h ; Default TTL
@ IN SOA ns1.jalam.me. jasim.alam.jalam.me. (
2018062401 ; serial
1h ; slave refresh interval
15m ; slave retry interval
1w ; slave copy expire time
1h ; NXDOMAIN cache time
)
; domain name servers
@ IN NS ns1.jalam.me.

; IPv6 PTR entries
1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.4.a.5.0.0.0.2.ip6.arpa. IN PTR host1.jalam.me.
2.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.4.a.5.0.0.0.2.ip6.arpa. IN PTR host2.jalam.me.

 

Dont forget to restart bind service

# systemctl restart named

Verify

#named-checkconf /etc/named.conf 
# named-checkzone 0.4.a.5.0.0.0.2.ip6.arpa  /var/named/reverse-2000\:5A40 
zone 0.4.a.5.0.0.0.2.ip6.arpa/IN: loaded serial 2018062401 OK

https://network-tools.webwiz.net/reverse-dns.htm

Some useful tool:

  • http://www.zytrax.com/books/dns/ch3/#ipv6-tool-rev
  • http://rdns6.com/zone

 

Regenerating Link Local IPv6 Addresses in Mikrotik

Posted on by Jasim Alam

IPv6 link local address generate automatically if IPv6 package is enabled.  For enabling IPv6 you may follow this post

[admin@Mikrotik] > /ipv6 address print 
Flags: X - disabled, I - invalid, D - dynamic, G - global, L - link-local 
# ADDRESS FROM-POOL INTERFACE 
0 DL fe80::e97:42ff:fef5:7a00/64 ether1 
1 DL fe80::e97:42ff:fef5:7a03/64 ether4 
2 DL fe80::e97:42ff:fef5:7a01/64 ether2 
3 DL fe80::e97:42ff:fef5:7a02/64 ether3 
4 DL fe80::dcac:40ff:feed:b345/64 loopback-1

Unlike IPv4, IPv6 link local address are crucial for routing. So if the address is removed mistakenly it will make routing problem.

[admin@Mikrotik] > /ipv6 address print 
Flags: X - disabled, I - invalid, D - dynamic, G - global, L - link-local 
# ADDRESS FROM-POOL INTERFACE 
0 DL fe80::e97:42ff:fef5:7a03/64 ether4 
1 DL fe80::e97:42ff:fef5:7a01/64 ether2 
2 DL fe80::e97:42ff:fef5:7a02/64 ether3 
3 DL fe80::dcac:40ff:feed:b345/64 loopback-1 
4 G 2000:5a40:0:11::2/126 ether1

As you can see, though static IPv6 is configured on the interface , still the address is showing unreachable

How to regenerate link local IPv6 address on Mikrotik when deleted ?

The solution is quiet simple, simply  reset (disable and re-enable) the interface. This applicable for all type of interface Ethernet/VLAN/bridge. For minimum impact on live traffic you may try following method

/interface ethernet disable 0; enable 0

Result,

[admin@Mikrotik] /interface ethernet> /ipv6 address print 
Flags: X - disabled, I - invalid, D - dynamic, G - global, L - link-local 
# ADDRESS FROM-POOL INTERFACE ADVERT
0 DL fe80::e97:42ff:fef5:7a03/64 ether4 no 
1 DL fe80::e97:42ff:fef5:7a01/64 ether2 no 
2 DL fe80::e97:42ff:fef5:7a02/64 ether3 no 
3 DL fe80::dcac:40ff:feed:b345/64 lo-1 no 
4 G 2000:5a40:0:11::2/126 ether1 no 
5 DL fe80::e97:42ff:fef5:7a00/64 ether1 no

 

DHCPv6: CentOS 7 Server & Mikrotik Client

Posted on by Jasim Alam

IPv6 DHCP configuration with CentOS 7 as DHCP server and Mikrotik as DHCPv6 client.

Note: Assumed you already have configured an IPv6 from subnet  on server interface. You may follow this guide.

Subnet:  2000:5a40:0:12::/64

Gateway IP: 2000:5a40:0:12::1/64

Subnet Range: 2000:5a40:0:12::100-200

 

  1. Verify that, DHCP package is installed
# yum list installed | grep dhcp

dhcp.x86_64 12:4.2.5-68.el7.centos.1 @updates
dhcp-common.x86_64 12:4.2.5-68.el7.centos.1 @updates
dhcp-libs.x86_64 12:4.2.5-68.el7.centos.1 @updates

If not installed, you may install via yum

# yum install -y dhcp

 

2. Edit configuration file and restart service

# vi /etc/dhcp/dhcpd6.conf

default-lease-time 3600; # 1 hour
max-lease-time 86400; # 1 day
authoritative;
allow leasequery;
dhcpv6-lease-file-name “/var/lib/dhcpd/dhcpd6.leases”;


subnet6 2000:5a40:0:12::/64 {
#any of following range declaration format is supported
#range6 2000:5a40:0:12::100 2000:5a40:0:12::200;
range6 2000:5a40:0:12::100/120;
option dhcp6.name-servers 2001:4860:4860::8888;
option dhcp6.domain-search "jalam.me";
}

# systemctl start dhcpd6

# systemctl enable dhcpd6

 

3. Mikrotik client configuration

IPv6 is disabled on Mikrotik by default.

Mikrotik Default Package Status

If disable enable the package and reboot the router

configuration on Mikrotik

[admin@Mikrotik] > /ipv6 dhcp-client add interface=ether2 request=address

 

4. verification

on Mikrotik

[admin@Mikrotik] > /ipv6 dhcp-client print 

Flags: D - dynamic, X - disabled, I - invalid 
# INTERFACE   STATUS   REQUEST   PREFIX  ADDRESS 
0 ether2      bound    address           2000:5a40:0:12::1d6, 51m45s 


[admin@Mikrotik] > /ipv6 address print 
Flags: X - disabled, I - invalid, D - dynamic, G - global, L - link-local 
# ADDRESS                        FROM-POOL INTERFACE ADVERTISE
0 DL fe80::e97:42ff:fef5:7a00/64             ether1     no 
1 DL fe80::e97:42ff:fef5:7a02/64             ether3     no 
2 DL fe80::e97:42ff:fef5:7a03/64             ether4     no 
3 DL fe80::e97:42ff:fef5:7a01/64             ether2     no 
4 DG 2401:5a40:0:12::1d6/64                  ether2     no 


[admin@Mikrotik] > ping 2401:5a40:0:12::1 count=1 

SEQ  HOST               SIZE   TTL   TIME   STATUS 
0    2401:5a40:0:12::1   56    64    3ms    echo reply 

sent=1 received=1 packet-loss=0% min-rtt=3ms avg-rtt=3ms max-rtt=3ms

on server

# cat /var/lib/dhcpd/dhcpd6.leases


# The format of this file is documented in the dhcpd.leases(5) manual page.
# This lease file was written by isc-dhcp-4.2.5

server-duid "\000\001\000\001\"\265\204\217\000\014)\\f\025";

ia-na "\002\000\000\000\000\003\000\001\014\227B\365z\000" {
cltt 5 2018/06/15 10:42:22;
iaaddr 2000:5a40:0:12::1d6 {
binding state active;
preferred-life 2250;
max-life 3600;
ends 5 2018/06/15 11:42:22;
}
}

 

References:

  • https://www.tldp.org/HOWTO/Linux+IPv6-HOWTO/ch22s06.html
  • https://wiki.mikrotik.com/wiki/Manual:IPv6/DHCP_Client

 

Static IPv6 Configuration on CentOS 7

Posted on by Jasim Alam
  1. Enabling IPv6

IPv6 enabled on CentOS 7 by default. You can verify status

# cat /proc/net/if_inet6 

00000000000000000000000000000001 01 80 10 80 lo 24015a40000000120000000000000100 02 40 00 80 ens33 fe80000000000000020c29fffe5c6601 03 40 20 80 ens38 fe80000000000000020c29fffe5c66f7 02 40 20 80 ens33

If /proc/net/if_inet6 doesn’t exist try to load the kernel module

# modprobe ipv6
# lsmod | grep ipv6

or add grub entry (reboot required)

# echo 'GRUB_CMDLINE_LINUX="ipv6.disable=0"' /etc/default/grub
# grub2-mkconfig -o /boot/grub2/grub.cfg
# shutdown -r now

also make sure ipv6 isn’t disabled manually in kernel

# sysctl net.ipv6.conf.all.disable_ipv6 = 0
# sysctl net.ipv6.conf.default.disable_ipv6 = 0
# sysctl -p

 

2. Configuring static IPv6. 
# vi /etc/sysconfig/network-scripts/ifcfg-ens33

#append below lines
NM_CONTROLLED=no
IPV6INIT=yes
IPV6_AUTOCONF=yes
IPV6ADDR="2000:5a40:0:12::100/64"
IPV6_DEFAULTGW=2000:5a40:0:12::1

# systemctl disable NetworkManager
# systemctl stop NetworkManager
# systemctl enable network
# systemctl start network
3. Verification
# ip a s | grep inet6

inet6 ::1/128 scope host 
inet6 2000:5a40:0:12::100/64 scope global 
inet6 fe80::20c:29ff:fe5c:66f7/64 scope link 
inet6 fe80::20c:29ff:fe5c:6601/64 scope link

#ip -6 add show | grep inet6

inet6 ::1/128 scope host 
inet6 2000:5a40:0:12::100/64 scope global 
inet6 fe80::20c:29ff:fe5c:66f7/64 scope link 
inet6 fe80::20c:29ff:fe5c:6601/64 scope link

#ip -6 route show

unreachable ::/96 dev lo metric 1024 error -113 
2000:5a40:0:12::/64 dev ens33 proto kernel metric 256 
unreachable 3ffe:ffff::/32 dev lo metric 1024 error -113 
fe80::/64 dev ens33 proto kernel metric 256 
fe80::/64 dev ens38 proto kernel metric 256
default via 2000:5a40:0:12::1 dev eth1 metric 1 pref medium

# ping6 2000:5a40:0:12::1 -c 1

PING 2000:5a40:0:12::1(2000:5a40:0:12::1) 56 data bytes
64 bytes from 2000:5a40:0:12::1: icmp_seq=1 ttl=64 time=2.03 ms

--- 2000:5a40:0:12::1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 2.032/2.032/2.032/0.000 ms

 

Secure Zimbra Server from Memcached Attack

Posted on by Jasim Alam

Memcached vulnerability made big fuss this year. Zimbra  use Memcached for distributed memory caching on proxy environment. Out of the box  Zimbra act as open Memcached proxy by listening  and responding to all requests.

Checking Vulnerability

To check whether your server is vulnerable .

Telnet from outside network. If following respond blank screen than its vulnerable

 telnet <IP of zimbra server> 11211

or run Nmap from outside network

nmap <IP of zimbra server> -p 11211 --script memcached-info

Sample Nmap result of vulnerable server

Memcached vulnerable server

Mitigation

Any one of following method can be used

  1. If the server behind a firewall drop all incoming/outgoing connection on TCP/UDP  port 11211 from untrusted to DMZ zone.
  2. If  the server isn’t under firewall, you are running netfilter you can use following iptables rule.
iptables -I INPUT -p udp -s 127.0.0.1 --dport 11211 -j ACCEPT 
iptables -I INPUT -p tcp -s 127.0.0.1 --dport 11211 -j ACCEPT 
iptables -I INPUT -p udp --dport 11211 -j DROP 
iptables -I INPUT -p tcp --dport 11211 -j DROP
service iptables save

3. If you don’t want you use none of above, you can just make Zimbra Memcached service listen to localhost only

su - zimbra
/opt/zimbra/bin/zmprov ms `zmhostname` zimbraMemcachedBindAddress 127.0.0.1 
/opt/zimbra/bin/zmprov ms `zmhostname` zimbraMemcachedClientServerList 127.0.0.1
zmmemcachedctl restart

Before status

Before status

After status

After status

 

Verification

Run the same Nmap script again. It should look like this

nmap verification

 

References :

  1. https://wiki.zimbra.com/wiki/Blocking_Memcached_Attack
  2. https://blog.cloudflare.com/memcrashed-major-amplification-attacks-from-port-11211/