First time I’m doing this, so hopefully this is what I should be doing…
I have been using Nethserver for some time and have had SOGo installed on a few installations. Periodically I would get a definite DDoS attack on memcached on these servers. I have used intrusion prevention and firewalling to mitigate these as best as possible, but they have continued. Today I found documentation of restricting memcached to local requests only, which I believe is all SOGo needs, by editing /etc/sysconfig/memcached and adding -l 127.0.0.1 to the options. As far as I know SOGo is the only service that needs memcached and it only needs it locally, so I think this should be added to the configuration when it is installed to avoid these DDoS attacks out of the box.
AFAIK SOGo is no longer part of NethServer (as a standard package; it is part of nethforge, if I am not wrong), therefore the footprint is currently… smaller.
Anyway, let’s summon the wizard of SOGo, @stephdl who’s currently babysitting the package.
You’re not wrong, probably. But if @Socs28 has opened a range of ports containing port 11211 (let’s say 10000-20000) he may be vulnerable.
To be on the safe side, we could add OPTIONS="-l 127.0.0.1" to /etc/sysconfig/memcached.
Yes, though I’ve never done that before. What kind of testing do you want to see? I don’t know how to simulate the attacks I was getting. I can show that the patch properly puts the line in the config file and show the netstat results.
When we push a patch with a pull request, we create a GitHub bug to track the tests. We have to attach to the GitHub issue some tests that the developer has requested in the QA.
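A check that could accompany such a test report, as an added example that is not part of the thread or of the NethServer code: it verifies the OPTIONS line discussed above and inspects netstat-style listener output for port 11211. The function names and the sample data are assumptions constructed for illustration.

```shell
# Added example, not from the thread. The sample data below is constructed.

# Succeeds if the sysconfig text on stdin binds memcached to loopback only.
options_bind_loopback() {
    # The last OPTIONS= line wins, as it does when the file is sourced.
    opts=$(grep -E '^[[:space:]]*OPTIONS=' | tail -n 1 | sed 's/^[^=]*=//' | tr -d "\"'")
    set -- $opts
    found=1
    while [ $# -gt 0 ]; do
        if [ "$1" = "-l" ] && [ $# -ge 2 ]; then
            case "$2" in
                127.0.0.1|::1|localhost) found=0 ;;
                *) return 1 ;;  # any other listen address is reachable remotely
            esac
            shift
        fi
        shift
    done
    return $found
}

# Reads `netstat -tuln` or `ss -ltnu` output on stdin, prints each listener on
# the port (default 11211) that is not on loopback, and fails if any exist.
exposed_listeners() {
    awk -v port="${1:-11211}" '
        {
            for (i = 1; i <= NF; i++) {
                n = length($i) - length(port)
                if (n > 1 && substr($i, n) == ":" port) {
                    addr = substr($i, 1, n - 1)
                    if (addr !~ /^127\./ && addr != "::1" && addr != "[::1]") {
                        print $1, $i
                        bad = 1
                    }
                }
            }
        }
        END { exit bad + 0 }
    '
}

SAMPLE_BEFORE='tcp   0  0 0.0.0.0:11211    0.0.0.0:*  LISTEN
udp   0  0 0.0.0.0:11211    0.0.0.0:*
tcp   0  0 0.0.0.0:22       0.0.0.0:*  LISTEN'
SAMPLE_AFTER='tcp   0  0 127.0.0.1:11211  0.0.0.0:*  LISTEN
udp   0  0 127.0.0.1:11211  0.0.0.0:*'

printf 'OPTIONS="-l 127.0.0.1"\n' | options_bind_loopback && echo "config: loopback only"
printf '%s\n' "$SAMPLE_BEFORE" | exposed_listeners || echo "^ reachable from other hosts"
```

On a live server the same functions would be fed with `options_bind_loopback < /etc/sysconfig/memcached` and `netstat -tuln | exposed_listeners`.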