How to Install and Secure Memcached on FreeBSD 14

Looking for an in-memory data store for your database, API, and page rendering? Memcached is the solution for Unix systems such as FreeBSD and for Unix-like operating systems.

Memcached is a distributed in-memory data store to boost the performance of your application. It allows you to cache chunks of arbitrary data, which makes data retrieval faster.

In this guide, I will show you how to install and secure memcached on a FreeBSD 14 server.

Prerequisites

Before you begin, make sure you have:

Installing Memcached on FreeBSD

Memcached is an open-source in-memory key-value data store for BSD and Linux operating systems. In this guide, you will install memcached on FreeBSD via the pkg package manager. Alternatively, you can install it from Ports.

To install memcached on FreeBSD, follow these steps:

1. First, run the command below to update the FreeBSD package index on your system.

pkg update

2. Run the pkg command below and install the memcached package. Enter y to accept and proceed with the installation.

pkg install memcached libmemcached
Installing memcached on FreeBSD

3. Once installation is complete, run the command below to enable the memcached service.

sysrc memcached_enable=YES

4. Then, run the following commands to configure memcached to run as the user nobody and to set some additional start options/flags.

# running memcached as user nobody
sysrc memcached_user="nobody"
sysrc memcached_group="nobody"

# memcached start options/flags
sysrc memcached_flags="-l 192.168.5.80 -d -U 0 -m 512 -c 2048"

Memcached options used:

  • -l 192.168.5.80: Run memcached service on IP address 192.168.5.80.
  • -d: Start memcached in the background.
  • -U 0: Disable the memcached UDP listener.
  • -m 512: Set up max memory to 512 MB.
  • -c 2048: Set up max connections to 2048.
Enable memcached service and configure start options/flags

5. Lastly, run the command below to verify the memcached settings stored in the /etc/rc.conf file.

sysrc -a | grep memcached
Checking memcached options in /etc/rc.conf file

Managing Memcached service on FreeBSD

After you have installed memcached, let’s gear up to start and manage the memcached service. Here, you will be utilizing the service command to manage the memcached service, and the sockstat command to verify the default memcached port 11211.

To start and manage the memcached service, carry out the following actions:

1. To start the memcached service, run the command below.

service memcached start

2. Once memcached starts, verify it with the following command. This will show you the PID (Process ID) of the memcached service.

service memcached status

As pointed out below, memcached is running with pid 2168.

Starting and verifying the memcached service

3. Now, run the command below to stop memcached when needed.

service memcached stop

4. Next, when you need to restart memcached, use the command below.

service memcached restart

5. Lastly, you can also verify memcached port 11211 by running the sockstat command below. If memcached is running, you will see that port 11211 is used by the memcached service.

sockstat -4 | grep 11211
Checking memcached port 11211

Optional: Open Memcached port with pf (Packet Filter)

If you’re running memcached on a local IP address, be sure to open memcached port 11211 to allow traffic from your application. Execute the following steps to open port 11211 with pf on FreeBSD:

1. Run the vim editor to open pf configuration /etc/pf.conf.

vim /etc/pf.conf

Add port 11211 to the tcp_custom macro like this:

tcp_custom = "{ 3896, 8080, 11211 }"

Save and exit the file when done.

2. Now, run the command below to reload the pf service and apply your changes.

service pf reload

3. Lastly, run the following command to ensure traffic to memcached port 11211 is allowed. If it is allowed, you should see a rule in the output such as pass in proto tcp ..., on port 11211.

pfctl -sr | grep 11211

Testing Memcached connection via memcached-tool on FreeBSD

Now that you have started memcached, the next task is to verify memcached via the memcached-tool and netcat utilities. The memcached-tool is a Perl-based application for checking stats and managing memcached, and it is included in the memcached package.

Go through the following steps to test and verify memcached using memcached-tool:

1. First, run the memcached-tool command below to check your memcached configuration.

memcached-tool 192.168.5.80 settings

After the command is executed, you will see a memcached configuration like the following:

Displaying memcached configuration via memcached-tool

2. Now, run the command below to check the memcached stats. Using this, you can check the current read and write stats, connections stats, and also authentication stats.

memcached-tool 192.168.5.80 stats
Checking memcached stats via memcached-tool

3. Additionally, you could verify the memcached stats via netcat or nc command below. The netcat command is available in Unix and Unix-like operating systems, which gives you flexibility to check memcached stats from anywhere.

echo stats | nc 192.168.5.80 11211

Press Ctrl+c to terminate the netcat process.

Here, you can see memcached stats and basic configurations, such as the memcached version, pid, uptime, max_connections settings, and total connections.

Checking memcached stats via Netcat or nc

Securing Memcached with SASL authentication on FreeBSD

So far, the memcached service is up and running. Moving on from here, you will secure the memcached installation via SASL (Simple Authentication and Security Layer) authentication. By enabling SASL authentication, you can prevent unauthorized access to your memcached data store.

Carry out the following steps to secure memcached with SASL authentication:

1. First, run the commands below to add the memcached option/flag -S, which enables SASL authentication in memcached. Then, add the environment variable SASL_CONF_PATH for the memcached service, which points to the configuration file /usr/local/etc/memcached.conf.

# adding start option/flag -S to enable SASL authentication
sysrc memcached_flags+=" -S"

# create env SASL_CONF_PATH for memcached service
sysrc memcached_env="SASL_CONF_PATH=/usr/local/etc/memcached.conf"

2. Run the following command to verify memcached parameters in the rc.conf file. Ensure you have the option -S in the memcached_flags parameter.

sysrc -a | grep memcached
Enable SASL authentication on memcached service

3. Now, run the vim editor to create a new configuration /usr/local/etc/memcached.conf.

vim /usr/local/etc/memcached.conf

Add the following setup to the file.

log_level: 5
mech_list: plain
sasldb_path: /usr/local/etc/sasldb2

Save and close the file.

4. Next, run the saslpasswd2 command below to generate the SASL password authentication for the application memcached and create the user appuser. Enter your password when asked and repeat it.

saslpasswd2 -a memcached -c appuser

5. Now, run the command below to change the ownership for the SASL password database file /usr/local/etc/sasldb2.db to nobody.

chown -R nobody:nobody /usr/local/etc/sasldb2.db

6. Lastly, run the service command below to restart memcached and implement your changes.

service memcached restart
Configuring memcached SASL authentication and generating a SASL user
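
The start flags set during installation and in the SASL steps above (-l, -U 0 and -S) can be checked mechanically before you rely on them. The script below is an added example, not part of the original guide; the function name audit_memcached_flags and the sample flag strings are constructed for illustration, and it assumes space-separated short options as the guide writes them.

```sh
#!/bin/sh
# Added example (not from the original guide): audit a memcached_flags value
# for the hardening options the guide sets: -l <addr>, -U 0 and -S.
# Assumes short options as written in the guide; clustered flags such as
# -dS are not recognised. Prints one finding per line; the exit status is
# 0 only when nothing is flagged.
audit_memcached_flags() (
    set -f                      # no glob expansion while word-splitting
    listen="" udp="" sasl=no prev="" findings=0
    for tok in $1; do
        case "$prev" in         # value following a separate -l or -U
            -l) listen=$tok ;;
            -U) udp=$tok ;;
        esac
        case "$tok" in
            -S)   sasl=yes ;;
            -l?*) listen=${tok#-l} ;;   # attached form, e.g. -l192.168.5.80
            -U?*) udp=${tok#-U} ;;      # attached form, e.g. -U0
        esac
        prev=$tok
    done
    if [ -z "$listen" ]; then
        echo "LISTEN: no -l given, memcached binds every interface"
        findings=$((findings + 1))
    fi
    # -l accepts a comma-separated list; check each address.
    for addr in $(echo "$listen" | tr ',' ' '); do
        case "$addr" in
            0.0.0.0|0.0.0.0:*|::|\[::\]*)
                echo "LISTEN: wildcard address $addr"
                findings=$((findings + 1)) ;;
        esac
    done
    # The guide disables UDP explicitly, so the audit expects -U 0.
    if [ "$udp" != "0" ]; then
        echo "UDP: listener not disabled with -U 0"
        findings=$((findings + 1))
    fi
    if [ "$sasl" != "yes" ]; then
        echo "SASL: -S missing, any client that can reach the port can read and write"
        findings=$((findings + 1))
    fi
    [ "$findings" -eq 0 ]
)

# Constructed samples; on the server: audit_memcached_flags "$(sysrc -n memcached_flags)"
GUIDE_FLAGS="-l 192.168.5.80 -d -U 0 -m 512 -c 2048 -S"
WEAK_FLAGS="-d -m 512 -c 2048"
audit_memcached_flags "$GUIDE_FLAGS" && echo "guide flags: OK"
audit_memcached_flags "$WEAK_FLAGS" || echo "weak flags: see findings above"
```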

Testing Memcached authentication with Python memcached

Now that you’ve enabled SASL authentication, let’s navigate to the final step to verify memcached authentication. In this example, you will be utilizing the Python memcached driver to connect to memcached, and then create a key-value data store.

Execute the following steps to verify memcached authentication via the Python memcached driver:

1. First, run the pkg command below to install the Python memcached driver package py39-python-binary-memcached on your FreeBSD system.

pkg install -y py39-python-binary-memcached
Installing Python memcached driver

2. Now, run the command below to start the Python interactive shell.

python3.9

3. Within the Python interactive shell, import the Python memcached driver bmemcached.

import bmemcached

4. Next, create a new client connection to the memcached server 192.168.5.80:11211 with the user appuser and password pass. Be sure to change the details of the memcached host, user, and password with your information.

client = bmemcached.Client(('192.168.5.80:11211', ), 'appuser', 'pass')

5. Lastly, run the following to create a new key testkey on memcached, and retrieve it.

client.set('testkey', 'random-data-geekandnix.com')
print(client.get('testkey'))

If your memcached authentication was successful, you should be able to create and retrieve the testkey from the memcached server like the following:

Testing memcached authentication via Python driver on FreeBSD

Conclusion

Mission accomplished! You have completed the steps and installed memcached on the FreeBSD 14 server. Also, you have secured memcached by enabling SASL (Simple Authentication and Security Layer) authentication and learned the basic memcached-tool for checking cache status.

Moreover, you have also learned the basic usage of the Python memcached driver for connecting to memcached and for creating and retrieving key-value data.

System administrator and devops enthusiast, leveraging over 10+ years of Linux expertise to optimize operations. Proficient in FreeBSD, VMWare, KVM, Proxmox, PfSense, Ansible, Docker, and Kubernetes.
