Install memcached and SOGo to use unix domain socket

Issue #132 wontfix
Anonymous created an issue

Hi. With all the excitement lately about memcached and ddos attacks, perhaps memcached should be installed to use unix domain sockets. As far as I know, the only reason memcached is on my iredmail server is to support SOGo. So I made these changes (on FreeBSD):

sysrc memcached_flags="-s /var/run/memcached/memcached.sock -a 0666"

In /usr/local/etc/sogo/sogo.conf SOGoMemcachedHost = "/var/run/memcached/memcached.sock";

Now memcached does not listen on any network port. Unix domain sockets usually perform faster than TCP, also.

Comments (5)

  1. Paco Hope

    I created this (but anonymously, whoops). I didn't say I experienced a ddos attack. I know that it currently listens on 127.0.0.1.

    My point is that unix domain sockets perform much faster. memcached does not need to use TCP at all. It's unnecessary.

    I looked at it because an organisation that I work with had memcached wrong on their iredmail server. THEY were running wrong, but I don't know how they changed it or why they changed it. When I fixed it, I realised that there is no need for TCP or UDP. We can use unix domain sockets and get faster performance with better security.

  2. Zhang Huangbin repo owner
    • There may be a slight performance loss, but I don't think it's a huge difference. (I didn't do a benchmark yet.)
    • Listening on 127.0.0.1:<port> should be fine as far as security is concerned; if someone can attack it via 127.0.0.1:<port>, it's likely he can attack via the socket too. So there is no difference in this case.

    Different Linux/BSD distros may use different socket paths; we tend to use the same settings for all distros: same network port, same config file. When a user moves from one distro to another, he gets the same experience.

  3. Paco Hope

    I understand you don't see the need. I respect your decision.

    The place you set the socket path is exactly the same place you put -l 127.0.0.1. So you are in control on all distros. You've already done this change once. You could, for example, set it to /tmp/memcached.sock and be confident that it will work on all platforms.

    Also, there is a security difference between listening on a unix domain socket versus a TCP port. There is no security mechanism for a TCP port. Any process on the system can open 127.0.0.1:11211. A unix domain socket has permissions like a file. It can be restricted so that only certain UIDs can read/write to it. So the sogod process could read/write the memcached socket, but the dovecot or postfix processes could not.

    At this point I am just arguing. :) These details are not important and I respect your position. But there is a difference between unix domain and localhost. And one person's benchmark showed a 33% speed improvement. https://guides.wp-bullet.com/configure-memcached-to-use-unix-socket-speed-boost/
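
The two configurations argued over above (memcached on 127.0.0.1:11211 versus a unix socket with an -a mask) can be audited mechanically. The script below is an added example and is not code from iRedMail, SOGo or memcached; it parses the flag string that rc.conf's memcached_flags (or a distro's OPTIONS line) hands to memcached, plus the SOGoMemcachedHost line from sogo.conf, and reports who can reach the cache. Flag meanings follow the memcached man page (-s switches to a unix socket and disables TCP/UDP, -a is the socket's octal mode, -l/-p/-U are bind address, TCP port and UDP port). The function names, the constructed sample inputs and the treatment of the UDP default as release-dependent (it changed in memcached 1.5.6) are assumptions of this example. Note that the mask 0666 from the original post is exactly what the audit flags: connect() on a unix socket requires write permission on the socket file, so the other-write bit hands the socket to every local UID, which is no better than the loopback port.

```python
"""Audit memcached listener flags and the matching SOGo setting (added example)."""
import re
import shlex
import stat
from dataclasses import dataclass, field
from typing import List, Optional

LOOPBACK = {"127.0.0.1", "::1", "localhost"}
VALUE_OPTS = {"-s", "-a", "-l", "-p", "-U"}   # memcached flags that take an argument


@dataclass
class MemcachedExposure:
    socket_path: Optional[str] = None              # -s
    socket_mask: Optional[int] = None              # -a (memcached default 0700)
    bind_addrs: List[str] = field(default_factory=lambda: ["0.0.0.0"])  # -l default: all
    tcp_port: int = 11211                          # -p
    udp_port: Optional[int] = None                 # -U; None = release-dependent default
    findings: List[str] = field(default_factory=list)

    @property
    def network(self) -> bool:
        # -s puts memcached on the unix socket and disables TCP and UDP entirely.
        return self.socket_path is None


def parse_memcached_flags(flags: str) -> MemcachedExposure:
    """Parse a memcached flag string such as rc.conf's memcached_flags value."""
    exp = MemcachedExposure()
    toks = shlex.split(flags)
    i = 0
    while i < len(toks):
        opt, val = toks[i][:2], toks[i][2:]       # getopt accepts "-s/path" and "-s /path"
        if opt in VALUE_OPTS:
            if not val:
                i += 1
                if i >= len(toks):
                    raise ValueError(f"{opt} needs an argument")
                val = toks[i]
            if opt == "-s":
                exp.socket_path = val
            elif opt == "-a":
                exp.socket_mask = int(val, 8)     # -a is octal, e.g. 0660
            elif opt == "-l":
                exp.bind_addrs = [a.strip() for a in val.split(",") if a.strip()]
            elif opt == "-p":
                exp.tcp_port = int(val)
            elif opt == "-U":
                exp.udp_port = int(val)
        i += 1
    return exp


def host_of(addr: str) -> str:
    """Strip an optional :port from a -l entry ("127.0.0.1:11211", "[::1]:11211")."""
    if addr.startswith("["):
        return addr[1:addr.index("]")]
    return addr.split(":")[0] if addr.count(":") == 1 else addr


def audit_memcached_flags(flags: str) -> MemcachedExposure:
    """Parse the flags and record who can reach the cache."""
    exp = parse_memcached_flags(flags)
    if not exp.network:
        mask = exp.socket_mask if exp.socket_mask is not None else 0o700
        # connect() on a unix socket needs write permission on the socket file.
        if mask & stat.S_IWOTH:
            exp.findings.append(f"socket mask {mask:04o} grants every local UID access; "
                                "use 0600/0660 and put sogod in the socket's owner/group")
    else:
        non_local = [h for h in map(host_of, exp.bind_addrs) if h not in LOOPBACK]
        if non_local:
            exp.findings.append(f"TCP port {exp.tcp_port} bound to non-loopback "
                                f"address(es) {non_local}: reachable from the network")
        else:
            exp.findings.append(f"TCP port {exp.tcp_port} on loopback: every local "
                                "process can connect, no UID check")
        if exp.udp_port is None:
            exp.findings.append("UDP not set: on by default before memcached 1.5.6; pass -U 0")
        elif exp.udp_port != 0:
            exp.findings.append(f"UDP port {exp.udp_port} enabled: amplification risk if reachable")
    return exp


def sogo_memcached_host(conf_text: str) -> Optional[str]:
    """Return the SOGoMemcachedHost value from sogo.conf text, or None if unset."""
    m = re.search(r'^\s*SOGoMemcachedHost\s*=\s*"([^"]*)"\s*;', conf_text, re.M)
    return m.group(1) if m else None


def check_sogo_matches(exp: MemcachedExposure, sogo_host: Optional[str]) -> List[str]:
    """SOGo must point at the endpoint memcached actually listens on."""
    if sogo_host is None:
        return ["SOGoMemcachedHost unset: set it explicitly to the socket path"]
    if exp.network and sogo_host.startswith("/"):
        return [f"SOGo points at socket {sogo_host} but memcached listens on TCP"]
    if not exp.network and sogo_host != exp.socket_path:
        return [f"SOGo uses {sogo_host!r} but memcached's socket is {exp.socket_path!r}"]
    return []


if __name__ == "__main__":
    # Constructed sample input: the flags from the original post and a sogo.conf line.
    exp = audit_memcached_flags('-s /var/run/memcached/memcached.sock -a 0666')
    conf = 'SOGoMemcachedHost = "/var/run/memcached/memcached.sock";\n'
    for line in exp.findings + check_sogo_matches(exp, sogo_memcached_host(conf)):
        print(line)
```

Run it against the real rc.conf value (sysrc -n memcached_flags on FreeBSD) and the live sogo.conf; an empty findings list means memcached is on a socket whose mode keeps other local UIDs out and SOGo is pointed at that same path. The parent directory's permissions are not checked here, and they matter as much as the socket mode.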
