memcached settings with IPv6 localhost ::1


Post by blueish »

Hi

I've tried to secure my Zimbra/Memcached with the instructions at https://wiki.zimbra.com/wiki/Blocking_Memcached_Attack. However, being modern and all, I've substituted the v4 localhost (127.0.0.1) with the v6 localhost (::1) which was a bad idea :evil:

Code:

/opt/zimbra/bin/zmprov ms myzimbraserver zimbraMemcachedBindAddress ::1
/opt/zimbra/bin/zmprov ms myzimbraserver zimbraMemcachedClientServerList ::1

Services are apparently running:

Code:

zimbra@myzimbraserver:~$ zmcontrol status
Host myzimbraserver
        amavis                  Running
        antispam                Running
        antivirus               Running
        dnscache                Running
        ldap                    Running
        logger                  Running
        mailbox                 Running
        memcached               Running
        mta                     Running
        opendkim                Running
        proxy                   Running
        service webapp          Running
        snmp                    Running
        spell                   Running
        stats                   Running
        zimbra webapp           Running
        zimbraAdmin webapp      Running
        zimlet webapp           Running
        zmconfigd               Running

However, in /opt/zimbra/log/mailboxd.log I found the following error message:

Code:

2018-03-05 00:08:59,012 INFO  [main] [] FileDescriptorCache - Loading settings: zimbraMailFileDescriptorCacheSize=1000.
2018-03-05 00:08:59,079 WARN  [main] [] misc - Invalid server ::1
2018-03-05 00:08:59,107 FATAL [main] [] soap - Unable to start servlet
java.lang.IllegalArgumentException: You must have at least one server to connect to
        at net.spy.memcached.MemcachedClient.<init>(MemcachedClient.java:159)
        at com.zimbra.common.util.memcached.ZimbraMemcachedClient.connect(ZimbraMemcachedClient.java:153)
        at com.zimbra.cs.memcached.MemcachedConnector.reloadConfig(MemcachedConnector.java:67)
        at com.zimbra.cs.memcached.MemcachedConnector.startup(MemcachedConnector.java:44)
        at com.zimbra.cs.util.Zimbra.startup(Zimbra.java:276)

Also, I cannot revert any settings:

Code:

zimbra@myzimbraserver:~$ /opt/zimbra/bin/zmprov ms myzimbraserver zimbraMemcachedBindAddress 127.0.0.1
ERROR: service.PROXY_ERROR (error while proxying request to target server: HTTP/1.1 503 Service Unavailable)

or change other things:

Code:

zimbra@myzimbraserver:~$ zmprov -v
ERROR: service.PROXY_ERROR (error while proxying request to target server: HTTP/1.1 503 Service Unavailable)
com.zimbra.common.service.ServiceException: error while proxying request to target server: HTTP/1.1 503 Service Unavailable
ExceptionId:main:1520269453927:18086317d59c89ab
Code:service.PROXY_ERROR Arg:(url, STR, "https://localhost:7071/service/admin/soap/AuthRequest")

My Zimbra version is 8.7.1_GA_1670

Does somebody know in what config files the ::1 gets written to so I can revert this manually?
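
An added example, not part of the original post or of Zimbra's code: a pre-flight check that classifies candidate values for zimbraMemcachedBindAddress and zimbraMemcachedClientServerList before they are applied, flagging forms such as a bare `::1` where the colons cannot be told apart from a host:port separator. The function names and the choice to treat bracketed IPv6 as untested are assumptions; the thread only shows `127.0.0.1` and `127.0.0.1:11211` in use.

```python
import ipaddress

DEFAULT_PORT = 11211  # memcached port named in the thread

def _port(text):
    """Return a valid port number, or None."""
    return int(text) if text.isdecimal() and 0 < int(text) < 65536 else None

def classify_entry(entry):
    """Classify one server-list value as (kind, host, port)."""
    entry = entry.strip()
    if entry.startswith("["):                  # [v6addr] or [v6addr]:port
        host, closed, rest = entry[1:].partition("]")
        port = DEFAULT_PORT if rest == "" else _port(rest[1:]) if rest.startswith(":") else None
        try:
            ipaddress.IPv6Address(host)
        except ValueError:
            return ("invalid", None, None)
        if not closed or port is None:
            return ("invalid", None, None)
        return ("bracketed-ipv6", host, port)
    if entry.count(":") >= 2:                  # e.g. ::1: which colon would be the port separator?
        try:
            ipaddress.IPv6Address(entry)
        except ValueError:
            return ("invalid", None, None)
        return ("bare-ipv6", entry, None)
    host, sep, port_text = entry.partition(":")
    if not host:
        return ("invalid", None, None)
    if not sep:
        return ("host", host, DEFAULT_PORT)
    port = _port(port_text)
    return ("host:port", host, port) if port else ("invalid", None, None)

def preflight(values):
    """Return the values that should be tested on a non-production host first."""
    # Assumption: bracketed IPv6 is flagged too, since the page never shows it accepted.
    risky = {"bare-ipv6", "bracketed-ipv6", "invalid"}
    return [v for v in values if classify_entry(v)[0] in risky]

if __name__ == "__main__":
    # Constructed inputs: the value from the first post and the forms used in the replies.
    for value in ["::1", "127.0.0.1", "127.0.0.1:11211", "[::1]:11211"]:
        print(f"{value:18} -> {classify_entry(value)}")
```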

Post by L. Mark Stone »

The memcached exploit in the wiki is only available on port 11211.

If you don't have that port open to the public Internet, then you are not susceptible to the attack.

From the second paragraph in the wiki:

"If your Zimbra memcache servers are behind firewall, we recommend blocking ingress and egress traffic on port 11211 from the Internet to zimbra memcache servers. Once done, you do not need to follow further steps on this wiki."

Hope that helps,
Mark
___________________________________
L. Mark Stone
Mission Critical Email - Zimbra VAR/BSP/Training Partner https://www.missioncriticalemail.com/
AWS Certified Solutions Architect-Associate

Post by nikolay.gamaley »

Use -l in zmprov

Code:

/opt/zimbra/bin/zmprov -l ms myzimbraserver zimbraMemcachedBindAddress 127.0.0.1
/opt/zimbra/bin/zmprov -l ms myzimbraserver zimbraMemcachedClientServerList 127.0.0.1

It fixes your broken options in LDAP.

Post by blueish »

Thanks for your replies.

My memcached was accessible from the internet and therefore I went ahead and followed the instructions.

The commands posted by nikolay.gamaley both worked, after a friend pointed out the difference (-l) between the commands I tried and nikolay's.

Post by sgalam »

I did the same, tried with -l.

Restarted memcache and now it's listening on 127.0.0.1, but nginx points to the public IP address:

Code:

2018/03/08 09:10:00 [notice] 14374#0: memcached channel:$PUBLICIP:11211 down, reconnect after:60000 ms

I did several:

zmproxyctl restart

and the /opt/zimbra/conf/nginx/includes/nginx.conf.memcache was re-generated, but the "server" section is filled with the public IP address and not 127.0.0.1.

How can I fix this, any ideas?

Thanks!

M.

Post by kumarp »

It looks like a bug. As a workaround, you can edit the file below.

su - zimbra
vim /opt/zimbra/conf/nginx/templates/nginx.conf.memcache.template

${memcache.:servers} ------ (you need to replace this line with the line below)
servers 127.0.0.1:11211;

zmproxyctl restart

Enjoy!
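
A check for the state described in the last two posts, as an added example (not from any poster or from Zimbra): it flags sockets on port 11211 bound off loopback and `servers` entries in the generated nginx include that do not point at loopback. The `ss -lntu` output and the config content are constructed samples, and 203.0.113.10 is a documentation address used as a placeholder.

```python
import ipaddress
import re

MEMCACHED_PORT = "11211"

# Constructed `ss -lntu` output (not from the thread).
SAMPLE_SS = """\
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port
udp   UNCONN 0      0      127.0.0.1:11211    0.0.0.0:*
tcp   LISTEN 0      128    127.0.0.1:11211    0.0.0.0:*
tcp   LISTEN 0      128    0.0.0.0:7071       0.0.0.0:*
"""

# Constructed nginx.conf.memcache; 203.0.113.10 stands in for the public IP.
SAMPLE_NGINX = """\
memcache {
    servers 203.0.113.10:11211;
}
"""

def is_loopback(host):
    """True for 127.0.0.0/8, ::1 and the name localhost; wildcards are not."""
    host = host.strip("[]").split("%")[0]
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return host == "localhost"

def exposed_listeners(ss_output):
    """Return (proto, local_addr) for port-11211 sockets bound off loopback."""
    found = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue
        host, _, port = fields[4].rpartition(":")
        if port == MEMCACHED_PORT and not is_loopback(host):
            found.append((fields[0], fields[4]))
    return found

def non_loopback_upstreams(nginx_conf):
    """Return entries of `servers ...;` directives that are not loopback."""
    entries = []
    for match in re.finditer(r"^\s*servers\s+([^;]+);", nginx_conf, re.M):
        entries += match.group(1).split()
    return [e for e in entries if not is_loopback(e.rpartition(":")[0] or e)]

if __name__ == "__main__":
    print(exposed_listeners(SAMPLE_SS), non_loopback_upstreams(SAMPLE_NGINX))
```

On a live host, feed the functions the real `ss -lntu` output and the contents of /opt/zimbra/conf/nginx/includes/nginx.conf.memcache; both lists should be empty once memcached and the proxy agree on loopback.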