In Debian, I have installed memcached (using this guide) to lower the otherwise unmanageable load on the MySQL database. The database is on a separate server, and memcached and Varnish are on the front server. Is it a potential security hole to leave memcached unprotected by a firewall? If so, how should I secure it? The situation is especially worrisome, as I've received (unproved) reports of cookie thefts on the server. Thanks
Just block the memcached port in the firewall and allow access only from the database server. This should give you some protection. Also you can bring up an SSL tunnel between the MySQL and memcached server and make the memcached-MySQL data flow through it only.
For the SSL tunnel you can use IPsec; to set it up you can follow the tutorial at http://wiki.debian.org/IPsec or http://lartc.org/howto/lartc.ipsec.tunnel.html
For blocking the port for all ip's except one you can issue an iptables command like:
or:
Also, as I understand it, your webserver and memcached server are on the same machine? If so, then it is your webserver that will communicate with memcached rather than the MySQL server. It will just either get the data from the cache or, if it's not present in the cache, get it from the MySQL server. In this case it's enough to bind memcached to localhost so only your webserver can access memcached using PHP, Ruby, Python or any other language code; this should be as safe as it can be.
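As an added example that is not part of the question or the answer above, the following POSIX shell script turns the two controls the answer describes (an iptables rule that admits only one client to the memcached port, and a loopback-only bind in the Debian config) into functions you can run and check. It assumes memcached listens on its default port 11211, that the single legitimate client is the web server whose IP you pass in, that the config file is Debian's /etc/memcached.conf, and that `ss` is available for the live audit; all of those are assumptions, and nothing touches the live firewall unless you call apply_rules as root.

```sh
#!/bin/sh
# Added example (not from the question or answer above): memcached exposure
# controls as checkable shell functions.  Assumptions: default port 11211, one
# allowed web-server client, Debian's /etc/memcached.conf layout (one option per
# line), and `ss` for the live audit.

MEMCACHED_PORT=11211

# Emit iptables commands that drop traffic to the memcached port from every
# source except the one allowed client.  UDP is covered as well: memcached
# answers on UDP 11211 unless started with -U 0, and an unauthenticated UDP
# memcached is usable by anyone who can reach it.  Usage: build_rules <client_ip>
build_rules() {
    allowed="$1"
    [ -n "$allowed" ] || { echo "build_rules: missing client IP" >&2; return 1; }
    for proto in tcp udp; do
        # -I puts the rule at the top of INPUT so an earlier blanket ACCEPT
        # cannot shadow it; '! -i lo' keeps loopback clients working for the
        # same-host web-server case; '! -s' matches every source but the client.
        echo "iptables -I INPUT ! -i lo -p $proto --dport $MEMCACHED_PORT ! -s $allowed -j DROP"
    done
}

# Apply the generated rules on this host (root and iptables required).
apply_rules() {
    build_rules "$1" | sh -e
}

# Return 0 when the memcached config binds only to loopback (-l 127.0.0.1),
# which is the right setting when the web server and memcached share a host.
config_binds_localhost() {
    grep -Eq '^[[:space:]]*-l[[:space:]]+127\.0\.0\.1([[:space:]]|$)' "$1"
}

# Read `ss -ltnu` (or netstat -ltnu) output on stdin and print every listening
# socket on the memcached port bound to something other than loopback.
# Exit 0 if such a socket exists (memcached is exposed), 1 if none does.
exposed_listeners() {
    awk -v port="$MEMCACHED_PORT" '
        {
            for (i = 1; i <= NF; i++) {
                if ($i ~ (":" port "$") && $i !~ /^127\./ && $i !~ /^\[::1\]/) {
                    print; found = 1; break
                }
            }
        }
        END { exit found ? 0 : 1 }'
}

# Live audit of this host when run as `sh memcached-harden.sh --audit`.
if [ "${1:-}" = "--audit" ]; then
    if ss -ltnu | exposed_listeners; then
        echo "memcached is reachable on a non-loopback address" >&2
    else
        echo "memcached listens on loopback only (or is not running)"
    fi
fi
```

Two caveats a practitioner would want: rules added with `iptables -I` are lost at reboot unless you save them (on Debian, the iptables-persistent package), and memcached has no authentication of its own in a default build, so whoever can reach the port can read and overwrite every cached object, including session data if your application caches it there. After changing `-l 127.0.0.1` (and optionally `-U 0`) in /etc/memcached.conf, restart the service and re-run the audit to confirm the listener moved.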