How to prevent moxi listening at an unauthorized port?

Some fellows on the security team told us that we have an unauthorized port issue with Couchbase.
We found it's moxi that listens on an unauthorized port.

[root@~]# ps -ef | grep moxi
496      24117 15002  0 Dec03 ?        00:00:09 /opt/couchbase/bin/moxi -Z port_listen=11211,default_bucket_name=default,downstream_max=1024,downstream_conn_max=4,connect_max_errors=5,connect_retry_interval=30000,connect_timeout=400,auth_timeout=100,cycle=200,downstream_conn_queue_timeout=200,downstream_timeout=5000,wait_queue_timeout=200 -z url=http://127.0.0.1:8091/pools/default/saslBucketsStreaming -p 0 -Y y -O stderr 
root     46098 16100  0 14:52 pts/0    00:00:00 grep moxi
[root@~]# netstat -antup | grep moxi
tcp        0      0 0.0.0.0:11211               0.0.0.0:*                   LISTEN      24117/moxi          
tcp        0      0 0.0.0.0:53685               0.0.0.0:*                   LISTEN      24117/moxi          
tcp        0      0 127.0.0.1:31128             127.0.0.1:8091              ESTABLISHED 24117/moxi          
tcp        0      0 :::11211                    :::*                        LISTEN      24117/moxi          
tcp        0      0 :::48249                    :::*                        LISTEN      24117/moxi          
[root@~]# echo stats | nc 10.49.58.25 53685 
STAT pid 24117
STAT uptime 228643
STAT time 1544079176
STAT version
STAT pointer_size 64
STAT rusage_user 6.916948
STAT rusage_system 2.284652
STAT curr_connections 4
STAT total_connections 18
STAT connection_structures 6

[root@~]# telnet 10.49.58.25 53685
Trying 10.49.58.25...
Connected to 10.49.58.25.
Escape character is '^]'.
set shuffle 0 900 9
memcached
STORED
get shuffle
VALUE shuffle 0 9
memcached
END
^]
telnet> Connection closed.

I have read some docs about moxi, such as http://docs.couchbase.com/moxi-manual-1.8/#following-a-request-through-moxi, but still have no idea about a workaround to prevent moxi from listening on the unauthorized port.

Can I get some inspiration? Any help would be appreciated.

Hi sfxu,
Thanks for using our product. I have a question: which Couchbase Server version are you using?
From Couchbase Server 5.x we no longer use the moxi port (11211), as described on this page:
https://docs.couchbase.com/server/5.0/install/install-ports.html
If you still have any question, drop me a line at thuan at couchbase dot com
Thanks

Hi thuan,
It’s mainly about Couchbase server 4.x and lower versions.

[root@~]# rpm -qa | grep couchbase
couchbase-server-community-4.1.0-5005.x86_64
[root@~]# lsb_release -a
LSB Version:    :base-4.0-amd64:base-4.0-noarch:core-4.0-amd64:core-4.0-noarch:graphics-4.0-amd64:graphics-4.0-noarch:printing-4.0-amd64:printing-4.0-noarch
Distributor ID: CentOS
Description:    CentOS release 6.7 (Final)
Release:        6.7
Codename:       Final

We have a diversity of Couchbase Server versions running, ranging from Couchbase Server 2.x, 3.x and 4.x to 5.x,
but 4.x is still the majority.
I learned from "No service on port 11211 with Couchbase Server 5.x" that moxi is deprecated in 5.x.
Thanks.

The simplest option is to upgrade to a newer version, which has removed moxi. Otherwise, if you can't do that, I'd just firewall the port off.
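Before firewalling, it helps to know exactly which ports the process has opened, since the extra listeners in the question are not fixed ports. The script below is an added example, not code from the thread or from Couchbase: it parses netstat -antup output in the format shown above and reports every LISTEN port owned by a named process that is not on an allowlist of expected ports. The function names (unexpected_listeners, count_unexpected) and the --live flag are this example's own; the embedded sample is constructed from the netstat lines in the question.

```shell
#!/bin/sh
# Added example (not from the thread): audit a process's listening sockets
# against an allowlist of expected ports, using the netstat -antup layout
# shown in the question. Run with --live to audit the host, or pipe captured
# netstat output into unexpected_listeners.

# Constructed sample: the netstat lines from the question.
SAMPLE_NETSTAT='tcp        0      0 0.0.0.0:11211               0.0.0.0:*                   LISTEN      24117/moxi
tcp        0      0 0.0.0.0:53685               0.0.0.0:*                   LISTEN      24117/moxi
tcp        0      0 127.0.0.1:31128             127.0.0.1:8091              ESTABLISHED 24117/moxi
tcp        0      0 :::11211                    :::*                        LISTEN      24117/moxi
tcp        0      0 :::48249                    :::*                        LISTEN      24117/moxi'

# unexpected_listeners PROCNAME ALLOWED_PORTS
#   Reads netstat -antup output on stdin and prints each LISTEN port owned by
#   PROCNAME that is not in the space-separated ALLOWED_PORTS list, one per
#   line, sorted numerically and de-duplicated (an IPv4 and an IPv6 listener
#   on the same port count once).
unexpected_listeners() {
    proc="$1"
    allowed=" $2 "
    awk -v proc="$proc" '
        $6 == "LISTEN" && $7 ~ ("/" proc "$") {
            n = split($4, a, ":")   # local address; the port is the last field
            print a[n]
        }' | sort -un | while read -r port; do
        case "$allowed" in
            *" $port "*) ;;              # expected port, ignore
            *) printf '%s\n' "$port" ;;  # unexpected listener, report it
        esac
    done
}

# count_unexpected PROCNAME ALLOWED_PORTS
#   Same input on stdin; prints the number of unexpected listeners so a cron
#   job or CI check can fail when the count is non-zero.
count_unexpected() {
    unexpected_listeners "$1" "$2" | wc -l | tr -d ' '
}

if [ "${1:-}" = "--live" ]; then
    # Audit the running host (netstat -p only shows process names to root).
    netstat -antup 2>/dev/null | unexpected_listeners moxi "11211"
else
    # Demonstrate on the constructed sample from the question.
    printf '%s\n' "$SAMPLE_NETSTAT" | unexpected_listeners moxi "11211"
fi
```

On the sample this prints 48249 and 53685, the two listeners that are neither the configured port_listen=11211 nor outbound connections. Because those ports are not stable, a firewall rule should allow only the expected port from the hosts that need it and default-deny the rest of the process's range, rather than blocking the specific numbers seen today; the audit can then be re-run after each restart to confirm nothing else is reachable.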

Thank you.
I will give iptables a try.
But why does the moxi gateway listen on a random, unauthorized port besides port 11211?