MySQL security (preventing problems before they occur)

By Lauren Williams,2015-09-24 18:59

    For any kind of database, security is very important. If the database has security holes and its data is stolen or destroyed, the consequences for an important database can be severe. Here MySQL security is discussed at two levels: the operating system and the database itself.

    Operating system security issues

    Operating system security issues are most often encountered during MySQL installation and startup.

    1. Strictly control operating system accounts and permissions

    On the database server, strictly control operating system accounts and their permissions, for example:

    - Lock the mysql operating system account.
    - Every other person logs in with their own account; the administrator manages MySQL through the dedicated mysql user, or switches to the mysql user from root with su.
    - In the mysql user's directory, every file and directory other than the data directory should be owned by root.

    2. Avoid running MySQL with root privileges

    After MySQL is installed, the data directory is usually owned by the mysql user and the MySQL software directory by root. The purpose is that, when the mysql user is used to start the database, a user holding the FILE privilege cannot create files in directories owned by root. If the database is started as root instead, any user with the FILE privilege can read and write files owned by root, which is a serious security hazard for the system.

    3. Prevent DNS spoofing

    When creating a user, the host part can be given as a domain name or as an IP address. Specifying a domain name brings the following hazard: if the IP address the domain resolves to is maliciously changed, the database will be accessed from the malicious IP address, creating a security risk.
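    One way to find the accounts that depend on DNS, and the address-bound form to prefer instead. This is an added example, not code from the original article; it assumes MySQL 5.5 with access to the mysql.user table, and the user name app, the database appdb, the password placeholder and the address 192.0.2.10 are constructed values. It also assumes the server exposes the skip_name_resolve system variable; on a build that does not, check the --skip-name-resolve option in my.cnf instead.

```sql
-- Added example: audit accounts whose Host is a DNS name rather than an
-- address, localhost or a wildcard. Such grants are only as trustworthy as
-- the DNS answer the server receives.
-- Assumes MySQL 5.5 (mysql.user layout of that version).
SELECT User, Host
FROM mysql.user
WHERE Host <> 'localhost'
  AND Host <> '%'
  AND Host NOT LIKE '%:%'          -- skip IPv6 literals, which contain letters
  AND Host REGEXP '[A-Za-z]';      -- a letter in an IPv4-style host means a name

-- Preferred form: bind the grant to an address the server does not have to
-- resolve. 192.0.2.10, app, appdb and the password are constructed values.
CREATE USER 'app'@'192.0.2.10' IDENTIFIED BY 'placeholder_change_me';
GRANT SELECT, INSERT, UPDATE, DELETE ON appdb.* TO 'app'@'192.0.2.10';

-- With name resolution disabled the server matches clients by address only,
-- so a host-name grant can never be satisfied by a spoofed DNS record.
SHOW VARIABLES LIKE 'skip_name_resolve';
```

    If the first query returns rows, recreate those accounts with the address form and drop the name-based ones; the variable check tells you whether name-based grants can currently be matched at all.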

    Database security issues

    The most common database security problems are caused by improper account management, so awareness of account management security should be strengthened.

    1. Remove anonymous accounts

    In some versions, after MySQL is installed an anonymous (empty-name) account is created automatically. This account has full privileges on the test database, so an ordinary user only needs to run the mysql command to log in to the MySQL database. Using the empty account, that user can perform all kinds of operations in the test database, for example creating a huge table that takes up a lot of disk space, which puts the system at risk.

    2. Set a password for the root account

    After MySQL is installed, the root password is empty by default and must be changed immediately:

set password=password('newpassword');
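    The following audit and clean-up covers both items above (the anonymous account and the empty root password). It is an added example, not code from the original article; it assumes MySQL 5.5, where the password hash is stored in the Password column of mysql.user, and 'newpassword' is a placeholder to be replaced.

```sql
-- Added example: find anonymous accounts and accounts with no password,
-- then remove the former and set a password on root.
-- Assumes MySQL 5.5 (mysql.user.Password column).
SELECT User, Host,
       (User = '')     AS is_anonymous,
       (Password = '') AS has_empty_password
FROM mysql.user
WHERE User = '' OR Password = '';

-- Drop each anonymous account returned above (one DROP USER per row;
-- a default install usually has one for localhost and one for the
-- server's own host name, which you substitute from the query result).
DROP USER ''@'localhost';

-- The anonymous account's reach came from the catch-all rows for the test
-- database in mysql.db; remove them as well.
DELETE FROM mysql.db WHERE User = '';

-- Set a password on every root entry (root often exists for more than one
-- host). 'newpassword' is a placeholder.
SET PASSWORD FOR 'root'@'localhost' = PASSWORD('newpassword');
SET PASSWORD FOR 'root'@'127.0.0.1' = PASSWORD('newpassword');

-- Needed because mysql.db was edited directly rather than through GRANT.
FLUSH PRIVILEGES;

-- Re-check: this should now return no rows.
SELECT User, Host FROM mysql.user WHERE User = '' OR Password = '';
```

    The first query doubles as a detection check: run it periodically, and any row it returns is an account that can be used without credentials.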

    3. Set a secure password

    Password security has the following two aspects:

    - Set a secure password; a string of more than six characters combining letters, numbers, underscores and some special characters is recommended.
    - Use the password safely: make sure, as far as possible, that the password cannot be stolen while it is being used.

    The first point needs no elaboration: the longer, more complex and less regular a password is, the more secure it is. For the second point, in daily work a password is usually used in the following ways.

    (1) Write the password directly on the command line.

mysql -uroot -p123

    (2) Enter the password interactively.

mysql -uroot -p

    (3) Write the user name and password into a configuration file from which they are read automatically when connecting, for example when an application connects to the database or a batch script is run. MySQL supports this by placing the connection information in my.cnf:

[client]
user=username
password=password

    Then strictly restrict the permissions of the configuration file, for example:

chmod 600 my.cnf

    These are the three common ways of using a password. Obviously the first is the least safe, because the password is written in plaintext; the second is safer, but can only be used in an interactive session; the third is the most convenient, but the configuration file must be given strict access permissions, and anyone who can log in as that operating system user can log in to the database automatically, which is still a certain security risk.

    The third method is not used much, so an example follows.

    (1) Running mysql without credentials fails to log in.

[root@iZ28dr6w0qvZ ~]# mysql
ERROR 1045 (28000): Access denied for user 'root'@'localhost' (using password: NO)

    (2) Modify the configuration file and add the connection information.

[root@iZ28dr6w0qvZ ~]# vim /etc/my.cnf
...
[client]
#password = your_password
user=cqh
password=123

    (3) After restarting the database, run mysql again.

[root@iZ28dr6w0qvZ ~]# service mysqld restart
Shutting down MySQL... SUCCESS!
Starting MySQL.. SUCCESS!
[root@iZ28dr6w0qvZ ~]# mysql
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 1
Server version: 5.5.37-log MySQL Community Server (GPL)

Copyright (c) 2000, 2014, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> select current_user();
+----------------+
| current_user() |
+----------------+
| cqh@localhost  |
+----------------+
1 row in set (0.02 sec)

    4. Grant accounts only the privileges they need

    Give ordinary users only the privileges they need, for example:

grant select,insert,update,delete on tablename to 'username'@'hostname';

    In many cases the DBA, for the sake of convenience, simply grants all privileges. What exactly does "all privileges" contain? Look at the following example:

mysql> select * from db where user='cqh'\G
*************************** 1. row ***************************
                 Host: localhost
                   Db: test
                 User: cqh
          Select_priv: Y
          Insert_priv: Y
          Update_priv: Y
          Delete_priv: Y
          Create_priv: Y
            Drop_priv: Y
           Grant_priv: N
      References_priv: Y
           Index_priv: Y
           Alter_priv: Y
Create_tmp_table_priv: Y
     Lock_tables_priv: Y
     Create_view_priv: Y
       Show_view_priv: Y
    Create_routine_priv: Y
     Alter_routine_priv: Y
         Execute_priv: Y
           Event_priv: Y
         Trigger_priv: Y
1 row in set (0.00 sec)

    All of these privileges are far more than a typical application needs. Moreover, if some of them are misused the consequences are very serious, Drop_priv for example. Therefore, the more specific a user's privileges are, the more secure the database is.
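    The contrast between the convenient grant and the minimal one, followed by a query that flags database-level grants carrying schema-changing privileges. This is an added example, not code from the original article; it assumes MySQL 5.5, and appdb, app_rw, app_ro, the address 192.0.2.10 and the password placeholders are constructed names.

```sql
-- Added example: the over-broad grant that produces a row of Y values like
-- the one above, and the narrower grant an application usually needs.
-- Assumes MySQL 5.5; all names and the address are constructed.

-- Convenient, but hands out CREATE, DROP, ALTER, routines, triggers and more:
GRANT ALL PRIVILEGES ON appdb.* TO 'app_rw'@'192.0.2.10' IDENTIFIED BY 'placeholder_rw';

-- Take it back and grant only the DML the application actually issues:
REVOKE ALL PRIVILEGES ON appdb.* FROM 'app_rw'@'192.0.2.10';
GRANT SELECT, INSERT, UPDATE, DELETE ON appdb.* TO 'app_rw'@'192.0.2.10';

-- A reporting connection gets read-only access:
GRANT SELECT ON appdb.* TO 'app_ro'@'192.0.2.10' IDENTIFIED BY 'placeholder_ro';

-- Audit: database-level grants that include privileges able to destroy or
-- reshape data, or to pass privileges on. Each row deserves a justification.
SELECT User, Host, Db,
       Drop_priv, Alter_priv, Create_priv, Grant_priv,
       Create_routine_priv, Alter_routine_priv, Trigger_priv
FROM mysql.db
WHERE Drop_priv = 'Y' OR Alter_priv = 'Y' OR Create_priv = 'Y'
   OR Grant_priv = 'Y' OR Create_routine_priv = 'Y'
   OR Alter_routine_priv = 'Y' OR Trigger_priv = 'Y'
ORDER BY User, Host, Db;

-- Confirm what an account holds after the change:
SHOW GRANTS FOR 'app_rw'@'192.0.2.10';
```

    GRANT and REVOKE update the in-memory privilege cache themselves, so no FLUSH PRIVILEGES is needed here; it is only required after editing the grant tables directly.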

    5. Apart from root, no user should have access to the user table in the mysql database

    Because privileges in MySQL can be changed by adding, deleting or modifying rows in the user table of the mysql database, no user other than root should have access to the user table (SELECT, UPDATE, INSERT, DELETE, etc.), for the safety of the system. The following case grants an ordinary user access to the user table and shows what security risk this creates for the system.

    (1) Create an ordinary user chenqionghe with various privileges on the user table in the mysql database.

[root@iZ28dr6w0qvZ ~]# mysql -uroot -p
Enter password:
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 103
Server version: 5.5.37-log MySQL Community Server (GPL)

Copyright (c) 2000, 2014, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> grant select,update,insert,delete on mysql.user to chenqionghe@localhost;
Query OK, 0 rows affected (0.00 sec)

    (2) Use chenqionghe to change root's password.

[root@iZ28dr6w0qvZ ~]# mysql -uchenqionghe
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 106
Server version: 5.5.37-log MySQL Community Server (GPL)

Copyright (c) 2000, 2014, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> use mysql;
Database changed
mysql>
mysql> update user set password=password('abcd') where user='root' and host='localhost';
Query OK, 1 row affected (0.00 sec)
Rows matched: 1  Changed: 1  Warnings: 0

    (3) After the database is restarted, or root refreshes the privilege list, root's login password has been changed.

[root@iZ28dr6w0qvZ ~]# mysql -uroot -pabcd
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 2
Server version: 5.5.37-log MySQL Community Server (GPL)

Copyright (c) 2000, 2014, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

    6. Do not give the FILE, PROCESS or SUPER privilege to any account other than the administrator's

    The main functions of the FILE privilege are the following:

    Database contents can be written out with SELECT ... INTO OUTFILE ... as text files into any server directory the server can write to; the directories it can write to are those writable by the operating system user that started MySQL.

    Any text file the server can read can be loaded into a data table with LOAD DATA INFILE ...; if the file contains important information, this creates a great security hazard for the system.

    The following case shows in detail the hidden trouble the FILE privilege can cause.

    (1) Connect to the database and create a test table t.

[root@iZ28dr6w0qvZ ~]# mysql -uroot -p
Enter password:
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 8
Server version: 5.5.37-log MySQL Community Server (GPL)

Copyright (c) 2000, 2014, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> use test;
Database changed
mysql> create table t (name varchar(500));
Query OK, 0 rows affected (0.02 sec)

    (2) Load the /etc/passwd file into table t.

mysql> load data infile '/etc/passwd' into table t;
Query OK, 23 rows affected (0.01 sec)
Records: 23  Deleted: 0  Skipped: 0  Warnings: 0

    (3) View the contents of t.

mysql> select * from t;
+----------------------------------------------------------------------+
| name                                                                 |
+----------------------------------------------------------------------+
| root:x:0:0:root:/root:/bin/bash                                      |
| bin:x:1:1:bin:/bin:/sbin/nologin                                     |
| daemon:x:2:2:daemon:/sbin:/sbin/nologin                              |
| adm:x:3:4:adm:/var/adm:/sbin/nologin                                 |
| lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin                             |
| sync:x:5:0:sync:/sbin:/bin/sync                                      |
| shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown                         |
| halt:x:7:0:halt:/sbin:/sbin/halt                                     |
| mail:x:8:12:mail:/var/spool/mail:/sbin/nologin                       |
| uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin                      |
| operator:x:11:0:operator:/root:/sbin/nologin                         |
| games:x:12:100:games:/usr/games:/sbin/nologin                        |
| gopher:x:13:30:gopher:/var/gopher:/sbin/nologin                      |
| ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin                          |
| nobody:x:99:99:Nobody:/:/sbin/nologin                                |
