MySQL database security prevention methods

◆ Actively monitors MySQL access records

MySQL contains many different log files that record customer connection, query, and server errors. Among them, the most important is the general query log, which uses time labels to record the connection and interruption time of each customer, and records each query executed by the customer. If you suspect unusual behavior, such as network intrusion, monitoring this log to understand the source of behavior is a good way to protect your MySQL database tutorial is a daily task. Therefore, even after completing the above steps, you still need to take more time to learn more security suggestions, actively monitor and update your system security.

◆ Delete wildcards in the authorization table

The MySQL access control system runs through a series of so-called authorization tables to define user access rights at the database, table, or column level. However, these tables allow administrators to set a package license for a user or a set of tables that apply wildcards. This may pose a potential danger because hackers may use a restricted account to access other parts of the system. For this reason, exercise caution when setting user privileges to ensure that users can only access the content they need. Be especially careful when setting super privileges for individual users, because this level allows common users to modify basic server configurations and access the entire database.

Suggestion: Show privileged commands to each user account to review the authorization table and check whether the application wildcard license is appropriate.
◆ Encrypt data transmission between customers and servers

An important issue of the MySQL (and other) Customer and server architecture is the security issue when data is transmitted over the network. If the interaction between the customer and the server occurs in plain text, the hacker may "sniff" the transmitted data packets to obtain confidential information. You can activate SSL in the MySQL configuration, or apply a security application such as OpenSSH to establish a secure encrypted "channel" for the transmitted data to close this vulnerability. Encrypting the connection between the customer and the server in this form makes it extremely difficult for unauthorized users to access the data.

◆ Check the configuration file license

In general, to make the server connection more convenient, a single user and the server administrator must store their user account and password in the single-user MySQL option file. However, this password is stored in files in plain text format and can be easily viewed. Therefore, you must ensure that such a single user configuration file is not checked by other users in the system and stored in a non-public location. Ideally, you want the configuration file of a single user to be saved in the root directory of the user. The license is 0600.



◆ Remote Access prohibited

If you do not need to remotely access the server, you can force all MySQL connections to be completed through UNIX slot files, thus greatly reducing the risk of network attacks. This process can be completed by skipping the Network option to start the server. This prevents TCP/IP networks from connecting to MySQL and ensures that no user can connect to the system remotely.

Suggestion: You can add the Bind Address 127.0.0.1 command in the MySQL server configuration to enhance this function, forcing MySQL to bind the IP address of the local machine to ensure that only users in the same system can connect to MySQL.

◆ Require a secure password

The security of user accounts is closely related to the passwords used to protect them. Therefore, when installing MySQL, set the password of the MySQL Root Account (empty by default ). After the vulnerability is fixed, each user account should be asked to use a password and do not use heuristic passwords that are easy to recognize, such as birthdays, usernames, or words in the dictionary.

Suggestion: Use the MySQL-security-Authorization option to avoid using the old and unsecure MySQL password format.