1. Default mysql Authorization Table 2. Lack of log capability 3. Password leakage in my. ini file 4. Service bound to all network interfaces by default 5. mysql directory permission in the default installation path
1. Default mysql Authorization Table 2. Lack of log capability 3. Password leakage in my. ini file 4. Service bound to all network interfaces by default 5. mysql directory permission in the default installation path
The following elements are involved in the insecure mysql service installed by default:
I. Default mysql authorization table
Ii. Lack of log capability
Iii. Password leakage for my. ini files
4. Services are bound to all network interfaces by default.
V. mysql directory permission in the default installation path
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~~~~
I. Default mysql authorization table
Because mysql authenticates identity based on the mysql database, it is also called an authorization table. All permission settings are here.
We will only discuss the most important user table. It controls accepting or rejecting connections.
Let's take a look.
Select host, user, password, Delete_priv from user;
+ ----------- + ------ + ------------------ + ------------- +
| Host | user | password | Delete_priv |
+ ----------- + ------ + ------------------ + ------------- +
| Localhost | root | 67457e226a1a15bd | Y |
| % | Root | Y |
| Localhost | Y |
| % | N |
+ ----------- + ------ + ------------------ + ------------- +
A quick setting window is displayed after the new version is installed to set the password.
The above is the content in the user table (Omitted) to see if there is any problem?
We know that the mysql verification method is quite special. It is based on two pieces of information.
1. Connect from there
2. User Name
The password must be safe.
Article 2 The user root can be connected from any host without a password. The permission is all permissions. (Note: The permission here is global)
Article 3 from the local host, any user name (note: the user is blank, does not indicate that the user name is not required), password is not required, can be connected, all Permissions
Article 4 Any user name and password on any host can be connected without any permissions.
It can be seen that 2 \ 3 \ 4 is not safe, and how to attack it is not mentioned here, please refer to the data library.
If mysql only allows local connections, delete the % of the host and the nul (null) in the user)
Delete from user where host = '% ';
Delete from host where user = '';
The Last user table looks like this.
+ ----------- + ------ + ------------------ + ------------- +
| Host | user | password | Delete_priv |
+ ----------- + ------ + ------------------ + ------------- +
| Localhost | root | 67457e226a1a15bd | Y |
+ ----------- + ------ + ------------------ + ------------- +
Finally, you need to refresh the authorization table to make it take effect immediately.
Flush privileges;
If your mysql needs to be remotely used, add a secure password to the root account in section %.
Update user set password = password ('upass ') where host =' % ';
Here, youpass is the password.
Mysql> select host, user, password, Delete_priv from user;
+ ----------- + ------ + ------------------ + ------------- +
| Host | user | password | Delete_priv |
+ ----------- + ------ + ------------------ + ------------- +
| Localhost | root | 67457e226a1a15bd | Y |
| % | Root | 77c590fa148bc9fb | Y |
+ ----------- + ------ + ------------------ + ------------- +
