MySQL Security Settings

Source: Internet
Author: User

MySQL Security Settings

We have installed MySQL in the /usr/local/mysql directory. We must create a user named mysql and a group named mysql to run MySQL; at the same time, we copy its configuration file to the /etc directory:
# cp support-files/my-medium.cnf /etc/my.cnf
# chown root:sys /etc/my.cnf
# chmod 644 /etc/my.cnf

Start MySQL as the mysql user:
# /usr/local/mysql/bin/mysqld_safe --user=mysql &

(1) Change the root user's password
A default MySQL installation has no root password, so we must set one right away. There are three ways to change the root password.

* Use the mysqladmin command to change the root user's password:
# mysqladmin -u root password test
This changes the password of the MySQL root user to "test". (test is only an example; never use a weak, easily guessed password like this.)

* Use SET PASSWORD to change the password:
mysql> SET PASSWORD FOR root@localhost = PASSWORD('test');
The root user's password is changed to test.

* Directly modify the root user's password in the user table:
mysql> USE mysql;
mysql> UPDATE user SET Password = PASSWORD('test') WHERE user = 'root';
mysql> FLUSH PRIVILEGES;

This also changes the password of the MySQL root user to test. The last command, FLUSH PRIVILEGES, forces MySQL to reload the grant tables into memory. Without it the cached credentials stay in effect, so an attacker could still log on as root with an empty password until the MySQL server is restarted.

(2) Delete the default databases and users
Our database is local and only needs to be read by local PHP scripts, so most of the default users are unnecessary. MySQL initialization automatically creates anonymous (empty) users and the test database, which are a threat to the database, so we delete them all.
After connecting to the local MySQL server with the mysql client program, run the following:
mysql> DROP DATABASE test;
mysql> USE mysql;
mysql> DELETE FROM db;
mysql> DELETE FROM user WHERE NOT (host = "localhost" AND user = "root");
mysql> FLUSH PRIVILEGES;

(3) Change the default MySQL administrator name
This step is optional and a matter of personal habit. Because the default MySQL administrator name is root, changing it can stop some script kiddies from brute-forcing that account. We modify the user table directly and rename the root user to "admin":
mysql> USE mysql;
mysql> UPDATE user SET user = "admin" WHERE user = "root";
mysql> FLUSH PRIVILEGES;

(4) Improve local security
Improving local security mainly means preventing MySQL from reading local files. For example, an attacker could use MySQL to read /etc/passwd, which threatens the whole system. MySQL reads local files through SQL statements, mainly LOAD DATA LOCAL INFILE; we can disable this feature so that attackers cannot obtain critical system files through SQL injection.
To disable it, add the following parameter to the [mysqld] section of my.cnf:
set-variable = local-infile=0
(The set-variable prefix is the old syntax and is no longer accepted by current MySQL versions, which take the plain form local-infile=0.)

(5) Disable remote connections to MySQL
Because only local PHP scripts need to connect to our MySQL, there is no need to listen on a network socket, so we can disable network listening entirely.
Two methods are available:
* In the my.cnf file, add skip-networking to the [mysqld] section.
* Add the --skip-networking startup parameter to the mysqld server command line.
Either way MySQL no longer listens for any TCP/IP connection, which improves security. For management you can install phpMyAdmin locally on the server.

(6) Control database access permissions
For PHP scripts that interact with the database, it is best to create a user that has only the UPDATE, SELECT, DELETE, INSERT, DROP TABLE and CREATE TABLE privileges, so that if the database user name and password leak, the damage is kept to a minimum.
For example, we create a database named db1 and a user named test1 to access it:
mysql> CREATE DATABASE db1;
mysql> GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP ON db1.* TO test1@localhost IDENTIFIED BY 'admindb';
The preceding SQL statements create the database db1 and add a user named test1 with the password admindb, who can connect to MySQL only from the local host. On database db1 this user has the SELECT, INSERT, UPDATE, DELETE, CREATE and DROP privileges.

(7) Restrict ordinary users from browsing other users' databases
If you have multiple databases, each with its own user, you should prevent each user from listing the other databases. To do so, add the --skip-show-database startup parameter when starting the MySQL server.

(8) If you forget the MySQL password
If you accidentally forget the MySQL root password, start the MySQL server with the --skip-grant-tables parameter to skip grant-table authentication (./safe_mysqld --skip-grant-tables &). You can then log on to the MySQL server directly, change the root user's password, restart MySQL and log on with the new password.

(9) Database file security
By default MySQL is installed under /usr/local/mysql and the database files live in /usr/local/mysql/var. We must make sure unauthorized users cannot simply pack up and copy the database out of this directory, so we restrict access to it.
We set the owner and group of the directory to mysql and change its permissions at the same time:
# chown -R mysql.mysql /usr/local/mysql/var
# chmod -R go-rwx /usr/local/mysql/var

(10) Delete history records
The commands above are recorded by the shell in its history file; Bash, for example, writes them to .bash_history in the user's home directory. If such a file is read by someone else, the database password leaks. The SQL statements you execute after logging on to the database are likewise recorded by MySQL in .mysql_history in the home directory, so if a database user changes a password with an SQL statement, .mysql_history leaks it as well. Therefore, when logging on from the shell or running backups, never put the password after -p on the command line; enter it at the prompt instead.
In addition, just in case, we stop these two files from recording our operations at all:
# rm .bash_history .mysql_history
# ln -s /dev/null .bash_history
# ln -s /dev/null .mysql_history

(11) Others
In addition, you can use chroot and similar methods to confine the directory MySQL runs in and control its permissions more tightly. For details, refer to the related article.

4. vsftpd Security Settings

vsftpd is a well-known FTP daemon. Many large organizations, including redhat.com, currently use it. It is a very secure program, as its name says: very secure FTP daemon.
vsftpd has a great many options covering every aspect of its operation; below we focus on the security-related settings.
We currently use system accounts and also need an FTP account to manage our files. Suppose I need only one account to update my website, and I do not want this account to be able to log on to the system. For example, if our website's directory is /usr/www, we create a new user named ftp whose home directory is /usr/www and whose shell is /usr/sbin/nologin; with no usable shell, the user cannot log on to the system through SSH.

In the detailed settings that follow, we mainly edit vsftpd's configuration file, vsftpd.conf.

(1) Prohibit anonymous access. We do not need anonymous users, so we disable them outright:
anonymous_enable=NO

(2) Allow local users to log on, because we manage our website with an FTP user:
local_enable=YES

(3) Only the ftp user or certain specified users may access FTP. The system has many accounts, and not all of them should be able to use FTP.
Enable the user list feature:
userlist_enable=YES
Allow only the users in the list file to access FTP:
userlist_deny=NO
Path of the user list file:
userlist_file=/etc/vsftpd.user_list

Create the vsftpd.user_list file under /etc and add the ftp user on a line of its own. You can also add the names of any system accounts you want to allow access.

(4) Forbid certain users from logging on to FTP:
pam_service_name=vsftpd
This is the name of the PAM configuration vsftpd uses for PAM authentication. The default value is vsftpd, and the corresponding PAM configuration file is /etc/pam.d/vsftpd.

/etc/vsftpd.ftpusers
vsftpd refuses FTP logins to the users listed in this file, one user name per line. This mechanism is set up by default in /etc/pam.d/vsftpd.

This feature is similar to the one in (3); it is best to use the two in combination.

(5) Lock local users into their home directories so they cannot change to other directories and, for example, download /etc/passwd:
chroot_local_user=NO
chroot_list_enable=YES
chroot_list_file=/etc/vsftpd.chroot_list
Then create the vsftpd.chroot_list file under /etc and add the local accounts we want to confine, one per line; add ftp so that it cannot roam the rest of the system.

(6) Hide the real user and group information of files, so that an attacker who obtains FTP access cannot learn more about the system's users:
hide_ids=YES

(7) Disable the ls -R command to save resources; with large file listings this command wastes a lot of system resources:
ls_recurse_enable=NO

(8) Default permissions for uploaded files; set the umask to 022:
local_umask=022
To allow overwriting, deleting and so on, you must enable:
write_enable=YES

(9) FTP banner. To keep attackers from learning more about the server, set this item:
ftpd_banner=banner string
Replace the banner string with the greeting you want. For security, we recommend that it reveal nothing about vsftpd.
If you have more to say, you can have the greeting read from a file instead:
banner_file=/directory/vsftpd_banner_file

(10) Enable logging:
xferlog_enable=YES
Set the log file at the same time:
xferlog_file=/var/log/vsftpd.log
Enable the standard log format:
xferlog_std_format=YES

(11) If you enable the virtual user feature, we recommend that you disable local user logins:
local_enable=NO

vsftpd has many more security settings; after all, it is named very secure FTP daemon for a reason, and it has had very few overflow vulnerabilities. If you want to be even safer, configure vsftpd strictly to your own needs; that is the safest setup.
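The MySQL items (4), (5), (7) and (9) and the vsftpd items (1), (3), (5) through (7), (9) and (10) above are all settings that drift back to their insecure defaults over time, so a defender wants a repeatable check rather than a one-off edit. The script below is an added example, not part of the original article: it audits a my.cnf (restricted to its [mysqld] section, in either the old set-variable form or the plain form) plus the data directory's permission bits, and a vsftpd.conf against the baseline values given in the text. The sample configuration files and their contents are constructed for the demonstration and are written to a temporary directory, not to real server paths.

```shell
#!/bin/sh
# Added example (not from the original article): audit a my.cnf and a vsftpd.conf
# against the hardening settings discussed in the text. All file contents below
# are constructed samples written to a temporary directory, not real server files.

# cfg_get FILE KEY: value of the last "KEY=value" / "KEY = value" line, comments
# removed, or nothing if the key is absent.
cfg_get() {
    sed -n -e 's/#.*//' \
        -e "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\(.*[^[:space:]]\)[[:space:]]*$/\1/p" "$1" | tail -n 1
}

# mysqld_section FILE: only the [mysqld] section of a my.cnf, comments removed.
mysqld_section() {
    sed 's/#.*//' "$1" |
        awk '/^[[:space:]]*\[/ { in_sec = ($0 ~ /^[[:space:]]*\[mysqld\]/); next } in_sec'
}

# audit_mysql MYCNF DATADIR: print one FINDING line per gap; return the count.
audit_mysql() {
    cnf=$1; datadir=$2; n=0
    sec=$(mysqld_section "$cnf")
    # (4) local-infile=0, either as "set-variable = local-infile=0" or plain.
    if ! printf '%s\n' "$sec" | grep -Eq \
        '^[[:space:]]*(set-variable[[:space:]]*=[[:space:]]*)?local[-_]infile[[:space:]]*=[[:space:]]*(0|OFF|off)[[:space:]]*$'; then
        echo "FINDING: $cnf: local-infile is not disabled in [mysqld]"; n=$((n + 1))
    fi
    # (5) skip-networking and (7) skip-show-database: bare flags, or flag=1/ON.
    for flag in skip-networking skip-show-database; do
        pat="^[[:space:]]*$(printf '%s' "$flag" | sed 's/-/[-_]/g')([[:space:]]*=[[:space:]]*(1|ON|on))?[[:space:]]*$"
        if ! printf '%s\n' "$sec" | grep -Eq "$pat"; then
            echo "FINDING: $cnf: $flag is not set in [mysqld]"; n=$((n + 1))
        fi
    done
    # (9) the data directory must carry no group/other permission bits (go-rwx).
    mode=$(stat -c %a "$datadir" 2>/dev/null || stat -f %Lp "$datadir")
    case "$mode" in
        *00) ;;
        *) echo "FINDING: $datadir: mode $mode is accessible to group/other"; n=$((n + 1)) ;;
    esac
    return $n
}

# audit_vsftpd CONF: compare against the baseline from items (1), (3), (5)-(7), (9), (10).
audit_vsftpd() {
    conf=$1; n=0
    while read -r key want; do
        got=$(cfg_get "$conf" "$key" | tr '[:lower:]' '[:upper:]')
        if [ "$got" != "$want" ]; then
            echo "FINDING: $conf: expected $key=$want, found '${got:-unset}'"; n=$((n + 1))
        fi
    done <<EOF
anonymous_enable NO
local_enable YES
userlist_enable YES
userlist_deny NO
chroot_list_enable YES
hide_ids YES
ls_recurse_enable NO
xferlog_enable YES
EOF
    # (9) a banner must be set and must not name the server software.
    case "$(cfg_get "$conf" ftpd_banner)" in
        "") echo "FINDING: $conf: ftpd_banner unset (the built-in banner shows the version)"; n=$((n + 1)) ;;
        *[Vv][Ss][Ff][Tt][Pp][Dd]*) echo "FINDING: $conf: ftpd_banner names the server software"; n=$((n + 1)) ;;
    esac
    return $n
}

# Constructed sample inputs (not real server files) so the script runs offline.
tmp=$(mktemp -d)
printf '%s\n' '[client]' 'port = 3306' '[mysqld]' 'port = 3306' 'socket = /tmp/mysql.sock' >"$tmp/my-weak.cnf"
printf '%s\n' '[mysqld]' 'socket = /tmp/mysql.sock' 'set-variable = local-infile=0' \
    'skip-networking' 'skip-show-database' >"$tmp/my-hardened.cnf"
mkdir -m 755 "$tmp/var-weak"; mkdir -m 700 "$tmp/var-hardened"
printf '%s\n' 'anonymous_enable=YES' 'local_enable=YES' 'write_enable=YES' 'local_umask=022' \
    'ls_recurse_enable=YES' 'xferlog_enable=YES' 'ftpd_banner=Welcome to the vsftpd FTP service.' >"$tmp/vsftpd-weak.conf"
printf '%s\n' 'anonymous_enable=NO' 'local_enable=YES' 'userlist_enable=YES' 'userlist_deny=NO' \
    'userlist_file=/etc/vsftpd.user_list' 'chroot_local_user=NO' 'chroot_list_enable=YES' \
    'chroot_list_file=/etc/vsftpd.chroot_list' 'hide_ids=YES' 'ls_recurse_enable=NO' \
    'local_umask=022' 'write_enable=YES' 'ftpd_banner=Authorized use only.' \
    'xferlog_enable=YES' 'xferlog_file=/var/log/vsftpd.log' >"$tmp/vsftpd-hardened.conf"

for f in my-weak my-hardened; do
    audit_mysql "$tmp/$f.cnf" "$tmp/var-${f#my-}" || echo "$f.cnf: $? finding(s)"
done
for f in vsftpd-weak vsftpd-hardened; do
    audit_vsftpd "$tmp/$f.conf" || echo "$f.conf: $? finding(s)"
done
```

Each audit function returns its finding count as the exit status, so the script can run from cron and alert on any non-zero result. The vsftpd baseline treats an unset option as a finding even where the vsftpd default happens to match, because the point of hardening is to pin the value explicitly rather than rely on a default that a package upgrade may change.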
