We have MySQL installed in the /usr/local/mysql directory. Create a user named mysql and a group named mysql to run MySQL under, and copy its configuration file to the /etc directory:
# cp support-files/my-medium.cnf /etc/my.cnf
# chown root:sys /etc/my.cnf
# chmod 644 /etc/my.cnf
Start MySQL as the mysql user:
# /usr/local/mysql/bin/mysqld_safe --user=mysql &
(1) Change the password of the root user
A default MySQL installation has no root password, so change it right away. Here are three ways to change the root password.
* Use the mysqladmin command to change the root user password
# mysqladmin -uroot password test
This changes the password of the MySQL root user to test. (test is only an example; the password you actually use must not be such an easy-to-guess weak password.)
* Change password with Set password:
mysql> SET PASSWORD FOR root@localhost=PASSWORD('test');
The root user's password is then changed to test.
* Directly modify the root user password of the user table
mysql> use mysql;
mysql> UPDATE user SET Password=PASSWORD('test') WHERE User='root';
mysql> flush privileges;
This also changes the MySQL root password to test. The final command, flush privileges, forces the server to reload the grant tables from disk into memory. Without it the old (empty) password stays in the cached grant tables, and an unauthorized user can still log in as root with an empty password until the MySQL server is restarted.
(2) Delete the default database and user
Our database is local and only local PHP scripts need to read from MySQL, so most accounts are unnecessary. MySQL creates anonymous (empty-name) users and a test database automatically at initialization; they are a risk to the database, so delete them all.
After connecting to the local MySQL server with the mysql client program, run the following at the prompt:
mysql> drop database test;
mysql> use mysql;
mysql> DELETE FROM db;
mysql> DELETE FROM user WHERE NOT (Host='localhost' AND User='root');
mysql> flush privileges;
(3) Change the name of the default MySQL administrator
This step is optional and a matter of personal habit. Because the default MySQL administrator name is root, renaming it stops script kiddies from guessing the administrator account while probing the system. We can modify the grant table directly and rename the root user to "admin":
mysql> use mysql;
mysql> UPDATE user SET User='admin' WHERE User='root';
mysql> flush privileges;
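The checks in (1), (2) and (3) can be turned into a small audit that runs over a dump of the mysql.user grant table. The following is an added example, not code from the original article: the rows are constructed to resemble a fresh install (on a real server they would come from SELECT Host, User, Password FROM mysql.user; MySQL 5.7 and later keep the hash in authentication_string instead of Password), and the cleanup is planned as DROP USER statements rather than the DELETE FROM user used above, because DROP USER removes the account from every grant table and takes effect immediately without a flush privileges.

```python
# Added example (not part of the original article): audit a snapshot of the
# mysql.user grant table for the problems that sections (1)-(3) fix, and plan
# the cleanup from section (2) as DROP USER statements.
# The rows below are constructed; on a real server they would come from
#   SELECT Host, User, Password FROM mysql.user;

SAMPLE_USER_ROWS = [
    # (Host, User, Password) -- constructed to resemble a fresh install
    ("localhost", "root", ""),          # root with an empty password
    ("myhost", "root", ""),             # root reachable from a second host
    ("localhost", "", ""),              # anonymous user
    ("myhost", "", ""),                 # anonymous user
    ("localhost", "test1", "*HASH"),    # the per-database user from section (6)
]


def audit_user_table(rows, admin_name="root"):
    """Return (severity, message) findings for a list of (Host, User, Password) rows."""
    findings = []
    for host, user, password in rows:
        if user == "":
            # section (2): anonymous accounts created at initialization
            findings.append(("high", f"anonymous account allowed from '{host}'"))
            continue
        if password == "":
            # section (1): the default install leaves root without a password
            findings.append(("high", f"'{user}'@'{host}' has an empty password"))
        if user == admin_name and host != "localhost":
            findings.append(("medium", f"administrator '{admin_name}' may log in from '{host}'"))
        if host in ("%", ""):
            findings.append(("medium", f"'{user}' accepts connections from any host"))
    # section (3): the well-known administrator name is still in use
    if any(user == "root" for _, user, _ in rows):
        findings.append(("low", "default administrator name 'root' still present"))
    return findings


def plan_cleanup(rows, keep=(("localhost", "root"),)):
    """DROP USER statements for every account not in `keep`, in table order.

    DROP USER removes the account from all grant tables and takes effect at
    once, so no FLUSH PRIVILEGES is needed afterwards (unlike editing the
    user table directly as section (2) does)."""
    return [f"DROP USER '{user}'@'{host}';"
            for host, user, _ in rows if (host, user) not in keep]


if __name__ == "__main__":
    for severity, message in audit_user_table(SAMPLE_USER_ROWS):
        print(f"[{severity}] {message}")
    print("\n".join(plan_cleanup(SAMPLE_USER_ROWS)))
```

Run it after the three steps above and the audit should come back empty except for the low-severity note about the administrator name, which goes away once root has been renamed.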
(4) Improve local security
Improving local security mainly means preventing MySQL from reading local files: an attacker who can get /etc/passwd through MySQL poses a threat to the whole system. MySQL reads local files through SQL statements, primarily LOAD DATA LOCAL INFILE, so disabling that statement prevents an attacker from obtaining core system files via SQL injection.
To disable this feature, add the following parameter to the [mysqld] section of my.cnf (set-variable= is the old option-file spelling; current versions accept local-infile=0 on its own):
set-variable=local-infile=0
(5) Disable remote connection to MySQL
Because only the local PHP scripts need to connect to our MySQL, there is no need to open a listening socket, so we can turn off network listening entirely.
There are two ways to achieve this:
* Add the skip-networking parameter to the [mysqld] section of my.cnf
* Add the --skip-networking startup parameter to the mysqld server parameters so that MySQL does not listen for any TCP/IP connection, which improves security. If you need to manage MySQL, you can install phpMyAdmin locally on the server to manage it.
(6) Control database access rights
For PHP scripts that interact with the database, it is best to create a user that has only the privileges it needs (update, select, delete, insert, drop table, create table and so on) on a single database, so that if the database username and password are exposed to an attacker, the damage is kept to a minimum.
For example, below we create a database named db1 and a user test1 to access it.
mysql> CREATE DATABASE db1;
mysql> GRANT SELECT,INSERT,UPDATE,DELETE,CREATE,DROP ON db1.* TO test1@localhost IDENTIFIED BY 'admindb';
The SQL above creates the database db1 and adds a user test1 with the password admindb; it can only connect to MySQL from the local host, and it has only select, insert, update, delete, create and drop rights on the db1 database.
(7) Restrict general users to browse other user databases
If you have multiple databases with one user per database, you must stop users from browsing the contents of other databases. Add the --skip-show-database startup parameter when starting the MySQL server to achieve this.
Then grant each user only the insert, delete and update (and select) privileges it needs on its own database.
(8) Recovering a forgotten MySQL password
If you accidentally forget the MySQL root password, start the MySQL server with the --skip-grant-tables parameter to skip grant-table authentication (./safe_mysqld --skip-grant-tables &). This lets you log in to the MySQL server directly, change the root user's password, and then restart MySQL and log in with the new password.
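Sections (4), (5) and (7) each add one option to the server configuration, and it is easy to lose track of which ones are actually in effect. The following is an added example, not from the original article: a small option-file parser that reads a my.cnf and reports whether the [mysqld] section disables local-infile and sets skip-networking and skip-show-database. MySQL treats - and _ in option names as equivalent and accepts the old set-variable=name=value spelling, so the parser normalises both; the sample file is constructed here in the style of support-files/my-medium.cnf.

```python
# Added example (not part of the original article): audit the [mysqld]
# section of a my.cnf for the settings from sections (4), (5) and (7).

SAMPLE_MY_CNF = """\
# constructed sample in the style of support-files/my-medium.cnf
[client]
port = 3306
socket = /tmp/mysql.sock

[mysqld]
port = 3306
socket = /tmp/mysql.sock
set-variable=local-infile=0
skip-networking
skip-show-database

[mysqldump]
quick
"""


def parse_my_cnf(text):
    """Return {section: {option: value_or_None}} with option names normalised.

    MySQL option files allow '#' comments anywhere on a line, options with or
    without '=value', and '-' or '_' interchangeably inside option names."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None:
            continue  # options before any [section] header are ignored
        if "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
        else:
            key, value = line, None
        # old spelling: set-variable=name=value  ->  name=value
        if key.lower().replace("_", "-") == "set-variable" and value and "=" in value:
            key, value = (part.strip() for part in value.split("=", 1))
        sections[current][key.lower().replace("-", "_")] = value
    return sections


def audit_mysqld(sections):
    """Report which of the three hardening settings the [mysqld] section applies."""
    mysqld = sections.get("mysqld", {})
    local_infile = mysqld.get("local_infile", "1")  # LOAD DATA LOCAL is on by default
    return {
        "local_infile_disabled": str(local_infile).upper() in ("0", "OFF", "FALSE"),
        "skip_networking": "skip_networking" in mysqld,
        "skip_show_database": "skip_show_database" in mysqld,
    }


if __name__ == "__main__":
    for setting, ok in audit_mysqld(parse_my_cnf(SAMPLE_MY_CNF)).items():
        print(f"{setting:24s} {'ok' if ok else 'MISSING'}")
```

To audit a live server, replace SAMPLE_MY_CNF with the contents of /etc/my.cnf; note that options passed on the mysqld command line (such as --skip-show-database) are not visible to this check, which only sees the file.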
(9) Security of database files
By default our MySQL is installed in /usr/local/mysql, so the database files are in /usr/local/mysql/var. We must make sure unauthorized users cannot read that directory and copy the database files away, so restrict access to it.
Change the owning user and group of this directory to mysql, and tighten the access permissions:
# chown -R mysql.mysql /usr/local/mysql/var
# chmod -R go-rwx /usr/local/mysql/var
(10) Delete history
The commands run above are recorded by the shell in its history file, such as the .bash_history file that bash writes in the user's home directory; if those files are read by someone else, the database password leaks. Likewise, the SQL commands a user runs after logging in to the database are recorded by MySQL in the .mysql_history file in the user's home directory, so a database password changed with an SQL statement is exposed through .mysql_history as well. Therefore, when logging in or making backups from the shell, do not put the password directly after -p; enter it at the password prompt instead.
Beyond that, we should stop these two files from recording our operations at all, just in case:
# rm .bash_history .mysql_history
# ln -s /dev/null .bash_history
# ln -s /dev/null .mysql_history
(11) Other
In addition, you can consider chroot and similar means to confine the directory MySQL runs in and control its permissions more tightly; see the related articles for details.
4. VSFTPD Security Settings
vsftpd is a very well-known FTP daemon that is used by many large companies, including redhat.com. It is a very secure program, as its name says: Very Secure FTP Daemon.
vsftpd has many configuration options covering every aspect of the service; the following concentrates on the security-related settings.
Our requirement is to use a system account as the FTP account that manages our files. Assume we only need one account to update our site, and we do not want that account to be able to log in to the system. For example, if our site directory is /usr/www, we create a new user ftp whose home directory is /usr/www and whose shell is /usr/sbin/nologin; with no usable shell, the user cannot log in to the system through SSH or other means.
The following is the detailed setup, mainly of the vsftpd configuration file vsftpd.conf.
(1) Prohibit anonymous access. We do not need any anonymous users, so ban them outright:
anonymous_enable=NO
(2) Allow local users to log in, because we need the ftp user to manage our website:
local_enable=YES
(3) Allow only the ftp user, or certain designated users, to access FTP, because the system has many accounts and not all of them should have FTP access.
Enable the user list feature:
userlist_enable=YES
Allow only the users in the user list file to access FTP:
userlist_deny=NO
Path of the user list file:
userlist_file=/etc/vsftpd.user_list
Then create the file /etc/vsftpd.user_list with one user name per line; add the user ftp, and also any system account names you want to allow access.
(4) Prohibit certain users from accessing FTP:
pam_service_name=vsftpd
This is the name of the PAM profile vsftpd uses for PAM authentication; the default value is vsftpd, and the default PAM profile is /etc/pam.d/vsftpd.
/etc/vsftpd.ftpusers
vsftpd refuses FTP logins from the users listed in this file, one user name per line. This mechanism is configured by default in /etc/pam.d/vsftpd.
This function is similar to the one in (3); the two can be used together, which is best.
(5) Lock local users in their home directory, preventing them from moving to other directories and, for example, downloading /etc/passwd:
chroot_local_user=NO
chroot_list_enable=YES
chroot_list_file=/etc/vsftpd.chroot_list
Then create the file /etc/vsftpd.chroot_list in /etc and add the local accounts to confine, one per line; we add ftp so that it cannot reach the rest of the system.
(6) Hide the real user and group information of files, so an attacker cannot use FTP to learn more about system users:
hide_ids=YES
(7) Disable the ls -R command to save resources, because recursive listings of large file trees waste a lot of system resources:
ls_recurse_enable=NO
(8) Set the default permission mask for uploaded files to 022:
local_umask=022
If you also want to allow overwriting, deleting and so on, enable:
write_enable=YES
(9) FTP banner. To stop attackers from learning more about the server, set:
ftpd_banner=banner string
Replace banner string with the banner text you want; for security, do not expose any information about vsftpd in it.
If you have a longer message, you can have it read from a file:
banner_file=/directory/vsftpd_banner_file
(10) Enable logging:
xferlog_enable=YES
Set the log file at the same time:
xferlog_file=/var/log/vsftpd.log
To log every FTP request and response in vsftpd's verbose format, enable log_ftp_protocol (it takes effect only when xferlog_std_format is not enabled):
log_ftp_protocol=YES
(11) If the virtual user feature is enabled, it is recommended to disable local user login:
local_enable=NO
vsftpd has many more security settings. As its name says, it is the Very Secure FTP Daemon, and it has had very few overflow vulnerabilities; for more security, configure vsftpd according to your own needs, and once it is set up properly it is absolutely the safest.
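The settings in (1) through (10) are easy to check mechanically, and the chroot options in (5) are the ones most often misread: with chroot_local_user=NO the chroot list names the users who are confined, but with chroot_local_user=YES the same list becomes the exceptions who are not confined. The following is an added example, not code from the original article or from the vsftpd project: a parser for vsftpd.conf, an audit against the values recommended above, and a helper that says whether a given user ends up chrooted. The boolean defaults are vsftpd's built-in defaults for options absent from the file, and the sample configuration is constructed from the settings in this section.

```python
# Added example (not part of the original article): audit a vsftpd.conf
# against the settings from (1)-(10) and resolve the chroot_local_user /
# chroot_list_enable combination for a given user.

# vsftpd's built-in defaults, used when an option is absent from the file
DEFAULTS = {
    "anonymous_enable": "YES", "local_enable": "NO", "write_enable": "NO",
    "userlist_enable": "NO", "userlist_deny": "YES",
    "chroot_local_user": "NO", "chroot_list_enable": "NO",
    "hide_ids": "NO", "ls_recurse_enable": "NO", "xferlog_enable": "NO",
}

# boolean values this section recommends (True = YES, False = NO)
EXPECTED = {
    "anonymous_enable": False, "local_enable": True,
    "userlist_enable": True, "userlist_deny": False,
    "chroot_list_enable": True, "hide_ids": True,
    "ls_recurse_enable": False, "xferlog_enable": True,
}

SAMPLE_VSFTPD_CONF = """\
# constructed sample built from the settings in this section
anonymous_enable=NO
local_enable=YES
write_enable=YES
local_umask=022
userlist_enable=YES
userlist_deny=NO
userlist_file=/etc/vsftpd.user_list
chroot_local_user=NO
chroot_list_enable=YES
chroot_list_file=/etc/vsftpd.chroot_list
hide_ids=YES
ls_recurse_enable=NO
xferlog_enable=YES
xferlog_file=/var/log/vsftpd.log
ftpd_banner=FTP service ready.
"""


def parse_vsftpd_conf(text):
    """Parse 'option=value' lines; '#' lines are comments.

    vsftpd itself rejects whitespace around '=', so a real file will not
    contain any; stripping here only makes the parser tolerant."""
    options = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if "=" not in line:
            raise ValueError(f"malformed line: {line!r}")
        key, value = line.split("=", 1)
        options[key.strip().lower()] = value.strip()
    return options


def as_bool(value):
    # vsftpd accepts YES/TRUE/1 (any case) for boolean options
    return value.strip().upper() in ("YES", "TRUE", "1")


def effective(options, name):
    """Boolean value in effect for `name`, falling back to the vsftpd default."""
    return as_bool(options.get(name, DEFAULTS[name]))


def audit_vsftpd(options):
    """Return a list of deviations from the recommended settings."""
    findings = [f"{name} should be {'YES' if wanted else 'NO'}"
                for name, wanted in EXPECTED.items()
                if effective(options, name) is not wanted]
    banner = options.get("ftpd_banner", "")
    if not banner and "banner_file" not in options:
        findings.append("no custom banner: the default banner reveals the vsftpd version")
    elif "vsftpd" in banner.lower():
        findings.append("ftpd_banner mentions vsftpd")
    return findings


def is_chrooted(options, user, chroot_list):
    """Whether a local user is confined to its home directory.

    chroot_local_user=NO: users in chroot_list ARE chrooted (this section).
    chroot_local_user=YES: everyone is chrooted EXCEPT users in chroot_list."""
    listed = effective(options, "chroot_list_enable") and user in chroot_list
    return listed != effective(options, "chroot_local_user")


if __name__ == "__main__":
    conf = parse_vsftpd_conf(SAMPLE_VSFTPD_CONF)
    print(audit_vsftpd(conf) or "no findings")
    print("ftp chrooted:", is_chrooted(conf, "ftp", {"ftp"}))
```

The chroot_list here stands for the contents of the file named by chroot_list_file (/etc/vsftpd.chroot_list above); on a real host, read that file and pass its lines as the set.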