12 MySQL/MariaDB security best practices for Linux and mariadb Best Practices

12 MySQL/MariaDB security best practices for Linux and mariadb Best Practices

MySQL is the most popular open source database system in the world, and MariaDB (a MySQL Branch) is the fastest growing open source database system in the world. After the MySQL server is installed, it is insecure under the default configuration. Ensuring database security is usually one of the basic tasks of general database management.

This will help to enhance and enhance the security of the entire Linux server, because attackers always scan for vulnerabilities in any part of the system, and the database is a key target area in the past. A common example is to forcibly crack the root password of the MySQL database.

In this guide, we will explain the best Linux security practices for MySQL/MariaDB that are helpful to developers.

1. Install MySQL securely

This is the first recommended step after installing the MySQL server to protect the database server. This script can help you improve the security of the MySQL server:

• If you do not set the password for the root account during installation, set it immediately

• Disable remote root user logon by deleting the root account that can be accessed from outside the local host

• Delete anonymous user accounts and Test Databases. By default, all users and even anonymous users can access these accounts and Test Databases.

1. # mysql_secure_installation

After running the preceding command, set the root password and Enter [Yes/Y] and press [Enter] to answer a series of questions.

Interface for installing MySQL securely

2. Bind the database server to the Loopback address

This configuration restricts access from remote machines and tells the MySQL server to only accept connections from local hosts. You can set it in the main configuration file.

1. # vi /etc/my.cnf                       [RHEL/CentOS]    

2. # vi /etc/mysql/my.conf                    [Debian/Ubuntu]

3. OR

4. # vi /etc/mysql/mysql.conf.d/mysqld.cnf    [Debian/Ubuntu]

In[mysqld]Add the following line

1. bind-address = 127.0.0.1

3. Disable MySQL LOCAL INFILE

As part of security enhancement, you must disableLocal_infile, Use the following command to prevent[mysqld]Partially access the underlying file system from MySQL.

1. local-infile=0

4. Modify the default port of MySQL

Set the port variable to monitor the MySQL port number connected by TCP/IP. The default port is 3306, but you can modify it in * [mysqld.

1. Port=5000

5. Enable MySQL logs

Logs are one of the best ways to understand what happened during service operation. When you are under any attack, you can easily see any intrusion-related behaviors in the logs. You can add the following variables to the [mysqld] section of the configuration file to enable the mysql Log function.

1. log=/var/log/mysql.log

6. Set proper MySQL File Access Permissions

Make sure that you have set proper access permissions for all mysql service files and data paths. The file/etc/my. conf can only be modified by the root user, so that other users can be prevented from modifying the database service configuration.

1. # chmod 644 /etc/my.cnf

7. Delete MySQL shell history

All the commands you run in MySQL shell will be saved to a history file by the mysql client :~ /. Mysql_history. This is very dangerous, because for any user account you have created, all user names and passwords entered in the shell will be recorded in the history file.

1. # cat /dev/null > ~/.mysql_history

8. Do not run the MySQL command in the command line

As you know, all the commands you input on the terminal will be stored in a history file, depending on the shell you are using (for example, the bash shell history file is stored in~ /. Bash_history). Attackers can easily see any password recorded in this history file.

It is not recommended to enter the password in the command line, as shown below:

1. # mysql -u root -ppassword_

Connect to MySQL with a password

When you view the last part of the command line history file, you can see the previously entered password.

1. # history

View command line Input history

The recommended method for connecting to MySQL is

1. # mysql -u root -p

2. Enter password:

9. Define database users for specific applications

For each application running on the server, only one database user associated with the application is set. For example, if you have a wordpress website and create a wordpress database user as follows:

1. # mysql -u root -p

2. MariaDB [(none)]> CREATE DATABASE osclass_db;

3. MariaDB [(none)]> CREATE USER 'osclassdmin'@'localhost' IDENTIFIED BY 'osclass@dmin%!2';

4. MariaDB [(none)]> GRANT ALL PRIVILEGES ON osclass_db.* TO 'osclassdmin'@'localhost';

5. MariaDB [(none)]> FLUSH PRIVILEGES;

6. MariaDB [(none)]> exit

Remember to delete database users that are no longer in use.

10. Use additional security plug-ins and libraries

MySQL contains many security plug-ins: Verify client connection requests to the MySQL server, secure storage of password verification and sensitive information, etc., which are provided in the free version.

Here you can see more: https://dev.mysql.com/doc/refman/5.7/en/security-plugins.html

11. Regularly modify the MySQL password

Regular password modification is a common information/application/System Security suggestion. The password is determined by your internal security policy. Regular password modification prevents long-standing tracking of your "hacker", obtaining your password, and logging on to your MySQL server.

1. MariaDB [(none)]> USE mysql;MariaDB [(none)]> UPDATE user SET password=PASSWORD('YourPasswordHere') WHERE User='root' AND Host = 'localhost';MariaDB [(none)]> FLUSH PRIVILEGES;

12. Regularly update the MySQL Server package

We strongly recommend that you regularly update the mysql/mariadb package from the official repository for the latest security updates and error improvements. In general, the default package in the operating system is out of date.

1. # yum update

2. # apt update

Restart the mysql/mariadb server after any modification.

1. # systemctl restart mariadb        #RHEL/CentOS

2. # systemctl restart mysql        #Debian/Ubuntu

The sharing ends. You are welcome to comment below the article and share with us the security tips not mentioned in the article.

Web Design Trends To Watch Out For In 2018 original address: https://www.tecmint.com/mysql-mariadb-security-best-practices-for-linux/participating Translation: soaring, Liangliang

Recommended reading

Web design trends worth attention in 2018

RocketMQ source code analysis-ordered Message sending and consumption

The pain points of R & D that have not been exported, and the reasons for not doing microservices

Tips for achieving high scores

Spring dry goods Summary (including Spring Boot and Spring Cloud)

IntelliJ IDEA plug-in series: five powerful installation artifacts

My most commonly used Intellij IDEA shortcut keys

Best IntelliJ plug-in Top 10

Long-pressed fingerprint

One-click follow

Click"Read original"Look at other highlights of this number.