Data security-MySQL security's twenty-three Military Rules-MySQL

When using MySQL, you must pay attention to security issues. The following are 23 considerations for MySQL: _ Fu # sJzB] BMfXcJPG1. if the connection between the client and the server needs to be crossed and passed through an untrusted network, the SSH tunnel is used to encrypt the communication of the connection. % EU_GcW1fWDohIK! 2. use the setpassword statement to modify the user's password. if you use MySQL in three steps, you must pay attention to security issues. The following are 23 Notes for MySQL prompt: _ Fu # sJzB
] BMfXcJPG
1. if the connection between the client and the server needs to span and pass through an untrusted network, you need to use an SSH tunnel to encrypt the communication of the connection. %/EU_GcW1
FWDohI> K \!
2. use the set password statement to modify the user's password. in three steps, first "mysql-u root" is logged into the database system, and then "mysql> update mysql. user set password = password ('newpwd') ", and then execute" flush privileges. ! 4r '1p
& \ Cz = y {
3. attacks that need to be prevented include eavesdropping, tampering, playback, and denial of service. they do not involve availability or fault tolerance. Use ACL-based access control lists for all connections, queries, and other operations. There are also some support for SSL connections. EuFia. '6s
16gVf/QrA
4. no other user except the root user is allowed to access the user table in the mysql primary database; d5-_ * N ~
$ JHdT
Once the encrypted user password stored in the user table is disclosed, other users can use the user name/password to access the database; 'F ~ 2zic
V % <# e d [
5. use the grant and revoke statements for user access control;, ^ IE} */(Y
KaYu-
6. do not use the plaintext password, but use md5 () and sha1 () to set the password. zX0 86h_y
R3M; mESJ
7. do not use words in the dictionary as the password; Pjkh [W0Ox
Z '[[? @
8. use A firewall to remove 50% of external risks, so that the database system can work behind the firewall or be placed in the DMZ area. A [_ Y-^ R
(+ Qj + bRF2 [
9. you can use nmap to scan Port 3306 over the Internet. you can also use telnet server_host 3306 to test the function. you cannot access port 3306 of the database server from a untrusted network, therefore, you need to set the firewall or vro; Q. "_ qk | jv
TLX $?
10. to prevent malicious input of Illegal parameters, for example, where ID = 234, others enter where ID = 234 OR 1 = 1 to display all of them, therefore, use ''or" "in web forms to use strings. add % 22 to dynamic URLs to indicate double quotation marks, % 23 to indicate the well number, and % 27 to indicate single quotation marks; it is very dangerous to pass unchecked values to the mysql database. ^ kNjMI \ | k
Y 11. check the size when passing data to mysql. $ 8R9vqCM
JJVCA 'Hi
12. the general user account should be used for connecting applications to the database, and only a few necessary permissions should be granted to the user; Eco | n: Fb
Ua ~ Og \ T
13. use the specific 'escape characters' function in each programming interface (C ++ PHP Perl Java JDBC, etc ;? J "S nT # e
V (vt =
When using mysql databases over the Internet, you must transmit less plain text data, but use SSL and SSH encryption for data transmission;. FcL * p $
"Wk-* 2
14. learn to use tcpdump and strings tools to view the security of transmitted data, such as tcpdump-l-I eth0-w-src or dst port 3306 | strings. Start the mysql database service as a common user. XnM! Y1 &
M = C> P + e
15. do not use the joined symbols of the table. the selected parameters are skip-symbolic-links and JYLWY/T.
Ir (3 y
16. make sure that only the user who starts the database service can have the read and write permissions on the file in the mysql directory. y-* D -~ 0 P
1rTy? 9
17. do not grant process or super permissions to non-administrator users. the mysqladmin processlist can list the query text currently executed; the super permission can be used to disconnect the client, change the running parameter status of the server, and control the server that copies and copies the database; 63o "{B
BAX x/\ <
18. the file permission is not paid to users other than the administrator, preventing the problem of loading data '/etc/passwd' to the table and then displaying it with select; s o | Mp
\. & Y
19. if you do not trust the services of the DNS service company, you can set only the IP address (s *) And TpH tey in the host name table.
4Tf + dM "v
20. use the max_user_connections variable to enable the mysqld service process to limit the number of connections to a specified account; uKDbU "JC
^ &.~ TDg
21. The grant statement also supports resource control options; Df hPdm-gg
S $ X} dL *&
22. start the security option switch of the mysqld service process. -- local-infile = 0 or 1 if it is 0, the client program cannot use local load data. An example of granting permissions is grant insert (user) on mysql. user to 'user _ name' @ 'host _ name'; if you use -- skip-grant-tables, the system will not control access to any user, however, you can use mysqladmin flush-privileges or mysqladmin reload to enable access control. by default, the show databases statement is open to all users. you can use -- skip-show-databases to disable it. Rp "B & wdR
Y * O) 'z
23. when an Error occurs in Error 1045 (28000) Access Denied for user 'root' @ 'localhost' (Using password: NO), you need to reset the password: start mysqld with the -- skip-grant-tables parameter, and then execute mysql-u root mysql, mysql> update user set password = password ('newpassword') where user = 'root '; mysql> Flush privileges; and then restart mysql.