How to configure the security of the MySQL server?

In practice, we need to configure the security of the MySQL server to use the MySQL database more securely. The configuration files are also different because of Chroot. If you encounter similar situations in actual operations, but you do not know how to solve them correctly, so the following articles must be good teachers and friends for you.

1. Disable remote connection

First, disable port 3306, which is the default listening port of MySQL. MySQL only serves local scripts, so remote connection is not required. Although the built-in security mechanism of MySQL is very strict, listening to a TCP port is still dangerous, because if the MySQL program itself has problems, unauthorized access can bypass the built-in security mechanism of MySQL. The method to disable network listening is very simple. In the [mysqld] section of the/chroot/mysql/etc/my. cnf file, remove "#" before # skip-networking.

When the network is closed, how does a local program connect to the MySQL database? Local programs can be connected through mysql. sock, which is faster than network connections. I will discuss the specific situation of mysql. sock later.

MySQL backup is usually performed using SSH.

2. Prohibit MySQL from importing local files

The following statement prohibits MySQL from using the "load data local infile" command. This command uses MySQL to read local files to the database, and then the user can obtain sensitive information illegally.

To disable the preceding command, add the following statement to the [mysqld] section of the/chroot/mysql/etc/my. cnf file:

 

 
 

  
  
set-variable=local-infile=0 
 
 

For ease of management, MySQL management commands such as mysql, mysqladmin, and mysqldump in the system usually use the/etc/my. cnf file of the system. If you want to connect to the mysql server, it will look for the/tmp/MySQL. sock file to try to connect to the MySQL server, but the connection here is the mysql server under the chroot. There are two solutions: one is to add -- socket =/chroot/mysql/tmp/mysql. sock after the management command. For example:

 

 
 

  
  
#/usr/local/mysql/bin/mysql -root -p --socket=/chroot/mysql/tmp/mysql.sock 
 
 

Add socket =/chroot/mysql/tmp/mysql. sock to the [client] section of/etc/my. cnf. Obviously, the second method is much more convenient.

3. Modify the root user ID and password of MySQL

 

 
 

  
  
#chrootuid /chroot/mysql mysql /usr/local/mysql/libexec/mysqld &  
  
  
#/usr/local/mysql/bin/mysql -uroot  
  
  
.......  
  
  
mysql>SET PASSWORD FOR root@localhost=PASSWORD('new_password'); 
 
 

Try to develop the habit of entering the password in mysql, because it may be seen by others when entering the password in Shell.

 
 

  
  
mysql>use mysql;  
  
  
mysql>update user set user="wghgreat" where user="root";  
  
  
mysql>select Host,User,Password,Select_priv,Grant_priv from user;  
  
  
mysql>delete from user where user='';  
  
  
mysql>delete from user where password='';  
  
  
mysql>delete from user where host='%';  
  
  
mysql>drop database test; 
 
 

Change to an ID that is not easy to guess:

 

 
 

  
  
mysql>flush privileges;  
  
  
mysql>quit; 
 
 

4. Delete historical Command records

These historical files include ~ /. Bash_history ,~ /. Mysql_history. If you open them, you will be surprised. How come there are some Plaintext Passwords here ?!

 

 
 

  
  
#cat /dev/null > ~/.bash_history  
  
  
#cat /dev/null > ~/.mysql_history 
 
 

Communication between PHP and MySQL

By default, PHP uses/tmp/mysql. sock communicates with MySQL, but a major problem here is that MySQL does not generate it, but/chroot/mysql/tmp/mysql. sock. The solution is to establish a connection:

 

 
 

  
  
#ln /chroot/mysql/tmp/mysql.sock /tmp/mysql.sock 
 
 

Note: Since hard links cannot be used between partitions in the file system, the connection must be in the same partition. The above content is an introduction to configuring the MySQL server. I hope you will have some gains.