How to make MySQL secure against decryption master _ MySQL
Source: Internet
Author: User
When you connect to a MySQL server, you should usually use a password. The password is not transmitted in plain text on the connection. All other information is transmitted as text that can be read by anyone. If you are worried about this, you can use the compression protocol (MySQL3.22 and later) to make things more difficult. Even to make everything safer, you should install ssh (see www. cs. hut. fi. when you connect to a MySQL server, you should usually use a password. The password is not transmitted in plain text on the connection.
All other information is transmitted as text that can be read by anyone. If you are worried about this, you can use the compression protocol (MySQL3.22 and later) to make things more difficult. Even to make everything safer, you should install ssh (see http://www.cs.hut.fi/ssh ). With it, you can get an encrypted TCP/IP connection between a MySQL server and a MySQL client.
To ensure the security of a MySQL system, you are strongly advised to consider the following suggestions:
Use passwords for all MySQL users. Remember, if other_user does not have a password, anyone can simply use mysql-u other_user db_name to log on as any other person. For client/server applications, it is common for customers to specify any user name. Before you run it, you can edit the mysql_install_db script to change the passwords of all users, or just the MySQL root password, as shown in the following code:
Shell> mysql-u root mysql
Mysql> UPDATE user SET Password = PASSWORD ('New _ password ')
WHERE user = 'root ';
Mysql> flush privileges;
Do not run the MySQL daemon as a Unix root user. Mysqld can run as any user, and you can create a new Unix user mysql to make everything safer. If you run mysqld as another Unix user, you do not need to change the root user name in the user table because the MySQL user name has nothing to do with the Unix user name. You can edit the mysql. server startup script mysqld as other Unix users. This is usually done using the su command. For more details, see how 18.8 runs MySQL as a common user.
If you put a Unix root user password in the mysql. server script, make sure that the script is only readable to the root user.
Check that the Unix User running mysqld is the only user with read/write permissions under the Database Directory.
Do not grant the process permission to all users. The output of mysqladmin processlist shows the current query body. if another user sends an UPDATE user SET password = PASSWORD ('not _ secure ') query, any user allowed to execute that command may be able to see it. Mysqld retains an additional connection for a user with the process permission so that a MySQL root user can log on and check it even if all normal connections are in use.
Do not grant the file permission to all users.
Any user with this permission can write a file in the file system with the mysqld daemon permission! To make this safer, all files generated using SELECT... into outfile are readable to everyone, and you cannot overwrite existing files.
The file permission can also be used to read any files that can be accessed by Unix users who are running servers. This may be abused. for example, LOAD "/etc/passwd" into a database table by using load data, and then it can be read using SELECT.
If you do not trust your DNS, you should use IP numbers instead of host names in the authorization table. In principle, the -- secure option should make the host name safer for mysqld. In any case, you should be very careful when using a host name that contains wildcards.
The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion;
products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the
content of the page makes you feel confusing, please write us an email, we will handle the problem
within 5 days after receiving your email.
If you find any instances of plagiarism from the community, please send an email to:
info-contact@alibabacloud.com
and provide relevant evidence. A staff member will contact you within 5 working days.