In daily work, how to protect important MySQL data from unauthorized users is a special concern of system administrators. If you are currently using MySQL, you can use some convenient functions to protect the system, greatly reducing the risk of unauthorized access to confidential data.
The most valuable asset of an enterprise is usually the customer or product information in its database. Therefore, an important part of database management in these enterprises is to protect the data from external attacks and repair software/hardware faults.
In most cases, hardware and software faults are handled through the data backup mechanism. Most databases use built-in tools to automatically complete the entire process, so this work is relatively easy and will not go wrong. But the troubles come from the other side: preventing external hackers from intruding into and stealing or damaging information in the database. Unfortunately, there are generally no automatic tools to solve this problem. In addition, administrators need to manually set obstacles to block hackers and ensure the security of company data.
The common reason for not protecting the database is that the work is "complicated" due to the "trouble ". This is true, but if you use MySQL, you can use some convenient features to significantly reduce the risks. The following functions are listed:
◆ Delete wildcards in the authorization table
The MySQL access control system runs through a series of so-called Authorization tables to define user access rights at the database, table, or column level. However, these tables allow administrators to set a package license for a user or a set of tables that apply wildcards. This may pose a potential danger because hackers may use a restricted account to access other parts of the system. For this reason, exercise caution when setting user privileges to ensure that users can only access the content they need. Be especially careful when setting super privileges for individual users, because this level allows common users to modify basic server configurations and access the entire database.
Suggestion: show privileged commands to each user account to review the authorization table and check whether the application wildcard license is appropriate.
◆ Require a secure password
The security of user accounts is closely related to the passwords used to protect them. Therefore, when installing MySQL, set the password of the MySQL root account (empty by default ). After the vulnerability is fixed, each user account should be asked to use a password and do not use heuristic passwords that are easy to recognize, such as birthdays, usernames, or words in the dictionary.
Suggestion: Use the MySQL-Security-authorization option to avoid using the old and unsecure MySQL password format.
◆ Check the configuration file license
In general, to make the server connection more convenient, a single user and the server administrator must store their user account and password in the single-user MySQL option file. However, this password is stored in files in plain text format and can be easily viewed. Therefore, you must ensure that such a single user configuration file is not checked by other users in the system and stored in a non-public location. Ideally, you want the configuration file of a single user to be saved in the root directory of the user. the license is 0600.
◆ Encrypt data transmission between customers and servers:
An important issue of the MySQL (and other) customer and server architecture is the security issue when data is transmitted over the network. If the interaction between the customer and the server occurs in plain text, the hacker may "sniff" the transmitted data packets to obtain confidential information. You can activate SSL in the MySQL configuration, or apply a security application such as OpenSSH to establish a secure encrypted "channel" for the transmitted data to close this vulnerability. Encrypting the connection between the customer and the server in this form makes it extremely difficult for unauthorized users to access the data.
◆ Remote access prohibited
If you do not need to remotely access the server, you can force all MySQL connections to be completed through UNIX slot files, thus greatly reducing the risk of network attacks. This process can be completed by skipping the network option to start the server. This prevents TCP/IP networks from connecting to MySQL and ensures that no user can connect to the system remotely.
Suggestion: you can add the bind address 127.0.0.1 command in the MySQL server configuration to enhance this function, forcing MySQL to bind the IP address of the local machine to ensure that only users in the same system can connect to MySQL.
◆ Actively monitors MySQL access records
MySQL contains many different log files that record customer connection, query, and server errors. Among them, the most important is the general query log, which uses time labels to record the connection and interruption time of each customer, and records each query executed by the customer. If you suspect unusual behavior, such as network intrusion, it is a good way to monitor this log to understand the sources of behavior.
Protecting your MySQL database is a daily task. Therefore, even after completing the above steps, you still need to take more time to learn more security suggestions, actively monitor and update your system security.