How to securely apply MySQL _ MySQL

Source: Internet
Author: User
Tags mysql manual mysql backup
How to securely use MySQL has become one of the most widely used databases on the network. especially for Web applications, MySQL occupies the absolute advantage of small and medium applications. All of this comes from its small and easy-to-use, secure and effective, open license, and multi-platform. What's more, it works perfectly with PHP, one of the three major Web languages.
  
However, unfortunately, a default and secure MySQL server will be vulnerable to overflow due to an empty root password and a program vulnerability, making the MySQL server frequently attacked. More seriously, the database is often damaged after being attacked, which may cause disastrous consequences. The following describes how to protect data.
  
Environment requirements
1. system environment
  
There is a Red Hat Linux 9.0 custom installation server. The system has installed GCC and some software packages, such as Apache and PHP. The first thing after installing the system is to upgrade the system software package. As a Web server, the system accepts requests from PHP scripts, and PHP uses the MySQL database to be installed below as the contact for dynamic release.
  
The requirements for partitioning are similar to those for General Systems. The only difference is that the/chroot and/tmp created later must be in the same partition.
  
2. security requirements
  
(1) MySQL runs in an independent (Chroot) environment;
  
(2) the mysqld process runs in an independent user/user group. The user and user group have no root directory, Shell, or other programs;
  
(3) modify the root account of MySQL and use a complex password;
  
(4) only allow local connection to MySQL. The network connection is disabled when MySQL is started;
  
(5) ensure that the nobody account used to connect to MySQL is disabled;
  
(6) delete the test database.
  
Install MySQL
1. installation preparation
  
Before installing MySQL, create a user and group to start MySQL according to the preceding security requirements.
  
# Groupadd mysql
  
# Useradd mysql-c "start mysqld's account"-d/dev/null-g mysql-s/sbin/nologin
  
2. Compile and install
  
Download the MySQL source code package:
  
# Wget http://mysql.he.net/Downloads/MySQL-4.0/mysql-4.0.16.tar.gz
  
Decompress:
  
# Tar-zxvf mysql-4.0.16.tar.gz
  
Generally, MySQL is installed in/usr/local/mysql. you can adjust it if you have special requirements. However, this is of little significance, because Chrooting will be used later, and then only the customer tools here will be used, such as mysql, mysqladmin, and mysqldump. Compile and install the SDK.
  
#./Configure -- prefix =/usr/local/mysql
-- With-mysqld-user = mysql
-- With-unix-socket-path =/tmp/mysql. sock
-- With-mysqld-ldflags =-all-static
  
# Make & make install
  
# Strip/usr/local/mysql/libexec/mysqld
  
# Scripts/mysql_install_db
  
# Chown-R root/usr/local/mysql
  
# Chown-R mysql/usr/local/mysql/var
  
# Chgrp-R mysql/usr/local/mysql
  
The specific functions of the above steps have been described in the MySQL Manual. The only difference between the steps and general steps is -- with-mysqld-ldflags =-all-static. Because the Chroot environment is required, MySQL itself does not need to create any database environments after it is connected to a static environment.
  
3. configure and start
  
MySQL configuration files must be manually selected and copied to/etc. these template files are located in the support-files directory of the source file. There are four in total: small, medium, large, and huge.
  
# Cp support-files/my-medium.cnf/etc/my. cnf
  
# Chown root: sys/etc/my. cnf
  
# Chmod 644/etc/my. cnf
  
Start MySQL. Note that the user is mysql:
  
#/Usr/local/mysq/bin/mysqld_safe -- user = mysql &
  
4. test
  
To test whether the installed program is correct and whether MySQL has been started properly, the best way is to use the MySQL client to connect to the database.
  
#/Usr/local/mysql/bin/mysql
  
[Root @ ftp bin] # mysql
  
Welcome to the MySQL monitor. Commands end with; or g.
  
Your MySQL connection id is 687 to server version: 3.23.58
  
Type 'help; 'or 'H' for help. Type 'C' to clear the buffer.
  
Mysql>
  
Mysql> show databases;
  
+ -------------- +
  
Database
  
+ -------------- +
  
Mysql
  
Test
  
+ -------------- +
  
2 rows in set (0.00 sec)
  
Mysql> quit
  
If the connection is successful, you can close the database:
  
#/Usr/local/mysql/bin/mysqladmin-uroot shutdown
  
If the connection fails, you need to carefully analyze the cause of the error:
  
# More/usr/local/mysql/var/'hostname'. err
  
Chrooting
  
1. Chrooting environment
  
Chroot is a Unix/Unix-like method. its establishment will completely isolate it from the main system. That is to say, once a problem occurs, it will not endanger the running main system. This is a very effective method, especially when configuring network service programs.
  
2. Chroot preparation
  
First, we should establish a 1-display directory structure:
  
# Mkdir-p/chroot/mysql/dev
  
# Mkdir-p/chroot/mysql/etc
  
# Mkdir-p/chroot/mysql/tmp
  
# Mkdir-p/chroot/mysql/var/tmp
  
# Mkdir-p/chroot/mysql/usr/local/mysql/libexec
  
# Mkdir-p/chroot/mysql/usr/local/mysql/share/mysql/english
  
");
Then set the directory permissions:
  
# Chown-R root: sys/chroot/mysql
  
# Chmod-R 755/chroot/mysql
  
# Chmod 1777/chroot/mysql/tmp
  
3. copy mysql programs and files to the chroot directory.
  
# Cp-p/usr/local/mysql/libexec/mysqld/chroot/mysql/usr/local/mysql/libexec/
  
# Cp-p/usr/local/mysql/share/mysql/english/errmsg. sys
  
/Chroot/mysql/usr/local/mysql/share/mysql/english/
  
# Cp-p/etc/hosts/chroot/mysql/etc/
  
# Cp-p/etc/host. conf/chroot/mysql/etc/
  
# Cp-p/etc/resolv. conf/chroot/mysql/etc/
  
# Cp-p/etc/group/chroot/mysql/etc/
  
# Cp-p/etc/passwd/chroot/mysql/etc/passwd
  
# Cp-p/etc/my. cnf/chroot/mysql/etc/
  
4. edit the passwd and group files under chroot.
  
# Vi/chroot/etc/passwd
  
To open the passwd file, delete all rows except mysql, root, and sys.
  
# Vi/chroot/etc/group
  
To open the group File, delete all lines except mysql and root.
  
5. create a special device file/dev/null
  
Just follow the system instructions:
  
# Ls-al/dev/null
  
Crw-rw-1 root 1, 3 Jan 30 2003/dev/null
  
# Mknod/chroot/mysql/dev/null c 1 3
  
# Chown root: root/chroot/mysql/dev/null
  
# Chmod 666/chroot/mysql/dev/null
  
6. copy the mysql database file to the chroot directory.
  
# Cp-R/usr/local/mysql/var // chroot/mysql/usr/local/mysql/var
  
# Chown-R mysql: mysql/chroot/mysql/usr/local/mysql/var
  
7. install the chrootuid program
  
Download the chrootuid and install it with RPM.
  
Http://rpm.pbone.net/index.php3/stat/4/idpl/355932/com/chrootuid-1.3-alt2.i586.rpm.html
  
8. test MySQL configuration in the Chroot environment
  
# Chrootuid/chroot/mysql/usr/local/mysql/libexec/mysqld &
  
If the chroot directory fails, pay attention to the permission issues.
  
9. test the connection to MySQL under chroot.
  
#/Usr/local/mysql/bin/mysql -- socket =/chroot/mysql/tmp/mysql. sock
  
.......
  
Mysql> show databases;
  
Mysql> create database wgh;
  
Mysql> quit;
  
# Ls-al/chroot/mysql/var/
  
.......
  
Configuration Server
To use MySQL more securely, you need to configure the security of the MySQL database. The configuration files are different for Chroot reasons.
  
1. disable remote connection
  
First, disable Port 3306, which is the default listening port of MySQL. MySQL only serves local scripts, so remote connection is not required. Although the built-in security mechanism of MySQL is very strict, listening to a TCP port is still dangerous, because if the MySQL program itself has problems, unauthorized access can bypass the built-in security mechanism of MySQL. The method to disable network listening is very simple. in the [mysqld] section of the/chroot/mysql/etc/my. cnf file, remove "#" before # skip-networking.
  
When the network is closed, how does a local program connect to the MySQL database? Local programs can be connected through mysql. sock, which is faster than network connections. I will discuss the specific situation of mysql. sock later.
  
MySQL backup is usually performed using SSH.
  
2. prohibit MySQL from importing local files
  
The following statement prohibits MySQL from using the "load data local infile" command. This command uses MySQL to read local files to the database, and then the user can obtain sensitive information illegally.
  
To disable the preceding command, add the following statement to the [mysqld] section of the/chroot/mysql/etc/my. cnf file:
  
Set-variable = local-infile = 0
Related Article

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.