Security management: MySQL common security tips

Source: Internet
Author: User
MySQL is one of the most popular databases among DBAs; ease of use and high performance are its hallmarks. That popularity, however, also makes MySQL a target for many malicious individuals and organizations. A default MySQL installation carries major security risks, especially an empty root password and potential buffer overflow vulnerabilities, which make it highly exposed to attack. This article introduces some simple and effective ways to harden the database against both local and remote attacks.

Common Security Behaviors

As a DBA, your security work falls into the following three areas:

Patch

Restrict Access

Avoid collecting useful information

The rest of this article discusses these three areas in detail, focusing on restricting access to the network, the operating system, and the database server.

Security Patch

Despite everyone's best efforts to protect data, there will always be vulnerabilities that can be exploited. The database vendor investigates reported vulnerabilities and publishes the corresponding patches.

One of the best places to find MySQL security patches is the official Oracle website. Visit the MySQL forums regularly and follow the security announcements; they are usually the first place where security alerts are issued.

Restrict Access to the System

Consider the following four main access paths:

● Network Access

● Direct access to the database

● Backup access

● Access to the operating system, including data and log files

Each of the preceding items has its own challenges and solutions:

Network Access

If your LAN or WAN is not secure, you need to encrypt the network connection between the server and the client. Consider whether an unauthorized user could somehow obtain access to a privileged account such as root. An attacker on the network can use a tcpdump-like tool to sniff the traffic sent to MySQL and filter out the packets, which contain your queries and data.

By default, MySQL is configured for performance, so connections are not encrypted unless you explicitly configure them to be. The usual approach is to use SSL to encrypt all data sent between the MySQL client and the server.

MySQL encrypts on a per-connection basis, so each application can use either an unencrypted connection or a secure SSL connection, depending on its needs.
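The per-account and server-wide ways to require SSL described above, as an added example that is not part of the original article. It assumes MySQL 5.7 or later with server certificates already configured (ssl_ca, ssl_cert, ssl_key); the account, host and schema names are illustrative.

```sql
-- Added example, not from the original article: enforce TLS for an
-- account, optionally for the whole server, and verify that a session
-- is really encrypted. Assumes MySQL 5.7+ with certificates configured.

-- 1. Confirm that the server has TLS support enabled.
SHOW VARIABLES LIKE 'have_ssl';          -- expect 'YES'

-- 2. An application account that may only connect over TLS: a plaintext
--    connection from this account is refused during the handshake.
CREATE USER 'app_tls'@'10.0.0.%' IDENTIFIED BY 'REPLACE_WITH_STRONG_PASSWORD'
  REQUIRE SSL;
GRANT SELECT, INSERT, UPDATE, DELETE ON shop.* TO 'app_tls'@'10.0.0.%';

-- 3. Make encryption mandatory server-wide instead of per account
--    (MySQL 5.7.8+). Local Unix-socket connections are still allowed.
SET PERSIST require_secure_transport = ON;   -- 8.0; put it in my.cnf on 5.7

-- 4. From a client session, check whether THIS connection is encrypted:
--    an empty Ssl_cipher means the traffic is readable on the wire.
SHOW SESSION STATUS LIKE 'Ssl_cipher';

-- 5. Audit all current client sessions for unencrypted connections.
SELECT t.PROCESSLIST_USER, t.PROCESSLIST_HOST, s.VARIABLE_VALUE AS ssl_cipher
FROM performance_schema.threads t
JOIN performance_schema.status_by_thread s
  ON s.THREAD_ID = t.THREAD_ID AND s.VARIABLE_NAME = 'Ssl_cipher'
WHERE t.TYPE = 'FOREGROUND';
```

Rows in the last query with an empty ssl_cipher are the connections that would still be readable by a packet sniffer.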

Database Access

For attackers, one of the primary potential entry points is the root account, so resetting its password and renaming it are crucial.

With a default MySQL installation, the first thing to do is set a password for the root user:

$ mysqladmin -u root password 'NEWPASSWORD'

Once the password is set, renaming "root" to something else further improves security. Attackers prefer to target the root user on a MySQL server because it is a well-known account with superuser privileges. Renaming it makes a successful attack harder. Use the following command to rename the root user (the host part must be given; a bare "root" means 'root'@'%', which usually does not exist on a default install):

mysql> RENAME USER 'root'@'localhost' TO 'new_user'@'localhost';

It is also critical to keep the number of superuser accounts that control the database to an absolute minimum. Too many superuser accounts are a hidden risk; a moment of carelessness with key data can cost you a great deal.

There is one account type that DBAs love: the read-only user. It is the best kind of account, because its holder cannot actually damage the database or its data. Users usually come up with reasons why they need write permissions. The touchstone for whether a particular permission has real value is simply to remove it, to some extent, and see whether anyone complains; ideally, nothing happens. In my experience only a few users genuinely want extra permissions; the rest do not need them. I am not advocating tricking your users by silently disabling their permissions. What I mean is that you should properly analyze how users actually work; some of this can be done easily with a simple audit.
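The database-access steps above (root password, renaming root, a read-only account, the "remove it and see who complains" test, and keeping superusers to a minimum), as an added example that is not from the original article. It assumes MySQL 5.7 or 8.0; account, host and schema names are illustrative and the passwords are placeholders.

```sql
-- Added example, not from the original article: the database-access
-- steps as MySQL 5.7/8.0 statements. Names are illustrative; replace
-- the placeholder passwords.

-- 1. Set the root password (SQL equivalent of the mysqladmin command).
ALTER USER 'root'@'localhost' IDENTIFIED BY 'REPLACE_WITH_STRONG_PASSWORD';

-- 2. Rename the well-known superuser. The host part is required: a bare
--    'root' means 'root'@'%', which normally does not exist on a default
--    install and makes RENAME USER fail.
RENAME USER 'root'@'localhost' TO 'dbadmin'@'localhost';

-- 3. A read-only reporting account: SELECT on one schema, from one subnet.
CREATE USER 'report_ro'@'10.0.0.%' IDENTIFIED BY 'REPLACE_WITH_STRONG_PASSWORD';
GRANT SELECT ON shop.* TO 'report_ro'@'10.0.0.%';

-- 4. An application account that was granted more than it needs.
CREATE USER 'app_rw'@'10.0.0.%' IDENTIFIED BY 'REPLACE_WITH_STRONG_PASSWORD';
GRANT SELECT, INSERT, UPDATE, DELETE, DROP ON shop.* TO 'app_rw'@'10.0.0.%';

-- 5. The "remove it and see who complains" test: take away the doubtful
--    privilege and confirm what the account is left with.
REVOKE DROP ON shop.* FROM 'app_rw'@'10.0.0.%';
SHOW GRANTS FOR 'app_rw'@'10.0.0.%';

-- 6. Audit which accounts can still act as superusers or hand out
--    privileges, so their number stays at the minimum.
SELECT User, Host
FROM mysql.user
WHERE Super_priv = 'Y' OR Grant_priv = 'Y';
-- MySQL 8.0 also has dynamic privileges, stored separately:
SELECT USER, HOST, PRIV, WITH_GRANT_OPTION FROM mysql.global_grants;
```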

Backup access

Ideally, backups are stored offline so that they are unaffected when the primary site fails. All the steps you take to protect the database server's network also apply to the backup system. Good encryption software is available, so even in the unlikely event that a backup file falls into someone else's hands, its contents are useless to an attacker.

Here is an encryption function written in PHP, which uses the "rijndael-256" cipher through the mcrypt extension:

public function encrypt($msg, $k, $base64 = false) {
    # open Rijndael-256 in CTR mode (mcrypt extension; removed in PHP 7.2+)
    if (!$td = mcrypt_module_open('rijndael-256', '', 'ctr', '')) return false;
    $msg = serialize($msg);
    $iv = mcrypt_create_iv(32, MCRYPT_RAND); # 32-byte IV = block size of Rijndael-256
    if (mcrypt_generic_init($td, $k, $iv) != 0) return false;
    $msg = mcrypt_generic($td, $msg); # encrypt
    $msg = $iv . $msg; # prepend iv
    $mac = $this->pbkdf2($msg, $k, 1000, 32); # create mac (pbkdf2 is a method of the same class, not shown here)
    $msg .= $mac; # append mac
    mcrypt_generic_deinit($td); # clear buffers
    mcrypt_module_close($td); # close cipher module
    if ($base64) $msg = base64_encode($msg);
    return $msg;
}

Access to the Operating System

The local operating system can be protected by combining authentication, a firewall, and anti-virus software. Other access control mechanisms include username and password policies, Group Policy Objects (GPO), and filtering of specific access objects.

Oracle has good online resources for reference.

Conclusion

There are many ways to protect MySQL data; this article has introduced only some basic ones. In this endless battle it is impossible to protect the database from attack once and for all. Instead, you must stay vigilant and keep up with the latest security vulnerabilities and their countermeasures. Remember, creating the safest database in the world is not your goal. You only need to make breaking into your database hard enough that attackers turn to more vulnerable targets.
