Summary of MySQL configuration and security hardening under Windows

Summary of MySQL configuration and security hardening under Windows

In the actual use of the network management, MySQL database in the installation of the configuration and security hardening content, in the customer gradually increased demand. From the question of feedback, it is generally by the third-party software company software scanning the entire system, MySQL related content does not meet the requirements of the test must not pass. Automatic detection of the software, the main use of two types of judgment: first, according to MySQL official information to determine whether the current version of a known serious bug; second, enter the MySQL database, by executing various query commands, check the corresponding function switch is open. For the first one, we need to update the current version from the official MySQL website to resolve; the second, because the current popular MySQL reinforcement is in the Linux\unix system, and the operation of the Windows system is different, so need to consult with inspectors, Using the operating mode under Windows, to achieve the purpose of security hardening.

The MySQL database in this document is based on the Mysql-5.5.33-win32.msi version.

1. Network Management related

Background information

The modified content of network management is to improve the performance of network management. This part of the content of CS network has practical significance, ezview in use even if not added, there has been no exception. However, when recovering CS data, it is necessary to increase this part of the content, otherwise it is possible that the data recovery is incomplete.

This part is actually not related to the security hardening content.

Operation Steps

To modify the My.ini file under the MySQL installation path (for example, C:\Program files\mysql\mysql Server 5.5), add the following information at the end of the file:

Skip-name-resolve

back_log=200

innodb_file_per_table=1 innodb_file_format= ' Barracuda '

Field interpretation

Skip-name-resolve

--This is "Disable DNS reverse resolution" to eliminate the time of MySQL DNS resolution, in order to improve the remote connection speed of MySQL;

back_log=200

-This is the number of requests that can be stored in the stack for a short period of time before MySQL temporarily stops responding to a new request;

Innodb_file_per_table=1

--This item modifies InnoDB as a standalone tablespace pattern, and each table in each database generates a data space;

innodb_file_format= ' Barracuda '

--the entry is set to InnoDB file type Barracuda

The latter two functions are to enable the compression format, to tighten the size of the database table.

2. Security Hardening Background information

This part of the content is mainly through the Shenzhen Mobile test feedback content to summarize, mainly related to users, permissions, logs, remote and so on.

Here's how the MySQL command line enters.

After installing MySQL completely in accordance with the operating manual, enter the following command at the cmd command line to enter the local MySQL:

Mysql-u root-p

Enter the password and return to it.

Log on to the remote host for MySQL and enter the following command:

Mysql-h 172.18.10.160-u Root-p

Enter the password and return to it.

Or go to "Start > All Programs >mysql>mysql Server 5.5>mysql 5.5 Command line Client", enter the root user password to return.

Hardened content 2.1 Mysql root user's password

The password must not be used in the security hardening Test root! In the current installation manual, the default is "admin_123456".

The hardening test checks to see if the password is empty or weak.

MySQL command line to modify the root user password method:

mysql> Update user Set Password=password (' Test!p3 ') where user= ' root '; mysql> flush Privileges;

2.2 Preventing file Injection

description : MySQL default is to allow file injection.

For example, in the MySQL command line input load data local infile ' D:\pet.txt ' into table tmp;

This command means that the local D disk of the Pet.txt file is written to the table TMP, using this function can do a lot of things, interested can be studied under.

Workaround :

Last added in My.ini

Local_infile=0

Save the file and restart the MySQL service.

Verification Method :

Lose the command again. An error message indicates that the setting was successful.

mysql> LOAD DATA LOCAL INFILE ' D:\pet.txt ' into TABLE TMP;

ERROR 1148 (42000): The used command is not allowed with this MySQL version

2.2 Log output

Description : MySQL is actually the default error log file output, the default is in the Data folder, the default path C:\Documents and Settings\All Users\Application Data\mysql\ MySQL Server 5.5\data.

Typically named after the hostname, the suffix is. Err.

Safety hardening requirements generally require the following types of logs: query log, error log, binary log, update log, slow query log.

In MySQL version 5.0 and above, the binary log replaces the update log.

Workaround :

In My.ini, add the following fields last:

Log=c:\documents and Settings\All Users\Application Data\mysql\mysql Server 5.5\data\log.log

Log_err=c:\documents and Settings\All Users\Application Data\mysql\mysql Server 5.5\data\err.log

Log_bin=c:\documents and Settings\All Users\Application Data\mysql\mysql Server 5.5\data\binary.bin

Log_slave_updates=1

long_query_time=2

Log_slow_queries=c:\documents and Settings\All Users\Application Data\mysql\mysql Server 5.5\data\slowqueries.log

The path to the Blue section and the name of the file are all customizable. If none are filled in, the system will be placed under the default path with the default name.

Save the file and restart the MySQL service.

Field Description :

log: Query Log

Log_err : Error Log

Log_bin: Binary Log

log_slave_updates: need to enable binary logging before it takes effect, involving master-slave MySQL , are interested in self-examination.

Long_query_time : Long query time standard, unit seconds.

log_slow_queries : Slow query log.

Verification Method:

Query \ Error \ Slow query log, which automatically generates. log files after a restart. Binary logs,

For example, Binary.bin actually generates Binary.index and binary.0000001 files, and each time the MySQL service starts or the flush logs automatically generates an ordinal +1 file.

The method of security monitoring is actually to check the existence of the corresponding field in MySQL. You can enter the following command in MySQL self-examination (two pictures are filled in the path and the case of the path is not filled):

2.3 Maximum number of connections

Note : In fact, after installing the MySQL Setup interface, you can set the maximum number of connections, but the actual operation found that even if set to 1000, enter the My.ini found Max_connections value is not 1000. So it is possible that the item is not in compliance with the safety test.

Workaround:

Change the max_connections= value in My.ini to 1000, save the file, and restart the MySQL service.

Verification Method:

This command can be used on the MySQL command line to verify

2.4mysql operating System User issues//http://www.pprar.com

Description: security hardening requires that the server's host cannot be the highest-privileged user (administrator) to operate MySQL, typically a user who specializes in MySQL, except for MySQL-related files with full permissions. Other files cannot be manipulated. Linux\unix system processing more convenient, such as a new Mysqluser user, in the my.cnf file mysqld input User=mysqluser can be, in addition to mysqluser this user can start the MySQL service, Even the root user cannot start MySQL. Operating under Windows is a little more complicated.

Workaround:

Create a new low-privileged user MySQL to enable MySQL users to run the MySQL service.

Create a new system user MySQL, for example, to have MySQL have only the Guest user group permission.

My Computer right > Admin > Local Users and Groups, new user MySQL, set password Admin123, right-click Properties > member of Guest.

Add permissions to the MySQL user in the installation path and data storage path of the MySQL program.

Go to Control Panel > Administrative Tools > Services, right-click on the MySQL service properties > login, select this account, enter the account password. Click OK to save.

Log in with a MySQL account to run the MySQL service under a low-privileged account.

2.5mysql Database User Issues

Description: The general check whether there are anonymous users, the maximum rights of the user has several, whether you can create a new account. Install according to the installation instructions, generally do not have an anonymous account, if you set the root password interface check the Enable root access from remote machines, then execute the command select User,host from Mysql.user; You will find two root users, root%, and root localhost.

Workaround:

Anonymous account : MySQL command line input select User,host from Mysql.user; View the user to see if there is a user with a blank user name.

To delete an anonymous account, you can use the following command:

Mysql>use MySQL; Mysql>delete from user where user = '; mysql> flush Privileges;

users with the highest privileges : CS Network must have root user. Ezview Network management can not use root user, for this project needs users can install MySQL, enable root access from remote machines not checked.

The installation is complete and can be executed by command line to remove root% user.

It is generally not recommended to remove the root user, preferably set up at the time of installation, or it may affect the reconfiguration of MySQL.

Create a new account : Log in with the root localhost user and create a new user.

If the execution succeeds, the prompt is as follows.

Verification Method : Enter the following command

Log in to MySQL with a new user.

Additional Instructions:

If you use the new user to operate the network management, you can give the user only the highest hisysdb privileges, and avoid the operation of other databases on the server.

Flush privileges; command is necessary, after refreshing the permissions, Dbtool can log in with the new account.

in order to ensure the use of network management, modify Release\server\profile Path under Datasource.xml file, the user name is set by the Root change to new user , as Pppadmin .

Property name= "username" value= "root"/> Note: There are two places to change the document value the value.

It is not a problem to initialize the database.

2.6 Restricting remote connections

description : In the earlier MySQL version and Linux\unix system, enter skip_networking directly in the My.ini or MY.CNF, save the reboot. This approach restricts MySQL to only local access, and it prohibits TCP ports from being accessed by pipe. Security hardening Test This does not pass, generally in the My.ini is not configured in the content, but under Windows use this way, the MySQL service can be started, but the Ezview network management will not be able to use.

Workaround :

MySQL provides new restrictions only on local access methods, and finally adds the following fields in My.ini:

bind-address=127.0.0.1

Save the file and restart the MySQL service.

Verification Method:

You can use root% user, or create a new account with host not localhost to log on to MySQL server to see if it can be successful.

For example:

Before adding bin-address, from other hosts within the LAN, such as 172.18.10.160 can be ordered by

Mysql–h 172.18.10.83–u root–p access to MySQL on the 172.18.10.83 host,

After adding bind-address=127.0.0.1, restart the service

Using the same command again, you will be prompted to fail the login.

Summary of MySQL configuration and security hardening under Windows