How to securely configure and apply MySQL databases?
Source: Internet
Author: User
KeywordsMySQL security
MySQL has become one of the most widely used databases in the current network, especially in Web applications, which occupy the absolute advantage of small and medium applications. It all stems from its compact, safe, efficient, open licensing and multi-platform, and, more important, the perfect combination of--php with one of the three web languages. Unfortunately, a default installation of MySQL, because the root password is empty and the program vulnerabilities caused by the overflow, so that the installation of MySQL server is a frequent target. More seriously, the database is often destroyed after the attack, causing disastrous consequences. The following will enter the battle to protect the data. Environmental Requirements 1. The system environment has a red Hat Linux 9.0 custom installed server, the system installs GCC and some software packages, such as Apache, PHP and so on. The first thing to do after installing the system is to upgrade the system's software package. As a Web server, the system accepts requests for PHP scripts, and PHP uses the MySQL database that will be installed below as a dynamically released contact. The requirements for partitioning are similar to the general system, except that the/chroot and/TMP requirements are established on the same partition. 2. Security requirements (1) MySQL runs in a separate (Chroot) environment; (2) The MYSQLD process runs under a separate user/user group, which has no root directory, no shell, no use for other programs, and (3) modifies the MySQL root account. and use a complex password; (4) Only allow local access to MySQL, the network connection is banned when the MySQL is started, (5) The Nobody account login that is connected to MySQL is forbidden; (6) Delete test database. Install MySQL 1. Before installing MySQL, you need to create a user and group to start MySQL in accordance with the security requirements described above. #groupadd mysql#useradd mysql-c "Start mysqlds account"-d/dev/null-g mysql-s/sbin/nologin2. Compile and install download MySQL source code package: #wget http://mysql.he.net/Downloads/MySQL-4.0/mysql-4.0.16.tar.gz: #tar-zxvf mysql-4.0.16.tar.gz generally install MySQL under/usr/local/mysql, if there are special requirements, you can adjust. But it doesn't make much sense, because it's going to be chrooting, just use the client tools here, like Mysql,mysqladmin,mysqldUMP. Start compiling the installation below. #./configure--prefix=/usr/local/mysql \--with-mysqld-user=mysql \--with-unix-socket-path=/tmp/mysql.sock \ With-mysqld-ldflags=-all-static#make && make Install#strip/usr/local/mysql/libexec/mysqld#scripts/mysql_ Install_db#chown-r root/usr/local/mysql#chown-r mysql/usr/local/mysql/var#chgrp-r mysql/usr/local/ MySQL the specific role of the above steps in the MySQL manual has been introduced, the only need to explain, and the general steps of the different place lies in--with-mysqld-ldflags=-all-static. Because the chroot environment needs to be used, and MySQL itself is connected to static, there is no need to create some library environment. 3. Configuring and starting a MySQL profile requires manual selection, copying one of several template files to etc, which is located in the Support-files directory of the source file, a total of 4: SGT, Medium, SCM, huge. #cp support-files/my-medium.cnf/etc/my.cnf#chown root:sys/etc/my.cnf#chmod 644/etc/my.cnf boot MySQL, note that users are used for MySQL: #/ Usr/local/mysq/bin/mysqld_safe--user=mysql &4. The best way to test the correctness of the installed program and whether MySQL has been started is to use the MySQL client to connect to the database. #/usr/local/mysql/bin/mysql[root@ftp bin]# mysqlwelcome to the MySQL monitor. Commands End With; or \g.your MySQL connection ID is 687 to server Version:3.23.58type help; or h for help. Type \c to CLEAr the buffer.mysql>mysql> show databases;+--------------+| Database |+--------------+| MySQL | | Test |+--------------+2 rows in Set (0.00 sec) Mysql>quit connected successfully, you can close the database: #/usr/local/mysql/bin/mysqladmin-uroot Shutdown if the connection fails, you need to analyze the cause of the error carefully: #more/usr/local/mysql/var/' hostname '. Errchrooting 1. The chrooting environment chroot is a means of Unix-like unix/, which is almost completely isolated from the main system. That is, if something is wrong, it will not compromise the main system that is running. This is a very effective approach, especially when configuring network service programs. 2. Preparation of Chroot First, you should build the directory structure as shown in Figure 1: #mkdir-P/chroot/mysql/dev#mkdir-p/chroot/mysql/etc#mkdir-p/chroot/mysql/tmp#mkdir-p /chroot/mysql/var/tmp#mkdir-p/chroot/mysql/usr/local/mysql/libexec#mkdir-p/chroot/mysql/usr/local/mysql/share/ Mysql/english Then Set directory permissions: #chown-R root:sys/chroot/mysql#chmod-r 755/chroot/mysql#chmod 1777/chroot/mysql/tmp3. Copy the programs and files under MySQL to chroot #cp-P/usr/local/mysql/libexec/mysqld/chroot/mysql/usr/local/mysql/libexec/#cp-P/usr/ local/mysql/share/mysql/english/errmsg.sys/chroot/mysql/usr/local/mysql/share/mysql/english/#cp-P hosts/ chroot/mysql/etc/#cp-p/etc/host.conf/chroot/mysql/etc/#cp-P/etc/resolv.conf/chroot/mysql/etc/#cp-P/etc/group/chroot/mysql/etc/#cp- P/etc/passwd/chroot/mysql/etc/passwd#cp-p/ETC/MY.CNF/CHROOT/MYSQL/ETC/4. Edit chroot passwd files and group files #vi/chroot/etc/passwd the above command to open the passwd file, delete all but MySQL, root, sys all rows. #vi/chroot/etc/group This command to open the group file, delete all but MySQL, root all rows. 5. Create special device files dev refer to the system as follows: #ls-al/dev/nullcrw-rw-rw-1 Root 1, 3, 2003/dev/null#mknod/chroot/mysql/dev/ Null C 1 3#chown root:root/chroot/mysql/dev/null#chmod 666/chroot/mysql/dev/null6. Copy MySQL database file to chroot #cp-R/usr/local/mysql/var//chroot/mysql/usr/local/mysql/var#chown-r mysql:mysql/chroot/ Mysql/usr/local/mysql/var7. Install the CHROOTUID program to download the Chrootuid, and then the RPM installation. Http://rpm.pbone.net/index.php3/stat/4/idpl/355932/com/chrootuid-1.3-alt2.i586.rpm.html 8. Test the MySQL configuration under the chroot environment #chrootuid/chroot/mysql Mysql/usr/local/mysql/libexec/mysqld & if failed Please note the permissions issues under Chroot directory. 9. Test the MySQL #/usr/local/mysql/bin/mysql--socket=/chroot/mysql/under the connection chrootTmp/mysql.sock.......mysql>show databases;mysql>create database wgh;mysql>quit; #ls-al/chroot/mysql/var/ ....... Configuring the server for more secure use of MySQL, the MySQL database needs to be securely configured. The configuration file will also be different for chroot reasons. 1. To turn off remote connections first, you should turn off Port 3306, which is the default listening port for MySQL. Since MySQL serves only local scripts here, there is no need for remote connections. While MySQL's built-in security mechanism is strict, it is still risky to listen to a TCP port because unauthorized access can bypass MySQL's built-in security if the MySQL program itself is problematic. The way to turn off network sniffing is simple, in the [Mysqld] section of the/chroot/mysql/etc/my.cnf file, remove the "#" in front of the #skip-networking. Shut down the network, how does the local program connect the MySQL database? Local programs can be connected by mysql.sock faster than network connections. The following article will refer to the specific situation of mysql.sock. MySQL backups are usually performed using SSH. 2. Prevent MySQL from importing local files The LOAD DATA local INFILE command is prohibited in MySQL. This command will use MySQL to read local files to the database, and then users can illegally obtain sensitive information. To prohibit the above command, add the following statement to the [mysqld] section of the/chroot/mysql/etc/my.cnf file: set-variable=local-infile=0 in order to manage conveniently, the MySQL management commands in the system like MySQL , Mysqladmin, mysqldump, etc., are used in the system/etc/my.cnf files. If you want to connect, it will look for/tmp/mysql.sock files to try to connect to the MySQL server, but here you will be connected to the MySQL server under Chroot. There are two solutions: one is to add--socket=/chroot/mysql/tmp/mysql.sock after the admin command. For example: #/usr/local/mysql/bin/mysql-root-p--socket=/chroot/mysql/tmp/mysql.sock The other is to add s to the [client] part of/ETC/MY.CNFOcket=/chroot/mysql/tmp/mysql.sock. Obviously, the second method is much more convenient. 3. Modify MySQL root user ID and password #chrootuid/chroot/mysql mysql/usr/local/mysql/libexec/mysqld &#/usr/local/mysql/bin/mysql -uroot.......mysql>set PASSWORD for Root@localhost=password (New_password); try to get into the habit of typing passwords under MySQL, Because the shell may be visible to others when you enter it below. Mysql>use mysql;mysql>update User Set user= "wghgreat" where user= "root"; Mysql>select Host,user,password, Select_priv,grant_priv from User;mysql>delete to user where user=;mysql>delete from user where password=;mysql& Gt;delete from user where Host=%;mysql>drop database test, modified to a id:mysql>flush privileges;mysql>quit;4 that is not easily guessed. Delete History command records these historical files include ~/.bash_history, ~/.mysql_history, etc. If you open them, you will be surprised, how can there be some plaintext password here?! #cat dev > ~/.bash_history#cat/dev/null > ~/.mysql_historyphp and MySQL communications by default, PHP passes/tmp/ Mysql.sock to communicate with MySQL, but here's a big problem is that MySQL generated is not it, but/chroot/mysql/tmp/mysql.sock. The solution is to do a connection: #ln/chroot/mysql/tmp/mysql.sock/tmp/mysql.sock Note: Because hard links cannot be made between partitions in the file system, the connection must be in the samePartitions inside. Since the start of the configuration from the start configuration before the first hint that the database for PHP needs to use a new account, it has database permissions settings, such as file, GRANT, Acter, show DATABASE, RELOAD, SHUTDOWN, PROCESS, Super and so on. Self-Starter Script example: #!/bin/shchroot_mysql=/chroot/mysql socket=/tmp/mysql.sockmysqld=/usr/local/mysql/libexec/mysqldpidfile =/usr/local/mysql/var/' hostname '. Pidchrootuid=/usr/bin/chrootuidecho-n "MySQL" Case "Instart" RM-RF ${socket} Nohup ${chrootuid} ${chroot_mysql} MYSQL ${mysqld} >/dev/null 2>&1 &sleep 5 && Ln ${chroot_mysql}/$ {SOCKET} ${socket};; stop) Kill ' cat ${chroot_mysql}/${pidfile} ' rm-rf ${chroot_mysql}/${socket};; *) echo "" Echo "Usage: ' basename $ ' {start|stop} ' >&2exit 64;; Esacexit 0 File is located under/etc/rc.d/init.d, named Mysqld, note to be executable. #chmod +x/etc/rc.d/init.d/mysqld#ln-s/etc/rc.d/init.d/mysql/etc/rc3.d/s90mysql#ln-s/etc/rc.d/init.d/mysql/etc/ Rc0.d/k20mysql Although not 100% safe, these measures can protect our system more secure. Responsible Editor Zhao Zhaoyi#51cto.com TEL: (010) 68476636-8001 to force (0 Votes) Tempted (0 Votes) nonsense (0 Votes) Professional (0 Votes) The title party (0 Votes) passing (0 Votes) The original: How to secure the configuration and application of MySQL database? Back to network security home
The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion;
products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the
content of the page makes you feel confusing, please write us an email, we will handle the problem
within 5 days after receiving your email.
If you find any instances of plagiarism from the community, please send an email to:
info-contact@alibabacloud.com
and provide relevant evidence. A staff member will contact you within 5 working days.