Mysql security precautions

When using MySQL, security issues cannot be ignored. The following are 23 notes from MySQL:

　1. If the connection between the client and the server needs to span and pass through an untrusted network, then you need to use an SSH tunnel to encrypt the communication of the connection.

　 2. Use the set passWord statement to change the user's password. Three steps. First log in to the database system with "mysql -u root", then "mysql> update mysql.user set password=password('newpwd')", and finally execute Just “flush PRivileges”.

　 3. Attacks that need to be guarded against include anti-eavesdropping, tampering, replay, denial of service, etc., which do not involve availability and fault tolerance. All connections, queries, and other operations are completed using security measures based on ACL (access control list). There is also some support for SSL connections.

　4. Any other user except the root user is not allowed to access the user table in the mysql main database;

　Once the encrypted user password stored in the user table is leaked, others can use the user name at will/ Database corresponding to the password; 5. Use grant and revoke statements to perform user access control work; 6. Do not use plain text passwords, but use one-way hash functions such as md5() and sha1() to set them Password;

　7. Do not use words in the dictionary as passwords;

　8. Use firewalls to remove 50% of external risks, and let the database system work behind the firewall, or place it in the DMZ zone;

　9. Use nmap to scan port 3306 from the Internet, or use telnet server_host 3306 to test. Access to TCP port 3306 of the database server from an untrusted network is not allowed, so settings need to be made on the firewall or router;

　10. In order to prevent illegal parameters from being maliciously passed in, such as where ID=234, but others enter where ID=234 OR 1=1, causing all to be displayed, so use '' or "" to use strings in the web form, and use strings in the dynamic URL Adding %22 represents double quotes, %23 represents pound sign, and %27 represents single quotes; it is very dangerous to pass unchecked values ​​to the mysql database;

　11. Check the size when passing data to mysql;

12. Applications that need to connect to the database should use a general user account, and only open a few necessary permissions to the user; 13. Use specific 'escape character' functions in various programming interfaces (C C++ php Perl java JDBC, etc.) ;

　 When using mysql database on the Internet, be sure not to transmit plain text data, and use SSL and SSH encryption to transmit data;

　 14. Learn to use tcpdump and strings tools to check the security of transmitted data, such as tcpdump -l -i eth0 -w -src or dst port 3306 　 strings. Start the mysql database service as an ordinary user;

　15. Do not use the link symbol of the table, select the parameter --skip-symbolic-links; 16. Make sure that only the user who starts the database service in the mysql directory can access the database service. The file has read and write permissions;

　17. Process or super permissions are not allowed to be given to non-administrative users. The mysqladmin processlist can list the currently executed query text; super permissions can be used to cut off client connections and change the status of server operating parameters. , control the server that copies and replicates the database;

　 18. File permissions are not given to users other than administrators to prevent the problem of loading data '/etc/passwd' into the table and then using select to display it;

　 19. If not If you believe in the service of the DNS service company, you can only set the IP numeric address in the host name permission table;

　20. Use the max_user_connections variable to make the mysqld service process limit the number of connections for a specified account;

　21. The grant statement also supports resources Control options;

　22. Start the security option switch of the mysqld service process, --local-infile=0 or 1. If it is 0, the client program cannot use local load data. An example of grant grant insert(user) on mysql.user to 'user_name'@'host_name'; If you use --skip-grant-tables, the system will not perform any access control on any user's access, but you can use mysqladmin flush-privileges or mysqladmin reload to enable access control; default The situation is that the show databases statement is open to all users and can be turned off with --skip-show-databases.

　23. When encountering Error 1045 (28000) access Denied for user 'root'@'localhost' (Using password:NO), you need to reset the password. The specific method is: first use --skip-grant-tables Start mysqld with the parameters, then execute mysql -u root mysql,mysql>update user set password=password('newpassword') where user='root';mysql>Flush privileges;, and finally restart mysql.

The above is the content of Mysql security precautions. For more related articles, please pay attention to the PHP Chinese website (www.php.cn)!