Improving the security of MySQL database (3)

Talk about how to improve the security of MySQL database from the perspective of user permissions

As the saying goes, knowledge is power. Please make sure you understand MySQL's permission system and the consequences of granting specific permissions. Please do not grant unnecessary permissions to any user. The garnt table should be viewed to confirm this.

Specially, if it is not absolutely necessary, please do not grant permissions such as PROCESS, FILE, SHUTDOWN and RELOAD to any non-administrator user. The PROCESS permission allows you to observe what other users are doing and typing, including the passwords they entered. The FILE permission can be used to read and write files in the operating system, for example, including /etc/password in UNIX systems.

GRANT permissions should also be granted very carefully because they allow users to share their permissions with other users.

Please make sure that when creating users, you only grant them permission to access the database from the currently connected host. There is a user named jane@localhost, which is no problem, but it is very common for a simple jane to log in from anywhere - this jane may not be the jane you think of. For the same reason, we should avoid using wildcards in hostnames.

Security performance can be improved by using IP addresses instead of domain names in the host table. This can avoid error issues or hackers in the DNS location. It can be enhanced by starting the MySQL daemon with the --skip-name-resolve option, which means that the values ​​of all host columns must be IP addresses or localhost.

In addition, non-administrator users should also be prevented from accessing the mysqladmin program in the web server. Since this is run from the command line, it is an issue with operating system permissions.

Restrict remote access to MySQL server

For most users, there is no need to go through Insecure An open network to access the MySQL server. You can limit hosts by configuring firewalls or hardware, or by forcing MySQL to only listen to localhost. Additionally, an SSH tunnel is required for remote access.

If you want to restrict users from establishing connections only from the local host, you need to add bind-address=127.0.0.1 in the configuration file.

[Related recommendations]

Improve the security of MySQL database (1)

Improve the security of MySQL database (2)

Improve the security of MySQL database Security (4)

The above is the detailed content of Improving the security of MySQL database (3). For more information, please follow other related articles on the PHP Chinese website!