DatabaseMysql Tutorial【Must Know】Five important security tips you should take to strengthen MySQL【Must Know】Five important security tips you should take to strengthen MySQL
The database has long been an important part of your balanced architecture, and is arguably the most important part. Today, the pressure has been toward your largely disposable and stateless infrastructure, which puts a greater burden on your database to be both reliable and secure since all the other servers will inevitably be on the server along with the rest of your data. State information is stored in the database.
Your database is every attacker’s prize. As attacks become more sophisticated and networks become more hostile, taking extra steps to harden your database is more important than ever.
MySQL is the most popular and favorite database among developers and administrators due to its speed and overall ease of use. Unfortunately, this ease of use comes at the expense of security. Even though MySQL can be configured with strict security controls, your normal default MySQL configuration may not use them. In this article, I'll cover five important steps you should take to harden your MySQL database.
Step 1: Set a strong password
For all database users, it is important to use strong passwords. Given that most people don't manually log into a database often, use a password manager or the command-line tool pwgen to create a random 20-character password for your database account. This is still important even if you use additional MySQL access controls to limit where specific accounts can log in (such as strictly limiting accounts to localhost).
The most important MySQL account to set a password for is the root user. By default, on many systems, this user has no password. In particular, Red Hat-based systems do not set a password when installing MySQL; while Debian-based systems prompt you for a password during an interactive installation, a non-interactive installation (as you might do using Configuration Manager ) will skip it. Additionally, you can still skip setting a password during an interactive installation.
You might think that letting the root user not enter a password is not a big security risk. After all, the user is set to "root@localhost", which you might think means you have to root the computer before you can become that user. Unfortunately, this means that any user who can trigger the MySQL client from localhost can log in as the MySQL root user using the following command:
*$ mysql — user root*
So if you don't set a password for the root user, anyone who can get a local shell on your MySQL machine will now have full control of your database.
To fix this vulnerability, use the mysqladmin command to set a password for the root user:
$ sudo mysqladmin password
Unfortunately, MySQL runs as root Run background tasks as user. Once you set a password, these tasks break unless you take the extra step of hardcoding the password into the /root/.my.cnf file:
[mysqladmin] user = rootpassword = yourpassword
However, this means you must set the password in plain text The form is stored on the host machine. But you can at least use Unix file permissions to restrict access to the file to only the root user:
sudo chown root:root /root/.my.cnf sudo chmod 0600 /root/.my.cnf
Step Two: Delete Anonymous Users
Anonymous accounts are both A MySQL account with no username and no password. You don't want an attacker to have any kind of access to your database without a password, so look in the output of this command for any MySQL users logged with a blank username:
> SELECT Host, User FROM mysql.user; + — — — — — — — — — — — — + — — — -+ | Host | User | + — — — — — — — — — — — — + — — — -+ | 127.0.0.1 | root | | ::1 | root | | localhost | | | localhost | root | + — — — — — — — — — — — — + — — — -+ 4 rows in set (0.00 sec)
at these roots There is an anonymous user ( localhost ) among the users, which is empty in the User column. You can clear specific anonymous users using the following command:
> drop user ""@"localhost"; > flush privileges;
If you find any other anonymous users, make sure to delete them.
Step 3: Follow the principle of least privilege
The principle of least privilege is a security principle that can be summarized as follows:
Just for An account provides the access necessary to perform the job and no more.
This principle can be applied to MySQL in a variety of ways. First, when using the GRANT command to add database permissions to a specific user, be sure to restrict only the permissions that the user needs to access the database:
> grant all privileges on mydb.* to someuser@"localhost" identified by 'astrongpassword'; > flush privileges;
If the user only needs to access a specific table (for example, the users table), use Replace mydb.users or any name of your table with mydb.* (grant permission to all tables).
Many people grant users full access to the database; but if your database user only needs to read the data and not change the data, you will need to take the extra step of granting read-only access to the database:
> grant select privileges on mydb.* to someuser@"localhost" identified by 'astrongpassword'; > flush privileges;
Finally, many database users will not access the database from localhost, usually the administrator will create them, like this:
> grant all privileges on mydb.* to someuser@"%" identified by 'astrongpassword'; > flush privileges;
This will allow "someuser" to access the database from any network. However, if you have a well-defined set of internal IPs, or - even better - have VLANS set up so that all your application servers are on different subnets from other hosts, then you can take advantage of this to limit "someuser" , so that the account can only access the database from a specific network:
> grant all privileges on mydb.* to someuser@10.0.1.0/255.255.255.0 identified by 'astrongpassword'; > flush privileges;
第四步:启用 TLS
设置强密码仅只有攻击者可以在网络上读取你的密码或者其他敏感数据的情况下才能达到此目的。因此,使用 TLS 保护你的所有网络流量比以往任何时候都更加重要。
MySQL 也不例外。
幸运的是,在 MySQL 中启用 TLS 比较简单。一旦你有了你的主机的有效证书,只需要在你的主 my.cnf 文件的 [mysqld]部分添加以下几行 :
[mysqld] ssl-ca=/path/to/ca.crt ssl-cert=/path/to/server.crt ssl-key=/path/to/server.key
为了额外的安全性,还可以添加 ssl-cipher 配置选项,其中包含一个被认可的密码列表,而不是只接受默认的密码列表,这可能包括较弱的 TLS 密码。我推荐使用 Mozilla Security/Server Side TLS page 所推荐的现代或者中级密码套件。
一旦服务器端设置了 TLS ,你可以限制客户端必须采用 TLS 进行连接,通过在 GRANT 语句中添加 REQUIRE SSL :
> grant all privileges on mydb.* to someuser@10.0.1.0/255.255.255.0 identified by 'astrongpassword' REQUIRE SSL; > flush privileges;
第五步:加密数据库密钥
虽然现在很多人都知道使用单向散列(理想情况下是像 bcrypt 这样慢速散列 ),保护用户数据库存储的密码有多重要,但通常没过多考虑使用加密来保护数据库上其他的敏感数据。事实上,许多管理员会告诉你他们的数据库是加密的,因为磁盘本身是加密的。这实际上会影响你的数据库加固,不是因为磁盘加固有缺陷或糟糕的做法,而是因为它会给你一种错误的信任感。
磁盘加密保护你的数据库数据,以防止有人从你的服务器窃取磁盘(或者你买了二手磁盘后忘记擦除磁盘),但是磁盘加密并不能在数据库本身运行时保护你,因为驱动器需要处于解密状态才能被读取。
要保护数据库中的数据,你需要采取额外的措施,在存储敏感字段之前对它们进行加密。这样如果攻击者找到了某种方法来转存完整的数据库,你的敏感字段仍然会受到保护。
有许多加密数据库中字段的方法,而且 MySQL 支持本地加密命令。无论你采取哪种加密方法,我都建议避免你需要将解密密钥存储在数据库本身的加密方法。
理想情况下,你会把解密的密钥存储在应用服务器上,作为本地GPG密钥(如果你使用GPG进行加密)或者将其存储为应用程序服务器上的环境变量。这样即使攻击者可能找到一种方法来破坏应用程序服务器的服务器,他也必须将攻击转换为本地shell访问,以此来获取你的解密密钥。
MySQL 加固原则:掌握最小权限原则
有很多方法来锁定你的MySQL服务器。确切地说,你如何实施这些步骤取决于你如何设置自己的数据库,以及它在网络中的位置。
虽然前面的五个步骤将有助于保护你的数据库,但我认为更需要掌握的最重要的整体步骤是最小权限原则。你的数据库可能存储来一些非常有用的数据,如果你确保用户和应用程序只具有执行其工作的所需的最小访问权限,那么你将限制攻击者能够做什么,如果黑客找到来危害该用户或者应用程序的方法。
【相关推荐:mysql视频教程】
The above is the detailed content of 【Must Know】Five important security tips you should take to strengthen MySQL. For more information, please follow other related articles on the PHP Chinese website!
Explain the InnoDB Buffer Pool and its importance for performance.Apr 19, 2025 am 12:24 AMInnoDBBufferPool reduces disk I/O by caching data and indexing pages, improving database performance. Its working principle includes: 1. Data reading: Read data from BufferPool; 2. Data writing: After modifying the data, write to BufferPool and refresh it to disk regularly; 3. Cache management: Use the LRU algorithm to manage cache pages; 4. Reading mechanism: Load adjacent data pages in advance. By sizing the BufferPool and using multiple instances, database performance can be optimized.
MySQL vs. Other Programming Languages: A ComparisonApr 19, 2025 am 12:22 AMCompared with other programming languages, MySQL is mainly used to store and manage data, while other languages such as Python, Java, and C are used for logical processing and application development. MySQL is known for its high performance, scalability and cross-platform support, suitable for data management needs, while other languages have advantages in their respective fields such as data analytics, enterprise applications, and system programming.
Learning MySQL: A Step-by-Step Guide for New UsersApr 19, 2025 am 12:19 AMMySQL is worth learning because it is a powerful open source database management system suitable for data storage, management and analysis. 1) MySQL is a relational database that uses SQL to operate data and is suitable for structured data management. 2) The SQL language is the key to interacting with MySQL and supports CRUD operations. 3) The working principle of MySQL includes client/server architecture, storage engine and query optimizer. 4) Basic usage includes creating databases and tables, and advanced usage involves joining tables using JOIN. 5) Common errors include syntax errors and permission issues, and debugging skills include checking syntax and using EXPLAIN commands. 6) Performance optimization involves the use of indexes, optimization of SQL statements and regular maintenance of databases.
MySQL: Essential Skills for Beginners to MasterApr 18, 2025 am 12:24 AMMySQL is suitable for beginners to learn database skills. 1. Install MySQL server and client tools. 2. Understand basic SQL queries, such as SELECT. 3. Master data operations: create tables, insert, update, and delete data. 4. Learn advanced skills: subquery and window functions. 5. Debugging and optimization: Check syntax, use indexes, avoid SELECT*, and use LIMIT.
MySQL: Structured Data and Relational DatabasesApr 18, 2025 am 12:22 AMMySQL efficiently manages structured data through table structure and SQL query, and implements inter-table relationships through foreign keys. 1. Define the data format and type when creating a table. 2. Use foreign keys to establish relationships between tables. 3. Improve performance through indexing and query optimization. 4. Regularly backup and monitor databases to ensure data security and performance optimization.
MySQL: Key Features and Capabilities ExplainedApr 18, 2025 am 12:17 AMMySQL is an open source relational database management system that is widely used in Web development. Its key features include: 1. Supports multiple storage engines, such as InnoDB and MyISAM, suitable for different scenarios; 2. Provides master-slave replication functions to facilitate load balancing and data backup; 3. Improve query efficiency through query optimization and index use.
The Purpose of SQL: Interacting with MySQL DatabasesApr 18, 2025 am 12:12 AMSQL is used to interact with MySQL database to realize data addition, deletion, modification, inspection and database design. 1) SQL performs data operations through SELECT, INSERT, UPDATE, DELETE statements; 2) Use CREATE, ALTER, DROP statements for database design and management; 3) Complex queries and data analysis are implemented through SQL to improve business decision-making efficiency.
MySQL for Beginners: Getting Started with Database ManagementApr 18, 2025 am 12:10 AMThe basic operations of MySQL include creating databases, tables, and using SQL to perform CRUD operations on data. 1. Create a database: CREATEDATABASEmy_first_db; 2. Create a table: CREATETABLEbooks(idINTAUTO_INCREMENTPRIMARYKEY, titleVARCHAR(100)NOTNULL, authorVARCHAR(100)NOTNULL, published_yearINT); 3. Insert data: INSERTINTObooks(title, author, published_year)VA
Hot AI Tools
Undresser.AI Undress
AI-powered app for creating realistic nude photos
AI Clothes Remover
Online AI tool for removing clothes from photos.
Undress AI Tool
Undress images for free
Clothoff.io
AI clothes remover
Video Face Swap
Swap faces in any video effortlessly with our completely free AI face swap tool!
Hot Article
Hot Tools
SecLists
SecLists is the ultimate security tester's companion. It is a collection of various types of lists that are frequently used during security assessments, all in one place. SecLists helps make security testing more efficient and productive by conveniently providing all the lists a security tester might need. List types include usernames, passwords, URLs, fuzzing payloads, sensitive data patterns, web shells, and more. The tester can simply pull this repository onto a new test machine and he will have access to every type of list he needs.
WebStorm Mac version
Useful JavaScript development tools
Atom editor mac version download
The most popular open source editor
EditPlus Chinese cracked version
Small size, syntax highlighting, does not support code prompt function
DVWA
Damn Vulnerable Web App (DVWA) is a PHP/MySQL web application that is very vulnerable. Its main goals are to be an aid for security professionals to test their skills and tools in a legal environment, to help web developers better understand the process of securing web applications, and to help teachers/students teach/learn in a classroom environment Web application security. The goal of DVWA is to practice some of the most common web vulnerabilities through a simple and straightforward interface, with varying degrees of difficulty. Please note that this software
