MySQL database security configuration: standard operations

1. Account

Account security: mysqld must not run as the root user. If it does, an attacker who compromises MySQL can obtain the system's root privileges and take complete control of the host.

Configuration in /etc/my.cnf:

[mysql.server]
user=mysql

Supplementary Operating Instructions

Modifying a production database directly from a machine outside the local network is extremely dangerous. Sometimes an administrator opens database access to every host:

> GRANT ALL ON *.* TO 'root'@'%';
This in effect opens root access to the whole world. It is therefore very important to restrict privileged operations to specific hosts:
> GRANT ALL ON *.* TO 'root'@'localhost';
> GRANT ALL ON *.* TO 'root'@'myip.athome';
> FLUSH PRIVILEGES;

Check criteria

mysqld must not run as the root account.

Detection operation

Check the owner of the mysqld process and verify that its arguments, or the configuration file, contain --user=mysql or an equivalent setting:

# ps -ef | grep mysqld
# grep -i user /etc/my.cnf

User rights

Assign each person a separate user account; accounts must not be shared between different users.

Create a user that may log in to the database only from a specified IP address:

CREATE USER 'vvera'@'<specified IP address>' IDENTIFIED BY 'vv@122';

This creates a user named vvera with the password vv@122.
Then log in with it.

Detection method

Check criteria

No anonymous (unnamed) user can connect to the database; each person connects to the database with their own user account.

Accounts used for database operation, maintenance and other work should be kept separate; accounts no longer needed should be deleted or locked.

Remove anonymous accounts and abandoned accounts

The DROP USER statement removes one or more MySQL accounts. To use DROP USER, you must have the global CREATE USER privilege or the DELETE privilege on the mysql database. Each account name consists of a user part and a host part, corresponding to the User and Host columns of the mysql.user table.
With DROP USER you can remove an account together with its privileges, as follows:

DROP USER user;

This statement deletes the account's records from all grant tables. Accounts identified as unused (highlighted in red in the original listing) can be deleted.

Command executed and its result:

DROP USER ''@'mysql', ''@'localhost', 'root'@'::1', 'root'@'mysql';

Supplementary Operating Instructions

Important:
DROP USER does not automatically close any open sessions of that user. If the user being dropped has an open session, the removal does not take effect for that session until it is closed. Once the session is closed, the user is gone and any attempt by that user to log in again will fail.
Operation notes:
Statements to list all MySQL users.
Enter the commands:

select user();
select user, host, password from mysql.user;

tool-manager

Check whether each listed account is actually needed; delete accounts that have no owner or that have expired.

2. Password

Check default account passwords and weak passwords

Change weak account passwords
To change a password, run the following commands.
Check local passwords (note: the administrator account root has an empty password by default):

mysql> UPDATE mysql.user SET password=PASSWORD('vv@122') WHERE user='root';
mysql> FLUSH PRIVILEGES;
Detection method
mysql> use mysql;
mysql> select Host,User,Password,Select_priv,Grant_priv from user;

3. Privilege settings

Within what the database's privilege system can express, grant each user only the minimum privileges their business tasks require.

Set user privileges appropriately

Supplementary operating instructions

Some applications connect to MySQL with a username and password dedicated to one particular database table; security staff should not give that user full access.
If an attacker obtains such a user with full access, they also own every database. To view a user's privileges, use the SHOW GRANTS command in the MySQL console:

> SHOW GRANTS FOR 'vvera'@'localhost';
To define a user's access rights, use the GRANT command. In the example below, vvera can only SELECT from the mserver table of the tanggula database:
> GRANT SELECT ON tanggula.mserver TO 'vvera'@'localhost';
> FLUSH PRIVILEGES;
The vvera user is then unable to change any data in this table or in any other table of the database.
To remove access from a user, use the REVOKE command, whose form mirrors GRANT:
> REVOKE SELECT ON tanggula.mserver FROM 'vvera'@'localhost';
> FLUSH PRIVILEGES;
Privilege   Scope        Grantee   Effect
all         *.*          vvera     grants vvera privileges on every database
select      tanggula.*   vvera     grants vvera read access to the tanggula database
create      tanggula.*   vvera     grants vvera create privileges in the tanggula database

grant all ON *.* to vvera
grant select ON tanggula.* to vvera
grant create ON tanggula.* to vvera

Grant privileges and create the user in one step, specifying a password:

GRANT <privileges> ON <scope> TO <user> IDENTIFIED BY '<password>';

Revoke privileges:
REVOKE <privileges> ON <scope> FROM <user>;

4. Log auditing

The database should have logging configured.

show variables like 'log_%';     -- list all log-related variables

show variables like 'log_bin';   -- show one specific log variable

5. Disable or restrict remote access

Disable network connections to prevent password-guessing, overflow and sniffing attacks. (Only applicable when the application and the database run on the same host.)

Reference configuration

If the database does not need remote access, remote TCP/IP connections can be disabled by adding the --skip-networking startup parameter to the mysqld server options, so that MySQL does not listen for any TCP/IP connection. To force MySQL to listen only on the local machine instead, add the following line to the [mysqld] section of my.cnf: bind-address=127.0.0.1

6. Remove the test database and disable LOCAL INFILE

Remove the anonymously accessible test database and prevent unauthorized users from reading local files.

Remove the test database

In a default MySQL installation, anonymous users can access the test database. Any database that is not needed can be removed, so that it cannot be accessed in unforeseen circumstances. In the MySQL console, run:

> DROP DATABASE test;

Disable LOCAL INFILE

Another change is to disable the "LOAD DATA LOCAL INFILE" command, which helps prevent unauthorized users from reading local files. This is especially important when a new SQL injection vulnerability is found in a PHP application. Moreover, in some cases file-loading functions can be used to read other files on the operating system (such as /etc/passwd) with a command like the following:

mysql> SELECT load_file("/etc/passwd");

To disable the LOCAL INFILE command, add the following parameter to the [mysqld] section of the MySQL configuration file (the older set-variable=local-infile=0 spelling is no longer accepted by current servers):

local-infile=0

Check operation

mysql> SHOW DATABASES;
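The checks from sections 1, 2, 5 and 6 (mysqld not running as root, no anonymous or empty-password accounts, root not reachable from every host, the listener restricted to localhost, local-infile disabled) can be run mechanically against a copy of my.cnf and the rows returned by `select user, host, password from mysql.user`. The audit script below is an added example written for this page, not code from the original post; the my.cnf text and user rows it contains are constructed samples, and it accepts `user=` in either the [mysqld] or the [mysql.server] group, as the configuration above does.

```python
"""Audit helpers for the MySQL hardening checks described on this page."""
import configparser

# Constructed sample my.cnf deliberately violating several checks.
SAMPLE_MY_CNF = """
[mysqld]
user=root
bind-address=0.0.0.0
local-infile=1
[mysql.server]
"""

# Constructed sample rows, as returned by: select user, host, password from mysql.user;
SAMPLE_USERS = [
    ("root", "localhost", "*HASH"),
    ("root", "%", "*HASH"),          # root open to any host
    ("", "localhost", ""),           # anonymous account with no password
    ("vvera", "10.0.0.5", "*HASH"),  # fine: named user pinned to one IP
    ("app", "10.0.0.6", ""),         # empty password
]


def audit_my_cnf(text):
    """Return findings for the server settings in a my.cnf file."""
    cp = configparser.ConfigParser(allow_no_value=True, strict=False, interpolation=None)
    cp.read_string(text)
    mysqld = cp["mysqld"] if cp.has_section("mysqld") else {}
    server = cp["mysql.server"] if cp.has_section("mysql.server") else {}
    findings = []
    run_as = mysqld.get("user") or server.get("user")
    if run_as != "mysql":
        findings.append("mysqld runs as %r, expected 'mysql'" % run_as)
    # Either skip-networking or bind-address=127.0.0.1 keeps the listener local.
    bind = mysqld.get("bind-address")
    if "skip-networking" not in mysqld and bind not in ("127.0.0.1", "localhost"):
        findings.append("TCP listener not restricted to localhost (bind-address=%r)" % bind)
    if mysqld.get("local-infile") != "0":
        findings.append("local-infile is not explicitly disabled")
    return findings


def audit_users(rows):
    """Flag anonymous accounts, root reachable from any host, and empty passwords."""
    findings = []
    for user, host, password in rows:
        if user == "":
            findings.append("anonymous account ''@'%s'" % host)
        if user == "root" and host == "%":
            findings.append("root account is reachable from any host")
        if password == "":
            findings.append("empty password for '%s'@'%s'" % (user, host))
    return findings
```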


Origin blog.csdn.net/yimenglin/article/details/90482856