Excerpted from expert articles found on the Internet!
1: Initial Setup, run the script called "mysql_secure_installation". This will guide us through some procedures that will remove some defaults that are dangerous to use in a production environment. ## It disallows remote root login, removes the test database, and removes anonymous users.
2:Disable the use of LOCAL INFILE
The next change is to disable the use of the "LOAD DATA LOCAL INFILE" command, which will help to prevent unauthorized reading from local files. This is especially important when new SQL Injection vulnerabilities in PHP applications are found.
In addition, in certain cases, the "LOCAL INFILE" command can be used to gain access to other files on the operating system, for instance "/etc/passwd", using the following command:
mysql> LOAD DATA LOCAL INFILE '/etc/passwd' INTO TABLE table1;
Or even simpler:
mysql> SELECT load_file("/etc/passwd");
To disable the usage of the "LOCAL INFILE" command, the following parameter should be added in the [mysqld] section of the MySQL configuration file.
local-infile=0
## This raises security, but LOAD DATA, the fastest way to import data, can no longer be used. That is a minor inconvenience, so users must weigh the trade-off themselves!
3. Change root username and password
The default administrator username on the MySQL server is "root". Hackers often attempt to gain access to its permissions. To make this task harder, rename "root" to something else and provide it with a long, complex alphanumeric password.
To rename the administrator’s username, use the rename command in the MySQL console:
mysql> RENAME USER root TO new_user;
The MySQL "RENAME USER" command first appeared in MySQL version 5.0.2. If you use an older version of MySQL, you can use other commands to rename a user:
mysql> use mysql;
mysql> update user set user="new_user" where user="root";
mysql> flush privileges;
## The root user's password must be complex, ideally 16 or even 20+ characters long.
To change a user’s password, use the following command-line command:
mysql> SET PASSWORD FOR 'username'@'%hostname' = PASSWORD('newpass');
It is also possible to change the password using the "mysqladmin" utility:
shell> mysqladmin -u username -p password newpass
5: Lower system privileges ## Permissions on the database file directory
To protect your database, make sure that the file directory in which the MySQL database is actually stored is owned by the user "mysql" and the group "mysql".
6: Enable SELinux ## Enabling SELinux gives MySQL extra protection, but it also costs the system roughly 5%---10% in performance.
7: Enable Logging, enable the binary log
8: Securing MySQL From Within ## Do not use the form mysql -uroot -p'password'; the password should never appear on the command line.
9: Remove History ## Keep an eye on the MySQL command history
cat /dev/null > ~/.mysql_history
10: Hide MySQL from the internet ## Avoid using a public IP wherever possible
11: Only enable SUPER privileges for DBA accounts, and only ever for 'localhost'. Never use '%' for a hostname, and never use ALL TO *.* ## When granting privileges, keep them as narrow as possible
12: Do not connect to the DB as root; each application should have its own user account with only the per-database privileges necessary to run.
13: Always validate and sanitize user input ## Prevents SQL injection
14: Do not give away information. A login page should not return both "user not found" and "password invalid".
15: Be aware of dynamic SQL
16: Patch your MySQL and OS systems. The importance of CVEs (Common Vulnerabilities and Exposures).
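As an added example (not from the original post or from the excerpted articles), here is a small Python audit that reads the [mysqld] section of a my.cnf and checks items 2, 7 and 10 above: local-infile set to 0, log-bin configured, and no listener on every interface. The option names are real MySQL server options; the two sample option files are constructed for the example.

```python
import re

# Constructed sample option files (not from any real server): one weak, one hardened.
WEAK_CNF = """\
[client]
port = 3306
[mysqld]
datadir = /var/lib/mysql
local-infile = 1          # LOAD DATA LOCAL INFILE allowed
bind_address = 0.0.0.0    # listens on every interface
!includedir /etc/my.cnf.d
"""
HARDENED_CNF = """\
[mysqld]
local-infile = 0
log-bin = mysql-bin
bind-address = 127.0.0.1
"""

def parse_mysqld_section(text):
    """Return {option: value} for [mysqld]; '-' and '_' are interchangeable in
    MySQL option names, so keys are normalised to '_' (valueless options map to '')."""
    opts, section = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # strip comments and whitespace
        if not line or line.startswith("!"):   # skip blanks and !include directives
            continue
        m = re.match(r"\[(\w+)\]$", line)
        if m:
            section = m.group(1).lower()
            continue
        if section == "mysqld":
            key, _, value = line.partition("=")
            opts[key.strip().replace("-", "_").lower()] = value.strip().strip("'\"")
    return opts

def audit(opts):
    """Return a list of findings; an empty list means all three checks pass."""
    findings = []
    # Item 2: LOCAL INFILE must be switched off explicitly.
    if opts.get("local_infile", "").lower() not in ("0", "off", "false"):
        findings.append("local-infile is not set to 0")
    # Item 7: binary logging should be on.
    if "log_bin" not in opts:
        findings.append("log-bin is not configured")
    # Item 10: without skip-networking, an unset or wildcard bind-address (MySQL default '*') is reachable everywhere.
    if "skip_networking" not in opts and opts.get("bind_address", "*") in ("*", "0.0.0.0", "::"):
        findings.append("server listens on all interfaces (set bind-address or skip-networking)")
    return findings
```

Running audit(parse_mysqld_section(WEAK_CNF)) reports three findings, while the hardened file reports none.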