
How to ensure the security of data in the database

2025-01-18 Update. From: SLTechnology News&Howtos (shulou), Network Security

Shulou (Shulou.com) 06/01 Report

This article introduces the basics of "how to ensure data security in the database". Many people run into this problem in real operations, so the editor will walk you through how to handle these situations. I hope you read it carefully and get something out of it!

Database security has two aspects. The first is the physical security of the database: the server running the database and the lines that carry its data must keep operating normally, must not be damaged by external forces, must not become unavailable because of network congestion, and must be protected against losses caused by aging components. The second is the logical security of the database. The most important thing in a database is the data, so it must not be lost or leaked to attackers, must not be corrupted by a program crash, must be stored in a reasonable and orderly way, and must be convenient and fast to access.

The security of data covers several aspects: data independence, data security, data integrity, concurrency control, fault recovery, and so on.

Data independence includes physical independence and logical independence. Physical independence means that the user's application and the data stored on disk by the database are independent of each other; logical independence means that the user's application and the logical structure of the database are independent of each other.

Data security requires that data be stored in a reasonable structure according to requirements, that access control be used to reduce the likelihood of data theft, and that encrypted storage be used to raise the cost of data theft, so as to reduce the overall risk.

Data integrity includes the correctness, validity and consistency of the data. Correctness means that the input value of the data matches the value and type of the corresponding field in the table; validity means that the numerical constraints in the database match the range the field can actually take in the application; consistency means that different users should have the same method of handling, and the same understanding of, the same data.

Concurrency: when multiple users access the same database resource at the same time, different orderings of the reads and writes lead to different results, so concurrency control is needed. When one user is still modifying data and another user reads the half-modified data, the second user reads incorrect data; this is called a dirty read. Such concurrent operations must be controlled so that this kind of error is eliminated and the correctness of the data is guaranteed.
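The dirty read described above, as an added example that is not part of the original article, shown as two MySQL sessions against a constructed `account` table. The statements are labelled by session in comments; run them in the order given in two separate client connections.

```sql
-- Constructed example (not from the article): a dirty read between two sessions.
CREATE TABLE account (id INT PRIMARY KEY, balance DECIMAL(10,2)) ENGINE=InnoDB;
INSERT INTO account VALUES (1, 100.00);

-- Session A: starts a transaction and changes the row, but does not commit yet.
START TRANSACTION;
UPDATE account SET balance = balance - 50 WHERE id = 1;

-- Session B, with the weakest isolation level: sees A's uncommitted value.
SET SESSION TRANSACTION ISOLATION LEVEL READ UNCOMMITTED;
SELECT balance FROM account WHERE id = 1;   -- returns 50.00: a dirty read

-- Session A: rolls back. The value Session B just read never existed.
ROLLBACK;

-- Session B, with READ COMMITTED (or InnoDB's default REPEATABLE READ):
-- only committed data is visible, so the read is correct.
SET SESSION TRANSACTION ISOLATION LEVEL READ COMMITTED;
SELECT balance FROM account WHERE id = 1;   -- returns 100.00
```

InnoDB's default isolation level (REPEATABLE READ) already prevents dirty reads; the example lowers the level deliberately to make the failure visible, and then restores a safe level.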

Fault recovery: the database may be damaged for software reasons (computer viruses, network instability, program bugs, operator mistakes, etc.) or physical reasons (sudden power outage, natural disasters, hardware aging, etc.). There must be a recovery mechanism that keeps the loss to a minimum.

01 MySQL security configuration

1. Change the root user's password and remove the empty password

Execute the following statement in the MySQL console, replacing newpass with the actual password.

mysql> SET PASSWORD FOR 'root'@'localhost' = PASSWORD('newpass');
Query OK, 0 rows affected, 1 warning (0.01 sec)

2. Delete the default database and database users

MySQL is installed by default with databases such as test that exist only for testing and can introduce security risks, so remove them as follows:

mysql> DROP DATABASE test;
Query OK, 0 rows affected (0.00 sec)

Some MySQL installations have anonymous users with empty passwords, so anyone can connect with them. You can check with the following query:

mysql> SELECT * FROM mysql.user WHERE user = '';

3. Change the default MySQL administrator account

First create a user with the same privileges as the root user, as follows:

mysql> GRANT ALL PRIVILEGES ON *.* TO 'new_admin'@'127.0.0.1' IDENTIFIED BY 'password';
Query OK, 0 rows affected, 1 warning (0.02 sec)

Then delete the default root user, as follows:

mysql> DROP USER 'root'@'127.0.0.1';
mysql> DROP USER 'root'@'localhost';
mysql> DROP USER 'root'@'::1';
Query OK, 0 rows affected (0.04 sec)

4. Run MySQL with an independent user

Running MySQL as a dedicated, low-privileged system user means that even if MySQL itself has a security problem, an attacker who exploits it gains only that user's limited rights, which effectively prevents further intrusion into the system.

5. Prohibit remote connection to the database

Add the following parameter to the [mysqld] section of my.cnf or my.ini to stop MySQL from listening on its TCP/IP port at all:

skip-networking

Alternatively, make MySQL listen only on the local loopback address by adding the following line to the [mysqld] section of my.cnf:

bind-address=127.0.0.1

If remote connections to the database are unavoidable, grant the target host only the limited access it needs:

mysql> GRANT SELECT, INSERT ON mydb.* TO 'username'@'host_ip';

6. Limit the number of connected users

Limiting the maximum number of connections increases the time an attacker needs to brute-force the database and raises the chance that the attack is detected, which improves security.

You can find max_connections=100 in my.ini or my.cnf, change it (for example to max_connections=1000), and restart the MySQL service. Alternatively, change the maximum number of connections at runtime with the following statement:

mysql> SET GLOBAL max_connections = 100;
Query OK, 0 rows affected (0.00 sec)

7. User directory permission restrictions

MySQL is usually installed with root privileges, so the installed files default to root ownership.

After installation, the data directory must be handed over to the system user that actually runs MySQL, as shown below:

chown -R mysql:mysql /home/mysql/data

8. Command history protection

The MySQL client writes a .mysql_history file in the user's home directory that records every statement the user typed. This file can disclose sensitive information such as the database structure and even passwords, so it must be cleared promptly or prevented from being created in the first place.

You can prevent the history file from being written by pointing it at /dev/null:

$ export MYSQL_HISTFILE=/dev/null

9. Prohibit MySQL from accessing local files

LOAD DATA LOCAL INFILE can read files from the file system and either display them on screen or save them into a database table. Combined with an injection vulnerability, it enables further attacks. Add the following line to the [mysqld] section of my.cnf to disable the feature (older releases spelled this set-variable=local-infile=0; current releases accept only the plain form):

local-infile=0

10. MySQL server permission control

The database runs on a server, and the security of that server is the basic guarantee of database security. Reasonable permission control for the other software running on the server is also a necessary guarantee of database security.

11. MySQL database access control

Not only does the server need permission control; the MySQL database itself must also have a strict permission control mechanism, with different permissions set for different users. MySQL has 26 built-in operation privileges, such as CREATE, DROP, GRANT OPTION and REFERENCES, which apply to objects such as tables, columns and procedures, so that every query by every user has a clearly defined scope of authority and never crosses its boundary.

For security reasons, follow these principles when setting permissions.

(1) Grant only the minimum permissions that meet the need, so that users cannot misuse the account. For example, if a user only needs to query, give SELECT permission only, not UPDATE, INSERT or DELETE.

(2) Restrict the host a user may log in from when creating the user; this is generally limited to a specific IP address or a private network IP range.

(3) Delete password-less users when initializing the database. Some users created automatically during installation have no password by default.

(4) Set a password that meets the password complexity requirements for every user.

(5) Regularly clean up users that are no longer needed: reclaim their permissions or delete the users.
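Steps 1 to 3 of the configuration section together with the five principles above, as one added example that is not from the article. It assumes MySQL 8.0 syntax (the article's PASSWORD() function and GRANT ... IDENTIFIED BY form were removed in 8.0, where ALTER USER and CREATE USER take their place); the account names, host patterns, database and table names and passwords are placeholders chosen for the example.

```sql
-- Added example (not from the article). MySQL 8.0 syntax; all names and passwords are placeholders.

-- Step 1: replace the empty or default root password.
ALTER USER 'root'@'localhost' IDENTIFIED BY 'Replace-With-Strong-Passphrase-1!';

-- Step 2 / principle (3): remove the test database and any anonymous or password-less accounts.
DROP DATABASE IF EXISTS test;
SELECT user, host FROM mysql.user WHERE user = '' OR authentication_string = '';
DROP USER IF EXISTS ''@'localhost', ''@'%';

-- Step 3: create a renamed administrator bound to localhost, then drop the default root logins.
-- Verify that you can log in as db_admin BEFORE running the DROP USER line.
CREATE USER 'db_admin'@'localhost' IDENTIFIED BY 'Another-Strong-Passphrase-2!';
GRANT ALL PRIVILEGES ON *.* TO 'db_admin'@'localhost' WITH GRANT OPTION;
DROP USER IF EXISTS 'root'@'localhost', 'root'@'127.0.0.1', 'root'@'::1';

-- Principles (1), (2), (4): least privilege, host restricted to the private network,
-- and a password that must be rotated.
CREATE USER 'report_ro'@'10.0.%' IDENTIFIED BY 'Report-Only-Passphrase-3!'
  PASSWORD EXPIRE INTERVAL 90 DAY;
GRANT SELECT ON mydb.* TO 'report_ro'@'10.0.%';       -- query only: no UPDATE/INSERT/DELETE

CREATE USER 'app_rw'@'10.0.%' IDENTIFIED BY 'App-Writer-Passphrase-4!';
GRANT SELECT, INSERT, UPDATE ON mydb.orders TO 'app_rw'@'10.0.%';   -- one table, no DROP/GRANT/FILE

-- Principle (5): periodic review; list what an account holds and take back what it no longer needs.
SHOW GRANTS FOR 'app_rw'@'10.0.%';
REVOKE UPDATE ON mydb.orders FROM 'app_rw'@'10.0.%';
```

The DROP USER of the root logins is the irreversible step, which is why the example creates and verifies the replacement administrator first. The my.cnf settings from steps 5 and 9 (bind-address, local-infile) are file edits and are not repeated here.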

02 MySQL database encryption

Many sensitive fields in the database must not be viewed at will, not by developers, not by operators, and not even by database administrators. Database data therefore needs to be stored encrypted and, more importantly, protected so that an attacker who dumps the database still cannot read it.

The developer is responsible for developing and deploying the program and the encryption algorithm; the operations staff are responsible for installing and configuring the program and the key, but have no direct access to the database; and the database administrator is responsible for maintaining and managing the database, but does not know the key or the encryption algorithm and so cannot decrypt the data in it. This separation of duties is what ensures the security of the database data.

Run the following SQL statement (the plaintext password value is a placeholder here):

INSERT INTO `admin` (`id`, `name`, `pass`) VALUES ('1', 'admin', AES_ENCRYPT('<plaintext password>', 'key'));

The data inserted into the table is shown in figure 1.

Figure 1: the inserted data in the table

With the query statement:

SELECT `id`, `name`, AES_DECRYPT(`pass`, 'key') FROM `admin`;

you can see the contents of the table, as shown in figure 2.

Figure 2: querying the contents of the table

Usually the key is obtained from the configuration file and the database administrators do not know it, so even though they can see the result set they cannot obtain the user's password. Even if an attacker dumps the database, the user data remains in a relatively secure state without the key.
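The separation described in this section (key held by the application, ciphertext only in the table), as an added example that is not from the article. It assumes MySQL 5.7 or later, where AES_ENCRYPT accepts an initialization vector and block_encryption_mode can be set; the table layout, the @app_key value and the sample plaintext are constructed for the example.

```sql
-- Added example (not from the article): column encryption with the key kept out of the database.
-- Constructed schema and values; @app_key stands in for the key the application reads from its config.

-- The default block mode is ECB, which leaks equal plaintexts as equal ciphertexts; use CBC with a random IV.
SET block_encryption_mode = 'aes-256-cbc';

CREATE TABLE admin (
  id   INT PRIMARY KEY,
  name VARCHAR(64) NOT NULL,
  pass VARBINARY(256) NOT NULL,   -- ciphertext, so the column is binary, not text
  iv   BINARY(16) NOT NULL        -- per-row IV; it is not secret and may sit beside the ciphertext
);

SET @app_key = 'placeholder-key-loaded-from-app-config';   -- constructed placeholder, not a real key
SET @iv = RANDOM_BYTES(16);

INSERT INTO admin (id, name, pass, iv)
VALUES (1, 'admin', AES_ENCRYPT('sample-secret-value', @app_key, @iv), @iv);

-- What a DBA (or a dumped copy of the table) shows without the key: opaque bytes.
SELECT id, name, HEX(pass) AS pass_ciphertext FROM admin;

-- What the application sees when it supplies the key from its configuration.
SELECT id, name, CAST(AES_DECRYPT(pass, @app_key, iv) AS CHAR) AS pass_plain FROM admin;

-- A wrong key does not yield the value: AES_DECRYPT returns NULL (or unusable bytes).
SELECT id, AES_DECRYPT(pass, 'wrong-key', iv) AS attempt FROM admin;
```

Two caveats follow from the article's own advice. First, a key written into a statement ends up in the client history and the general log, so the history-file protection from step 8 applies, and in a real application the key travels as a bound parameter rather than a literal in the query text. Second, reversible encryption is the right tool for data the application must read back (card numbers, contact details); for login passwords specifically, a slow salted hash is the usual choice because the application never needs the plaintext again.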

03 database audit

Database audit (DBAudit) is a security measure that records database activity in real time and analyzes and reviews database operations, so that possible or ongoing attacks can be found and dealt with promptly.

An audit record includes the audited operation, the user who performed it, and the date and time of the operation. Audit records can be stored in the database's own audit trail or in files on the operating system. Standard auditing covers actions on privileges, schemas, objects and statements.

Audit analysis shows the operating state of the database: which commands were executed, the slowest SQL statement, the largest SQL statement, the peak throughput, the peak concurrency, and so on, all of which can be used for system optimization. It also pinpoints errors and intrusions precisely, which makes maintenance and hardening easier and supports forensics and accountability.
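A way to obtain the records this section describes with MySQL's own built-in logs, as an added example that is not from the article. MySQL Community Edition has no audit plugin, so the example uses the general query log (every statement, with user and timestamp) and the slow query log (the slowest statements); the threshold, limits and the regular expression are choices made for the example.

```sql
-- Added example (not from the article): capturing and reviewing statements with MySQL's built-in logs.

-- Write both logs to tables in the mysql schema so they can be queried like any other data.
SET GLOBAL log_output = 'TABLE';
SET GLOBAL general_log = 'ON';      -- records every statement; heavy, so enable it for investigation windows
SET GLOBAL slow_query_log = 'ON';
SET GLOBAL long_query_time = 1;     -- seconds; statements slower than this are recorded

-- Review 1: who changed privileges, accounts or schema, and when.
SELECT event_time,
       user_host,
       command_type,
       CONVERT(argument USING utf8mb4) AS statement
FROM mysql.general_log
WHERE CONVERT(argument USING utf8mb4) REGEXP '^(GRANT|REVOKE|DROP|ALTER USER|CREATE USER)'
ORDER BY event_time DESC
LIMIT 50;

-- Review 2: the slowest statements, for the optimization and forensics uses described above.
SELECT start_time,
       user_host,
       query_time,
       rows_examined,
       CONVERT(sql_text USING utf8mb4) AS statement
FROM mysql.slow_log
ORDER BY query_time DESC
LIMIT 20;

-- Review 3: statements that touched the sensitive table outside business hours.
SELECT event_time, user_host, CONVERT(argument USING utf8mb4) AS statement
FROM mysql.general_log
WHERE CONVERT(argument USING utf8mb4) LIKE '%admin%'
  AND HOUR(event_time) NOT BETWEEN 8 AND 18
ORDER BY event_time;
```

The log tables grow quickly and are readable by anyone with access to the mysql schema, so they should be rotated and protected with the same permission rules as the data they describe.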

04 database vulnerability scanning

Database vulnerability scanning is a specialized technique for the automated security assessment of database systems. Given a knowledge base that covers the known security weaknesses of databases, the scanner applies a predefined set of scanning strategies, one per item of vulnerability knowledge, to the target database system to find problems and defects. Based on the knowledge base, it rates the severity of each vulnerability and suggests a reference remediation.

This technique replaces tedious and slow manual vulnerability detection with more efficient automated detection, replaces passively waiting for an attack with actively simulating one to find the weaknesses, and presents the abstract vulnerability situation to the user as an orderly report. It gives users a clearer picture of the harm of each vulnerability and of the system's current security state, and it reduces a complicated remediation process to applying patches. It is a very convenient way for users to build and manage a secure and efficient database system.

05 database firewall

A database firewall system (DBFirewall) is a database security protection system based on database protocol analysis and control. Using an active defense mechanism, a DBFirewall controls database access behavior, blocks dangerous operations and audits suspicious behavior. It uses the characteristics of SQL to detect and block SQL injection, preventing further harm from SQL injection vulnerabilities in web applications. It limits the number of rows that may be queried or downloaded, restricts the users, locations and times at which sensitive data may be accessed, prevents large-scale leakage of sensitive data, tracks and flags illegal activity, and records illegal operations in detail for later tracing and accountability.

06 database desensitization

Database desensitization (data masking) refers to transforming sensitive information according to masking rules so that sensitive private data is reliably protected. For customer security data or commercially sensitive data, the real data is transformed and handed out for testing without breaking the system's rules, while still guaranteeing validity (the original data type and business format are kept), integrity (the length does not change and the meaning of the data is not lost), and relationships (the associations between tables and within tables are maintained). Personal information such as ID card numbers, mobile phone numbers, card numbers and customer numbers all needs to be masked.

This is the end of "how to ensure the security of data in the database". Thank you for reading. If you want to learn more about the industry, follow this website; the editor will keep publishing high-quality practical articles for you!
