2025-04-03 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/01 Report--
(1). Give MySQL accounts only the minimum permissions they need, and avoid granting them the alter and grant permissions
(2). Delete anonymous accounts
Anonymous accounts easily introduce security risks, so it is recommended to delete them. Execute the following SQL statements to delete all anonymous accounts from the permission tables. Because the statements modify the permission tables directly, finish with flush privileges so that the server reloads them:
mysql>delete from mysql.user where user='';
mysql>delete from mysql.db where user='';
mysql>delete from mysql.tables_priv where user='';
mysql>delete from mysql.columns_priv where user='';
mysql>delete from mysql.procs_priv where user='';
mysql>flush privileges;
(3). Delete MySQL accounts whose login host can be any host
A MySQL account whose login host is "%" or an empty string easily introduces security risks, so it is recommended to delete it. Execute the following SQL statements to delete the MySQL accounts whose login host is "%" or an empty string from the permission tables, then reload the tables with flush privileges:
mysql>delete from mysql.user where host='%' or host='';
mysql>delete from mysql.db where host='%' or host='';
mysql>delete from mysql.tables_priv where host='%' or host='';
mysql>delete from mysql.columns_priv where host='%' or host='';
mysql>delete from mysql.procs_priv where host='%' or host='';
mysql>flush privileges;
(4). Change the password of root account
The root account has the highest permissions on a MySQL service instance, so the database super administrator should set a custom password for it. Execute the following SQL to change it:
mysql>set password for root@'localhost'=password('newroot');
mysql>set password for root@'127.0.0.1'=password('newroot');
(5). Change the account name of the root account
When MySQL is installed, it automatically creates the root account of the database super administrator, and this account has the highest permissions on the database. The database super administrator should rename this account. Execute the following SQL to change it:
mysql>rename user root@'localhost' to newroot@'localhost';
mysql>rename user root@'127.0.0.1' to newroot@'127.0.0.1';
(6). Change the port number of MySQL service
By default, MySQL uses port number 3306 to provide MySQL services to MySQL clients. Change it to another port number to prevent unauthorized users from connecting to the MySQL server remotely. On Linux systems, this is done by modifying the value of the "port=3306" parameter in the [mysqld] option group of the my.cnf configuration file.
(7). Disable remote connections
Add the parameter "bind_address=127.0.0.1" to the [mysqld] option group of the my.cnf or my.ini (Windows platform) configuration file. This tells the MySQL server to listen only for connection requests from the local host ("127.0.0.1" or "localhost") and to refuse remote connections.
(8). Provide secure account names, passwords, and connection hosts for remotely connected database users.
(9). Prevent MySQL from reading MySQL client local files
The "load data local infile" command imports MySQL client local files into MySQL database tables.
If illegal information is imported into the permission tables of the MySQL system database through this command, the consequences are unimaginable. Adding the parameter "local_infile=0" to the [mysqld] option group in my.cnf or my.ini prevents MySQL from reading MySQL client local files.
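The three [mysqld] settings from items (6), (7) and (9) can be checked together. The script below is an added example, not part of the original article; the function name audit_mysqld and both sample files are constructed for illustration.

```python
import configparser

def audit_mysqld(cnf_text):
    """Check the [mysqld] group against checklist items (6), (7) and (9).

    Returns {option_name: problem} for every setting that fails."""
    # Strip indentation (configparser would read it as a continued value) and
    # drop !include/!includedir directives; included files need their own audit.
    lines = [l.strip() for l in cnf_text.splitlines()]
    lines = [l for l in lines if not l.startswith("!")]
    cp = configparser.ConfigParser(allow_no_value=True, strict=False,
                                   interpolation=None,
                                   inline_comment_prefixes=("#",))
    # MySQL accepts "-" and "_" interchangeably in option names.
    cp.optionxform = lambda name: name.lower().replace("-", "_")
    cp.read_string("\n".join(lines))
    # strict=False keeps the last of several duplicate options.
    opts = dict(cp["mysqld"]) if cp.has_section("mysqld") else {}

    problems = {}
    if opts.get("port", "3306") == "3306":
        problems["port"] = "service still listens on the default port 3306"
    if opts.get("bind_address") not in ("127.0.0.1", "localhost"):
        problems["bind_address"] = "remote connections are not disabled"
    if (opts.get("local_infile") or "").lower() not in ("0", "off", "false"):
        problems["local_infile"] = "load data local infile is not disabled"
    return problems

# Constructed sample files, not taken from a real server.
WEAK = """
[client]
port = 3306
[mysqld]
!includedir /etc/mysql/conf.d/
    port = 3306
skip-name-resolve
bind-address = 0.0.0.0   # listen on every interface
"""
HARDENED = """
[mysqld]
port = 3307
bind_address = 127.0.0.1
local-infile = 0
"""

if __name__ == "__main__":
    for name, text in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit_mysqld(text) or "OK")
```

An option that is absent is reported as a problem, because the checklist asks for each value to be set explicitly.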
(10). Avoid granting the file permission to MySQL accounts unless necessary, to prevent database users from creating files on the MySQL server
Note: If a MySQL account needs to execute the "select ... into outfile" command to back up the database, the account needs to be granted the file permission.
Other considerations for MySQL security management:
(1). When an object is deleted, MySQL does not clean up its old permissions; they remain in place. If an object with the same name is created at some point in the future, these permissions are still valid.
(2). Avoid using insert, update, delete and other update statements to operate directly on the permission tables
(3). Since MySQL does not provide user groups or roles, suffixes or prefixes can be added to MySQL account names (for example, the suffix "_replication" can be added to the replication account). With this naming scheme, user permissions can be modified in batches through wildcards to simulate user groups or roles.
(4). Because the administrative permissions of a MySQL service instance, such as shutdown, process, show databases, super, create user and create tablespace, are too powerful, it is recommended to restrict MySQL accounts that hold these permissions to a single host.
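Before deleting or renaming anything, it helps to list which accounts the checklist would flag. The script below is an added example, not part of the original article; it assumes each row is a dict of mysql.user columns with "Y" marking a granted privilege, and the function names and sample rows are constructed.

```python
# "Administrative" privilege columns of mysql.user named in consideration (4).
ADMIN_PRIVS = {"Shutdown_priv", "Process_priv", "Show_db_priv", "Super_priv",
               "Create_user_priv", "Create_tablespace_priv"}

def audit_account(row):
    """Return checklist findings for one mysql.user row given as a dict."""
    user, host = row["User"], row["Host"]
    granted = {c for c, v in row.items() if c.endswith("_priv") and v == "Y"}
    findings = []
    if user == "":
        findings.append("anonymous account")                    # item (2)
    any_host = host in ("%", "")
    if any_host:
        findings.append("login host can be any host")           # item (3)
    if user == "root":
        findings.append("super administrator still named root") # item (5)
    for col in ("Alter_priv", "Grant_priv", "File_priv"):       # items (1), (10)
        if col in granted:
            findings.append("holds " + col)
    # Consideration (4): % and _ are wildcards in the Host column, so a host
    # containing either one does not pin the account to a single machine.
    admin = sorted(granted & ADMIN_PRIVS)
    if admin and (any_host or "%" in host or "_" in host):
        findings.append("admin privileges not tied to a single host: "
                        + ", ".join(admin))
    return findings

def audit_accounts(rows):
    """Map 'user'@'host' to its findings, skipping accounts with none."""
    report = {}
    for row in rows:
        found = audit_account(row)
        if found:
            report["'%s'@'%s'" % (row["User"], row["Host"])] = found
    return report

# Constructed rows, shaped like: select * from mysql.user
SAMPLE_ROWS = [
    {"User": "", "Host": "localhost"},
    {"User": "app", "Host": "%", "Select_priv": "Y", "File_priv": "Y"},
    {"User": "mon_replication", "Host": "10.0.0.%", "Process_priv": "Y"},
    {"User": "newroot", "Host": "127.0.0.1", "Super_priv": "Y"},
]

if __name__ == "__main__":
    for account, found in audit_accounts(SAMPLE_ROWS).items():
        print(account, "->", "; ".join(found))
```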