2025-04-06 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/01 Report--
1. Prohibit MySql from running with administrator account privileges
MySQL should not run under an administrator account; mysqld should be run under a normal, unprivileged account.
Hardening method: set user=mysql in the my.cnf configuration file.
2. Set the root password and change the login name, and make sure no account has an empty password
To change the root user password, execute in the MySql console:
> set password for 'root'@'localhost'=password('new_password'); # in practice, replace new_password with the actual password
To better protect the root user, rename it. This requires updating the user table in the mysql database. Execute in the console:
> use mysql;
> update user set user="another_username" where user="root";
> flush privileges;
After that, you can access the mysql console with:
$ mysql -u another_username -p
All database accounts should have a password configured. To check for accounts that do not meet this requirement, use the following statement (as written, it matches accounts with an empty user name):
> select * from mysql.user where user="";
3. Configure appropriate password strength, with a maximum password lifetime of less than 90 days
Database user password complexity includes length, case, and special characters.
Hardening method: add the following lines to the global configuration:
plugin-load = validate_password.so # load the password strength validation plugin
validate_password_length = 14 # minimum password length is 14; the default is 8
validate_password_mixed_case_count = 1 # minimum number of lowercase and of uppercase letters
validate_password_number_count = 1 # minimum number of digits
validate_password_special_char_count = 1 # minimum number of special characters
validate_password_policy = MEDIUM # password strength level: 0/LOW, 1/MEDIUM or 2/STRONG; the default is MEDIUM
The three password strength levels perform the following tests:
Policy         Tests Performed
0 or LOW       Length
1 or MEDIUM    Length; numeric, lowercase/uppercase, and special characters
2 or STRONG    Length; numeric, lowercase/uppercase, and special characters; dictionary file
To set the user password expiration time to 90 days, execute in the console:
> set global default_password_lifetime=90;
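The settings from steps 1 and 3 can be checked mechanically. The following Python script is an added example, not part of the original article: it parses my.cnf text and reports which of those settings are missing or weaker than the values given above. The function names and the two sample files are constructed for illustration.

```python
import configparser

MIN_LENGTH = 14  # value used in step 3; the page gives the default as 8
POLICY_RANK = {"0": 0, "LOW": 0, "1": 1, "MEDIUM": 1, "2": 2, "STRONG": 2}

def mysqld_options(text):
    """Return the [mysqld] options of my.cnf text, with '-' normalised to '_'."""
    # Drop !include / !includedir directives, which configparser cannot parse.
    body = "\n".join(l for l in text.splitlines() if not l.lstrip().startswith("!"))
    cp = configparser.ConfigParser(allow_no_value=True, strict=False,
                                   interpolation=None, inline_comment_prefixes=("#",))
    cp.read_string(body)
    if not cp.has_section("mysqld"):
        return {}
    return {k.replace("-", "_"): (v or "").strip() for k, v in cp.items("mysqld")}

def audit(text):
    """Return findings for the settings from steps 1 and 3; [] means all pass."""
    o = mysqld_options(text)
    findings = []
    if o.get("user", "") in ("", "root"):
        findings.append("user: mysqld is not set to run as an unprivileged account")
    if "validate_password" not in o.get("plugin_load", ""):
        findings.append("plugin-load: validate_password plugin is not loaded")
    # Missing options fall back to the server defaults (length 8, counts 1).
    for key, required in (("length", MIN_LENGTH), ("mixed_case_count", 1),
                          ("number_count", 1), ("special_char_count", 1)):
        value = int(o.get("validate_password_" + key, 8 if key == "length" else 1))
        if value < required:
            findings.append(f"validate_password_{key}: {value} is below {required}")
    policy = o.get("validate_password_policy", "MEDIUM").upper()
    if POLICY_RANK.get(policy, -1) < 1:
        findings.append(f"validate_password_policy: {policy} is weaker than MEDIUM")
    return findings

# Constructed sample files, not taken from a real server.
WEAK = """[mysqld]
user = root
validate-password-length = 8   # too short
validate_password_policy = LOW
"""
HARDENED = """[mysqld]
user = mysql
plugin-load = validate_password.so
validate_password_length = 14
validate_password_policy = MEDIUM
"""

if __name__ == "__main__":
    print(audit(WEAK), audit(HARDENED))
```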
4. Reduce users' database privileges so that only the administrator has complete database access
The mysql.user and mysql.db tables in the MySQL database list the privileges that can be granted to (or denied from) MySQL users. In general, these privileges should not be available to every MySQL user and are usually reserved for administrator users.
Hardening method: audit which users hold each privilege and, for non-administrative users, use the revoke statement to remove the privileges they should not have.
# Privileges in the mysql.user table include:
File_priv: whether the user may read local files on the host where the database resides
Process_priv: whether the user may query the command execution information of all users
Super_priv: whether the user has high-level permissions such as setting global variables and administrator debugging
Shutdown_priv: whether the user can shut down the database
Create_user_priv: whether the user can create or delete other users
Grant_priv: whether the user can modify other users' permissions
To view the SQL statements that are currently executing:
> show processlist;
# or
> use information_schema;
> select * from PROCESSLIST where info is not null;
Use the following command to list the database accounts that hold a given privilege:
> select host,user from mysql.user where File_priv='Y';
If a non-administrator user appears in the result, use the following command to revoke the privilege:
> revoke file on *.* from 'mysql';
5. Disable or restrict remote access to ensure that only specific hosts have access
> grant all on *.* to 'root'@'%';
The above grant allows root to connect from any host with all privileges on all databases. To restrict access to specific hosts:
> grant all on *.* to 'root'@'localhost';
> grant all on *.* to 'root'@'hostname_ip'; # hostname_ip can be an IP address or a hostname
To revoke access from a host, you can use:
> revoke all on *.* from 'root'@'hostname_ip';
To grant only some privileges, you can use:
> grant select on mydb.* to 'someuser'@'hostname_ip';
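The audits described in steps 4 and 5 can be combined into one pass over the account table. The following Python script is an added example, not part of the original article: it takes rows shaped like mysql.user, flags anonymous accounts, wildcard hosts and non-administrators holding the privileges listed in step 4, and proposes the matching revoke statement. The sample rows, the admins allow-list and the function names are constructed for illustration.

```python
# Columns of mysql.user that step 4 reserves for administrators,
# mapped to the privilege name used in GRANT/REVOKE.
ADMIN_ONLY = {"File_priv": "FILE", "Process_priv": "PROCESS", "Super_priv": "SUPER",
              "Shutdown_priv": "SHUTDOWN", "Create_user_priv": "CREATE USER",
              "Grant_priv": "GRANT OPTION"}

def quote(value):
    """Quote an account part as a SQL string literal so it cannot break the statement.

    Assumes the default sql_mode, where backslash is an escape character.
    """
    return "'" + value.replace("\\", "\\\\").replace("'", "''") + "'"

def audit_accounts(rows, admins):
    """Return (account, issue, fix) tuples for rows shaped like mysql.user.

    admins is the set of (user, host) pairs allowed to keep full privileges.
    fix is a suggested statement, or None when the finding needs manual review.
    """
    findings = []
    for row in rows:
        user, host = row["User"], row["Host"]
        account = f"{quote(user)}@{quote(host)}"
        if user == "":
            findings.append((account, "anonymous account", None))
        if "%" in host:
            findings.append((account, "wildcard host", None))
        held = [priv for col, priv in ADMIN_ONLY.items() if row.get(col) == "Y"]
        if held and (user, host) not in admins:
            fix = f"REVOKE {', '.join(held)} ON *.* FROM {account};"
            findings.append((account, "admin-only privileges", fix))
    return findings

# Constructed rows; a real audit would read them from mysql.user.
SAMPLE = [
    {"User": "root", "Host": "localhost", "File_priv": "Y", "Super_priv": "Y", "Grant_priv": "Y"},
    {"User": "root", "Host": "%", "File_priv": "Y", "Super_priv": "Y"},
    {"User": "report", "Host": "10.0.0.5", "File_priv": "Y", "Process_priv": "N"},
    {"User": "", "Host": "localhost"},
]

if __name__ == "__main__":
    for account, issue, fix in audit_accounts(SAMPLE, admins={("root", "localhost")}):
        print(f"{account}: {issue}" + (f" -> {fix}" if fix else ""))
```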
6. Configure MySql logs for auditing