
What are the commands for MySQL/MariaDB security practices in Linux

2025-04-08 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)06/01 Report--

This article explains in detail which commands are used for MySQL/MariaDB security practices in Linux. The editor finds it very practical and shares it here as a reference; I hope you get something out of reading it.

MySQL is the most popular open source database system in the world, and MariaDB (a fork of MySQL) is the fastest growing open source database system in the world. A freshly installed MySQL server is not secure in its default configuration, and securing the database is one of the basic tasks of general database management.

Doing so helps harden the entire Linux server, because attackers scan for vulnerabilities in every part of the system, and the database has been a key target in the past. A common example is brute-forcing the root password of a MySQL database.

In this guide, we explain Linux security best practices for MySQL/MariaDB that are helpful to developers.

1. Install MySQL securely

Running the mysql_secure_installation script is the first recommended step after installing the MySQL server to protect the database server. The script helps you improve the security of your MySQL server as follows:

If you do not set the password for your root account during installation, set it immediately

Disable remote root user login by deleting root accounts that can be accessed from outside the local host

Delete anonymous user accounts and test databases, which are accessible to all users, even anonymous users, by default

# mysql_secure_installation

After running the above command, set the root password and answer a series of questions by entering [Yes/Y] and pressing the [Enter] key.

[Screenshot: MySQL secure installation]

2. Bind the database server to the loopback address

This configuration restricts access from remote machines, telling the MySQL server to accept only connections from the local host. You can set it in the main configuration file.

# vi /etc/my.cnf                            # RHEL/CentOS
# vi /etc/mysql/my.cnf                      # Debian/Ubuntu
OR
# vi /etc/mysql/mysql.conf.d/mysqld.cnf     # Debian/Ubuntu

Add the following line to the [mysqld] section:

bind-address = 127.0.0.1

3. Disable LOCAL INFILE for MySQL

As part of security hardening, disable local_infile to prevent access to the underlying file system from within MySQL. Use the following directive in the [mysqld] section.

local-infile=0

4. Modify the default port of MySQL

The port variable sets the port number MySQL uses to listen for TCP/IP connections. The default port number is 3306, but you can change it in the [mysqld] section.

port=5000

5. Enable MySQL Log

Logging is one of the best ways to understand what happened while the service was running, and in the event of an attack you can easily find intrusion-related activity in the log. You can turn on MySQL logging by adding the following variables to the [mysqld] section of the configuration file (the older log option was removed in MySQL 5.6).

general_log=1
general_log_file=/var/log/mysql.log

6. Set access permissions for appropriate MySQL files

Make sure that you have set appropriate access permissions on all MySQL server files and data directories. The file /etc/my.cnf should be writable only by root, which prevents other users from modifying the configuration of the database service.

# chmod 644 /etc/my.cnf
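A quick check of steps 2, 3, 5 and 6 against a configuration file, as an added example that is not part of the original article. The function names and the sample file are assumptions, and the logging check looks for general_log, the current option name for the general query log.

```shell
#!/bin/sh
# Added example: audit a my.cnf against steps 2, 3, 5 and 6 of this guide.

# Print the value of option $2 in the [mysqld] section of file $1.
# '-' and '_' are interchangeable in option names; a bare option counts as 1.
mysqld_opt() {
    awk -v want="$2" '
        /^[ \t]*[#;]/ { next }
        /^[ \t]*\[/   { insec = ($0 ~ /^[ \t]*\[mysqld\]/); next }
        insec && NF {
            eq  = index($0, "=")
            key = eq ? substr($0, 1, eq - 1) : $0
            val = eq ? substr($0, eq + 1) : "1"
            gsub(/[ \t]/, "", key); gsub(/-/, "_", key)
            gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (key == want) found = val
        }
        END { print found }' "$1"
}

# Print one FAIL line per weak setting; return 1 if anything failed.
audit_mycnf() {
    f=$1; rc=0
    case "$(mysqld_opt "$f" bind_address)" in
        127.0.0.1|::1|localhost) ;;
        *) echo "FAIL bind-address is not a loopback address"; rc=1 ;;
    esac
    case "$(mysqld_opt "$f" local_infile)" in
        0|OFF|off) ;;
        *) echo "FAIL local-infile is not disabled"; rc=1 ;;
    esac
    case "$(mysqld_opt "$f" general_log)" in
        1|ON|on) ;;
        *) echo "FAIL general query log is not enabled"; rc=1 ;;
    esac
    # ls mode string: character 6 is group write, character 9 is other write.
    case "$(ls -ld "$f" | cut -c1-10)" in
        ?????w*|????????w*) echo "FAIL $f is writable by group or others"; rc=1 ;;
    esac
    return $rc
}

# Constructed sample config with weak settings.
sample=$(mktemp)
printf '%s\n' '[mysqld]' 'bind-address = 0.0.0.0' 'local-infile = 1' > "$sample"
audit_mycnf "$sample" || echo "-> fix the settings flagged above"
rm -f "$sample"
```

The check reads a single file and does not follow !include or !includedir directives, so run it on each file that carries a [mysqld] section.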

7. Delete MySQL shell History

All commands you execute in the MySQL shell are saved by the mysql client to a history file: ~/.mysql_history. This is dangerous because, for any user account you create, the user names and passwords typed in the shell are recorded in the history file.

# cat /dev/null > ~/.mysql_history

8. Do not run MySQL commands on the command line

As you know, all commands you enter on the terminal are stored in a history file, depending on the shell you are using (for example, bash keeps its history in ~/.bash_history). An attacker who gains access to this history file can easily see any passwords recorded there.

It is not recommended to enter a password on the command line, as follows:

# mysql -u root -ppassword_

[Screenshot: Connect to MySQL using a password]

When you look at the last part of the command line history file, you can see the password you entered earlier.

# history

[Screenshot: View command line input history]

The recommended way to connect to MySQL is:

# mysql -u root -p
Enter password:
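To find credentials that steps 7 and 8 warn about, the following added example (not part of the original article) scans a shell history and a mysql client history and reports only line numbers, so the secrets are not echoed again. The function names and both sample histories are constructed for illustration.

```shell
#!/bin/sh
# Added example: locate MySQL credentials left behind in history files.

# Print the line numbers in shell-history file $1 where a MySQL client was
# given its password as an argument (-pSECRET or --password=SECRET).
# A bare -p, which prompts for the password, is not reported.
scan_shell_history() {
    grep -nE '(^|[^[:alnum:]_])(mysql|mysqldump|mysqladmin)([[:space:]]+[^[:space:]]+)*[[:space:]]+(-p|--password=)[^[:space:]]+' "$1" | cut -d: -f1
}

# Print the line numbers in mysql-client history file $1 that contain
# IDENTIFIED BY or PASSWORD(...). libedit-based clients store spaces as \040.
scan_mysql_history() {
    grep -inE 'identified(\\040|[[:space:]])+by|password(\\040|[[:space:]])*\(' "$1" | cut -d: -f1
}

# Constructed sample histories (not real credentials).
sh_hist=$(mktemp); my_hist=$(mktemp)
cat > "$sh_hist" <<'EOF'
ls -la
mysql -u root -pS3cret-constructed
mysql -u root -p
mysqldump --password=constructed osclass_db > dump.sql
mysql --port=3306 -u root -p
EOF
cat > "$my_hist" <<'EOF'
_HiStOrY_V2_
SHOW\040DATABASES;
CREATE\040USER\040'app'@'localhost'\040IDENTIFIED\040BY\040'constructed';
SET PASSWORD = PASSWORD('constructed');
EOF
for n in $(scan_shell_history "$sh_hist"); do
    echo "shell history line $n: password passed as an argument"
done
for n in $(scan_mysql_history "$my_hist"); do
    echo "mysql history line $n: statement contains a password"
done
rm -f "$sh_hist" "$my_hist"
```

Any password reported this way should be treated as exposed: change it, then clear the history file as shown in step 7.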

9. Define database users for a specific application

For each application running on the server, set up only one database user associated with that application. For example, if you have a WordPress website, create a WordPress database user as follows:

# mysql -u root -p
MariaDB [(none)]> CREATE DATABASE osclass_db;
MariaDB [(none)]> CREATE USER 'osclassdmin'@'localhost' IDENTIFIED BY 'YourPasswordHere';
MariaDB [(none)]> GRANT ALL PRIVILEGES ON osclass_db.* TO 'osclassdmin'@'localhost';
MariaDB [(none)]> FLUSH PRIVILEGES;
MariaDB [(none)]> exit

And remember to delete database users who are no longer in use.

10. Use additional security plug-ins and libraries

MySQL includes a number of security plug-ins for authenticating client connection attempts, validating passwords, and securely storing sensitive information, all of which are available in the free version.

You can see more here: https://dev.mysql.com/doc/refman/5.7/en/security-plugins.html

11. Change the MySQL password periodically

Changing passwords regularly is a common information, application and system security recommendation. How often you change your password is determined by your internal security policy. Changing it regularly helps defeat a "snooper" who has been tracking your activity over a long period, has obtained your password, and could use it to log in to your MySQL server.

-- ALTER USER is available from MySQL 5.7.6 and MariaDB 10.2; a direct UPDATE of mysql.user fails on current versions
MariaDB [(none)]> ALTER USER 'root'@'localhost' IDENTIFIED BY 'YourPasswordHere';
MariaDB [(none)]> FLUSH PRIVILEGES;

12. Update the MySQL server package regularly

It is strongly recommended that the mysql/mariadb package be updated regularly from the official repositories to get the latest security updates and bug fixes. In general, the default package shipped with the operating system is out of date.

# yum update                    # RHEL/CentOS
# apt update && apt upgrade     # Debian/Ubuntu

Restart the service after making any changes to the mysql/mariadb server.

# systemctl restart mariadb     # RHEL/CentOS
# systemctl restart mysql       # Debian/Ubuntu

This is the end of the article on "which commands are used for MySQL/MariaDB security practices in Linux". I hope the content above is helpful and that you learn something from it. If you think the article is good, please share it so more people can see it.
