Shulou(Shulou.com)05/31 Report--

This article mainly introduces "how to solve the MySQL data service baseline security problem". In the daily operation, I believe many people have doubts about how to solve the MySQL data service baseline security problem. The editor consulted all kinds of information and sorted out simple and easy-to-use operation methods. I hope it will be helpful to answer the doubt of "how to solve the MySQL data service baseline security problem". Next, please follow the editor to study!

Analysis of problems

Looking at MongoDB and Elasticsearch and the current MySQL database blackmail, we can find that baseline security problems lead to data hijacking and extortion by hackers, because these services are open on the public network, and there are empty passwords or weak passwords that make it easy for attackers to crack successfully, connect to the database directly to download and empty the data, especially incorrect security group configuration.

In fact, this is not the first time that similar problems have occurred. Recently, Yunding lab has observed a number of cases in which attacks have expanded, not only extortion, but also server intrusion, resulting in data being downloaded. Baseline security issues have become the main way to invade servers outside of Web vulnerabilities, especially in cases such as weak passwords. Misconfiguration can cause related services to be exposed on the public network and become the target of hackers. Coupled with the use of weak passwords such as empty passwords, hackers can easily invade these services.

Safety self-examination

When this event breaks out, it is recommended to conduct a self-check on your server to avoid related data loss and other problems. For more information, please see the following:

1. Check the open ports and corresponding services of the server, and close the public network access if not necessary. You can use NMap to directly execute the nmap server IP (executed on the server's public network), and the following results can be obtained: open ports and services in the public network.

2. Focus on checking the configuration of these open services on the public network to check whether the relevant services set passwords and weak passwords.

3. If it is not necessary, do not use root or other system high-privilege accounts to start related services.

Safety advice and repair scheme

First, use the correct security group or iptables to achieve access control.

2. Shut down related services and modify weak passwords through public network access:

1 、 MongoDB

a. Configure authentication

Take version 3.2 as an example, MongoDB sets permission authentication. The specific steps are as follows:

Start the MongoDB process by adding the-auth parameter or auth = true in the configuration file of MongoDB

MongoDB with auth startup. If no user is created, MongoDB will allow local access and create an administrator user. The creation steps are as follows:

1. Switch to admin library; 2. Create an administrator user with the following command (user and pwd can be set as needed): db.createUser ({user: "root", pwd: "password", roles: ["root" >)

b. Turn off public network access

You can configure it through the bind_ip parameter of MongoDB. You only need to bind IP to private network IP, as shown below:

1. Add the bind_ip parameter at startup: mongod-- bind_ip 127.0.0.1 bind_ip 10.x.x2. Add the following to the configuration file mongodb.conf: bind_ip = 127.0.0.1 Magi 10.x.x.x where 10.x.x.x is your machine's intranet IP.

2 、 Redis

a. Configure authentication

Modify the configuration file to add the "requirepass password" entry configuration (the configuration file is usually in / etc/redis.conf)

On the basis of connecting to Redis, through the command line configuration, config set requirepass yourPassword

b. Turn off public network access

Configure the bind option, limit the IP that can connect to the Redis server, and modify the default port 6379 of the Redis

c. Other

Configure the rename-command configuration item "RENAME_CONFIG", renaming Redis-related commands, so that even if there is unauthorized access, it can make it more difficult for attackers to use config instructions (but it will also bring inconvenience to developers)

Restart the Redis-server service after the relevant configuration

3 、 MySQL

a. Configure authentication

MySQL installation requires setting a password by default. If it is a weak command, you can change the password in the following ways:

UPDATE USER statement

/ / after logging in to MySQL as root, USE mysql; UPDATE user SET password=PASSWORD ('new password') WHERE user='root'; FLUSH PRIVILEGES

SET PASSWORD statement

/ / after logging in to MySQL as root, SET PASSWORD FOR root=PASSWORD ('new password')

Mysqladmin command

Mysqladmin-u root-p Old password New password

b. Turn off public network access

Set bind-address= IP binding internal IP in startup parameters or configuration file

Connect to the database with a root account, check for users with a host field value of% or non-localhost in the user table, change host to localhost or specify IP or delete unnecessary users

At this point, the study on "how to solve the baseline security problems of MySQL data services" is over. I hope to be able to solve your doubts. The collocation of theory and practice can better help you learn, go and try it! If you want to continue to learn more related knowledge, please continue to follow the website, the editor will continue to work hard to bring you more practical articles!

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.