How to deal with MySQL attacks safely

2025-02-28 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)05/31 Report--

This article explains in detail how to deal with MySQL attacks. The editor thinks it is very practical, so it is shared here as a reference. I hope you get something out of reading it.

In the face of MySQL attacks, administrators should do their best to keep the server secure. The following sections show how to stay secure when MySQL is attacked.

When you connect to a MySQL server, you should use a password. The password is not transmitted in clear text. Password handling in the client connection sequence was upgraded and made more secure in MySQL 4.1.1. If you still use pre-4.1.1-style passwords, the encryption algorithm is not as strong as the newer one; with some effort, a clever attacker who can sniff the traffic between the client and the server can crack the password. If the connection between the client and the server runs over an untrusted network, you should use an SSH tunnel to encrypt the communication.

All other information is sent as plain text and can be read by anyone able to observe the connection. If this concerns you, you can use the compressed protocol to make the traffic harder (but not impossible) to read, since compression obscures the data rather than encrypting it. To make the connection really secure, you should use SSH to obtain an encrypted TCP/IP connection between the MySQL server and the MySQL client. (Note: you can also use MySQL's built-in OpenSSL support.)

To make your MySQL installation secure, you should strongly consider the following recommendations:

◆ Use passwords for all MySQL users. A client program does not necessarily know the identity of the person running it; in client/server applications it is common for the user to be able to specify any user name to the client program. For example, if other_user has no password, anyone can connect as that user simply by running mysql -u other_user db_name and carry out a MySQL attack from that account. If all users have passwords, connecting with someone else's account becomes much harder.

To change a user's password, use the SET PASSWORD statement. You can also update the user table in the mysql database directly. For example, to change the password of all MySQL accounts named root:

The following is the referenced content:

shell> mysql -u root
mysql> UPDATE mysql.user SET Password=PASSWORD('newpwd')
    -> WHERE User='root';
mysql> FLUSH PRIVILEGES;

Never run the MySQL server as the Unix root user. This is dangerous because any user with the FILE privilege could then create files as root (for example, ~root/.bashrc). As a precaution, mysqld refuses to run as root unless explicitly told to with the --user=root option.

You can (and should) run mysqld as an ordinary, unprivileged user. Creating a separate Unix account named mysql makes everything more secure; this account should be used only to administer MySQL. To start mysqld as another Unix user, add a user option that names that user to the [mysqld] group of the /etc/my.cnf option file or of the my.cnf option file in the server's data directory. For example:

The following is the referenced content:

[mysqld]
user=mysql

This causes the server to start as the specified user, whether you start it manually or via mysqld_safe or mysql.server.

When running mysqld as a Unix user other than root, you do not need to rename the root user in the user table, because the user names of MySQL accounts have nothing to do with the user names of Unix accounts.

◆ Do not allow symbolic links for tables (you can disable them with the --skip-symbolic-links option). This is especially important if you run mysqld as root, because anyone with write access to the server's data directory could then delete any file on the system!

◆ Make sure that the only Unix user with read or write permissions on the database directories is the user that mysqld runs as.

◆ Do not grant the PROCESS or SUPER privilege to non-administrative users. The output of mysqladmin processlist shows the text of any statement currently being executed, so any user allowed to run that command may be able to see another user issuing a statement such as UPDATE user SET password=PASSWORD('not_secure').

mysqld reserves an extra connection for users with the SUPER privilege, so even if all normal connections are occupied, the MySQL root user can still log in and check server activity.

The SUPER privilege can also be used to terminate client connections, change how the server operates by setting system variables, and control replication servers, all of which help in responding to a MySQL attack.

◆ Do not grant the FILE privilege to non-administrative users. Any user with this privilege can write a file anywhere in the file system with the privileges of the mysqld daemon! To make this a bit safer, all files generated by SELECT ... INTO OUTFILE are readable by everyone, and you cannot overwrite files that already exist.

The FILE privilege can also be used to read any file that is readable by the Unix user the server runs as. With this privilege you can read any such file into a database table. This can be abused, for example, by loading "/etc/passwd" into a table with LOAD DATA and then displaying it with SELECT.

◆ If you do not trust your DNS, you should use IP numbers instead of hostnames in the grant tables. In any case, be very careful when creating grant table entries with hostnames that contain wildcards, as these open the door to MySQL attacks!

◆ If you want to limit the number of connections allowed for a single account, you can set the max_user_connections variable in mysqld. The GRANT statement also supports resource-control options that limit how much use of the server an account is allowed.
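The recommendations above can be turned into a quick audit of the grant table. The following is an added example, not code from the original article or from MySQL: it checks rows shaped like the result of the (hypothetical, pre-5.7 column set) query in the docstring for empty passwords, FILE/PROCESS/SUPER granted to non-administrative accounts, wildcard hosts, and hostnames used in place of IP addresses. The admin account list and the sample rows are constructed assumptions.

```python
"""Audit mysql.user rows against the hardening checks in this article.

Added example, not part of the original article. The rows in SAMPLE_ROWS
are constructed sample data shaped like the result of this query on a
pre-5.7 grant table (where the hash column is still named Password):

    SELECT User, Host, Password, File_priv, Process_priv, Super_priv
    FROM mysql.user;
"""
import re

# Accounts that are allowed to hold FILE/PROCESS/SUPER (assumption).
ADMIN_USERS = {"root"}
IPV4 = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")


def audit_user_rows(rows, admin_users=ADMIN_USERS):
    """Return (user@host, finding) tuples for every check that fails."""
    findings = []
    for r in rows:
        acct = f"{r['User']}@{r['Host']}"
        if r["Password"] == "":                      # "use passwords for all users"
            findings.append((acct, "no password set"))
        for priv in ("File_priv", "Process_priv", "Super_priv"):
            if r[priv] == "Y" and r["User"] not in admin_users:
                findings.append((acct, f"{priv} granted to non-admin user"))
        host = r["Host"]
        if "%" in host or "_" in host:               # both are wildcards in Host
            findings.append((acct, "wildcard host"))
        elif host != "localhost" and not IPV4.match(host):
            findings.append((acct, "hostname used instead of IP (DNS trust)"))
    return findings


# Constructed sample rows; "*HASH..." stands in for a real password hash.
SAMPLE_ROWS = [
    {"User": "root", "Host": "localhost", "Password": "*HASH1",
     "File_priv": "Y", "Process_priv": "Y", "Super_priv": "Y"},
    {"User": "app", "Host": "10.0.0.5", "Password": "*HASH2",
     "File_priv": "N", "Process_priv": "N", "Super_priv": "N"},
    {"User": "other_user", "Host": "localhost", "Password": "",
     "File_priv": "N", "Process_priv": "N", "Super_priv": "N"},
    {"User": "report", "Host": "%", "Password": "*HASH3",
     "File_priv": "Y", "Process_priv": "N", "Super_priv": "N"},
    {"User": "batch", "Host": "batch.example.com", "Password": "*HASH4",
     "File_priv": "N", "Process_priv": "Y", "Super_priv": "N"},
]

if __name__ == "__main__":
    for acct, finding in audit_user_rows(SAMPLE_ROWS):
        print(f"{acct}: {finding}")
```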

This is the end of the article on "how to deal with MySQL attacks safely". I hope the above content is of some help to you and lets you learn more. If you think the article is good, please share it so more people can see it.
