MySQL Database Security Management Configuration
2015-08-28 14:58
1. Drop the test database
Reason:
The default MySQL installation comes with a database named test that anyone can access. This database is intended only for tutorials, samples, testing, etc. Databases named "test" and also databases with names starting with - depending on platform - "test" or "test_" can be accessed by users that do not have explicit privileges granted to the database. You should avoid such database names on production servers.
Recommendation:
Drop databases named "test" and also all databases with names starting with - depending on platform - "test" or "test_" and remove all associated privileges.
Procedure: drop the test database on the master:
drop database test;
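The recommendation above also calls for removing the associated privileges, which DROP DATABASE alone does not do. The following is an added example, not part of the original post; it assumes the stock rows that an installation shipping the test database creates in mysql.db (Db = 'test' and Db = 'test\_%') and that NO_BACKSLASH_ESCAPES is not enabled:

```sql
-- 1. List every schema covered by the default "test" / "test_" access rule.
SELECT SCHEMA_NAME
FROM information_schema.SCHEMATA
WHERE SCHEMA_NAME = 'test'
   OR SCHEMA_NAME LIKE 'test\_%';

-- 2. Show the database-level privilege rows that grant that access.
--    The stored Db value is the literal pattern test\_% , so it is
--    compared with '=' and the backslash is doubled in the string literal.
SELECT Host, Db, User, Select_priv, Insert_priv, Update_priv, Delete_priv
FROM mysql.db
WHERE Db = 'test'
   OR Db = 'test\\_%';

-- 3. Drop the schema, then remove the privilege rows that would otherwise
--    keep applying to any schema later created under a matching name.
DROP DATABASE IF EXISTS test;
DELETE FROM mysql.db
WHERE Db = 'test'
   OR Db = 'test\\_%';
FLUSH PRIVILEGES;

-- 4. Verify: the count should be 0.
SELECT COUNT(*) AS remaining_test_rows
FROM mysql.db
WHERE Db = 'test'
   OR Db = 'test\\_%';
```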
2. Delete the root user, or allow root to log in only from the local host
Reason:
The root user can log in remotely. It means that you can connect as root from remote hosts if you know the password. An attacker must guess the password, but may attempt to do so by connecting from remote hosts. However, if remote access is disallowed, the attacker can attempt to connect as the root user only after first gaining access to localhost.
The default MySQL installation includes a root account with super (full) privileges that is used to administer the MySQL server. The name root is created by default and is very well known. The literal value root does not have any significance in the MySQL privilege system. Hence there is no requirement to continue with the user name root.
Recommendation:
a. Rename the root MySQL user to something obscure and disallow remote access (best for security).
b. If you still want to keep the root user for some reason, make sure remote access is disallowed. Use the following SQL: delete from mysql.user where user = "root" and host not in ('127.0.0.1','localhost'); flush privileges;
Procedure:
delete from mysql.user where user = "root" and host not in ('127.0.0.1','localhost');
flush privileges;
Before deleting root accounts in this step, check in turn the definer of every function, procedure, event, view and trigger. If any definer is root@% or root@xxx, change it to root@127.0.0.1 or root@localhost. The root@localhost or root@127.0.0.1 account must also be kept, unless the definers are changed to some other account as well. Otherwise the server will refuse to run the corresponding definitions. For the specific changes, see "How to change all definers in MySQL" (mysql如何修改所有的definer).
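One way to run the definer check described above before deleting any root account (an added example, not part of the original post; it reads only the standard information_schema tables and mysql.user):

```sql
-- Every stored object whose DEFINER is a root account other than the two
-- local ones. Each row returned must have its definer changed before the
-- matching root@host account is deleted.
SELECT ROUTINE_TYPE   AS object_type,   -- FUNCTION or PROCEDURE
       ROUTINE_SCHEMA AS db,
       ROUTINE_NAME   AS name,
       DEFINER
FROM information_schema.ROUTINES
WHERE DEFINER LIKE 'root@%'
  AND DEFINER NOT IN ('root@localhost', 'root@127.0.0.1')
UNION ALL
SELECT 'EVENT', EVENT_SCHEMA, EVENT_NAME, DEFINER
FROM information_schema.EVENTS
WHERE DEFINER LIKE 'root@%'
  AND DEFINER NOT IN ('root@localhost', 'root@127.0.0.1')
UNION ALL
SELECT 'VIEW', TABLE_SCHEMA, TABLE_NAME, DEFINER
FROM information_schema.VIEWS
WHERE DEFINER LIKE 'root@%'
  AND DEFINER NOT IN ('root@localhost', 'root@127.0.0.1')
UNION ALL
SELECT 'TRIGGER', TRIGGER_SCHEMA, TRIGGER_NAME, DEFINER
FROM information_schema.TRIGGERS
WHERE DEFINER LIKE 'root@%'
  AND DEFINER NOT IN ('root@localhost', 'root@127.0.0.1')
ORDER BY db, object_type, name;

-- The local root accounts that the remaining definers depend on.
-- A definer of root@localhost needs the 'localhost' row, and a definer
-- of root@127.0.0.1 needs the '127.0.0.1' row.
SELECT User, Host
FROM mysql.user
WHERE User = 'root'
  AND Host IN ('localhost', '127.0.0.1');
```

An empty result from the first query means no stored object depends on a remote root account.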
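3. Minimize user privileges on the production database
Use common_user for connections to the database, keep root's local login, and grant a new account with DBA privileges: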
grant insert,delete,update,select,execute on sp.* to 'common_user'@'127.0.0.1' identified by 'xxxxxx';
grant insert,delete,update,select,execute on sp.* to 'common_user'@'%' identified by 'xxxxxx';
grant all on *.* to 'dba'@'%' identified by 'xxxxxx' with grant option;
flush privileges;
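Only the accounts above are needed on the production database; other accounts can be adjusted as requirements dictate.
This completes the security configuration of account privileges on the production database.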
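A check that the server ends up with only the accounts listed above and that common_user is confined to the sp schema (an added example, not part of the original post; the account names and the sp schema are the ones used in the grants above, and the privilege columns are those of the standard mysql.user and mysql.db tables):

```sql
-- 1. Accounts that are not in the intended set, including anonymous
--    accounts (User = ''). Expected result: no rows.
SELECT User, Host
FROM mysql.user
WHERE NOT (
        (User = 'root'        AND Host IN ('localhost', '127.0.0.1'))
     OR (User = 'common_user' AND Host IN ('127.0.0.1', '%'))
     OR (User = 'dba'         AND Host = '%')
      )
ORDER BY User, Host;

-- 2. common_user must hold no global privileges. Expected result: no rows.
SELECT User, Host
FROM mysql.user
WHERE User = 'common_user'
  AND 'Y' IN (Select_priv, Insert_priv, Update_priv, Delete_priv,
              Create_priv, Drop_priv, File_priv, Process_priv,
              Reload_priv, Shutdown_priv, Super_priv, Grant_priv);

-- 3. common_user must have database-level rights on sp only.
--    Expected result: no rows.
SELECT Host, Db, User
FROM mysql.db
WHERE User = 'common_user'
  AND Db <> 'sp';

-- 4. Accounts that can administer the server from any host; review this
--    list against the accounts that are meant to have that reach.
SELECT User, Host, Super_priv, Grant_priv
FROM mysql.user
WHERE Host = '%'
  AND (Super_priv = 'Y' OR Grant_priv = 'Y');

-- 5. Human-readable confirmation of the application account's grants.
SHOW GRANTS FOR 'common_user'@'127.0.0.1';
SHOW GRANTS FOR 'common_user'@'%';
```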