How to make MySQL secure against cracker This article comes from: http://www.gouhuo.com Author: (2001-07-21 09:05:00)
When you connect a MySQL server, you should usually use a password. The password is not transmitted in a clear text. All other information is transmitted as text that can be read by anyone. If you are worried about this, you can use a compression protocol (mysql3.22 and above) make things harder. Even in order to make everything safer, you should install SSH (see http://www.cs.hut.fi/ssh). With it, you can get an encrypted TCP / IP connection between a MySQL server with a mysql client. In order to make a mysql system security, you strongly ask you to consider the following recommendations: Use passwords for all MySQL users. Remember, if other_user has no password, anyone can log in as any other person with mysql -u other_user db_name. For client / server applications, customers can specify any user names is a common practice. Before you run it, you can change all users' passwords by editing mysql_install_db scripts, or just mysql root password, like this: shell> mysql -u root mysql mysql> Update user set password = password ('new_password') Where user = 'root'; mysql> flush privilege; Do not run the mysql daemon as a UNIX root user. MySQLD can run in any user, you can also create a new UNIX user mysql makes everything safer. If you run mysqld as other UNIX users, you don't need to change the root username in the USER table, because MySQL username doesn't matter from UNIX username. You can edit the mysql.server to start the script mysqld as other UNIX users. Usually this is done with the su command. For more details, see how 18.8 runs as a general user runs mysql. If you put a UNIX root user password in the mysql.server script, make sure this script can only be readable to root. Check that UNIX users running MySQLD are unique users with read / write permissions in the database directory. Don't give Process permissions to all users. The output of MySQLADMIN ProcessList shows the currently executed query body, if another user issues an UPDATE User Set Password = Password ('not_secure') query, any user that is allowed to execute the command may be seen. MySQLD keeps an additional connection for users with Process permissions so that a MySQL root user can log in and check, even if all normal connections are used. Don't give File permissions to all users. Any user with this permission can write a file in a file system with mysqld daemon permission! In order to make this more secure, all files generated by Select ... INTO OUTFILE are readable for each person, and you cannot overwrite the existing files. File permissions can also be used to read any files available as UNIX users running the server. This may be abuse, for example, by loading "/ etc / passwd" in using Load Data, then it can be read with SELECT. If you don't trust your DNS, you should use IP numbers in the license list instead of host name. In principle, - Secure Options should make the host name more secure to mysQLD. In any case, you should use the host name containing wildcards very carefully!
