Hardening MySQL

xiaoxiao2021-03-06  21

Foreword

MySQL has become one of the most widely used databases on today's networks, and in web applications it holds a dominant position among small and medium-sized deployments. All of this comes from its small footprint and ease of use, its effective security, its open license, its multi-platform support and, above all, its pairing with PHP, one of the three major web languages.

Unfortunately, a MySQL installed with its default settings is not secure: its root account is left at its insecure default, so servers running MySQL are frequent targets. Worse, the database is often destroyed after an attack, with catastrophic consequences. What follows is the defensive side of the fight to protect that data.

Environmental requirements

1. System environment

A Red Hat 9.0 server with a custom installation; some other packages, such as Apache and PHP, are installed as well. The first thing to do after installing the system is to upgrade its packages. As a web server, the system accepts requests for PHP scripts, and PHP uses the MySQL database installed below as the backing store for dynamic content.

The partitioning requirements are the same as for a general system, with one difference: the /chroot directory created later and /tmp must be on the same partition.

2. Security requirements

(1) MySQL runs in a separate (chroot) environment;

(2) the mysqld process runs under a dedicated user and group, which have no home directory, no shell and no other programs;

(3) change the MySQL root account name and use a complex password;

(4) only local connections to MySQL are allowed; network connections are disabled when MySQL starts;

(5) ensure that the nobody account cannot connect to MySQL;

(6) delete the test database.

Installing MySQL

1. Installation preparation

Before installing MySQL, create the user and group that mysqld will run as.

# groupadd mysql

# useradd mysql -c "Account that starts mysqld" -d /dev/null -g mysql -s /sbin/nologin

2. Compilation and installation

Download the MySQL source package:

# wget http://mysql.he.net/downloads/mysql-4.0/mysql-4.0.16.tar.gz

Unpack it:

# tar -zxvf mysql-4.0.16.tar.gz

MySQL is normally installed under /usr/local/mysql; adjust this if you have special requirements. The choice matters little, because after chrooting only the client tools in this location, such as mysql, mysqladmin and mysqldump, will be used. Now compile and install:

# cd mysql-4.0.16

# ./configure --prefix=/usr/local/mysql/ \
    --with-mysqld-user=mysql \
    --with-unix-socket-path=/tmp/mysql.sock \
    --with-mysqld-ldflags=-all-static

# make && make install

# strip /usr/local/mysql/libexec/mysqld

# scripts/mysql_install_db

# chown -R root /usr/local/mysql

# chown -R mysql /usr/local/mysql/var

# chgrp -R mysql /usr/local/mysql

The purpose of each of these steps is described in the MySQL manual; the only option that needs explanation is --with-mysqld-ldflags=-all-static. Because mysqld will run in a chroot environment, linking it statically means no shared libraries have to be copied into the chroot for it to run.

3. Configuration and start

The MySQL configuration file must be chosen by hand: copy one of several template files to /etc. The templates are in the support-files directory of the source tree; there are four: small, medium, large and huge.

# cp support-files/my-medium.cnf /etc/my.cnf

# chown root:sys /etc/my.cnf

# chmod 644 /etc/my.cnf

Start MySQL, taking care to run it as the mysql user:

# /usr/local/mysql/bin/mysqld_safe --user=mysql &

4. Test

To check that the programs were installed correctly and that MySQL has started normally, the best way is to connect to the database with the mysql client.

# /usr/local/mysql/bin/mysql

[root@ftp bin]# mysql
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 687 to server version: 3.23.58

Type 'help;' or '\h' for help. Type '\c' to clear the buffer.

mysql>
mysql> show databases;
+----------+
| Database |
+----------+
| mysql    |
| test     |
+----------+
2 rows in set (0.00 sec)

mysql> quit

The connection succeeded; you can now shut the database down:

# /usr/local/mysql/bin/mysqladmin -uroot shutdown

If the connection fails, examine the cause carefully in the error log:

# more /usr/local/mysql/var/`hostname`.err

Chrooting

1. The chroot environment

Chroot is a mechanism of UNIX and UNIX-like systems. A program run inside a chroot is almost completely isolated from the host system: once it is compromised, it cannot endanger the host it is running on. This is a very effective measure, especially when configuring web-facing services.

2. Preparation work in the chroot

First, build the directory structure shown in Figure 1:

Figure 1: directory structure

# mkdir -p /chroot/mysql/dev

# mkdir -p /chroot/mysql/etc

# mkdir -p /chroot/mysql/tmp

# mkdir -p /chroot/mysql/var/tmp

# mkdir -p /chroot/mysql/usr/local/mysql/libexec

# mkdir -p /chroot/mysql/usr/local/mysql/share/mysql/english

Then set the directory permissions:

# chown -R root:sys /chroot/mysql

# chmod -R 755 /chroot/mysql

# chmod 1777 /chroot/mysql/tmp

3. Copy the MySQL programs and files into the chroot

# cp -p /usr/local/mysql/libexec/mysqld /chroot/mysql/usr/local/mysql/libexec/

# cp -p /usr/local/mysql/share/mysql/english/errmsg.sys /chroot/mysql/usr/local/mysql/share/mysql/english/

# cp -p /etc/hosts /chroot/mysql/etc/

# cp -p /etc/host.conf /chroot/mysql/etc/

# cp -p /etc/resolv.conf /chroot/mysql/etc/

# cp -p /etc/group /chroot/mysql/etc/

# cp -p /etc/passwd /chroot/mysql/etc/passwd

# cp -p /etc/my.cnf /chroot/mysql/etc/

4. Edit the passwd and group files in the chroot

# vi /chroot/mysql/etc/passwd

Delete every line except those for mysql, root and sys.

# vi /chroot/mysql/etc/group

Delete every line except those for mysql and root.

5. Create the special device file /dev/null

Use the system's own /dev/null as the reference:

# ls -al /dev/null

crw-rw-rw-    1 root     root       1,   3 Jan 30  2003 /dev/null

# mknod /chroot/mysql/dev/null c 1 3

# chown root:root /chroot/mysql/dev/null

# chmod 666 /chroot/mysql/dev/null

6. Copy the MySQL database files into the chroot

# cp -R /usr/local/mysql/var/ /chroot/mysql/usr/local/mysql/var

# chown -R mysql:mysql /chroot/mysql/usr/local/mysql/var

7. Install the chrootuid program

Download chrootuid and install the RPM:

http://rpm.pbone.net/index.php3/stat/4/idpl/355932/com/Chrootuid-1.3-alt2.i586.rpm.html

8. Test the MySQL configuration in the chroot environment

# chrootuid /chroot/mysql mysql /usr/local/mysql/libexec/mysqld &

If this fails, check the permissions under the chroot directory.

9. Test MySQL under the chroot

# /usr/local/mysql/bin/mysql --socket=/chroot/mysql/tmp/mysql.sock

............

mysql> show databases;

mysql> create database WGH;

mysql> quit;

The new database directory should now appear in the data directory inside the chroot:

# ls -al /chroot/mysql/usr/local/mysql/var/

...............
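The following is an added example, not code from the original article: a shell function that audits a chroot tree built the way steps 2 to 6 describe (required directories and files, sticky /tmp, the trimmed passwd and group files from step 4, and the /dev/null device from step 5). The paths mirror the article's layout; the allowed account names mysql, root and sys are taken from step 4, and the sample tree is constructed.

```shell
#!/bin/sh
# Added example, not code from the original article: audit a MySQL chroot tree
# laid out as in steps 2 to 6 above. Paths mirror the article's layout; the
# allowed passwd/group names (mysql, root, sys) come from step 4.
chroot_check() {   # usage: chroot_check /chroot/mysql ; returns the number of findings
    root="$1"; errs=0
    for d in dev etc tmp var/tmp usr/local/mysql/libexec \
             usr/local/mysql/share/mysql/english usr/local/mysql/var; do
        [ -d "$root/$d" ] || { echo "missing dir: $d"; errs=$((errs+1)); }
    done
    # the socket is created in tmp, which step 2 makes sticky and world-writable
    mode=$(stat -c %a "$root/tmp" 2>/dev/null || true)
    [ "$mode" = 1777 ] || { echo "tmp mode is '$mode', want 1777"; errs=$((errs+1)); }
    for f in etc/passwd etc/group etc/my.cnf usr/local/mysql/libexec/mysqld \
             usr/local/mysql/share/mysql/english/errmsg.sys; do
        [ -f "$root/$f" ] || { echo "missing file: $f"; errs=$((errs+1)); }
    done
    # step 4: any other account left in the jail (nobody included) is a finding
    extra=$(cut -d: -f1 "$root/etc/passwd" 2>/dev/null | grep -v -x -e mysql -e root -e sys || true)
    [ -z "$extra" ] || { echo "unexpected passwd users: $extra"; errs=$((errs+1)); }
    extra=$(cut -d: -f1 "$root/etc/group" 2>/dev/null | grep -v -x -e mysql -e root || true)
    [ -z "$extra" ] || { echo "unexpected groups: $extra"; errs=$((errs+1)); }
    # step 5: dev/null must be character device 1,3; it is only checked when present,
    # because creating it with mknod needs root and a constructed tree will lack it
    if [ -e "$root/dev/null" ] && { [ ! -c "$root/dev/null" ] ||
            [ "$(stat -c %t,%T "$root/dev/null")" != "1,3" ]; }; then
        echo "dev/null is not char device 1,3"; errs=$((errs+1))
    fi
    return $errs
}

# Constructed sample tree (no device node, see above) so the check can run offline.
sample_tree() {
    t=$(mktemp -d)
    mkdir -p "$t/dev" "$t/etc" "$t/tmp" "$t/var/tmp" "$t/usr/local/mysql/libexec" \
             "$t/usr/local/mysql/share/mysql/english" "$t/usr/local/mysql/var"
    chmod 1777 "$t/tmp"
    printf 'root:x:0:0::/root:/bin/bash\nsys:x:3:3::/dev:/sbin/nologin\n' > "$t/etc/passwd"
    printf 'mysql:x:500:500::/dev/null:/sbin/nologin\n' >> "$t/etc/passwd"
    printf 'root:x:0:\nmysql:x:500:\n' > "$t/etc/group"
    for f in etc/my.cnf usr/local/mysql/libexec/mysqld \
             usr/local/mysql/share/mysql/english/errmsg.sys; do : > "$t/$f"; done
    echo "$t"
}

t=$(sample_tree)
chroot_check "$t" && echo "chroot layout OK"
echo 'nobody:x:99:99:Nobody:/:/sbin/nologin' >> "$t/etc/passwd"   # re-introduce nobody
chroot_check "$t" || echo "findings: $?"
rm -rf "$t"
```

Run it against the real jail with chroot_check /chroot/mysql as root; the exit status is the number of findings, so zero means the layout matches the steps above.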

Server configuration

To use MySQL more securely, the MySQL server itself must be configured securely; because of the chroot, the location of the configuration file differs.

1. Turn off remote connections

First, port 3306, MySQL's default listening port, should be closed. Since MySQL only serves local scripts, remote access is unnecessary. Although MySQL's built-in security mechanism is strict, listening on a TCP port is still a dangerous thing to do: if the MySQL program itself has a flaw, unauthorized access can bypass MySQL's built-in security entirely. Turning network listening off is simple: in the [mysqld] section of /chroot/mysql/etc/my.cnf, remove the "#" in front of "# skip-networking". With the network closed, how do local programs connect to MySQL? Local programs connect through mysql.sock, which is also faster than a network connection. The details of mysql.sock are covered later.

MySQL backups are then usually done over SSH!

2. Prevent MySQL from importing local files

Here the "LOAD DATA LOCAL INFILE" statement is disabled in MySQL. This statement makes MySQL read local files into the database, which lets users illegally obtain sensitive information. It is used by some of the attack methods circulating on the Internet and is also a technique of many newly discovered SQL injection attacks!

To disable it, add the following to the [mysqld] section of /chroot/mysql/etc/my.cnf:

set-variable = local-infile=0

For administrative convenience, the MySQL administration commands on the system, such as mysql, mysqladmin and mysqldump, all read the system's /etc/my.cnf. When they connect, they look for /tmp/mysql.sock to reach the MySQL server, but here the server lives in the chroot. There are two solutions. One is to append --socket=/chroot/mysql/tmp/mysql.sock to the administration command, e.g.:

# /usr/local/mysql/bin/mysql -uroot -p --socket=/chroot/mysql/tmp/mysql.sock

The other is to add socket=/chroot/mysql/tmp/mysql.sock to the [client] section of /etc/my.cnf. Obviously the second method is more convenient.
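As an added example (not code from the original article), the following shell function checks a my.cnf for the three settings this section asks for: skip-networking uncommented and local-infile disabled in [mysqld], and the [client] socket pointing into the chroot. The file path is passed as the first argument; the "weak" and "hardened" sample configs are constructed here.

```shell
#!/bin/sh
# Added example, not code from the original article: check a my.cnf for what
# this section asks for: skip-networking active and local-infile disabled in
# [mysqld], and [client] pointing at the chrooted socket. Usage: mycnf_check /etc/my.cnf
section_lines() {   # $1 = file, $2 = section: its active (uncommented) lines, whitespace removed
    sed -n "/^\[$2\]/,/^\[/p" "$1" | grep -v '^\[' | grep -v '^[[:space:]]*#' | tr -d ' \t'
}
mycnf_check() {
    cnf="$1"; errs=0
    mysqld=$(section_lines "$cnf" mysqld || true)
    # the template ships "# skip-networking"; only the uncommented line counts
    echo "$mysqld" | grep -q -x 'skip-networking' \
        || { echo "skip-networking is missing or still commented out"; errs=$((errs+1)); }
    # LOAD DATA LOCAL INFILE off: accept the set-variable form and the bare key
    echo "$mysqld" | grep -q -x -e 'set-variable=local-infile=0' -e 'local-infile=0' \
        || { echo "local-infile is not disabled"; errs=$((errs+1)); }
    client=$(section_lines "$cnf" client || true)
    echo "$client" | grep -q -x 'socket=/chroot/mysql/tmp/mysql.sock' \
        || { echo "[client] socket does not point into the chroot"; errs=$((errs+1)); }
    return $errs
}

# Constructed sample configs: "weak" mirrors the my-medium.cnf template defaults,
# "hardened" applies the three changes described in the text.
write_sample_cnf() {   # $1 = file, $2 = weak | hardened
    if [ "$2" = hardened ]; then
        sock=/chroot/mysql/tmp/mysql.sock; net=skip-networking
        infile='set-variable = local-infile=0'
    else
        sock=/tmp/mysql.sock; net='# skip-networking'; infile=
    fi
    printf '[client]\nport = 3306\nsocket = %s\n\n[mysqld]\nport = 3306\nsocket = /tmp/mysql.sock\n%s\n%s\n' \
        "$sock" "$net" "$infile" > "$1"
}

f=$(mktemp)
write_sample_cnf "$f" weak;     mycnf_check "$f" || echo "weak config: $? problems"
write_sample_cnf "$f" hardened; mycnf_check "$f" && echo "hardened config OK"
rm -f "$f"
```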

3. Change the MySQL root user name and password

# chrootuid /chroot/mysql mysql /usr/local/mysql/libexec/mysqld &

# /usr/local/mysql/bin/mysql -uroot

...............

mysql> SET PASSWORD FOR root@localhost = PASSWORD('new_password');

Get into the habit of setting the password from inside the mysql client: a password typed on the shell command line may be seen by other users.

mysql> USE mysql;

mysql> UPDATE user SET user="wghgreat" WHERE user="root";

mysql> SELECT host, user, password, select_priv, grant_priv FROM user;

mysql> DELETE FROM user WHERE user='';

mysql> DELETE FROM user WHERE password='';

mysql> DELETE FROM user WHERE host='%';

mysql> DROP DATABASE test;

mysql> FLUSH PRIVILEGES;

mysql> quit;

Change the account name to an ID that is not easy to guess.

4. Delete the command history

These history files include ~/.bash_history, ~/.mysql_history and so on. If you open them you will be shocked at how much is stored in clear text!

# cat /dev/null > ~/.bash_history

# cat /dev/null > ~/.mysql_history

PHP and MySQL communication

By default PHP communicates with MySQL through /tmp/mysql.sock, but the problem here is that the socket mysqld creates is not that file but /chroot/mysql/tmp/mysql.sock. The solution is to make a link:

# ln /chroot/mysql/tmp/mysql.sock /tmp/mysql.sock

Note: since hard links cannot cross file-system partitions, both ends of the link must be on the same partition.

Start-up configuration

Before the start-up configuration, one reminder: the database account PHP uses should be a new account with restricted privileges, one that is not granted FILE, GRANT, ALTER, SHOW DATABASES, RELOAD, SHUTDOWN, PROCESS, SUPER and the like.

Example start-up script:

#!/bin/sh
chroot_mysql=/chroot/mysql
socket=/tmp/mysql.sock
mysqld=/usr/local/mysql/libexec/mysqld
pidfile=/usr/local/mysql/var/`hostname`.pid
chrootuid=/usr/bin/chrootuid

echo -n "mysql"
case "$1" in
start)
    # remove a stale link, start mysqld inside the chroot as user mysql,
    # then link the chrooted socket to where PHP and the client tools expect it
    rm -rf ${socket}
    nohup ${chrootuid} ${chroot_mysql} mysql ${mysqld} >/dev/null 2>&1 &
    sleep 5 && ln ${chroot_mysql}/${socket} ${socket}
    ;;
stop)
    # the pid file is written inside the chroot, so prefix its path
    kill `cat ${chroot_mysql}/${pidfile}`
    rm -rf ${chroot_mysql}/${socket}
    ;;
*)
    echo ""
    echo "usage: `basename $0` {start|stop}" >&2
    exit 64
    ;;
esac
exit 0

The file is placed under /etc/rc.d/init.d and named mysqld; remember to make it executable.

# chmod +x /etc/rc.d/init.d/mysqld

# ln -s /etc/rc.d/init.d/mysqld /etc/rc3.d/S90mysql

# ln -s /etc/rc.d/init.d/mysqld /etc/rc0.d/K20mysql

Conclusion: although we cannot achieve 100% security, these measures make our system considerably safer!


Please credit the original address when reposting: https://www.9cbs.com/read-42631.html
