MySQL has become one of the most used databases in the current network, especially in web applications, which occupies the absolute advantage of small and medium-sized applications. All of this is derived from its small and easy, safe and effective, open license, and multi-platform, which is more important to one of the three Web languages - PHP.
But unfortunately, a default secure mysql will cause the root password to be overflow because the root password is overflow, so that the server installing MySQL is an object that is often attacked. More serious is that the database is often destroyed after the attack, which is easy to cause disastrous consequences. The following will enter the defense war for protecting data.
Environmental requirements
1. System environment
There is a RED HAT Linux 9.0 custom installation server, and the system is installed with GCC and some packages, such as Apache, PHP, etc. The first thing after installing the system is the upgrade system package. As a web server, the system accepts a request for the PHP script, and PHP uses the MySQL database to be installed as a dynamic release of the MYSQL database.
The requirements of the partition situation and the general system are similar, and the only difference is that the back-established / chroot and / TMP requirements are on the same partition.
2. Security requirements
(1) MySQL runs in a separate (chroot) environment; (2) MySQLD process runs under a separate user / user group, without the root directory, no shell, or other programs; (3) Modify the ROOT account of MySQL and use a complex password; (4) only allow local connection MySQL, the network connection is disabled when starting MySQL; (5) guarantee that the Nobody account login to connect MySQL is disabled; (6) Delete the Test database.
Install mysql
1. Installation preparation
Before installing MySQL, you need to create a user and group used to start MySQL.
#groupadd mysql # UserAdd MySQL -C "Start MySqld's Account" -d / dev / null -g mysql -s / sbin / nologin
2. Compilation and installation
Download Mysql Source Pack:
#Wget http://mysql.he.Net/downloads/mysql-4.0/mysql-4.0.16.tar.gz
unzip:
#tar -zxvf mysql-4.0.16.tar.gz
Generally mounted mysql under / usr / local / mysql, if there is special requirements, you can adjust it. However, this is not big, because Chrooting will only use the customer tool here, such as mysql, mysqladmin, mysqldump, etc. Let's start compiling and install.
#. / configure --prefix = / usr / local / mysql / --with-mysqld-user = mysql / --with-unix-socket-path = / tmp / mysql.sock / --with-mysqld-ldflags = -all-static # make && make install # Strip / usr / local / mysql / libexec / mysqld # scripts / mysql_install_db # chown -r root / usr / local / mysql # chown -r mysql / usr / local / mysql / var # chgrp -r mysql / usr / local / mysql
The specific role of the above steps has been introduced in the MySQL manual, and the only one need to explain, and the general steps are --with-mysqld-ldflags = -all-static. Because you need to use the Chroot environment, you don't have to create some library environments after connecting the mysql itself. 3. Configuration and start
MySQL profile requires manual selection, copying one of several template files Under / ETC, these template files are located in the source file's Support-Files directory, a total of 4: Small, Medium, Large, Huge.
#CP support-files / my-medium.cnf /etc/my.cnf#chown root: Sys /etc/my.cnf#chmod 644 /etc/my.cnf
Start mysql, pay attention to the user's mysql:
# / usr / local / mysq / bin / mysqld_safe --user = mysql &
4. test
In order to test whether the installed program is correct and whether mysql has been started normally, the best way is to connect to the database with the MySQL client.
# / usr / local / mysql / bin / mysql [root @ ftp bin] # mysqlwelcome to the mysql monitor. commands endh; or /g.your mysql connection ID is 687 to Server version: 3.23.58type 'help;' or '/ h' for help. type '/ c' to clear the buffer.mysql> mysql> show databases; -------------- | Database | -------- -------- | MySQL || Test | -------------- 2 Rows in set (0.00 sec) mysql> quit
Connection is successful, you can close the database:
# / usr / local / mysql / bin / mysqladmin-uroot shutdown
If the connection fails, you need to carefully analyze the reason:
#more /usr/local/mysql/var/`hostname`.err
Chrooting
1. Chrooting environment
Chroot is a means of UNIX / class UNIX, and its establishment will almost completely isolated from the main system. In other words, once you have, it is not endangered by the main system being running. This is a very effective way, especially when configuring web service programs.
2. Preparation of Chroot
First, the directory structure shown in Figure 1 should be established:
#mkdir -p / chroot / mysql / dev # mkdir -p / chroot / mysql / etc # mkdir -p / chroot / mysql / TMP # mkdir -p / chroot / mysql / var / tmp # mkdir -p / chroot / mysql / usr / local / mysql / libexec # mkdir -p / chroot / mysql / usr / local / mysql / share / mysql / ney
Figure 1 directory structure
Then set the directory permissions:
#Chown -r root: sys / chroot / mysql # chmod -r 755 / chroot / mysql # chmod 1777 / chroot / mysql / tmp
3. Copy the programs and files under MySQL to Chroot
#CP -P / usr / local / mysql / limited / mysql / usr / local / mysql / libexec / # cp -p /usr/local/mysql/share/mysql/english/errmsg.sys/chroot/ Mysql / usr / local / mysql / share / mysql / eNGLISH / # cp -p / etc / hosts / chroot / mysql / etc / # cp -p /etc/host.conf / chroot / mysql / etc / # cp -p /etc/resolv.conf / chroot / mysql / etc / # cp -p / etc / group / chroot / mysql / etc / # cp -p / etc / passwd / chroot / mysql / etc / passwd # CP -P / ETC /my.cnf / chroot / mysql / etc / 4. Edit the Passwd file and group file under Chroot
#vi / chroot / etc / passwd
If you open a passwd file as above, remove all rows in addition to mysql, root, sys.
#vi / chroot / etc / group
If the above command opens a group file, remove all rows in addition to mysql, root.
5. Create a special device file / dev / null
Refer to the system's appearance:
#LS -AL / dev / nullcrw-rw-rw- 1 root root 1, 3 Jan 30 2003 / dev / null # mknod / chroot / mysql / dev / null c 1 3 # chown root: root / chroot / mysql / dev / NULL # chmod 666 / chroot / mysql / dev / null
6. Copy MySQL database file to chroot
#CP -R / USR / Local / mysql / usr / / / / / / / / / mysql / var # chown -r mysql: mysql / chroot / mysql / usr / local / mysql / var
7. Install chrootuid program
Download Chrootuid, then the RPM is installed.
Http://rpm.pbone.net/index.php3/stat/4/idpl/355932/com/chrootuid-1.3-alt2.i586.rpm.html
8. Test the mysql configuration in the chroot environment
#chrootuid / chroot / mysql mysql / usr / local / mysql / libexec / mysqld &
If you fail, please pay attention to the permissions below the chroot directory.
9. Test the mysql under chroot
# / usr / local / mysql / bin / mysql --socket = / chroot / mysql / tmp / mysql.sock ....... mysql> show databases; mysql> create database wgh; mysql> quit; #ls - Al / chroot / mysql / var / .......
Server
In order to use MySQL more secure, you need to securely configure the mysql database. Due to Chroot reasons, the configuration file will vary.
1. Turn off remote connection
First, the 3306 port should be turned off, which is the default listening port of MySQL. Since MySQL is only served on the local script, it is not necessary to remotely. Although the security mechanism of MySQL builds is strict, listening to a TCP port is still a dangerous behavior, because if the mysql program itself has a problem, unauthorized access can fully bypass MySQL built-in security mechanism. Turning off the network listening method is simple, in the [MySQLD] section in the /chroot/mysql/etc/my.cnf file, remove the "#" in front of the # skip-networking. Close the network, how do local programs connect the MySQL database? Local programs can be connected via mysql.sock, and the speed is faster than the network connection. The details about mysql.sock will be mentioned later.
Mysql's backups are typically performed using SSH.
2. Prohibit MySQL to import local files
The "Load Data Local Infile" command will be prohibited in mysql. This command will use MySQL to read local files into the database, and then users can illegally obtain sensitive information.
In order to prohibit the above command, add the following statement in the [MySQLD] section of the /chroot/mysql/etc/my.cnf file:
Set-variable = local-infile = 0
To manage convenience, usually the mysql management commands in the system such as mysql, mysqladmin, mysqldump, etc. are all systems /etc/my.cnf files. If you want to connect, it will look for the /TMP/mysql.sock file to try to connect to the MySQL server, but here is to connect to the MySQL server under Chroot. There are two solutions: one is to join - Socket = / chroot / mysql / tmp / mysql.sock after the management command. E.g:
# / usr / local / mysql / bin / mysql -root -p --socket = / chroot / mysql / tmp / mysql.sock
The other is to join Socket = / chroot / mysql / tmp / mysql.sock in the [Client] section of /etc/my.cnf. Obviously, the second method is more convenient.
3. Modify the mysql root user ID and password
#chrootuid / chroot / mysql mysql / usr / mysqld & # / usr / local / mysql / bin / mysql -uroot ....... mysql> set password for root @ localhost = password (' New_password ');
To try to develop a password under MySQL, because the shell is entered below, it may be seen by others.
MySQL> Update User Set User = "wghgreat" where user = "root"; mysql> select_priv, usr, password, select_priv, grant_priv from user where user = '; mysql> Delete from user where password = ''; mysql> delete from user where host = '%'; mysql> DROP DATABASE TEST D;
Modify to a note that is not easy to guess:
Mysql> Flush Privileges; mysql> quit;
4. Delete history commands Record these historical files include ~ / .bash_history, ~ / .mysql_history, etc. If you open them, you will be shocked, how do you actually have some clear text? !
#cat / dev / null> ~ / .bash_history # cat / dev / null> ~ / .mysql_history
PHP and MySQL communication
By default, PHP will communicate with MySQL via /tmp/mysql.sock, but a big problem here is that mysql generated is not it, but /chroot/mysql/tmp/mysql.sock. The solution is to do a connection:
#LN / Chroot/mysql/tmp/mysql.sock /TMP/Mysql.sock
Note: Since Hard Links cannot do between the partition of the file system, the connection must be within the same partition.
Self-start configuration
Since startup configuration, you can prompt a little, the database used for PHP needs to use a new account, with database permissions settings, such as File, Grant, Acter, Show Database, Reload, Shutdown, Process, Super, etc.
Self-started script example:
#! / Bin / shCHROOT_MYSQL = / chroot / mysql SOCKET = / tmp / mysql.sockMYSQLD = / usr / local / mysql / libexec / mysqldPIDFILE = / usr / local / mysql / var / `hostname`.pidCHROOTUID = / usr / bin / chrootuidecho -n "mysql" case "1" instart) rm -rf {socket} nohup {chrootuid} {chroot_mysql} mysql {mysqld}> / dev / null 2> & 1 & Sleep 5 && ln {chroot_mysql} / {socket} {Socket} ;; stop) Kill `Cat {chroot_mysql} / {pidfile}` rm -rf {chroot_mysql} / {socket} ;; *) echo "echo" usage: `basename 0` {start | stop}> & 2 EXIT 64 ;; ESACEXIT 0
The file is located under /etc/rc.d/init.d, named mysqld, pay attention to executive.
#Chmod X /etc/rc.d/init.d/mysqld#ln -s /etc/rc.d/init.d/mysql /etc/rc3.d/s90mysql#ln -s /etc/rc.d /init.d/mysql /etc/rc0.d/k20mysql
Although the 100% secure can not be achieved, these measures protect our system safer.
