
Network Security Database MySQL Security Specifications

Security matters in production; after all, your core data lives in the database. Because MySQL is open source and widely adopted, a large number of individuals, enterprises, and government units use it, but many deployments run with default configurations, which leaves them relatively insecure and in need of hardening.

In general, databases are divided into production, stress-test, pre-production, test, and development instances. The following mainly concerns the production database, but it applies to the other instances as well.


1 mysql_secure_installation

This is MySQL's basic security setup script. It does the following:

a Set root password

b Remove anonymous users

c Disable remote root login

d Remove the test database

The above describes version 5.6; 5.7 extends it, but that is all it does. Check whether any of these issues exist in your environment; this is the most basic level of security.
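The four steps above can be checked and applied by hand, which is useful on an instance where the script was never run. The following is an added example (not from the original post) for MySQL 5.6/5.7; it assumes a session with privileges on the mysql schema, and the host values in the remediation statements are constructed examples to be replaced by the rows the checks actually return.

```sql
-- Added example: find the conditions mysql_secure_installation fixes,
-- then apply the same fixes manually. MySQL 5.6/5.7.

-- b) Anonymous accounts show up as an empty User value.
SELECT User, Host FROM mysql.user WHERE User = '';

-- c) root accounts that can log in from anywhere but the local machine.
SELECT User, Host FROM mysql.user
 WHERE User = 'root' AND Host NOT IN ('localhost', '127.0.0.1', '::1');

-- d) The sample "test" database and the wildcard grants that let anyone use it.
SHOW DATABASES LIKE 'test%';
SELECT Db, User, Host FROM mysql.db WHERE Db LIKE 'test%';

-- Remediation: one statement per offending row returned above
-- (the user@host values here are constructed examples).
DROP USER ''@'localhost';
DROP USER 'root'@'%';
DROP DATABASE IF EXISTS test;
DELETE FROM mysql.db WHERE Db LIKE 'test%';

-- a) Set the root password. 5.7 syntax; on 5.6 use
--    SET PASSWORD FOR 'root'@'localhost' = PASSWORD('...').
ALTER USER 'root'@'localhost' IDENTIFIED BY 'CHANGE-ME-strong-random-password';

-- Needed because mysql.db was edited directly rather than through DROP/REVOKE.
FLUSH PRIVILEGES;
```

After the remediation, rerun the three SELECT statements; each should return an empty set.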

2 Connection access security

When creating a user, restrict it to an IP address range or a fixed IP. Generally only a few IPs need access, or you can route access through a proxy so the application does not connect to the database directly. Many middleware products now also have a whitelisting mechanism, which in principle keeps illegitimate requests from reaching the database.

Standardize database management software: use a standard, unified set of management tools, and strictly prohibit access from the external network. A remote client should never access the database directly; it should go through middleware, a bastion host, or an equivalent.

To prevent backdoors in applications connected to the database from creating a database security risk, review the security of every program that connects. Direct operation of the database is prohibited; use a bastion host or other monitored path.

Standardize and centrally manage the IP segments allowed to connect, conduct regular permission reviews, and keep an inventory of which IPs and users belong to which system.

Provide security training for employees, build their overall security awareness, and ensure careful, safe operation.

Make sure every host that accesses the database is a known user or host, and use dedicated hosts to connect to the database.

All operations on important business tables are audited, and all DDL operations go through the DBA.
Finally, a reporting system uses the audit logs to produce a systematic audit report.
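One way to get a per-row audit trail on an important business table without the commercial audit plugin is an audit table filled by triggers. The following is an added example (not from the original post); the schema shop, the tables orders, orders_audit and the accounts app and auditor are constructed for illustration. MySQL 5.7 syntax.

```sql
-- Added example: DML audit of an important business table via triggers.
-- Assumes shop.orders(id BIGINT PRIMARY KEY, amount DECIMAL(10,2), ...) exists.

CREATE TABLE shop.orders_audit (
  audit_id   BIGINT AUTO_INCREMENT PRIMARY KEY,
  action     ENUM('INSERT','UPDATE','DELETE') NOT NULL,
  order_id   BIGINT NOT NULL,
  old_amount DECIMAL(10,2) NULL,
  new_amount DECIMAL(10,2) NULL,
  db_user    VARCHAR(93) NOT NULL,   -- CURRENT_USER(): the account MySQL authorized
  conn_user  VARCHAR(93) NOT NULL,   -- USER(): the user@host the client presented
  changed_at DATETIME NOT NULL DEFAULT CURRENT_TIMESTAMP
);

-- One trigger per DML type; each body is a single INSERT, so no DELIMITER change is needed.
CREATE TRIGGER shop.orders_ai AFTER INSERT ON shop.orders FOR EACH ROW
  INSERT INTO shop.orders_audit (action, order_id, new_amount, db_user, conn_user)
  VALUES ('INSERT', NEW.id, NEW.amount, CURRENT_USER(), USER());

CREATE TRIGGER shop.orders_au AFTER UPDATE ON shop.orders FOR EACH ROW
  INSERT INTO shop.orders_audit (action, order_id, old_amount, new_amount, db_user, conn_user)
  VALUES ('UPDATE', NEW.id, OLD.amount, NEW.amount, CURRENT_USER(), USER());

CREATE TRIGGER shop.orders_ad AFTER DELETE ON shop.orders FOR EACH ROW
  INSERT INTO shop.orders_audit (action, order_id, old_amount, db_user, conn_user)
  VALUES ('DELETE', OLD.id, OLD.amount, CURRENT_USER(), USER());

-- The application account is granted nothing on the audit table; only the
-- auditing account can read it, and nobody but the DBA can change it.
GRANT SELECT ON shop.orders_audit TO 'auditor'@'10.0.2.20';

-- Report: who changed which orders in the last day, for the audit report.
SELECT changed_at, action, order_id, old_amount, new_amount, db_user, conn_user
  FROM shop.orders_audit
 WHERE changed_at >= NOW() - INTERVAL 1 DAY
 ORDER BY changed_at;
```

Triggers run with the privileges of their definer, so the application account needs only its normal INSERT/UPDATE/DELETE on shop.orders and no privilege on shop.orders_audit at all. Triggers do not fire on DDL, which is why the DDL side of the rule is enforced by not granting ALTER, CREATE or DROP to application accounts and by routing schema changes through the DBA.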

3 Permission security

Permissions need little explanation: following the principle of least privilege from the moment an account is created, and sticking to it afterwards, is an important step in database security.

Often we don't know what the minimum permissions actually are. What privileges does an account need to be adequate without affecting the business? That is not well defined. When granting permissions we need to know the level to grant (global, database, table, column, or other super privileges) and the privilege types to grant (insert, delete, update, select, and so on).

The privilege columns in the mysql.user table are:
Select_priv/Insert_priv/Update_priv/Delete_priv/Create_priv/Drop_priv
Reload_priv/Shutdown_priv/Process_priv/File_priv/Grant_priv/References_priv
Index_priv/Alter_priv/Show_db_priv/Super_priv/Create_tmp_table_priv/Lock_tables_priv
Execute_priv/Repl_slave_priv/Repl_client_priv/Create_view_priv/Show_view_priv/Create_routine_priv
Alter_routine_priv/Create_user_priv/Event_priv/Trigger_priv/Create_tablespace_priv

Also specify the username, the allowed IP address, whether to limit the number of connections, SSL, an expiry time, and so on. Don't shy away from the effort: it is more cumbersome to set up at the start, but good basic settings are the security guarantee, so grant what is needed and nothing more.
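The two previous sections (restricting the connecting IP range in section 2, and granting by level with SSL, connection limits and expiry in section 3) come together when the account is created. The following is an added example (not from the original post) showing an application account and a reporting account built that way. The schema shop, the tables and columns, the subnets and the account names are constructed; the syntax is MySQL 5.7 (CREATE USER with REQUIRE, WITH and PASSWORD EXPIRE clauses).

```sql
-- Added example: accounts created with a host range instead of '%',
-- per-level grants, mandatory SSL, a connection cap and a password lifetime.

-- Application account: only from the application subnet, only the DML it needs.
CREATE USER 'app'@'10.0.1.%'
  IDENTIFIED BY 'CHANGE-ME-random-16+-chars'
  REQUIRE SSL
  WITH MAX_USER_CONNECTIONS 50
  PASSWORD EXPIRE INTERVAL 90 DAY;
GRANT SELECT, INSERT, UPDATE, DELETE ON shop.orders    TO 'app'@'10.0.1.%';
GRANT SELECT, INSERT, UPDATE, DELETE ON shop.customers TO 'app'@'10.0.1.%';

-- Reporting account: one fixed host, read-only, and column-level on
-- customers so it never sees the email column.
CREATE USER 'report'@'10.0.2.15'
  IDENTIFIED BY 'CHANGE-ME-another-random-password'
  REQUIRE SSL
  WITH MAX_USER_CONNECTIONS 5
  PASSWORD EXPIRE INTERVAL 90 DAY;
GRANT SELECT ON shop.orders TO 'report'@'10.0.2.15';
GRANT SELECT (id, name, created_at) ON shop.customers TO 'report'@'10.0.2.15';

-- Verify: apart from the USAGE line, nothing should be granted ON *.*
SHOW GRANTS FOR 'app'@'10.0.1.%';
SHOW GRANTS FOR 'report'@'10.0.2.15';

-- Cross-check the host restriction and attributes directly in the grant table.
SELECT User, Host, ssl_type, max_user_connections, password_lifetime
  FROM mysql.user WHERE User IN ('app', 'report');
```

Nothing here is granted at the global level, so none of the *_priv columns listed above is set to Y for either account; the table- and column-level grants live in mysql.tables_priv and mysql.columns_priv instead.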

4 Account security

Principle for dividing user accounts:
Super administrator account
System application account (such as backup, monitoring, audit, etc.)
Application business account
Business personnel account
Developer account
Tester account
Other special accounts

The main purpose is to prevent leakage: non-essential personnel do not need to know the account names. At the same time, define corresponding naming rules. Use your own account password responsibly and protect it. For accounts that are not strictly necessary, disable them first and delete them later. There must be no anonymous accounts and no abandoned accounts.
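The regular permission review from section 2 and the "disable first, delete later" rule above can be run as a short set of queries against mysql.user. The following is an added example (not from the original post); it assumes MySQL 5.7.6 or later for ACCOUNT LOCK, and the account old_dev is a constructed example.

```sql
-- Added example: periodic account review over mysql.user, then the
-- lock-then-drop sequence for an abandoned account. MySQL 5.7.6+.

-- 1. Accounts reachable from any host (should be none on a production instance).
SELECT User, Host FROM mysql.user WHERE Host = '%';

-- 2. Accounts with no password set at all.
SELECT User, Host FROM mysql.user WHERE authentication_string = '';

-- 3. Accounts holding global privileges that belong only to the
--    super-administrator account: SUPER, FILE, GRANT OPTION, SHUTDOWN, PROCESS.
--    (mysql.sys and mysql.session are reserved accounts shipped with 5.7.)
SELECT User, Host, Super_priv, File_priv, Grant_priv, Shutdown_priv, Process_priv
  FROM mysql.user
 WHERE 'Y' IN (Super_priv, File_priv, Grant_priv, Shutdown_priv, Process_priv)
   AND User NOT IN ('root', 'mysql.sys', 'mysql.session');

-- 4. Accounts already locked but never removed (the "abandoned" ones).
SELECT User, Host, account_locked FROM mysql.user WHERE account_locked = 'Y';

-- 5. Disable first: the account keeps its grants but cannot log in, so a
--    dependency nobody remembered fails with a locked-account error
--    instead of silently losing its data and grants.
ALTER USER 'old_dev'@'10.0.3.%' ACCOUNT LOCK;

-- 6. Delete later, once nothing has broken for the agreed grace period.
DROP USER 'old_dev'@'10.0.3.%';
```

Step 4 is what keeps "disable first" from turning into "disable forever": the locked list should be empty after each review cycle except for accounts still inside their grace period.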

5 Directory file security

Improve local security, mainly to prevent MySQL from reading and writing local files, which is a threat to the system. Also disable LOAD DATA LOCAL INFILE.

This is also about preventing accidental deletion. Users without permission must be barred from the directories, and access to the data files must be prohibited. You can also change the commonly used directory paths or use chroot so that unauthorized users cannot reach the directory and package up and copy away the database; in short, restrict access to the directory.
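The server-side half of this section can be checked and tightened from a MySQL session. The following is an added example (not from the original post) for MySQL 5.7; the directory path and the account name are constructed examples.

```sql
-- Added example: check and restrict MySQL's file access.

-- Where may the server read/write files with LOAD DATA INFILE and
-- SELECT ... INTO OUTFILE?  '' = anywhere, NULL = disabled, a path = only there.
SHOW VARIABLES LIKE 'secure_file_priv';
-- secure_file_priv is read-only at runtime; set it in my.cnf under [mysqld]:
--   secure_file_priv = /var/lib/mysql-files     (constructed path)
--   secure_file_priv = NULL                      (disable file I/O entirely)
-- and restart the server.

-- Does the server accept the client-side LOAD DATA LOCAL INFILE?
SHOW VARIABLES LIKE 'local_infile';
SET GLOBAL local_infile = 0;   -- takes effect now; persist with local_infile=0 in my.cnf

-- Which accounts hold the FILE privilege that server-side file I/O requires?
SELECT User, Host FROM mysql.user WHERE File_priv = 'Y';
-- For each non-DBA account the query lists (constructed example):
REVOKE FILE ON *.* FROM 'app'@'10.0.1.%';

-- Where the data and temp files actually live, so OS-level permissions
-- and any chroot can be checked against the real paths.
SHOW VARIABLES WHERE Variable_name IN ('datadir', 'tmpdir', 'plugin_dir');
```

Both controls are needed: secure_file_priv and FILE govern what the server process itself touches, while local_infile governs whether a connected client can push its own local files through the server.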

6 Password security

Password strength complexity

Avoid fixed passwords. Give each user a separate password of more than 16 characters made of a random combination of 0-9, a-z, A-Z and ~!@#$%^&*()-+.

Password expiration mechanism

Set the password expiry period according to the company's situation and change passwords regularly. Do not reuse passwords.

Password saving mechanism

For ease of management a password table may be used. Strengthen the maintenance and updating of the password table; the most important thing is to ensure it is not leaked.
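The strength and expiry rules of this section can be enforced by the server instead of relying on habit. The following is an added example (not from the original post) for MySQL 5.7 with the validate_password plugin; the account names are constructed, and the numeric values are the section's own recommendations.

```sql
-- Added example: server-enforced password complexity and expiry. MySQL 5.7.

-- Load the plugin (skip if SHOW PLUGINS already lists validate_password).
INSTALL PLUGIN validate_password SONAME 'validate_password.so';

-- STRONG = length, mixed case, digits and special characters all required.
SET GLOBAL validate_password_policy             = STRONG;
SET GLOBAL validate_password_length             = 16;
SET GLOBAL validate_password_mixed_case_count   = 1;
SET GLOBAL validate_password_number_count       = 1;
SET GLOBAL validate_password_special_char_count = 1;
SHOW VARIABLES LIKE 'validate_password%';

-- Score a candidate 0..100 before using it; 100 means it meets STRONG.
SELECT VALIDATE_PASSWORD_STRENGTH('password1') AS weak_score,
       VALIDATE_PASSWORD_STRENGTH('Tq7#vR2!mZ9$pL4&') AS strong_score;

-- Expiry: default lifetime in days for every account (0 = never expire).
SET GLOBAL default_password_lifetime = 90;
-- Shorter lifetime for a privileged account (constructed name):
ALTER USER 'dba'@'localhost' PASSWORD EXPIRE INTERVAL 30 DAY;
-- Force a change at next login, e.g. after a suspected leak of the password table:
ALTER USER 'app'@'10.0.1.%' PASSWORD EXPIRE;

-- With the policy active this is rejected with ER_NOT_VALID_PASSWORD:
ALTER USER 'app'@'10.0.1.%' IDENTIFIED BY 'password1';
```

The SET GLOBAL values last until restart; put the same keys in my.cnf to persist them. The "no duplicate passwords" rule has no server-side enforcement in 5.7, so it stays a procedural rule tracked through the password table.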

7 Vulnerability Security

The conventional approach is to install patches, but this is often troublesome; mainly it means version upgrades and protective measures.

8 Neglected SSL

Because of performance or other reasons, many production environments do not use SSL, but from 5.7 onward it has improved considerably. If you need it, it is worth trying.

/doc/refman/5.7/en/
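Checking that SSL is actually in use, rather than merely available, takes a few statements. The following is an added example (not from the original post) for MySQL 5.7; require_secure_transport needs 5.7.8 or later, and the account names are constructed.

```sql
-- Added example: verify SSL support and make encrypted connections mandatory.

-- Server side: is SSL built in and are certificates configured?
SHOW VARIABLES LIKE 'have_ssl';     -- YES = usable, DISABLED = compiled in but no certs
SHOW VARIABLES LIKE 'ssl_%';        -- ssl_ca, ssl_cert, ssl_key paths
SHOW VARIABLES LIKE 'tls_version';

-- This session: an empty Ssl_cipher means the connection is plaintext.
SHOW SESSION STATUS LIKE 'Ssl_cipher';

-- Per account: refuse plaintext logins (constructed names).
ALTER USER 'app'@'10.0.1.%' REQUIRE SSL;
-- Stronger: require a client certificate issued by the server's CA.
ALTER USER 'report'@'10.0.2.15' REQUIRE X509;

-- Server-wide: reject every TCP connection that is not TLS
-- (local Unix-socket connections are still accepted). 5.7.8+.
SET GLOBAL require_secure_transport = ON;   -- persist in my.cnf

-- Review: accounts that still permit plaintext have an empty ssl_type.
SELECT User, Host, ssl_type FROM mysql.user WHERE ssl_type = '';
```

Turn on require_secure_transport only after the per-session check passes for every application host; otherwise the switch disconnects clients that were silently connecting in the clear.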

9 Firewall Security

Generally a firewall sits in front of the database, but for cost reasons many companies run single or bare instances; a dedicated hardware firewall is best. If you don't have one, use the operating system's own firewall, supplemented by other whitelists and middleware whitelist filtering to prevent some problems.

10 Port security

The default port is 3306, and it is best to change it. For memorability you can derive it from the IP address and adjust it dynamically. If the production network allows it, it can also be changed periodically, but it is best not to affect R&D progress.

11 Record security

Delete sensitive data recorded by the operating system, such as .mysql_history and .bash_history; clean, remove, and disable the .mysql_history file promptly.

People are the dominant factor in security. The object of management should be viewed from two perspectives: from an information perspective it is the security of MySQL itself, preventing data loss and damage; from a technical perspective it is the security of the whole system, preventing it from being brought down and damaged.

Finally, an aside on monitoring and auditing. Security is mainly about preventing problems before they happen; nobody wants to receive alarms all day long. It is best to set detailed rules and regulations based on the company's actual situation. Don't think of this as a hassle: some of it may never be needed, but what if it is? I hope there is no "but".