1.3 Basic Security Hardening

1.3.1 Logging in to MySQL

After MySQL 5.6.x has been initialized and started, you can log in as the root user without a password. While you are there, check that the MySQL version and the logged-in user are what you expect.

[root@localhost mysql]# mysql
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 1
Server version: 5.6.35-log MySQL Community Server (GPL)
Copyright (c) 2000, 2016, Oracle and/or its affiliates. All rights reserved.
Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
# Check the currently logged-in user
mysql> select user();
+----------------+
| user()         |
+----------------+
| root@localhost |
+----------------+
1 row in set (0.00 sec)
# Check that the MySQL version is the expected one
mysql> select version();
+------------+
| version()  |
+------------+
| 5.6.35-log |
+------------+
1 row in set (0.00 sec)

1.3.2 Delete accounts other than root@localhost and change the root password

By default, MySQL initialization creates several default accounts: an anonymous user, and non-root users allowed to log in from 127.0.0.1 and localhost. These accounts serve no purpose and can expose the database to security risk, so it is recommended to delete them.

Tip: MySQL hardening can also be done with the command-line tool mysql_secure_installation; simply follow its prompts step by step.

mysql> select user, host from mysql.user;
+------+------------------------+
| user | host                   |
+------+------------------------+
| root | 127.0.0.1              |
| root | ::1                    |
|      | localhost              |
| root | localhost              |
|      | localhost.localdomain  |
| root | localhost.localdomain  |
+------+------------------------+
6 rows in set (0.00 sec)
mysql> delete from mysql.user where user!='root' or host!='localhost';
Query OK, 5 rows affected (0.01 sec)
## On newer MySQL 5.7.x versions or 8.0.x, the delete must exclude several system accounts
mysql> DELETE FROM mysql.user WHERE user NOT IN ('mysql.sys', 'mysql.session', 'mysqlxsys', 'root', 'mysql.infoschema') OR host NOT IN ('localhost');
# Check that the deletion produced the expected result
mysql> select user, host from mysql.user;
+------+-----------+
| user | host      |
+------+-----------+
| root | localhost |
+------+-----------+
1 row in set (0.00 sec)
mysql> set password for 'root'@'localhost' = PASSWORD('admin');  # In MySQL 5.7.x the PASSWORD() function is not needed: a plaintext password is automatically converted to its hashed form when written to mysql.user, and this usage will be removed in later versions
Query OK, 0 rows affected (0.00 sec)
mysql> flush privileges;
Query OK, 0 rows affected (0.00 sec)
mysql>
# Log in to MySQL again with the new password
[root@localhost mysql]# mysql -uroot -p
Enter password:
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 4
Server version: 5.6.35-log MySQL Community Server (GPL)
Copyright (c) 2000, 2016, Oracle and/or its affiliates. All rights reserved.
Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
mysql>
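The same account clean-up can be done with account-management statements instead of DML on the grant tables. The following is an added example, not part of the original text: it assumes MySQL 5.7.8 or later (for DROP USER IF EXISTS and ALTER USER; on 5.6 use the SET PASSWORD form shown above), uses the account list from the listing above, and the password value is a placeholder to be replaced.

```sql
-- Added example (not from the original text). Hardening of the default
-- account set using DROP USER / ALTER USER rather than DELETE FROM mysql.user.
-- Assumes MySQL 5.7.8+; the password below is a placeholder.

-- 1. Dry run: list every account that is NOT root@localhost and NOT one of
--    the reserved system accounts, so you can review what will be removed.
--    (On 5.6 the password column is named password, not authentication_string.)
SELECT user, host, authentication_string = '' AS empty_password
  FROM mysql.user
 WHERE NOT (user = 'root' AND host = 'localhost')
   AND user NOT IN ('mysql.sys', 'mysql.session', 'mysqlxsys', 'mysql.infoschema');

-- 2. Remove them with DROP USER. Unlike DELETE on mysql.user, DROP USER also
--    removes the account's rows from mysql.db, mysql.tables_priv and the other
--    grant tables, and takes effect immediately without FLUSH PRIVILEGES.
--    Anonymous accounts are written as ''@'host'.
DROP USER IF EXISTS 'root'@'127.0.0.1',
                    'root'@'::1',
                    ''@'localhost',
                    ''@'localhost.localdomain',
                    'root'@'localhost.localdomain';

-- 3. Set the root password (replace the placeholder with a strong value).
ALTER USER 'root'@'localhost' IDENTIFIED BY 'CHANGE_ME_strong_password';

-- 4. Verify: only root@localhost plus the system accounts remain, and no
--    remaining account has an empty authentication string.
SELECT user, host, authentication_string = '' AS empty_password
  FROM mysql.user
 ORDER BY user, host;
```

Run the dry-run SELECT first and compare its output with the DROP USER list; if a host name differs on your system (for example a hostname other than localhost.localdomain), adjust the list rather than falling back to a broad DELETE.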

1.3.3 Drop the test database and clean up the mysql.db table

By default, MySQL 5.6.x initialization creates a database named test for testing purposes. This database is generally not needed in production; if you are sure it will not be used, drop it.

By default, after MySQL 5.6.x initialization the database-level privilege table mysql.db contains entries that grant any user from any host access to the test database. In other words, a user with no privileges at all, or an anonymous user, can log in to MySQL and perform arbitrary operations on the test database. Therefore, once the initial installation is complete, it is recommended to remove these unsafe users or delete the preset test-database privileges from the mysql.db table.

mysql> show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| mysql              |
| performance_schema |
| test               |
+--------------------+
4 rows in set (0.00 sec)
mysql> drop database test;
Query OK, 0 rows affected (0.00 sec)
# Check that the deletion produced the expected result
mysql> show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| mysql              |
| performance_schema |
+--------------------+
3 rows in set (0.00 sec)
mysql> select * from mysql.db\G  # MySQL 5.7.x removed the test database, so its privileges are gone as well; it added the sys database, which has its own default privileges, so on 5.7.x skip cleaning this table
*************************** 1. row ***************************
                Host: %
                  Db: test
                User:
          Select_priv: Y
          Insert_priv: Y
          Update_priv: Y
          Delete_priv: Y
          Create_priv: Y
            Drop_priv: Y
          Grant_priv: N
      References_priv: Y
          Index_priv: Y
          Alter_priv: Y
Create_tmp_table_priv: Y
    Lock_tables_priv: Y
    Create_view_priv: Y
      Show_view_priv: Y
  Create_routine_priv: Y
  Alter_routine_priv: N
        Execute_priv: N
          Event_priv: Y
        Trigger_priv: Y
*************************** 2. row ***************************
                Host: %
                  Db: test\_%
                User:
          Select_priv: Y
          Insert_priv: Y
          Update_priv: Y
          Delete_priv: Y
          Create_priv: Y
            Drop_priv: Y
          Grant_priv: N
      References_priv: Y
          Index_priv: Y
          Alter_priv: Y
Create_tmp_table_priv: Y
    Lock_tables_priv: Y
    Create_view_priv: Y
      Show_view_priv: Y
  Create_routine_priv: Y
  Alter_routine_priv: N
        Execute_priv: N
          Event_priv: Y
        Trigger_priv: Y
2 rows in set (0.00 sec)
mysql> truncate mysql.db;
Query OK, 0 rows affected (0.00 sec)
## On newer MySQL 5.7.x versions or 8.0.x, the clean-up must exclude several system accounts
mysql> DELETE FROM mysql.db WHERE user NOT IN ('mysql.sys', 'mysql.session', 'mysqlxsys', 'root', 'mysql.infoschema') OR host NOT IN ('localhost');
# Check that the clean-up produced the expected result
mysql> select * from mysql.db\G
Empty set (0.00 sec)
mysql> flush privileges;
Query OK, 0 rows affected (0.00 sec)
mysql>
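TRUNCATE removes every database-level grant, including any that application accounts legitimately hold. The following added example (not from the original text) removes only the two anonymous test / test\_% rows shown in the listing above and then verifies that nothing else in mysql.db is open to the anonymous user or to every host. It assumes the default sql_mode, in which the backslash in the string literal is an escape character, so 'test\\_%' matches the stored value test\_%.

```sql
-- Added example (not from the original text). Targeted clean-up of mysql.db:
-- drop only the anonymous grants on test and test\_% instead of truncating
-- the whole table. Direct DML on a grant table needs FLUSH PRIVILEGES after it.

-- 1. Inspect the rows that will be removed: empty user name, db test or test\_%.
--    On 5.7.x/8.0.x, where the test database no longer exists, this is empty
--    and the DELETE below is a harmless no-op.
SELECT host, db, user
  FROM mysql.db
 WHERE user = ''
   AND db IN ('test', 'test\\_%');

-- 2. Remove exactly those rows, leaving other database-level grants intact.
DELETE FROM mysql.db
 WHERE user = ''
   AND db IN ('test', 'test\\_%');

-- 3. Reload the in-memory grant tables so the change takes effect for new
--    connections.
FLUSH PRIVILEGES;

-- 4. Verify: no database-level grant remains for the anonymous user, and no
--    grant applies to every host. Both queries should return an empty set.
SELECT host, db, user FROM mysql.db WHERE user = '';
SELECT host, db, user FROM mysql.db WHERE host = '%';
```

If the second verification query returns rows for named accounts, those are application grants that need review rather than deletion; they are exactly the rows a blanket TRUNCATE would have destroyed.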

Tip: MySQL 5.7.x removed the test database, so the step of dropping it no longer applies. If you do need a test database, you can create one yourself.