1. Drop the test database
Reason:
The default MySQL installation comes with a database named test that anyone can access. This database is intended only for tutorials, samples, testing, etc. Databases named "test" and also databases with names starting with - depending on platform - "test" or "test_" can be accessed by users that do not have explicit privileges granted to the database. You should avoid such database names on production servers.
Recommendation:
Drop databases named "test" and also all databases with names starting with - depending on platform - "test" or "test_" and remove all associated privileges.
Steps: drop the test database on the primary (master) server:
drop database test;
2. Delete the root user, or allow root to log in only from the local machine
Reason:
The root user can log in remotely. It means that you can connect as root from remote hosts if you know the password. An attacker must guess the password, but may attempt to do so by connecting from remote hosts. However, if remote access is disallowed, the attacker can attempt to connect as the root user only after first gaining access to localhost.

The default MySQL installation includes a root account with super (full) privileges that is used to administer the MySQL server. The name root is created by default and is very well known. The literal value root does not have any significance in the MySQL privilege system. Hence there is no requirement to continue with the user name root.
Recommendation:
a. Rename the root MySQL user to something obscure and disallow remote access (best for security).
b. If you still want to keep the root user for some reason, make sure remote access is disallowed. Use the following SQL: delete from mysql.user where user = 'root' and host not in ('127.0.0.1','localhost'); flush privileges;
Steps:
delete from mysql.user where user = 'root' and host not in ('127.0.0.1','localhost');
flush privileges;
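Before deleting root accounts in this step, check in turn the definer of every function, procedure, event, view and trigger. If any definer is root@% or root@xxx, change it to root@127.0.0.1 or root@localhost. The root@localhost or root@127.0.0.1 account must also be kept, unless the definers are changed to some other account as well. Otherwise MySQL will refuse to run the affected objects when they are executed. For the details of the change, see "How to change all definers in MySQL".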
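The checks described in sections 1 and 2 can be run as read-only queries before anything is deleted. This is an added example, not part of the original post; it relies only on the standard information_schema tables and the mysql.user and mysql.db grant tables, and assumes the auditing account is allowed to read them.

```sql
-- Added example: read-only audit to run before removing remote root accounts.

-- 1. root accounts that can connect from anywhere other than the local host.
SELECT user, host
FROM mysql.user
WHERE user = 'root'
  AND host NOT IN ('127.0.0.1', 'localhost');

-- 2. Stored objects whose DEFINER is a non-local root account.
--    information_schema stores DEFINER as user@host without quotes, and
--    the % in LIKE 'root@%' is a wildcard, so every root@<host> matches.
--    Any row returned must have its definer changed before step 2 is applied.
SELECT ROUTINE_TYPE AS object_type, ROUTINE_SCHEMA AS schema_name,
       ROUTINE_NAME AS object_name, DEFINER AS definer
FROM information_schema.ROUTINES          -- functions and procedures
WHERE DEFINER LIKE 'root@%'
  AND DEFINER NOT IN ('root@localhost', 'root@127.0.0.1')
UNION ALL
SELECT 'VIEW', TABLE_SCHEMA, TABLE_NAME, DEFINER
FROM information_schema.VIEWS
WHERE DEFINER LIKE 'root@%'
  AND DEFINER NOT IN ('root@localhost', 'root@127.0.0.1')
UNION ALL
SELECT 'TRIGGER', TRIGGER_SCHEMA, TRIGGER_NAME, DEFINER
FROM information_schema.TRIGGERS
WHERE DEFINER LIKE 'root@%'
  AND DEFINER NOT IN ('root@localhost', 'root@127.0.0.1')
UNION ALL
SELECT 'EVENT', EVENT_SCHEMA, EVENT_NAME, DEFINER
FROM information_schema.EVENTS
WHERE DEFINER LIKE 'root@%'
  AND DEFINER NOT IN ('root@localhost', 'root@127.0.0.1');

-- 3. Databases named test or starting with test, and the database-level
--    privilege rows that refer to them (section 1).
SELECT SCHEMA_NAME
FROM information_schema.SCHEMATA
WHERE SCHEMA_NAME LIKE 'test%';

SELECT host, db, user
FROM mysql.db
WHERE db LIKE 'test%';
```

An empty result from queries 1 and 2 means the delete in section 2 will not orphan any definer.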
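3. Minimize user privileges on the production database
The plan is to connect to the database as common_user, keep root's local login, and grant a new account with DBA privileges: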
grant insert,delete,update,select,execute on sp.* to 'common_user'@'127.0.0.1' identified by 'xxxxxx';
grant insert,delete,update,select,execute on sp.* to 'common_user'@'%' identified by 'xxxxxx';
grant all on *.* to 'dba'@'%' identified by 'xxxxxx' with grant option;
flush privileges;
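The production database only needs the accounts listed above; other accounts can be adjusted as requirements dictate.

At this point, the account and privilege security configuration on the production database is complete.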