mysql 数据库 安全

我们开始之前的一些基本信息： (Some basic information before we get started:)

Source: Center for Internet Security’s (CIS) Oracle MySQL Community Server 5.7

来源： 互联网安全中心(CIS)Oracle MySQL Community Server 5.7

Operating system: Windows 10

作业系统： Windows 10

Where to execute: command line

执行位置：命令行

mysql -u USERNAME -p

Target application: Oracle MySQL Community Server 5.7

目标应用程序： Oracle MySQL Community Server 5.7

信息系统的审核和记录 (Auditing and logging for information systems)

Logs play a crucial role for security when there is a suspected cyberattack. A manual review of logs is painstaking for security personnel, and they must use log review tools to extract information and analyze it. Logs should use a WORM (write once read many) storage technology and encryption to avoid corruption and losing log data. Also, logs should have a standardized format for ease of maintenance, access and comparison.

当怀疑有网络攻击时，日志对于安全起着至关重要的作用。 手动查看日志对于安全人员来说是艰辛的，他们必须使用日志查看工具来提取信息并进行分析。 日志应使用WORM(一次写入多次读取)存储技术和加密功能，以避免损坏和丢失日志数据。 此外，日志应具有标准化的格式，以便于维护，访问和比较。

确保“ log_error”不为空 (Ensure “log_error” is not empty)

command:

命令：

SHOW variables LIKE ‘log_error’;

Error logs contains data on events when mysqld starts or stops. It also shows when a table needs to be assessed or repaired. It must generate a “value”. The reason for enabling error logging is it helps increase the ability to detect malicious attempts against MySQL and other vital messages.

错误日志包含有关mysqld启动或停止时事件的数据。 它还显示何时需要评估或修复表。 它必须产生一个“值”。 启用错误日志记录的原因是它有助于提高检测针对MySQL和其他重要消息的恶意尝试的能力。

确保日志文件存储在非系统分区上 (Ensure log files are stored on a non-system partition)

command:

命令：

SELECT @@global.log_bin_basename;

Log files of MySQL can be stored anywhere in the filesystem and set using the MySQL configuration. Also, it is a best practice is to ensure that the logs in the filesystem are not cluttered with other logs such as application logs. You must ensure that the value returned does not indicate that it is in the root “(‘/’)”, “/var”, or “/usr”. The reason for this is that partitioning will decrease the likelihood of denial of service if the available disk space to the operating system is depleted.

MySQL的日志文件可以存储在文件系统中的任何位置，并可以使用MySQL配置进行设置。 另外，最佳做法是确保文件系统中的日志不会与其他日志(例如应用程序日志)杂乱无章。 您必须确保返回的值不表示它位于根目录“('/')”，“ / var”或“ / usr”中。 这样做的原因是，如果操作系统的可用磁盘空间已用完，分区将减少拒绝服务的可能性。

确保“ log_error_verbosity”未设置为“ 1” (Ensure “log_error_verbosity” is not set to “1”)

command:

命令：

SHOW GLOBAL VARIABLES LIKE ‘log_error_verbosity’;

This check provides additional information to what functionalities the MySQL log has or has enabled on error messages. A value of 1 enables the logging of error messages. A value of 2 enables both the logging of error and warning messages. A value of 3 enables logging of error, warning, and note messages. This helps detect malicious behavior by logging communication errors and aborted connections.

此项检查提供了有关MySQL日志对错误消息具有或已启用的功能的更多信息。 值1启用错误消息的记录。 值2启用错误和警告消息的记录。 值3允许记录错误，警告和注释消息。 这有助于通过记录通信错误和中止连接来检测恶意行为。

确保启用审核日志记录 (Ensure audit logging is enabled)

Enabling audit logging is crucial for production environment for interactive user sessions and application sessions. With audit logging, it helps identify who changed what and when. It can also help to identify what an attacker has done and can even be used as evidence in investigations.

启用审核日志记录对于交互式用户会话和应用程序会话的生产环境至关重要。 使用审核日志记录，它可以帮助确定谁更改了内容和时间。 它还可以帮助识别攻击者的所作所为，甚至可以用作调查中的证据。

command:

命令：

SELECT NAME FROM performance_schema.setup_instruments WHERE NAME LIKE ‘%/alog/%’;

command:

命令：

SET GLOBAL general_log = ‘ON’ ;

command: CREATE USER ‘user1’@’localhost’ IDENTIFIED BY PASSWORD ‘not-so-secret’;

命令： CREATE USER'user1'@'localhost'由密码'not-so-secret'标识；

The log’s path in Windows 10 can be found by using Services application, looking to see if MySQL is running, and right-click properties.

可以使用服务应用程序找到Windows 10中的日志路径，以查看MySQL是否正在运行，然后右键单击属性。

The log in the author’s system was located in: C:\ProgramData\MySQL\MySQL Server 5.7\Data\DJ-JASON-CLARK.log

作者系统中的日志位于：C：\ ProgramData \ MySQL \ MySQL Server 5.7 \ Data \ DJ-JASON-CLARK.log

信息系统认证 (Authentication for information system)

Authentication makes sure the credentials provided by the user or machine are matched with the database of authorized users in a local operating system or in an authentication server. Authentication is then followed by authorization, which is granted by an administrator to users or machines. An authentication that is commonly used in both private and public networks is password-based authentication.

身份验证可确保用户或计算机提供的凭据与本地操作系统或身份验证服务器中的授权用户数据库匹配。 身份验证之后是授权，授权由管理员授予用户或计算机。 专用网络和公用网络中都普遍使用的身份验证是基于密码的身份验证。

确保密码未存储在全局配置中 (Ensure passwords are not stored in the global configuration)

The [client] section of a MySQL configuration file allows the creation of a user and password to be set. The check is important because allowing a user and password in the configuration file impacts the confidentiality of the user’s password negatively.

MySQL配置文件的[client]部分允许设置用户和密码的创建。 该检查很重要，因为在配置文件中允许用户和密码会负面影响用户密码的机密性。

To audit, open MySQL configuration file and examine the [client] section — it must not have any password stored. No password was set in the author’s system (see figure below). If a password was set in the configuration file, use mysql_config_editor to store passwords in the encrypted form in .mylogin.cnf.

要进行审计，请打开MySQL配置文件并检查[client]部分-不得存储任何密码。 在作者的系统中未设置密码(请参见下图)。 如果在配置文件中设置了密码，请使用mysql_config_editor将密码以加密形式存储在.mylogin.cnf中。

确保“ sql_mode”包含“ NO_AUTO_CREATE_USER” (Ensure ‘sql_mode’ contains ‘NO_AUTO_CREATE_USER’)

The “no_auto_create_user” is an option to prevent the auto creation of user when authentication information is not provided.

“ no_auto_create_user”是用于在未提供身份验证信息时阻止自动创建用户的选项。

command:

命令：

SELECT @@global.sql_mode;

command:

命令：

SELECT @@session.sql_mode;

确保为所有MySQL帐户设置了密码 (Ensure passwords are set for all MySQL accounts)

A user can create a blank password. Having a blank password is risky as anyone can just assume the user’s identity, enter the user’s loginID and connect to the server. This bypasses authentication, which is bad.

用户可以创建一个空白密码。 拥有空白密码是有风险的，因为任何人都只能假设用户的身份，输入用户的loginID并连接到服务器。 这样会绕过身份验证，这很不好。

command:

命令：

SELECT User,host FROM mysql.user WHERE authentication_string=’’;

确保“ default_password_lifetime”小于或等于“ 90” (Ensure ‘default_password_lifetime’ is less than or equal to ‘90’)

Changing the password lifetime to 90 days decreases the time available for the attacker to compromise the password, and thus decreases the likelihood of getting attacked.

将密码有效期更改为90天可以减少攻击者破解密码的时间，从而减少遭受攻击的可能性。

command:

命令：

SHOW VARIABLES LIKE ‘default_password_lifetime’;

command:

命令：

SET GLOBAL default_password_lifetime=90;

确保密码复杂度到位 (Ensure password complexity is in place)

Password complexity adds security strength to authentications and includes adding or increasing length, case, numbers and special characters. The more complex the password, the harder for attackers to use brute force to obtain the password. Weak passwords are easily obtained in a password dictionary.

密码复杂性增加了身份验证的安全性，包括增加或增加长度，大小写，数字和特殊字符。 密码越复杂，攻击者就越难使用蛮力来获取密码。 在密码字典中很容易获得弱密码。

command:

命令：

SHOW VARIABLES LIKE ‘validate_password%’;

确保没有用户使用通配符主机名 (Ensure no users have wildcard hostnames)

Users with wildcard hostnames (%) are granted permission to any location. It is best to avoid creating wildcard hostnames. Instead, create users and give them specific locations from which a given user may connect to and interact with the database.

具有通配符主机名(％)的用户被授予对任何位置的权限。 最好避免创建通配符主机名。 而是，创建用户并为他们提供特定位置，给定用户可以从该位置连接到数据库并与数据库进行交互。

command:

命令：

SELECT user, host FROM mysql.user WHERE host = ‘%’;

确保不存在匿名帐户 (Ensure no anonymous accounts exist)

Users can have an anonymous (empty or blank) username. These anonymous usernames have no passwords and any other user can use that anonymous username to connect to the MySQL server. Removal of these anonymous accounts ensures only identified and trusted users can access the MySQL server.

用户可以具有匿名(空或空白)用户名。 这些匿名用户名没有密码，任何其他用户都可以使用该匿名用户名连接到MySQL服务器。 删除这些匿名帐户可确保只有已识别且受信任的用户才能访问MySQL服务器。

command:

命令：

SELECT user,host FROM mysql.user WHERE user = ‘’;

与MySQL服务器的网络连接 (Network connection to MySQL server)

The network connection plays an important role for communication between the user and the MySQL server. Insecure network connections are very vulnerable to attacks. The following are checks for network connection security.

网络连接对于用户与MySQL服务器之间的通信起着重要作用。 不安全的网络连接非常容易受到攻击。 以下是检查网络连接安全性的方法。

确保将“ have_ssl”设置为“ YES” (Ensure ‘have_ssl’ is set to ‘YES’)

To avoid malicious attackers peeking inside your system, it is best to use SLL/TLS for all network traffic when using untrusted networks.

为避免恶意攻击者偷窥系统内部，使用不受信任的网络时，最好对所有网络流量使用SLL / TLS。

command:

命令：

WHERE variable_name = ‘have_ssl’;

确保所有远程用户的“ ssl_type”设置为“ ANY”，“ X509”或“ SPECIFIED” (Ensure ‘ssl_type’ is set to ‘ANY’, ‘X509’, or ‘SPECIFIED’ for all remote users)

SSL/TLS should be configured per user. This further prevents eavesdropping of malicious attackers.

应该为每个用户配置SSL / TLS。 这进一步防止了对恶意攻击者的窃听。

command:

命令：

SELECT user, host, ssl_type FROM mysql.user WHERE NOT HOST IN (‘::1’, ‘127.0.0.1’, ‘localhost’);

复写 (Replication)

Checking for replication status lets you monitor performance and security vulnerabilities. Microsoft SQL Server Management Studio has the following tools to monitor replication:

通过检查复制状态，可以监视性能和安全漏洞。 Microsoft SQL Server Management Studio具有以下工具来监视复制：

1. view snapshot agent status,查看快照代理状态，
2. view log reader agent status, and查看日志阅读器代理状态，以及
3. view synchronization status.查看同步状态。

确保复制流量安全 (Ensure replication traffic is secured)

Replication traffic between servers must be secured. During replication transfers, passwords could leak.

复写 服务器之间的流量必须得到保护。 在复制传输期间，密码可能会泄漏。

To audit, check if they’re using: a private network, a VPN, SSL/TLS or a SSH Tunnel. Hopefully the author’s system is using a private network. Correct if otherwise, and secure by using the private network, a VPN, SSL/TLS or a SSH Tunnel.

要审核，请检查它们是否在使用：专用网络，VPN，SSL / TLS或SSH隧道。 希望作者的系统正在使用专用网络。 否则请更正，并通过使用专用网络，VPN，SSL / TLS或SSH隧道来确保安全。

确保将'MASTER_SSL_VERIFY_SERVER_CERT'设置为'YES'或'1' (Ensure ‘MASTER_SSL_VERIFY_SERVER_CERT’ Is Set to ‘YES’ or ‘1’)

‘MASTER_SSL_VERIFY_SERVER_CERT’ checks whether the replica should verify the primary's certificate or not. The replica should verify the primary's certificate to authenticate the primary before continuing the connection.

'MASTER_SSL_VERIFY_SERVER_CERT'检查副本是否应验证主服务器的证书。 在继续连接之前，副本服务器应验证主服务器的证书以对主服务器进行身份验证。

command:

命令：

SELECT ssl_verify_server_cert FROM mysql.slave_master_info;

确保将“ master_info_repository”设置为“ TABLE” (Ensure ‘master_info_repository’ is set to ‘TABLE’)

The ‘master_info_repository’ determines where the replica logs the primary's status and connection information. The password is stored in the primary info repository that is a plain text file. Storing the password in the TABLE master_info is a safer.

“ master_info_repository”确定副本在哪里记录主数据库的状态和连接信息。 密码存储在主要信息存储库中，该存储库是纯文本文件。 将密码存储在表master_info中较为安全。

command:

命令：

SHOW GLOBAL VARIABLES LIKE ‘master_info_repository’;

确保复制用户的“ super_priv”未设置为“ Y” (Ensure ‘super_priv’ is not set to ‘Y’ for replication users)

The “SUPER” privilege (‘super_priv’) located in the “mysql.user” table has functions like “CHANGE”, “MASTER TO”, “KILL”, “mysqladmin kill”, “PURGE BINARY LOGS”, “SET GLOBAL”, “mysqladmin debug”, and other logging controls. Giving a user the “SUPER” privilege allows the user to view and terminate currently executing SQL statements, even for password management. If the attacker exploits and gains the “SUPER” privilege, they can disable, alter, or destroy logging data.

的 位于“ mysql.user”表中的“ SUPER”特权(“ super_priv”)具有“ CHANGE”，“ MASTER TO”，“ KILL”，“ mysqladmin kill”，“ PURGE BINARY LOGS”，“ SET GLOBAL”， “ mysqladmin调试”和其他日志记录控件。 授予用户“ SUPER”特权，使用户可以查看和终止当前正在执行SQL语句，甚至用于密码管理。 如果攻击者利用并获得“超级”特权，则他们可以禁用，更改或破坏日志记录数据。

command:

命令：

SELECT user, host FROM mysql.user WHERE user=’repl’ and Super_priv = ‘Y’;

确保没有复制用户具有通配符主机名 (Ensure no replication users have wildcard hostnames)

MySQL allows you to grant permissions to wildcard hostnames. Wildcard hostnames should be avoided, and you should create or modify users and give them specific locations from which a given user may connect to and interact with the database.

MySQL允许您授予通配符主机名的权限。 应该避免使用通配符主机名，您应该创建或修改用户，并为他们提供特定位置，给定用户可以从该位置连接到数据库并与数据库进行交互。

结论 (Conclusion)

The following checks are made for a single work environment using MySQL as the information system on both the application-side and the user-side.

在使用MySQL作为应用程序端和用户端的信息系统的单个工作环境中，进行了以下检查。

The assessment is imperative to check for standard logging of MySQL and enabling additional logging functions (it also enables checking for authentication vulnerabilities). Network checks are important to prevent other users with malicious intent from peeking into your network. Always implement SSL/TLS to encrypt. Securing one-way transfer is necessary. Securing replication traffic adds a defensive layer.

必须进行评估，以检查MySQL的标准日志记录并启用其他日志记录功能(还可以检查身份验证漏洞)。 网络检查对于防止其他有恶意的用户窥探您的网络非常重要。 始终实施SSL / TLS进行加密。 确保单向传输是必要的。 保护复制流量会增加防御层。

The result of the assessment can inform you if the system is able to operate at a level of trust.

评估结果可以通知您系统是否能够在信任级别上运行。

Thank you for reading my blog! You have now started the path to securing your MySQL database.=)

感谢您阅读我的博客！ 现在，您已经开始保护MySQL数据库的路径。

翻译自: https://www.freecodecamp.org/news/cjn-is-your-mysql-secured-7793e5444cf5/

mysql 数据库 安全