Anyone using MySQL on a computer connected to the Internet should read this section to avoid the most common security mistakes.
In discussing security, it is necessary to consider fully protecting the entire server host (not just the MySQL server) against all types of applicable attacks: eavesdropping, altering, playback (replay), and denial of service. We do not cover all aspects of availability and fault tolerance here.
MySQL uses security based on Access Control Lists (ACLs) for all connections, queries, and other operations that users can attempt to perform. There is also support for SSL/TLS-encrypted connections between MySQL clients and servers. Many of the concepts discussed here are not specific to MySQL at all; the same general ideas apply to almost all applications.
When running MySQL, follow these guidelines:
Do not ever give anyone (except MySQL root accounts) access to the user table in the mysql system database! This is critical.
Learn how the MySQL access privilege system works (see Section 6.2, “Access Control and Account Management”). Use the GRANT and REVOKE statements to control access to MySQL. Do not grant more privileges than necessary. Never grant privileges to all hosts (that is, to accounts whose host part is the '%' wildcard).
Checklist:
Try mysql -u root. If you are able to connect successfully to the server without being asked for a password, anyone can connect to your MySQL server as the MySQL root user with full privileges! Review the MySQL installation instructions, paying particular attention to the information about setting a root password. See Section 2.10.4, “Securing the Initial MySQL Account”.
Use the SHOW GRANTS statement to check which accounts have access to what. Then use the REVOKE statement to remove those privileges that are not necessary.
Do not store cleartext passwords in your database. If your computer becomes compromised, the intruder can take the full list of passwords and use them. Instead, use SHA2() or some other one-way hashing function and store the hash value.
To prevent password recovery using rainbow tables, do not use these functions on a plain password; instead, choose some string to be used as a salt, and use hash(hash(password)+salt) values. The salt should be random and unique per account, and is stored next to the hash. Note that a SHA-2 digest is fast to compute, so a salted SHA2() value still falls quickly to brute-force guessing of weak passwords; where you control the application, prefer a deliberately slow password hashing function (PBKDF2, bcrypt, scrypt or Argon2) and compute it in the application rather than in SQL, so that the cleartext password never appears in a statement (and therefore never in the general query log).
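The two constructions side by side, as an added example that is not code from the MySQL manual: page_scheme() reproduces the hash(hash(password)+salt) scheme above exactly as MySQL's SHA2(CONCAT(SHA2(password, 256), salt), 256) would compute it (SHA2() returns lowercase hex), while hash_password() and verify_password() swap in PBKDF2-HMAC-SHA256 from Python's standard library, run in the application. The record format, field separator and iteration count are this example's own choices, not anything MySQL defines.

```python
"""Salted password hashing for a MySQL-backed application (added example)."""
import hashlib
import hmac
import os

# Iteration count for PBKDF2-HMAC-SHA256 (an assumption for this example);
# raise it over time as hardware gets faster.
PBKDF2_ITERATIONS = 600_000


def page_scheme(password: str, salt: str) -> str:
    """The manual's scheme: SHA2(CONCAT(SHA2(password,256), salt),256).

    Salted, so rainbow tables do not apply, but SHA-256 is fast: an attacker
    who steals the table can still test billions of guesses per second per salt.
    """
    inner = hashlib.sha256(password.encode("utf-8")).hexdigest()  # hex, like SHA2()
    return hashlib.sha256((inner + salt).encode("utf-8")).hexdigest()


def hash_password(password: str, salt=None, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Return a self-describing record 'pbkdf2_sha256$<iters>$<salt hex>$<hash hex>'.

    The salt is random and unique per account; storing the iteration count in the
    record lets you raise it later without invalidating existing hashes.
    """
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    try:
        algo, iterations, salt_hex, dk_hex = stored.split("$")
        salt = bytes.fromhex(salt_hex)
        iterations = int(iterations)
    except ValueError:
        return False          # malformed or foreign record: never a match
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(dk.hex(), dk_hex)


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    # Store `record` in a VARCHAR column; the application, not the server, verifies,
    # so the cleartext password is never sent inside an SQL statement.
    print(record)
    print(verify_password("correct horse battery staple", record))
    print(verify_password("Tr0ub4dor&3", record))
```

Because the record carries its own salt and iteration count, the database column is just an opaque string; only the application needs to know the scheme, and the weak page_scheme() values can be re-hashed into the PBKDF2 form on each user's next successful login.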
Do not choose passwords from dictionaries. Special programs exist to break passwords. Even passwords like “xfish98” are very bad. Much better is “duag98”, which contains the same word “fish” but typed one key to the left on a standard QWERTY keyboard. Another method is to use a password that is taken from the first characters of each word in a sentence (for example, “Four score and seven years ago” results in a password of “Fsasya”). The password is easy to remember and type, but difficult to guess for someone who does not know the sentence. In this case, you can additionally substitute digits for the number words to obtain the phrase “4 score and 7 years ago”, yielding the password “4sa7ya”, which is even more difficult to guess.
Invest in a firewall. A firewall blocks a large share of remote attacks against any network-exposed software, regardless of what the software is. Put MySQL behind the firewall or in a demilitarized zone (DMZ).
Checklist:
Try to scan your ports from the Internet using a tool such as nmap (for example, nmap -p 3306 server_host). MySQL uses port 3306 by default. This port should not be accessible from untrusted hosts. As a simple way to check whether your MySQL port is open, try the following command from some remote machine, where server_host is the host name or IP address of the host on which your MySQL server runs:
shell> telnet server_host 3306
If telnet hangs (the packets are being dropped) or the connection is refused, the port is blocked, which is how you want it to be. If you get a connection and some garbage characters, the port is open: those bytes are the server's handshake greeting, which carries the MySQL version string, so an open port also tells a scanner exactly what you are running. Close it on your firewall or router unless you really have a good reason to keep it open.
Applications that access MySQL should not trust any data entered by users, and should be written using proper defensive programming techniques. See Section 6.1.7, “Client Programming Security Guidelines”.
Do not transmit plain (unencrypted) data over the Internet. This information is accessible to everyone who has the time and ability to intercept it and use it for their own purposes. Instead, use an encrypted protocol such as SSL/TLS or SSH. MySQL supports internal SSL/TLS connections. Another technique is to use SSH port-forwarding to create an encrypted (and optionally compressed) tunnel for the communication.
Learn to use the tcpdump and strings utilities. In most cases, you can check whether MySQL data streams are unencrypted by issuing a command like the following:
shell> tcpdump -l -i eth0 -w - src or dst port 3306 | strings
This works under Linux and should work with small modifications under other systems.
If you do not see cleartext data, this does not always mean that the information actually is encrypted. A more reliable check is to ask the server itself: SHOW SESSION STATUS LIKE 'Ssl_cipher' reports a non-empty cipher name for a TLS-protected session, and setting require_secure_transport=ON makes the server refuse cleartext TCP connections altogether. If you need high security, consult with a security expert.
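The two checks above (the "garbage characters" telnet shows on an open port, and the tcpdump test for cleartext) both come down to reading the first packet in each direction of a MySQL session. The following is an added example, not code from the MySQL manual: it decodes the server's HandshakeV10 greeting (version string, connection id, whether the server advertises CLIENT_SSL) and classifies the client's first packet as either a 32-byte SSLRequest, after which the TLS handshake follows, or a cleartext HandshakeResponse41, from which an eavesdropper reads the user name directly. The field layouts and capability bits are those of the MySQL client/server protocol; the sample packets are constructed here, not captured, and the version "8.0.36", connection id 42 and user name "appuser" are placeholders.

```python
"""Classify the start of a MySQL session from its first packet in each direction (added example)."""
import struct

# Capability flags from the MySQL client/server protocol.
CLIENT_PROTOCOL_41 = 0x00000200
CLIENT_SSL = 0x00000800
CLIENT_SECURE_CONNECTION = 0x00008000
CLIENT_PLUGIN_AUTH = 0x00080000


def read_packet(buf, offset=0):
    """Split one packet: 3-byte little-endian length, 1-byte sequence id, payload."""
    if len(buf) - offset < 4:
        raise ValueError("short packet header")
    length = int.from_bytes(buf[offset:offset + 3], "little")
    payload = buf[offset + 4:offset + 4 + length]
    if len(payload) != length:
        raise ValueError("truncated packet")
    return buf[offset + 3], payload, offset + 4 + length


def parse_server_greeting(payload):
    """Decode the HandshakeV10 greeting that telnet displays as 'garbage characters'."""
    if payload[0] != 0x0A:
        raise ValueError("not a HandshakeV10 greeting")
    end = payload.index(b"\x00", 1)
    version = payload[1:end].decode("ascii")          # NUL-terminated version string
    pos = end + 1
    conn_id = struct.unpack_from("<I", payload, pos)[0]
    pos += 4 + 8 + 1                                  # connection id, auth data part 1, filler
    cap_lo, charset, status, cap_hi, auth_len = struct.unpack_from("<HBHHB", payload, pos)
    pos += 8 + 10                                     # those five fields, then 10 reserved bytes
    caps = cap_lo | (cap_hi << 16)
    if caps & CLIENT_SECURE_CONNECTION:
        pos += max(13, auth_len - 8)                  # auth data part 2
    plugin = None
    if caps & CLIENT_PLUGIN_AUTH:
        plugin = payload[pos:payload.index(b"\x00", pos)].decode("ascii")
    return {"version": version, "connection_id": conn_id,
            "offers_tls": bool(caps & CLIENT_SSL), "auth_plugin": plugin}


def parse_client_first_packet(payload):
    """Tell an SSLRequest (TLS follows) from a cleartext HandshakeResponse41."""
    caps = struct.unpack_from("<I", payload, 0)[0]
    if caps & CLIENT_SSL:
        if len(payload) != 32:
            raise ValueError("CLIENT_SSL set but packet is not a 32-byte SSLRequest")
        return {"kind": "SSLRequest", "tls": True, "username": None}
    # HandshakeResponse41: caps(4) max_packet(4) charset(1) reserved(23) username NUL ...
    end = payload.index(b"\x00", 32)
    return {"kind": "HandshakeResponse41", "tls": False,
            "username": payload[32:end].decode("utf-8")}


def inspect_session(server_bytes, client_bytes):
    """Summarise what an eavesdropper learns from the first packet in each direction."""
    _, greeting, _ = read_packet(server_bytes)
    _, first_client, _ = read_packet(client_bytes)
    server = parse_server_greeting(greeting)
    client = parse_client_first_packet(first_client)
    return {"server_version": server["version"], "server_offers_tls": server["offers_tls"],
            "client_requested_tls": client["tls"], "username_in_clear": client["username"]}


# ---- constructed sample packets (not real captures) ----------------------------------
def build_packet(seq, payload):
    return len(payload).to_bytes(3, "little") + bytes([seq]) + payload

def build_greeting(caps):
    return (b"\x0a" + b"8.0.36\x00" + (42).to_bytes(4, "little")     # protocol 10, version, conn id
            + b"ABCDEFGH" + b"\x00"                                   # auth data part 1, filler
            + (caps & 0xFFFF).to_bytes(2, "little") + bytes([255])    # caps low, charset utf8mb4
            + (0x0002).to_bytes(2, "little") + (caps >> 16).to_bytes(2, "little")  # status, caps high
            + bytes([21]) + b"\x00" * 10 + b"IJKLMNOPQRST\x00"       # auth len, reserved, part 2
            + b"caching_sha2_password\x00")

def build_client_prefix(caps):
    return caps.to_bytes(4, "little") + (1 << 24).to_bytes(4, "little") + bytes([255]) + b"\x00" * 23

BASE_CAPS = CLIENT_PROTOCOL_41 | CLIENT_SECURE_CONNECTION | CLIENT_PLUGIN_AUTH
SERVER_TLS = build_packet(0, build_greeting(BASE_CAPS | CLIENT_SSL))
SERVER_NO_TLS = build_packet(0, build_greeting(BASE_CAPS))
CLIENT_SSLREQUEST = build_packet(1, build_client_prefix(BASE_CAPS | CLIENT_SSL))
CLIENT_CLEARTEXT = build_packet(1, build_client_prefix(BASE_CAPS) + b"appuser\x00"
                                + bytes([32]) + b"\x11" * 32 + b"caching_sha2_password\x00")

if __name__ == "__main__":
    print(inspect_session(SERVER_TLS, CLIENT_SSLREQUEST))
    print(inspect_session(SERVER_NO_TLS, CLIENT_CLEARTEXT))
```

Run against the bytes of a real capture (for example the output of tcpdump -w - fed through a pcap reader), a report with server_offers_tls set but client_requested_tls cleared is the case the prose warns about: the server is capable of TLS, but this particular client never asked for it, and its user name, and everything after it, crossed the wire in the clear. The greeting also shows why the version string matters: it is sent before any authentication, to anyone who can reach the port.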