This article helps database management staff improve the security of databases and guarantee stable, safe, and reliable operation with MySQL database system security hardening configurations.
You can use the Server Guard Enterprise Edition to detect MySQL vulnerabilities in your own servers, or you can check for vulnerabilities by yourself.
Disable running MySQL with the administrator permission.
Run MySQL with a regular account and prohibit running MySQL with administrator permissions.
You can configure this in the /etc/my.cnf configuration file as follows:
Avoid account sharing between different users.
For example, create a user with the following command:
mysql> mysql> insert into
Then, a user with the account name of phplamp is created.
Log on the MySQL service with the user.
@>mysql -u phplamp -p
@>[Enter your password]
mysql>[Log on successfully]
Delete irrelevant accounts.
The DROP USER command deletes one or more MySQL accounts. To use DROP USER, you must have the global CREATE USER or DELETE permission for the MySQL database. The user and host of the account name correspond to the values in the User and Host columns recorded in the user table.
You can use the DROP USER command to delete an account and its permissions.
DROP USER [user];
This statement can delete account permission records from all authorization tables.
Check the account default passwords and avoid weak passwords. The password must be at least eight characters long, and contain at least two of the four types of characters, namely numbers, lowercase letters, uppercase letters and special symbols. Do not repeat your password between the five consecutive passwords. The password must be changed at least every 90 days.
For example, to change the weak password, run the following command:
mysql> update user set password=password('test!p3') where user='root';
mysql> flush privileges;
Grant minimum account permissions according to the needs of the user and the scope of database permissions.
To do this configuration, follow these steps:
Check the database authorization status.
mysql> use mysql;
mysql> select * from user;
mysql>select * from db;
mysql>select * from host;
mysql>select * from tables_priv;
mysql>select * from columns_priv;
Run the Revoke command to revoke unnecessary or dangerous authorization.
mysql> help revoke
[, priv_type [(column_list)]] ...
FROM user [, user] ...
Enable log auditing
Configure the log auditing feature to log operation statuses and actions.
MySQL has the following types of logs:
- Error log: -log-err
- Query log: -log (optional)
- Slow query log: -log-slow-queries (optional)
- Update log: -log-update
Binary log: -log-bin
To enable log auditing, under the MySQL installation directory, open the my.ini file and add the above parameters at the end, save the file, and then restart the MySQL service. For example, enable the error logs as follows:
#Enter a name for the binary log. Otherwise a default name will be used.
#Enter a name for the query log file. Otherwise a default name will be used.
#Enter a name for the error log file. Otherwise a default name will be used.
#Enter a name for the update log file. Otherwise a default name will be used.
To enable other log types, remove the leading “#”.
Additional operation commands
show variables like 'log_%';: View all log commands.
show variables like 'log_bin';: View a specific log command.
Install the latest patches
Make sure that the system has installed the latest security patches.
Note: Test the compatibility of patches and make sure that your service and network are secure, before installing the patches.
Disable remote access if the feature is not required
Disable network connections to prevent password guessing attacks, overflow attacks and sniffing attacks.
Note: This operation only applies when applications and databases are deployed on one host.
If the database does not require remote access, you can disable remote TCP/IP connections. Add the “-skip-networking” startup parameter in MySQL servers to disable MySQL listening for TCP/IP connections and enhance security.
You can use Alibaba Cloud security groups to manage intranet and extranet accesses. We recommend that you do not expose high-risk database services to the Internet.
Manage accesses by setting trusted IP addresses
With the firewall restrictions of the operating system of the database, only allow trusted IP addresses to access the database through the listener.
For example, to do this configuration, run the following command:
mysql> GRANT ALL PRIVILEGES ON db.*
·-> -> TO Username@'IP subnet/mask';
In this situation, only users who belong to the specified IP segments are allowed to log on.
Set the number of connections
Set the maximum and minimum numbers of connections according to your machine performance and business needs.
To do this, edit the MySQL configuration file (my.cnf or my.ini), add
max_connections = 1000in the [mysqld] configuration section, save the file, and then restart the MySQL service.