MySQL installation and security hardening on Ubuntu

Installation

$ sudo apt-get update
$ sudo apt-get install mysql-server mysql-client   # the package installer prompts for the root password
# initialise the data directory (MySQL 5.5/5.6; deprecated in 5.7, where mysqld --initialize replaces it)
$ sudo mysql_install_db
# remove the anonymous accounts and disable remote root login
$ sudo mysql_secure_installation
# answer: change root password? n (already set); remove anonymous users? y; disallow root login remotely? y; remove the test database? y; reload privilege tables? y
Setting the default character set

In a Chinese-language environment, set utf8 as the default character set to avoid garbled text. Two caveats: MySQL's utf8 is a three-byte subset of UTF-8, so if you need the full range (emoji, rare CJK characters) use utf8mb4 and utf8mb4_unicode_ci instead, available since MySQL 5.5.3; and init-connect is not executed for accounts with the SUPER privilege (such as root), so those sessions still have to set the character set themselves.

$ sudo vi /etc/mysql/my.cnf
[mysqld]
collation-server = utf8_unicode_ci
init-connect = 'SET NAMES utf8'
character-set-server = utf8

Save with :wq and restart MySQL:

$ sudo service mysql restart

# check the character set settings
$ mysql -u root -p
mysql> show variables like 'char%';
mysql> show variables like 'collation%';
Hardening MySQL

Moving the data directory

MySQL's default data directory is /var/lib/mysql. In practice it is common to use a custom path such as /data/mysql or /opt/mysql, ideally on a separate data disk or partition: this isolates database I/O and disk usage from the system volume, which helps with performance tuning and protects the data, and it makes maintenance easier.

Using mysql_install_db

Re-initialise the datadir at the new location. Note that this creates an empty data directory: existing databases are not moved, and the final rm -rf deletes them, so only do this on a fresh installation (otherwise stop MySQL and copy /var/lib/mysql to the new path instead).

$ mkdir -p /data/mysql
$ chown -R mysql:mysql /data/mysql
$ mysql_install_db --user=mysql --basedir=/usr --datadir=/data/mysql
$ rm -rf /var/lib/mysql

Two more changes are needed on Ubuntu before the server will start from the new path: datadir in /etc/mysql/my.cnf must point to the new directory, and the AppArmor profile for mysqld (/etc/apparmor.d/usr.sbin.mysqld) must allow it, for example by adding the line alias /var/lib/mysql/ -> /data/mysql/, to /etc/apparmor.d/tunables/alias and reloading the profile. Otherwise AppArmor denies mysqld access to the new directory and the server fails to start.
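The following script is an added example, not code from the original post: it moves an existing data directory while keeping the data, instead of re-initialising with mysql_install_db and deleting /var/lib/mysql. The paths are hypothetical and follow the Ubuntu layout (/etc/mysql/my.cnf, the AppArmor tunables file /etc/apparmor.d/tunables/alias, and the mysqld profile /etc/apparmor.d/usr.sbin.mysqld). The two helper functions work on plain files and are demonstrated on constructed ones; migrate_datadir needs root and a real server.

```shell
#!/bin/sh
# Added example (not from the original post): move the MySQL data directory
# while keeping the existing data. Hypothetical paths, Ubuntu file layout.

# Print a copy of a my.cnf with datadir in the [mysqld] section set to $2.
# A datadir line in another section is left alone; a missing line, or a
# missing [mysqld] section, is added.
set_datadir() {   # set_datadir <my.cnf> <new datadir>
    awk -v dir="$2" '
        /^[[:space:]]*\[/ {
            if (insec && !done) { print "datadir = " dir; done = 1 }
            insec = ($0 ~ /^[[:space:]]*\[mysqld\][[:space:]]*$/)
            if (insec) seen = 1
        }
        insec && /^[[:space:]]*datadir[[:space:]]*=/ {
            if (!done) { print "datadir = " dir; done = 1 }
            next                      # drop duplicates; MySQL uses the last one anyway
        }
        { print }
        END { if (!done) { if (!seen) print "[mysqld]"; print "datadir = " dir } }
    ' "$1"
}

# Append the AppArmor alias that makes the existing mysqld profile cover the
# new directory. Idempotent: the line is added only once.
add_apparmor_alias() {   # add_apparmor_alias <alias file> <old dir> <new dir>
    line="alias $2/ -> $3/,"
    grep -qxF "$line" "$1" 2>/dev/null || printf '%s\n' "$line" >> "$1"
}

# Full migration. Needs root; the old directory is kept as <old>.bak until
# you have verified that the server runs from the new one.
migrate_datadir() {   # migrate_datadir <old dir> <new dir>
    old=$1; new=$2; cnf=/etc/mysql/my.cnf
    service mysql stop
    mkdir -p "$new"
    cp -a "$old/." "$new/"                     # keeps ownership and permissions
    chown -R mysql:mysql "$new"
    set_datadir "$cnf" "$new" > "$cnf.tmp" && mv "$cnf.tmp" "$cnf"
    add_apparmor_alias /etc/apparmor.d/tunables/alias "$old" "$new"
    apparmor_parser -r /etc/apparmor.d/usr.sbin.mysqld
    mv "$old" "$old.bak"
    service mysql start
    mysql -u root -p -e 'SELECT @@datadir'    # should print the new path
}

# Demo on constructed files; no server involved.
demo=$(mktemp -d)
printf '[client]\nport = 3306\n[mysqld]\ndatadir = /var/lib/mysql\nbind-address = 127.0.0.1\n' > "$demo/my.cnf"
set_datadir "$demo/my.cnf" /data/mysql
add_apparmor_alias "$demo/alias" /var/lib/mysql /data/mysql
cat "$demo/alias"
```

Running the script prints the rewritten config followed by the alias line; on a real host call migrate_datadir /var/lib/mysql /data/mysql as root and remove the .bak directory only after the server has started cleanly and SELECT @@datadir shows the new path.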
Disabling remote access

$ sudo vi /etc/mysql/my.cnf
[mysqld]
datadir = /var/lib/mysql   # data directory (point this at the new path if you moved it, e.g. /data/mysql)
bind-address = 127.0.0.1   # accept TCP connections from this host only; alternatively
skip-networking            # disable TCP entirely (local clients still connect through the socket)
skip-show-database         # SHOW DATABASES only for accounts holding the SHOW DATABASES privilege
# optional:
local-infile = 0           # disable LOAD DATA LOCAL INFILE, which reads files on the client side

Note that local-infile governs only client-side file loading. Server-side reads such as SELECT load_file('/etc/passwd') are controlled by the FILE privilege and the secure_file_priv option, so grant FILE sparingly and restrict secure_file_priv to a dedicated directory.

Then restrict existing accounts to local connections. Check SELECT user, host FROM user first: the UPDATE below changes every account with host '%', including application users that legitimately connect from other hosts.

$ mysql -u root -p
mysql> use mysql
mysql> UPDATE user SET Host='localhost' WHERE Host='%';
mysql> FLUSH PRIVILEGES;   # required whenever the grant tables are edited directly
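To check that a my.cnf actually carries the settings above, here is an added example, not code from the original post: a small audit script that parses the [mysqld] section and lists what is still weak. It also checks the ssl-ca/ssl-cert/ssl-key options used in the SSL section further down. The option names are MySQL's own; the file names and the sample config are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the original post): audit the [mysqld] section of a
# my.cnf for the network-exposure settings discussed in this article.

# Print "key=value" lines from the [mysqld] section only. Comments and blank
# lines are dropped, whitespace around the key is removed, and '-' in keys is
# normalised to '_' because MySQL accepts both spellings. A bare option such
# as "skip-networking" is printed as "skip_networking=1".
mysqld_settings() {   # mysqld_settings <my.cnf>
    awk '
        /^[[:space:]]*\[/ { insec = ($0 ~ /^[[:space:]]*\[mysqld\][[:space:]]*$/); next }
        !insec || /^[[:space:]]*[#;]/ || !NF { next }
        {
            line = $0
            sub(/[[:space:]]*#.*$/, "", line)          # trailing comment
            n = index(line, "=")
            if (n) { key = substr(line, 1, n - 1); val = substr(line, n + 1) }
            else   { key = line; val = "1" }
            gsub(/[[:space:]]/, "", key); gsub(/-/, "_", key)
            sub(/^[[:space:]]+/, "", val); sub(/[[:space:]]+$/, "", val)
            if (key != "") print key "=" val
        }' "$1"
}

# Effective value of one option (the last occurrence wins, as in MySQL);
# empty when the option is not set.
setting() {   # setting <my.cnf> <option_with_underscores>
    mysqld_settings "$1" | awk -v k="$2" '
        index($0, k "=") == 1 { v = substr($0, length(k) + 2) }
        END { print v }'
}

# Print one "WEAK: ..." line per problem; the exit status is the number found.
audit_mycnf() {   # audit_mycnf <my.cnf>
    cnf=$1; issues=0
    bind=$(setting "$cnf" bind_address)
    if [ "$(setting "$cnf" skip_networking)" != "1" ] \
       && [ "$bind" != "127.0.0.1" ] && [ "$bind" != "::1" ] && [ "$bind" != "localhost" ]; then
        echo "WEAK: TCP listener not limited to loopback (bind-address=${bind:-unset, MySQL 5.x defaults to 0.0.0.0})"
        issues=$((issues + 1))
    fi
    if [ "$(setting "$cnf" skip_show_database)" != "1" ]; then
        echo "WEAK: skip-show-database not set (any account can list databases)"
        issues=$((issues + 1))
    fi
    case "$(setting "$cnf" local_infile)" in
        0|OFF|off|FALSE|false) ;;          # unset means ON in MySQL 5.x
        *) echo "WEAK: local-infile not disabled (LOAD DATA LOCAL INFILE reads client files)"
           issues=$((issues + 1)) ;;
    esac
    for opt in ssl_ca ssl_cert ssl_key; do
        if [ -z "$(setting "$cnf" "$opt")" ]; then
            echo "WEAK: $opt not configured (server cannot offer SSL)"
            issues=$((issues + 1))
        fi
    done
    return $issues
}

# Demo on a constructed config resembling an unhardened install.
demo=$(mktemp -d)
cat > "$demo/my.cnf" <<'EOF'
[client]
port = 3306
[mysqld]
datadir = /var/lib/mysql
bind-address = 0.0.0.0
local-infile = 1
EOF
audit_mycnf "$demo/my.cnf" || echo "$demo/my.cnf: $? weak setting(s)"
```

The exit status makes the function usable as a deployment check (audit_mycnf /etc/mysql/my.cnf || exit 1). It only reads the file it is given, so include files pulled in through !includedir have to be audited separately, and a runtime SHOW VARIABLES remains the final word on what the server actually applied.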
Account names

Remove the anonymous accounts and rename root. Both statements need the host part: a bare name such as DROP USER '' refers to ''@'%', whereas the accounts Ubuntu creates are ''@'localhost' and 'root'@'localhost'. Editing the mysql.user table directly requires FLUSH PRIVILEGES afterwards; DROP USER and RENAME USER do not.

mysql> DROP USER ''@'localhost';
# or
mysql> DELETE FROM user WHERE User='';
mysql> FLUSH PRIVILEGES;
mysql> RENAME USER 'root'@'localhost' TO 'newAdminUser'@'localhost';
# or
mysql> UPDATE user SET User='newAdminUser' WHERE User='root';
mysql> FLUSH PRIVILEGES;

Passwords

mysql> UPDATE user SET Password=PASSWORD('newPassWord') WHERE User='user';   # MySQL 5.5/5.6; sets the hash for every host of that user
# or
mysql> SET PASSWORD FOR 'username'@'hostname' = PASSWORD('newpass');
mysql> SELECT user, host, password FROM user;
mysql> FLUSH PRIVILEGES;
# or, from the shell (omit the new password on the command line and mysqladmin prompts for it, keeping it out of shell history and ps output)
$ mysqladmin -u username -p password

The Password column and the PASSWORD() function are specific to the 5.5/5.6 grant tables (the column became authentication_string in 5.7 and PASSWORD() was removed in 8.0); on newer servers use ALTER USER instead.
Clearing the command history

The mysql client records every statement it executes in .mysql_history in the current user's home directory, which can include passwords from SET PASSWORD or GRANT ... IDENTIFIED BY statements.

$ cat /dev/null > ~/.mysql_history

Emptying the file is a one-off fix; to keep it from being written at all, replace ~/.mysql_history with a symlink to /dev/null or set the MYSQL_HISTFILE environment variable to /dev/null.
Using logs

MySQL has an error log, a slow query log, a general query log and the binary log; by default only the error log is written. In production, enable logs selectively so that they do not add unnecessary load: the general log records every statement and is expensive on a busy server, while the error log and slow query log are cheap and worth keeping. The general log stores statements verbatim (MySQL 5.5 includes passwords from GRANT and SET PASSWORD; 5.6 and later rewrite them unless --log-raw is set), so restrict its file permissions.

Configuration file

$ sudo vi /etc/mysql/my.cnf
log_error = /var/log/mysql/error.log
#general_log_file = /var/log/mysql/mysql.log
#log_slow_queries = /var/log/mysql/mysql-slow.log   # MySQL 5.5 name; from 5.6 use slow_query_log = 1 and slow_query_log_file
#log_bin = /var/log/mysql/mysql-bin.log
#general_log = 1
#long_query_time = 2
#log-queries-not-using-indexes

Related files on Ubuntu: /etc/mysql/conf.d/mysqld_safe_syslog.cnf (sends mysqld_safe output to syslog) and /etc/logrotate.d/mysql-server (log rotation).

Checking the configuration

$ sudo service mysql restart
mysql> SHOW VARIABLES LIKE '%log%';

Toggling at runtime

mysql> SET GLOBAL general_log = 'ON';
mysql> SET GLOBAL general_log = 'OFF';
mysql> SET GLOBAL slow_query_log = 'ON';
mysql> SET GLOBAL slow_query_log = 'OFF';

Log file locations

/var/lib/mysql/{host_name}.log
/var/lib/mysql/{host_name}.err
/var/lib/mysql/{host_name}-slow.log
/var/log/mysql.err - MySQL error log file
/var/log/mysql.log - MySQL general log file
$ sudo ls -l /var/log/mysql*

Watching the logs

$ grep 'something' /var/log/mysql.err
$ tail -f /var/log/mysql/mysql.log
$ tail -f /var/log/mysql.err
$ tail -f /var/log/syslog
$ less /var/log/mysql.err
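Beyond tailing the files, the general log is where the effect of the hardening above becomes visible. The script below is an added example, not code from the original post: it scans a general query log for statements the earlier settings are meant to stop (file access functions, LOAD DATA, SHOW DATABASES) and counts failed connection attempts. The log lines at the bottom are constructed for the demo in the MySQL 5.5 layout "<timestamp><tab><thread id> <command><tab><argument>" (same-second entries omit the timestamp; 5.7's ISO timestamps parse the same way).

```shell
#!/bin/sh
# Added example (not from the original post): flag risky statements and
# failed logins in a MySQL general query log. Sample log is constructed.

# Statement fragments worth an alert, matched case-insensitively. "into
# outfile"/"dumpfile" are the write-side siblings of load_file().
RISKY='load_file[(]|into (out|dump)file|load data|show databases'

# Output: one "RISKY<tab><thread id><tab><statement>" line per hit, then a
# final "DENIED<tab><count>" line with the number of "Access denied" connects.
flag_risky_queries() {   # flag_risky_queries <general log>
    awk -F'\t' -v risky="$RISKY" '
        function flush() {
            if (tid == "") return
            if (cmd == "Query" && tolower(stmt) ~ risky) print "RISKY\t" tid "\t" stmt
            if (cmd == "Connect" && stmt ~ /^Access denied/) denied++
            tid = ""
        }
        {
            # The "<id> <Command>" field is the 2nd tab field, or the 3rd when
            # the timestamp is omitted on a same-second line.
            idx = 0
            for (i = 2; i <= 3 && i <= NF; i++)
                if ($i ~ /^ *[0-9]+ [A-Za-z]+( [A-Za-z]+)?$/) { idx = i; break }
        }
        idx && NF > idx {
            flush()
            split($idx, p, " "); tid = p[1]; cmd = p[2]
            stmt = $(idx + 1)
            for (i = idx + 2; i <= NF; i++) stmt = stmt "\t" $i
            next
        }
        tid != "" { stmt = stmt " " $0 }   # continuation line of a multi-line statement
        END { flush(); print "DENIED\t" denied + 0 }
    ' "$1"
}

# Constructed sample (not real traffic): one benign query, two failed logins,
# a server-side file read, a client-side file load spanning two lines, and
# a database listing.
sample=$(mktemp)
{
  printf "130125 12:34:56\t   12 Connect\tapp@localhost on shop\n"
  printf "\t\t   12 Query\tSELECT id, total FROM orders WHERE id = 7\n"
  printf "130125 12:34:57\t   13 Connect\tAccess denied for user 'admin'@'10.0.0.5' (using password: YES)\n"
  printf "\t\t   14 Connect\tAccess denied for user 'admin'@'10.0.0.5' (using password: YES)\n"
  printf "130125 12:35:01\t   12 Query\tSELECT load_file('/etc/passwd')\n"
  printf "\t\t   12 Query\tLOAD DATA LOCAL INFILE '/tmp/x.csv'\n"
  printf "INTO TABLE staging\n"
  printf "\t\t   12 Query\tSHOW DATABASES\n"
  printf "\t\t   12 Quit\t\n"
} > "$sample"
flag_risky_queries "$sample"
```

On the sample this prints three RISKY lines for thread 12 (the multi-line LOAD DATA statement is joined into one) and DENIED 2. Pipe a live file through it with tail -f /var/log/mysql/mysql.log | flag_risky_queries /dev/stdin, keeping in mind that a line flagged here was already executed; the point is to confirm that the privilege and local-infile settings hold, and to spot password guessing against the listener.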
Reference: http://www.pontikis.net/blog/how-and-when-to-enable-mysql-logs
Using SSL connections

Checking SSL status

mysql> SHOW VARIABLES LIKE '%ssl%';
mysql> \s

have_ssl reads DISABLED until certificates are configured. Ubuntu's AppArmor profile for mysqld already permits reading .pem files in /etc/mysql, so that is where the certificates go:

$ cat /etc/apparmor.d/usr.sbin.mysqld
...
  /etc/mysql/*.pem r,

Creating the SSL certificates

When openssl prompts for the subject, give the CA a Common Name that differs from the Common Name of the server and client certificates; MySQL refuses to use a certificate whose CN matches its issuer's. Give the server and client certificates different serial numbers (01 and 02 below), since two certificates issued by the same CA must not share one. The openssl rsa step rewrites each key in the plain PEM form expected by MySQL builds linked against yaSSL.

$ sudo su -
# cd /etc/mysql
# openssl genrsa 2048 > ca-key.pem
# openssl req -new -x509 -nodes -days 3600 \
    -key ca-key.pem -out ca-cert.pem
# openssl req -newkey rsa:2048 -days 3600 \
    -nodes -keyout server-key.pem -out server-req.pem
# openssl rsa -in server-key.pem -out server-key.pem
# openssl x509 -req -in server-req.pem -days 3600 \
    -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 -out server-cert.pem
# openssl req -newkey rsa:2048 -days 3600 \
    -nodes -keyout client-key.pem -out client-req.pem
# openssl rsa -in client-key.pem -out client-key.pem
# openssl x509 -req -in client-req.pem -days 3600 \
    -CA ca-cert.pem -CAkey ca-key.pem -set_serial 02 -out client-cert.pem
# openssl verify -CAfile ca-cert.pem server-cert.pem client-cert.pem

Afterwards lock the keys down: server-key.pem should be readable only by the mysql user, client-key.pem only by the account that connects, and ca-key.pem is needed only to sign further certificates, so keep it off the database host once the certificates exist.
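The same procedure without interactive prompts, as an added example that is not code from the original post or the MySQL manual: it generates the CA, server and client certificates with distinct Common Names and serial numbers, then verifies the chain and the CN rule described above. The Common Names, the output directory and the helper names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original post): non-interactive version of the
# certificate procedure above, with checks. Hypothetical CNs and paths.

# make_mysql_certs <output dir> [server CN] [client CN]
# The body runs in a subshell so umask and cd do not leak into the caller.
make_mysql_certs() (
    dir=$1; server_cn=${2:-db.example.internal}; client_cn=${3:-app-client}
    mkdir -p "$dir" && cd "$dir" || return 1
    umask 077                                   # private keys are created mode 600

    # CA. Its CN must differ from the server and client CNs or MySQL rejects the chain.
    openssl genrsa -out ca-key.pem 2048 2>/dev/null
    openssl req -new -x509 -nodes -days 3600 -key ca-key.pem \
        -subj "/CN=MySQL-Example-CA" -out ca-cert.pem

    # Server and client: own key, request and serial number (01 and 02).
    serial=1
    for name in server client; do
        cn=$server_cn; [ "$name" = client ] && cn=$client_cn
        openssl req -newkey rsa:2048 -nodes -keyout "$name-key.pem" \
            -subj "/CN=$cn" -out "$name-req.pem" 2>/dev/null
        # Rewrite the key as plain PEM, as the manual does (add -traditional on
        # OpenSSL 3 if a yaSSL-based build needs the PKCS#1 "RSA PRIVATE KEY" form).
        openssl rsa -in "$name-key.pem" -out "$name-key.pem" 2>/dev/null
        openssl x509 -req -in "$name-req.pem" -days 3600 -CA ca-cert.pem -CAkey ca-key.pem \
            -set_serial "$serial" -out "$name-cert.pem" 2>/dev/null
        serial=$((serial + 1))
    done
    chmod 644 ca-cert.pem server-cert.pem client-cert.pem   # certificates are public
    openssl verify -CAfile ca-cert.pem server-cert.pem client-cert.pem
)

# Subject CN of a certificate, e.g. "db.example.internal".
cert_cn() {   # cert_cn <cert.pem>
    openssl x509 -noout -subject -nameopt RFC2253 -in "$1" | sed 's/^subject= *//; s/^CN=//'
}

# Serial number as openssl prints it, e.g. "01".
cert_serial() {   # cert_serial <cert.pem>
    openssl x509 -noout -serial -in "$1" | sed 's/^serial=//'
}

# Succeeds only when CA, server and client CNs are pairwise distinct.
check_distinct_cn() {   # check_distinct_cn <dir>
    ca=$(cert_cn "$1/ca-cert.pem"); srv=$(cert_cn "$1/server-cert.pem"); cli=$(cert_cn "$1/client-cert.pem")
    [ "$ca" != "$srv" ] && [ "$ca" != "$cli" ] && [ "$srv" != "$cli" ]
}

# Demo into a temporary directory. On a real host use /etc/mysql (allowed by
# the AppArmor profile) and chown server-key.pem to the mysql user.
out=$(mktemp -d)
make_mysql_certs "$out" && check_distinct_cn "$out" && echo "certificates written to $out"
```

The server CN should be the host name clients will connect to, because the client-side ssl-verify-server-cert option (covered below) compares the two. The script deliberately leaves ca-key.pem in the output directory so that more client certificates can be signed; move it somewhere safer before the directory is copied onto the database host.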
Server configuration

$ sudo vi /etc/mysql/my.cnf
[mysqld]
ssl-ca=/etc/mysql/ca-cert.pem
ssl-cert=/etc/mysql/server-cert.pem
ssl-key=/etc/mysql/server-key.pem

# restart MySQL
$ sudo service mysql restart

# create an account that must use SSL
mysql> GRANT ALL PRIVILEGES ON *.* TO 'ssluser'@'%' IDENTIFIED BY 'pass' REQUIRE SSL;

REQUIRE SSL only enforces that the connection is encrypted. To require a client certificate signed by your CA use REQUIRE X509, or REQUIRE SUBJECT / REQUIRE ISSUER to pin a particular certificate. Grant the account only the privileges it needs rather than ALL on *.*, and remember that an '@'%' account is reachable from other hosts only if bind-address above is changed from 127.0.0.1.

Client configuration

$ sudo vi /etc/mysql/my.cnf
[client]
ssl-ca=/etc/mysql/ca-cert.pem
ssl-cert=/etc/mysql/client-cert.pem
ssl-key=/etc/mysql/client-key.pem

$ mysql -u ssluser -p -sss -e '\s' | grep SSL

Without ssl-verify-server-cert the client encrypts the session but does not check that the server certificate's Common Name matches the host it connected to, so add that option (in the [client] section or on the command line) whenever the connection crosses a network.

Reference: http://dev.mysql.com/doc/refman/5.5/en/creating-ssl-certs.html

Remote access over SSH

MySQL Workbench is the database management tool provided by MySQL: free, cross-platform, with support for data modelling, for both MySQL and MariaDB, and for reaching a remote server through an SSH tunnel, so it works even when MySQL is configured for local access only. phpMyAdmin can of course still be used to manage the database.