MariaDB Security

時間 2019-11-12

標籤 mariadb security 简体版

原文原文鏈接

MariaDB Security

mysql_secure_installation腳本node

文件系統權限mysql

tree -puga /opt/mariadb/data/linux

chown -R mysql: /opt/mariadbsql

chmod -R 700 /opt/mariadb數據庫

檢查不安全的密碼centos

SELECT @@old_passwords; 安全

(jlive)[isfdb]>SELECT @@old_passwords;服務器

+-----------------+session

| @@old_passwords |測試

+-----------------+

| 0 |

+-----------------+

1 row in set (0.00 sec)

SELECT Host,User,Password FROM mysql.user;

(jlive)[isfdb]>SELECT Host,User,Password FROM mysql.user;

+-----------+--------+-------------------------------------------+

| Host | User | Password |

+-----------+--------+-------------------------------------------+

| localhost | root | *81F5E21E35407D884A6CD4A731AEBFB6AF209E1B |

| localhost | zabbix | *DEEF4D7D88CD046ECA02A80393B7780A63E7E789 |

| 127.0.0.1 | root | |

| ::1 | root | |

| % | jlive | *C15A2384C61922FBA3DA581D4AD9FF66EA0BEEB3 |

| localhost | foo | |

| localhost | sphinx | *8C702E15DB075B6094596B9AEED93BCC0230A98B |

+-----------+--------+-------------------------------------------+

7 rows in set (0.15 sec)

注意：檢查密碼爲空或少於16位的用戶

SSL加密

說明:能夠用權威CA簽發的SSL證書，這裏建立自簽名證書

1.建立CA

a.生成CA私鑰(key)

root@jlive:ssl_tmp#openssl genrsa -out mariadb-ca.key 4096

Generating RSA private key, 4096 bit long modulus

.......................................................++

..............................................................................................................................................................................................................................................................................................................................................++

e is 65537 (0x10001)

b.經過CA私鑰簽發自簽名CA公鑰(pem)

root@jlive:ssl_tmp#openssl req -x509 -new -nodes -days 9999 -key mariadb-ca.key -out mariadb-ca.pem

You are about to be asked to enter information that will be incorporated

into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value,

If you enter '.', the field will be left blank.

-----

Country Name (2 letter code) [XX]:CN

State or Province Name (full name) []:Shanghai

Locality Name (eg, city) [Default City]:Shanghai

Organization Name (eg, company) [Default Company Ltd]:ca.cert.com, Ltd.

Organizational Unit Name (eg, section) []:CA

Common Name (eg, your name or your server's hostname) []:ca.example.com

Email Address []:ca@example.com

作實驗能夠隨便填

2.建立服務器證書

a.生成服務器私鑰(key)

root@jlive:ssl_tmp#openssl genrsa -out mariadb-server.key 4096

Generating RSA private key, 4096 bit long modulus

..........................++

...++

e is 65537 (0x10001)

b.經過服務器私鑰生成證書請求文件(csr)

root@jlive:ssl_tmp#openssl req -new -key mariadb-server.key -out mariadb-server.csr

You are about to be asked to enter information that will be incorporated

into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value,

If you enter '.', the field will be left blank.

-----

Country Name (2 letter code) [XX]:CN

State or Province Name (full name) []:Shanghai

Locality Name (eg, city) [Default City]:Shanghai

Organization Name (eg, company) [Default Company Ltd]:Tencent.com, Ltd.

Organizational Unit Name (eg, section) []:Development

Common Name (eg, your name or your server's hostname) []:jlive.example.com

Email Address []:jlive@localhost

Please enter the following 'extra' attributes

to be sent with your certificate request

A challenge password []:

An optional company name []:

提示:密碼可選

c.CA簽發服務器公鑰(pem)

root@jlive:ssl_tmp#openssl x509 -req -set_serial 01 -days 9999 -CA mariadb-ca.pem -CAkey mariadb-ca.key -in mariadb-server.csr -out mariadb-server.pem

Signature ok

subject=/C=CN/ST=Shanghai/L=Shanghai/O=Tencent.com, Ltd./OU=Development/CN=jlive.example.com/emailAddress=jlive@localhost

Getting CA Private Key

提示：有些ssl加密通訊須要指定服務器證書的Common Name,如：grafana

server_cert_name = jlive.example.com

3.建立客戶端證書

a.生成客戶端私鑰(key)

root@jlive:ssl_tmp#openssl genrsa -out mariadb-client.key 4096

Generating RSA private key, 4096 bit long modulus

.....................................................................................................++

e is 65537 (0x10001)

b.經過客戶端私鑰生成證書請求文件(csr)

root@jlive:ssl_tmp#openssl req -new -key mariadb-client.key -out mariadb-client.csr

You are about to be asked to enter information that will be incorporated

into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value,

If you enter '.', the field will be left blank.

-----

Country Name (2 letter code) [XX]:CN

State or Province Name (full name) []:Shanghai

Locality Name (eg, city) [Default City]:Shanghai

Organization Name (eg, company) [Default Company Ltd]:client.example.com, Ltd.

Organizational Unit Name (eg, section) []:Development

Common Name (eg, your name or your server's hostname) []:client.example.com

Email Address []:client@example.com

Please enter the following 'extra' attributes

to be sent with your certificate request

A challenge password []:

An optional company name []:

c.CA簽發客戶端證書(pem)

root@jlive:ssl_tmp#openssl x509 -req -set_serial 02 -days 9999 -CA mariadb-ca.pem -CAkey mariadb-ca.key -in mariadb-client.csr -out mariadb-client.pem

Signature ok

subject=/C=CN/ST=Shanghai/L=Shanghai/O=client.example.com, Ltd./OU=Development/CN=client.example.com/emailAddress=client@example.com

Getting CA Private Key

4.配置SSL認證

說明:將公私鑰放到指定目錄，這裏放在/opt/mariadb目錄下

[mysqld]

ssl-ca=/opt/mariadb/mariadb-ca.pem

ssl-key=/opt/mariadb/mariadb-server.key

ssl-cert=/opt/mariadb/mariadb-server.pem

[mysql]

ssl-ca=/opt/mariadb/mariadb-ca.pem

ssl-key=/opt/mariadb/mariadb-client.key

ssl-cert=/opt/mariadb/mariadb-client.pem

改完配置後重啓纔會生效

root@jlive:~#/etc/init.d/mysql restart

Restarting mysql (via systemctl): [ 肯定 ]

5.測試

https://mariadb.com/kb/en/ssl-server-system-variables/

查看狀態

STATUS;

SHOW VARIABLES LIKE 'have_ssl';

SHOW STATUS LIKE 'Ssl%';

root@jlive:~#mysql -uroot -p

Enter password:

Welcome to the MariaDB monitor. Commands end with ; or \g.

Your MariaDB connection id is 23

Server version: 10.1.13-MariaDB MariaDB Server

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [(none)]> SHOW VARIABLES LIKE 'have_ssl';

+---------------+-------+

| Variable_name | Value |

+---------------+-------+

| have_ssl | YES |

+---------------+-------+

1 row in set (0.00 sec)

MariaDB [(none)]> SHOW STATUS LIKE 'Ssl%';

+--------------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+

| Variable_name | Value |

| Ssl_accept_renegotiates | 0 |

| Ssl_accepts | 0 |

| Ssl_callback_cache_hits | 0 |

| Ssl_cipher | DHE-RSA-AES256-SHA |

| Ssl_cipher_list | DHE-RSA-AES256-SHA:AES256-SHA:DHE-RSA-AES128-SHA:AES128-SHA:AES256-RMD:AES128-RMD:DES-CBC3-RMD:DHE-RSA-AES256-RMD:DHE-RSA-AES128-RMD:DHE-RSA-DES-CBC3-RMD:RC4-SHA:RC4-MD5:DES-CBC3-SHA:DES-CBC-SHA:EDH-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC-SHA |

| Ssl_client_connects | 0

... ...

25 rows in set (0.01 sec)

建立用戶，強制SSL認證

GRANT ALL on test.* TO 'ssluser'@'localhost'

IDENTIFIED BY 'ssluserpassword'

REQUIRE SSL;

或者嚴格限制簽發客戶端ISSUER

GRANT ALL on test.* TO 'ssluser'@'localhost'

IDENTIFIED BY 'ssluserpassword'

REQUIRE ISSUER '/C=CN/ST=Shanghai/L=Shanghai/O=client.example.com, Ltd./OU=Development/CN=client.example.com/emailAddress=client@example.com'

AND CIPHER 'ECDHE-RSA-AES256-GCM-SHA384';

root@jlive:~#mysql -u ssluser -p test

Enter password:

Welcome to the MariaDB monitor. Commands end with ; or \g.

Your MariaDB connection id is 40

Server version: 10.1.13-MariaDB MariaDB Server

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [test]> SHOW STATUS LIKE 'Ssl_session%';

+-----------------------------+---------+

| Variable_name | Value |

+-----------------------------+---------+

| Ssl_session_cache_hits | 0 |

| Ssl_session_cache_misses | 0 |

| Ssl_session_cache_mode | Unknown |

| Ssl_session_cache_overflows | 0 |

| Ssl_session_cache_size | 0 |

| Ssl_session_cache_timeouts | 0 |

| Ssl_sessions_reused | 0 |

+-----------------------------+---------+

7 rows in set (0.00 sec)

MariaDB [test]> QUIT

Bye

root@jlive:~#mysql -u ssluser -p --skip-ssl test

Enter password:

ERROR 1045 (28000): Access denied for user 'ssluser'@'localhost' (using password: YES)

鏈接時還能夠經過參數來指定客戶端證書路徑

mysql -u ssluser –ssl-ca=/opt/mariadb/mariadb-ca.pem \

--ssl-key=/opt/mariadb/mariadb-client.key \

--ssl-cert=/opt/mariadb/mariadb-client.pem test

角色控制

https://mariadb.com/kb/en/roles/

1.建立角色並受權

CREATE DATABASE IF NOT EXISTS test;

CREATE ROLE read_only;

GRANT SELECT ON test.* TO read_only;

GRANT USAGE ON test.* TO read_only;

SHOW GRANTS FOR read_only;

MariaDB [(none)]> SHOW GRANTS FOR read_only;

+-----------------------------------------+

| Grants for read_only |

+-----------------------------------------+

| GRANT USAGE ON *.* TO 'read_only' |

| GRANT SELECT ON `test`.* TO 'read_only' |

+-----------------------------------------+

2 rows in set (0.00 sec)

2.將角色賦予某個用戶

CREATE USER test_user@'localhost' IDENTIFIED BY 'testpassword';

SHOW GRANTS FOR test_user@'localhost';

GRANT read_only TO test_user@'localhost';

SHOW GRANTS FOR test_user@'localhost';

MariaDB [(none)]> SHOW GRANTS FOR test_user@'localhost';

+------------------------------------------------------------------------------------------------------------------+

| Grants for test_user@localhost |

+------------------------------------------------------------------------------------------------------------------+

| GRANT read_only TO 'test_user'@'localhost' |

| GRANT USAGE ON *.* TO 'test_user'@'localhost' IDENTIFIED BY PASSWORD '*9F69E47E519D9CA02116BF5796684F7D0D45F8FA' |

+------------------------------------------------------------------------------------------------------------------+

2 rows in set (0.00 sec)

3.測試

root@jlive:~#mysql -u test_user -p

Enter password:

Welcome to the MariaDB monitor. Commands end with ; or \g.

Your MariaDB connection id is 67

Server version: 10.1.13-MariaDB MariaDB Server

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [(none)]> USE test;

ERROR 1044 (42000): Access denied for user 'test_user'@'localhost' to database 'test'

MariaDB [(none)]> SET ROLE read_only;

Query OK, 0 rows affected (0.00 sec)

MariaDB [(none)]> USE test;

Database changed

MariaDB [test]> SELECT current_role();

+----------------+

| current_role() |

+----------------+

| read_only |

+----------------+

1 row in set (0.00 sec)

MariaDB [test]> SELECT current_user();

+---------------------+

| current_user() |

+---------------------+

| test_user@localhost |

+---------------------+

1 row in set (0.00 sec)

MariaDB [test]> SHOW GRANTS;

+------------------------------------------------------------------------------------------------------------------+

| Grants for test_user@localhost |

+------------------------------------------------------------------------------------------------------------------+

| GRANT read_only TO 'test_user'@'localhost' |

| GRANT USAGE ON *.* TO 'test_user'@'localhost' IDENTIFIED BY PASSWORD '*9F69E47E519D9CA02116BF5796684F7D0D45F8FA' |

| GRANT USAGE ON *.* TO 'read_only' |

| GRANT SELECT ON `test`.* TO 'read_only' |

+------------------------------------------------------------------------------------------------------------------+

4 rows in set (0.00 sec)

PAM認證

https://mariadb.com/kb/en/pam-authentication-plugin/

以CentOS 7.1 x64爲例

1.建立本地用戶

useradd -s /sbin/nologin pamuser

echo pamuser:pampassword|chpasswd

2.安裝pam認證插件

INSTALL SONAME 'auth_pam';

pam | ACTIVE | AUTHENTICATION | auth_pam.so | GPL

3.建立數據庫用戶並指定pam認證

CREATE USER pamuser@'localhost' IDENTIFIED VIA pam USING 'password-auth';

GRANT ALL ON test.* TO pamuser@'localhost';

FLUSH PRIVILEGES;

說明:'password-auth'是linux本地PAM模塊名稱，不一樣的發行版可能有些區別，centos7中password-auth會調用/etc/shadow中的密碼進行認證，還支持LDAP,Active Directory,smart cards,biometric scanner等認證

4.測試

root@jlive:~#mysql -upamuser

ERROR 2059 (HY000): Authentication plugin 'dialog' cannot be loaded: /usr/local/mysql/lib/plugin/dialog.so: cannot open shared object file: No such file or directory

root@jlive:~#ln -s /opt/mariadb /usr/local/mysql

root@jlive:~#ls /usr/local/mysql/lib/plugin/dialog.so

/usr/local/mysql/lib/plugin/dialog.so*

root@jlive:~#mysql -upamuser

[mariadb] Password:

ERROR 1045 (28000): Access denied for user 'pamuser'@'localhost' (using password: NO)

不過測試尚未成功，有待後續進一步研究