当前位置: 代码迷 >> MySQL >> 增强MySQL用户安全
  详细解决方案

增强MySQL用户安全

热度:188   发布时间:2016-05-05 16:40:49.0
加强MySQL用户安全
     很多亲们在安装好了MySQL数据库之后,对于mysql用户表并没有做任何特殊的处理,因此缺省情况下,存在密码为空的用户,也有很多用户名和密码都为空的情形,我们称之为双空用户。这种情形下的登录,在此统称为异常登陆。对于生产环境的数据库来说,这会带来一些不确定的安全隐患。下面是关于这个问题的描述以及清理掉无关用户的方法。
    有关mysql用户相关参考:
MySQL 用户与权限管理
MySQL 修改用户密码及重置root密码

1、演示异常登录
a、演示双空用户登陆[[email protected] ~]# mysql -uroot -pEnter password: ([email protected]) [(none)]> show variables like 'version';+---------------+--------+| Variable_name | Value  |+---------------+--------+| version       | 5.6.26 |+---------------+--------+([email protected]) [(none)]> select user,host,password from mysql.user;+-------+-------------+-------------------------------------------+| user  | host        | password                                  |+-------+-------------+-------------------------------------------+| root  | localhost   | *E74858DB86EBA20BC33D0AECAE8A8108C56B17FA || root  | xlkoracel   |                                           || root  | 127.0.0.1   |                                           || root  | ::1         |                                           ||       | localhost   |                                           ||       | xlkoracel   |                                           || mycat | localhost   | *975B2CD4FF9AE554FE8AD33168FBFC326D2021DD || mycat | 192.168.1.% | *975B2CD4FF9AE554FE8AD33168FBFC326D2021DD || mycat | 192.168.%.% | *975B2CD4FF9AE554FE8AD33168FBFC326D2021DD || root  | 192.168.%.% | *E74858DB86EBA20BC33D0AECAE8A8108C56B17FA |+-------+-------------+-------------------------------------------+([email protected]) [(none)]> -- 可以看到存在用户名和密码同时为空的情形([email protected]) [(none)]> -- 退出后尝试使用任意用户名登录([email protected]) [(none)]> exitBye[[email protected] ~]# mysql -uxx ###无需指定密码参数-p([email protected]) [(none)]> -- 可以成功登陆([email protected]) [(none)]> -- 下面查看一下自身的权限([email protected]) [(none)]> show grants;  --当前只有usage权限+--------------------------------------+| Grants for @localhost                |+--------------------------------------+| GRANT USAGE ON *.* TO ''@'localhost' |+--------------------------------------+([email protected]) [(none)]> show databases;+--------------------+| Database           |+--------------------+| information_schema || test               |+--------------------+([email protected]) [(none)]> use test;Database changed([email protected]) [test]> show tables;Empty set (0.00 sec)([email protected]) [test]> create table t(id int);Query OK, 0 rows affected (0.14 sec)([email protected]) [test]> insert into t values(1);Query OK, 1 row affected (0.01 sec)([email protected]) [test]> select * from t;+------+| id   |+------+|    1 |+------+1 row in set (0.00 sec)([email protected]) [test]> --从上可以看出,usage权限已经可以完成很多任务([email protected]) [test]> use infromation_schema;ERROR 1044 (42000): Access denied for user ''@'localhost' to database 'infromation_schema'([email protected]) [test]> exit;b、演示密码为空的用户登陆[[email protected] ~]# mysql -uroot -hxlkoracel  ###注,此时也无需指定参数-p  ([email protected]) [(none)]> --可以成功登陆([email protected]) [(none)]> show grants;   --查看自身权限,为ALL PRIVILEGES,权限更大+---------------------------------------------------------------------+| Grants for [email protected]                                           |+---------------------------------------------------------------------+| GRANT ALL PRIVILEGES ON *.* TO 'root'@'xlkoracel' WITH GRANT OPTION || GRANT PROXY ON ''@'' TO 'root'@'xlkoracel' WITH GRANT OPTION        |+---------------------------------------------------------------------+
2、清理异常用户
[[email protected] ~]# mysql -uroot -pEnter password: ([email protected]) [(none)]> select user,host,password from mysql.user    -> where (user is null or user='') and (password is null or password='');+------+-----------+----------+| user | host      | password |+------+-----------+----------+|      | localhost |          ||      | xlkoracel |          |+------+-----------+----------+2 rows in set (0.01 sec)([email protected]) [(none)]> -- Author : Leshami([email protected]) [(none)]> -- Blog   : http://blog.csdn.net/leshami([email protected]) [(none)]> -- 使用drop 方式清理用户([email protected]) [(none)]> drop user ''@'localhost';Query OK, 0 rows affected (0.24 sec)([email protected]) [(none)]> select user,host,password from mysql.user    -> where (user is null or user='') and (password is null or password='');+------+-----------+----------+| user | host      | password |+------+-----------+----------+|      | xlkoracel |          |+------+-----------+----------+1 row in set (0.00 sec)([email protected]) [(none)]> -- 直接用delete从mysql.user表清理用户([email protected]) [(none)]> delete from mysql.user    -> where (user is null or user='') and (password is null or password='');Query OK, 1 row affected (0.06 sec)([email protected]) [(none)]> -- 直接用delete从mysql.user表清理所有密码为空的用户([email protected]) [(none)]> delete from mysql.user where password is null or password='';Query OK, 3 rows affected (0.00 sec)

3、小结
a、对于部署到生产环境的mysql服务器建议清理所有密码为空的用户以及双空用户
b、建议清理前先备份,使用drop user方式来清理用户更稳妥

版权声明:本文为博主原创文章,未经博主允许不得转载。

1楼mayfla4天前 19:29
安全很重要
  相关解决方案

代码迷 - 您身边的软件异常,代码异常,编程异常助手(发现,解决,分享)
Copyright © 2009-2013 DAIMAMI.COM. All rights reserved.