MySQL security considerations: a MySQL security policy

  • 2021-01-18 06:41:42
  • OfStack

Introduction

MySQL is used in more and more businesses, and in critical businesses the data security requirements are higher. How do we ensure the security of MySQL data?

Relying only on the MySQL application level for data security is clearly not enough; protection is needed at multiple levels, including the network, the system, the logic/application layer and the database layer.
Here are some security policies we can draw on.

1. Network and system level

There is a lot that can be done at this level. We can treat these security requirements as standard requirements for installing new systems and build them into the automated installation scheme.

Put the server running MySQL on the intranet and do not expose it to the public network;
If you must expose it to the public network, change the sshd port to 10000 or above;
Set a firewall policy that allows only trusted servers to connect to the sshd and MySQL ports;

Change the iDRAC/IMM password and set a GRUB password;

Set a password security policy, for example PASS_MIN_LEN no less than 8 characters; in practice it is best to take the MD5 of a complex password and use that as the actual password, since a 32-character length is secure enough;

Record operation logs to syslog and forward them to a remote log server; never store them only locally;

Apart from the necessary accounts, set all other accounts to have no login permission;

Try to keep the server running MySQL separate from the web server and app server; the process owners of the web server and app server must not have direct access to the MySQL datadir;

Disable the autoindex configuration at the server layer;

If possible, use https instead of http;

Keep key applications up to date to avoid the vulnerability risk of old versions;

Set security policies for nginx, php and other application services, for example by disabling dangerous functions;

Consider buying security protection, scanners and other products offered by service providers;

Never upload key configuration files to the public network (for example, company project code pushed to github as a personal project that contains intranet account and password information).

2. Logic application layer

At this level, much depends on the security awareness of operators and developers. Many low-level security vulnerabilities that could have been avoided can be dealt with at this level, such as the XSS, CSRF and SQL injection vulnerabilities mentioned below.
Try not to run open source CMS, blog, forum and similar software on the public network unless you have done a code security audit or have a security policy in place. Such systems are usually the focus of attackers' research and are easily compromised;

At the web server layer, you can use security modules, such as the WAF module for nginx;

At the app server layer, code security audits and security scans can be done to prevent XSS attacks, CSRF attacks, SQL injection, file upload attacks, cookie check bypasses and other security vulnerabilities;

For applications that involve account passwords, such as JDBC connection string configuration, try to store the password encrypted rather than in plaintext and decrypt it with an internal private decryption tool. Alternatively, let the application first connect to a proxy layer with an intermediate account and have the proxy connect to MySQL, avoiding a direct connection from the application layer to MySQL.

Enable key logging at the application layer, such as transaction logging, to facilitate subsequent reconciliation.

3. MySQL database layer

If the preceding layers are not secure enough, this layer is almost certainly at risk. But there are still things we can do.

Enable the safe-update option to prevent whole-table data from being modified by statements without a WHERE condition;

Lengthen the binlog retention period to facilitate subsequent auditing and review;

Grant only the SELECT, UPDATE, INSERT and DELETE privileges that are actually needed, and change logic that would require DELETE privileges to use UPDATE instead, avoiding physical deletion;

Where real deletion is needed, have the DBA take a backup first and then delete physically;

Percona's SQL audit plugin can be used, and McAfee is said to offer a plugin as well;

Triggers can also be used for auxiliary functions, such as preventing attackers from maliciously tampering with data.
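The database-layer measures above (least-privilege application account, logical deletion via UPDATE, safe-update mode, longer binlog retention, and a tamper-guard trigger), worked through as an added example that is not part of the original article. The database appdb, the orders table with its id primary key and status/amount columns, and the account app@'10.0.0.%' are assumed names; MySQL 8.0 syntax (SET PERSIST, binlog_expire_logs_seconds) is assumed.

```sql
-- Added example, not from the original article. Assumed: database appdb,
-- table appdb.orders (id PRIMARY KEY, status, amount), account app@'10.0.0.%'.

-- 1. Application account with least privilege: no DELETE, no DDL,
--    and only reachable from the trusted application subnet.
CREATE USER 'app'@'10.0.0.%' IDENTIFIED BY '<PASSWORD-FROM-SECRET-STORE>';
GRANT SELECT, INSERT, UPDATE ON appdb.* TO 'app'@'10.0.0.%';

-- 2. Logical deletion instead of physical deletion: rows are marked,
--    not removed, so they can still be reconciled and restored.
ALTER TABLE appdb.orders
  ADD COLUMN is_deleted TINYINT NOT NULL DEFAULT 0,
  ADD COLUMN deleted_at DATETIME NULL;

-- What the application runs in place of DELETE FROM appdb.orders WHERE id = 42
UPDATE appdb.orders SET is_deleted = 1, deleted_at = NOW() WHERE id = 42;

-- 3. Safe-update mode: UPDATE/DELETE without a WHERE on a key column is
--    rejected (ERROR 1175). A global setting applies to new sessions only.
SET PERSIST sql_safe_updates = 1;
-- With it on, `UPDATE appdb.orders SET is_deleted = 1;` fails instead of
-- flagging every row.

-- 4. Keep binlogs for 30 days so changes can be audited and reviewed
--    (MySQL 8.0 variable; older versions use expire_logs_days).
SET PERSIST binlog_expire_logs_seconds = 30 * 86400;

-- 5. Trigger that blocks tampering with settled orders even by an account
--    that holds UPDATE on the table.
DELIMITER $$
CREATE TRIGGER appdb.orders_guard_settled
BEFORE UPDATE ON appdb.orders
FOR EACH ROW
BEGIN
  IF OLD.status = 'settled'
     AND (NEW.amount <> OLD.amount OR NEW.status <> OLD.status) THEN
    SIGNAL SQLSTATE '45000'
      SET MESSAGE_TEXT = 'settled orders are immutable';
  END IF;
END$$
DELIMITER ;
```

The trigger only raises the bar; an account with SUPER or TRIGGER privileges on the database can still drop it, so keep those privileges off the application account.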

4. Afterword

A great deal can be done for data security; this article lists only some relatively simple measures that can be implemented quickly. Every enterprise should have its own security policy standards, and every participant should treat them with respect and strive to comply with these necessary standards, so that information security does not become empty talk.

Real data security rests on the awareness of everyone involved. Without that awareness, relying on mechanisms, systems and tools alone is unreliable.
