Ubuntu MySQL Database Security Hardening Guide
First, install MySQL Server from Ubuntu's official APT repository so that you receive the distribution's security patches and updates:
sudo apt update
sudo apt install mysql-server
Once the installation finishes, run the mysql_secure_installation script straight away to complete the initial hardening: it sets the root password, removes anonymous users, disallows remote root login, drops the test database and reloads the privilege tables. Two Ubuntu-specific notes: the MySQL 8.0 package configures root with the auth_socket plugin, so sudo mysql logs in without a password and the script's password step may report that it has no effect for that account; and the script offers to install the validate_password component, which is worth accepting (see the password policy below).
The key operations the script performs, with the equivalent SQL so that each can be verified or re-applied by hand from a mysql shell:
Remove anonymous users:
DELETE FROM mysql.user WHERE User='';
Disallow remote root login (root may then connect only from the local host; on a default Ubuntu install only 'root'@'localhost' exists, so this is a no-op, and if a 'root'@'%' row also exists the UPDATE collides with it and that row should be removed with DROP USER 'root'@'%'; instead):
UPDATE mysql.user SET Host='localhost' WHERE User='root';
Drop the test database:
DROP DATABASE IF EXISTS test;
Reload the privilege tables so that direct edits to mysql.user take effect:
FLUSH PRIVILEGES;
(Editing mysql.user directly still works, but on MySQL 8.0 the supported statements are DROP USER and RENAME USER, e.g. DROP USER ''@'localhost';, which take effect immediately without FLUSH PRIVILEGES.)
Next create a dedicated account for the application (e.g. newuser) and restrict where it may connect from (here: the local host only):
CREATE USER 'newuser'@'localhost' IDENTIFIED BY 'StrongPassword123!';
GRANT SELECT, INSERT, UPDATE ON mydatabase.* TO 'newuser'@'localhost';
FLUSH PRIVILEGES;
Grant only the privileges the application actually needs (SELECT, INSERT and so on, not ALL PRIVILEGES). The FLUSH PRIVILEGES after CREATE USER and GRANT is harmless but not required, since account-management statements take effect immediately. To stop credentials and data from being read off the wire, enable TLS (which MySQL still calls SSL) for client connections:
sudo apt install openssl
sudo openssl genpkey -algorithm RSA -out /etc/mysql/mysql_private.key
sudo openssl req -new -key /etc/mysql/mysql_private.key -out /etc/mysql/mysql_csr.csr
sudo openssl x509 -req -days 365 -in /etc/mysql/mysql_csr.csr -signkey /etc/mysql/mysql_private.key -out /etc/mysql/mysql_certificate.crt
Do not encrypt the private key with a passphrase (e.g. genpkey -aes256): mysqld cannot prompt for one and fails to load the key, so TLS never comes up. Protect the unencrypted key with file permissions instead (owner mysql:mysql, mode 0600). When openssl req asks for the Common Name, give the host name clients will connect to, so that clients using --ssl-mode=VERIFY_IDENTITY can match it.
Then edit the MySQL configuration file (/etc/mysql/mysql.conf.d/mysqld.cnf) and add the following to its [mysqld] section:
ssl-ca = /etc/mysql/mysql_certificate.crt
ssl-cert = /etc/mysql/mysql_certificate.crt
ssl-key = /etc/mysql/mysql_private.key
A self-signed certificate is its own issuer, which is why ssl-ca points at the same file; give clients a copy of it if they are to verify the server (--ssl-mode=VERIFY_CA or VERIFY_IDENTITY). Note that MySQL 8.0 on Ubuntu already generates ca.pem, server-cert.pem and server-key.pem in /var/lib/mysql on first start and serves TLS with them, so these lines replace the auto-generated certificate with your own. In either case TLS is only offered, not enforced: add require_secure_transport = ON to the same section to reject plaintext TCP connections (Unix-socket connections are still allowed), and confirm from a client with SHOW SESSION STATUS LIKE 'Ssl_cipher' that the connection is encrypted.
Restart the service to apply the change:
sudo systemctl restart mysql
Use ufw (Uncomplicated Firewall) to restrict access to the MySQL port (3306 by default) so that only trusted IP addresses can connect:
sudo ufw allow from <trusted_ip> to any port 3306 proto tcp
sudo ufw enable
If remote access is not needed at all, deny the port outright:
sudo ufw deny 3306/tcp
Before running ufw enable on a remote machine, allow your own SSH access first (sudo ufw allow OpenSSH), otherwise the default deny policy locks you out. Note also that Ubuntu's mysqld.cnf ships with bind-address = 127.0.0.1, so MySQL does not accept TCP connections from other hosts until that is changed; leave it at 127.0.0.1 unless remote clients are required, and if they are, bind to the specific interface address rather than 0.0.0.0.
In the [mysqld] section of /etc/mysql/mysql.conf.d/mysqld.cnf add local-infile=0 so that the server refuses LOAD DATA LOCAL INFILE, which lets a connected client push files from its own host into a table (MySQL 8.0 already defaults local_infile to OFF; on 5.7 it is ON). The server-side counterpart, LOAD DATA INFILE reading files on the database host, is governed by secure_file_priv, which the Ubuntu packages already confine to /var/lib/mysql-files/.
Optionally move the server off the default port by adding, in the same section:
[mysqld]
port = 37777
Changing the port only hides the service from casual scans and is no substitute for the firewall rules and bind-address; any ufw rule must then name 37777 rather than 3306, and clients must pass --port=37777. Restart MySQL after editing the file.
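The settings above are scattered across several edits, and it is easy to miss one or to put it in the wrong section (a [client] or [mysqld_safe] section does not affect the server). The following POSIX sh script is an added example, not part of this guide's original instructions or of MySQL itself: it reads the [mysqld] section(s) of one or more option files and reports which of the hardening settings discussed here are missing or weak. The function names (mysqld_options, opt_value, audit_mysqld_cnf), the WARN/INFO output format and the two embedded option files are assumptions made for this illustration; the two option files are constructed and are not real server configurations. It also checks require_secure_transport, the option that makes TLS mandatory rather than merely available.

```shell
#!/bin/sh
# Hypothetical hardening audit for MySQL option files (added example; the
# function names and WARN/INFO format are this script's own, not MySQL's).
# Usage: audit_mysqld_cnf FILE [FILE...]   -> exit 1 if any WARN was printed.

# Print "key=value" for every option in each [mysqld] section of the given
# files. MySQL treats '-' and '_' in an option name as equivalent, so keys are
# normalised to underscores (bind-address -> bind_address); a bare option name
# with no '=' enables a boolean option, so it is recorded as ON.
mysqld_options() {
    awk '
        FNR == 1 { in_sec = 0 }
        /^[ \t]*\[/ {
            in_sec = ($0 ~ /^[ \t]*\[mysqld\][ \t]*$/)   # [mysqld_safe], [client] ... skipped
            next
        }
        in_sec && !/^[ \t]*(#|;|$)/ {
            sub(/[ \t]+(#.*)?$/, "")                    # trailing blanks or comment
            eq = index($0, "=")
            if (eq) { key = substr($0, 1, eq - 1); val = substr($0, eq + 1) }
            else    { key = $0;                    val = "ON" }
            gsub(/[ \t]/, "", key); gsub(/-/, "_", key)
            sub(/^[ \t]+/, "", val); sub(/[ \t]+$/, "", val)
            print key "=" val
        }' "$@"
}

# opt_value KEY: read key=value lines on stdin, print the last value for KEY
# (MySQL also lets a later occurrence override an earlier one).
opt_value() {
    awk -v k="$1" '
        { eq = index($0, "="); if (substr($0, 1, eq - 1) == k) { v = substr($0, eq + 1); found = 1 } }
        END { if (found) print v }'
}

lower() { printf '%s' "$1" | tr 'A-Z' 'a-z'; }

audit_mysqld_cnf() {
    opts=$(mysqld_options "$@")
    rc=0
    v()    { printf '%s\n' "$opts" | opt_value "$1"; }
    warn() { printf 'WARN %s: %s\n' "$1" "$2"; rc=1; }

    # Network exposure: an unset bind_address means '*' (all interfaces) on 8.0.
    bind=$(v bind_address)
    case "$bind" in
        127.0.0.1|::1|localhost) ;;
        ''|0.0.0.0|::|'*') warn bind_address "listens on all interfaces (value '${bind:-unset}'); use 127.0.0.1 unless remote clients are required" ;;
        *) printf 'INFO bind_address: listens on %s; make sure the ufw rules limit who can reach it\n' "$bind" ;;
    esac

    case "$(lower "$(v local_infile)")" in
        1|on|true) warn local_infile "LOAD DATA LOCAL INFILE is enabled; set local-infile=0" ;;
    esac

    if [ -z "$(v ssl_cert)" ] || [ -z "$(v ssl_key)" ]; then
        warn ssl "ssl-cert and ssl-key are not both set; the server uses auto-generated certificates or no TLS"
    fi
    case "$(lower "$(v require_secure_transport)")" in
        1|on|true) ;;
        *) warn require_secure_transport "not ON; plaintext TCP connections are still accepted even with TLS configured" ;;
    esac

    [ -n "$(v log_bin)" ] || warn log_bin "binary logging is off; no change history for recovery or audit"

    port=$(v port)
    if [ -n "$port" ] && [ "$port" != 3306 ]; then
        printf 'INFO port: non-default port %s; ufw rules must refer to %s, not 3306\n' "$port" "$port"
    fi
    return $rc
}

# Constructed option files for the demonstration (not real server configs).
WEAK_CNF='[mysqld]
user         = mysql
bind-address = 0.0.0.0
local-infile = 1
port         = 3306

[client]
ssl-cert = /etc/mysql/client.crt   # client section: must not count for the server
'
HARD_CNF='[mysqld]
user         = mysql
bind-address = 127.0.0.1
port         = 37777
local-infile = 0
ssl-ca       = /etc/mysql/mysql_certificate.crt
ssl-cert     = /etc/mysql/mysql_certificate.crt
ssl-key      = /etc/mysql/mysql_private.key
require_secure_transport = ON
log_bin      = /var/log/mysql/mysql-bin.log
server_id    = 1
'

demo=$(mktemp -d)
printf '%s' "$WEAK_CNF" > "$demo/weak.cnf"
printf '%s' "$HARD_CNF" > "$demo/hard.cnf"
for f in weak hard; do
    echo "== $f.cnf"
    if audit_mysqld_cnf "$demo/$f.cnf"; then echo "(no findings)"; else echo "-> $f.cnf failed the audit"; fi
done
rm -rf "$demo"
```

Run it against the real files with `sh audit.sh /etc/mysql/mysql.conf.d/*.cnf /etc/mysql/conf.d/*.cnf`, since Ubuntu's /etc/mysql/my.cnf only !includedir's those directories; the awk pass resets its section state per file, so all of them can be audited in one call.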
For change tracking and recovery, add log_bin = /var/log/mysql/mysql-bin.log to the [mysqld] section of /etc/mysql/mysql.conf.d/mysqld.cnf. The binary log records every statement or row change, which makes point-in-time recovery possible and gives an audit trail of modifications; on MySQL 5.7 also set server_id (e.g. server_id = 1), otherwise the server refuses to start with binary logging enabled (8.0 defaults it to 1), and set binlog_expire_logs_seconds so that old log files are purged before they fill the disk. Enable the slow query log with slow_query_log = 1 and long_query_time = 2 (queries running longer than two seconds are logged) to find performance bottlenecks and unusually heavy queries that may indicate an attack. Review the logs with grep, awk and similar tools for anomalies such as bursts of failed logins or unexpected operations. Be aware of what each log covers: the binary log holds writes only, not reads or logins; failed logins are written to the error log (/var/log/mysql/error.log on Ubuntu) as "Access denied for user" messages, and MySQL 8.0 emits them only when log_error_verbosity = 3.
Keep the server patched by running sudo apt update && sudo apt upgrade mysql-server regularly (or enabling unattended-upgrades for security updates), so that known vulnerabilities are fixed promptly.
Back up the databases on a schedule (e.g. daily) with mysqldump and keep the dumps in a safe place such as an off-site server or cloud storage:
mysqldump -u root -p --single-transaction mydatabase > /backups/mydatabase_$(date +%F).sql
--single-transaction takes a consistent snapshot of InnoDB tables without locking them. The dump contains all data in clear text, so create it with a restrictive umask (umask 077), encrypt it before it leaves the host, and test restores regularly.
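grep, awk and friends can turn the error log into a simple brute-force detector. The script below is an added example, not code from this guide or from MySQL: its sample log lines are constructed here in the MySQL 8.0 error-log layout (timestamp, thread id, severity, MY-nnnnn code, subsystem, message), the function names are hypothetical, and the ufw commands it prints are suggestions for a human to review, not actions it takes. It counts access-denied entries per client host and per account, flags those over a threshold, and drafts firewall rules for the remote offenders.

```shell
#!/bin/sh
# Failed-login detection over MySQL 8.0 error-log lines (added example with
# hypothetical function names). A failed login is logged as a MY-010926
# "Access denied for user" note, but only when log_error_verbosity = 3.

# Constructed sample (not a real capture): four failures from 203.0.113.5
# against two accounts, one from 198.51.100.7, one local, plus a startup line.
SAMPLE_LOG="2024-05-01T10:00:01.000001Z 0 [System] [MY-010931] [Server] /usr/sbin/mysqld: ready for connections.
2024-05-01T10:02:11.100001Z 12 [Note] [MY-010926] [Server] Access denied for user 'root'@'203.0.113.5' (using password: YES)
2024-05-01T10:02:12.100002Z 13 [Note] [MY-010926] [Server] Access denied for user 'root'@'203.0.113.5' (using password: YES)
2024-05-01T10:02:13.100003Z 14 [Note] [MY-010926] [Server] Access denied for user 'admin'@'203.0.113.5' (using password: YES)
2024-05-01T10:02:14.100004Z 15 [Note] [MY-010926] [Server] Access denied for user 'admin'@'203.0.113.5' (using password: NO)
2024-05-01T10:05:00.100005Z 16 [Note] [MY-010926] [Server] Access denied for user 'newuser'@'198.51.100.7' (using password: YES)
2024-05-01T10:06:00.100006Z 17 [Note] [MY-010926] [Server] Access denied for user 'newuser'@'localhost' (using password: YES)"

# failed_logins_by_host [THRESHOLD]: read error-log lines on stdin, print
# "host count" for each client host with at least THRESHOLD (default 5)
# access-denied entries, busiest first.
failed_logins_by_host() {
    thr="${1:-5}"
    sed -n "s/.*\[MY-010926\].*@'\([^']*\)'.*/\1/p" \
      | sort | uniq -c \
      | awk -v thr="$thr" '$1 + 0 >= thr + 0 { print $2, $1 }' \
      | sort -k2,2nr -k1,1
}

# failed_logins_by_account [THRESHOLD]: same, keyed on 'user'@'host', so a
# password-spraying run from one host still shows which accounts were tried.
failed_logins_by_account() {
    thr="${1:-5}"
    sed -n "s/.*\[MY-010926\].*for user \('[^']*'@'[^']*'\).*/\1/p" \
      | sort | uniq -c \
      | awk -v thr="$thr" '$1 + 0 >= thr + 0 { print $2, $1 }' \
      | sort -k2,2nr -k1,1
}

# ufw_block_offenders [THRESHOLD]: print (never run) the ufw commands that
# would cut off the offending remote hosts on 3306; local sources are skipped.
ufw_block_offenders() {
    failed_logins_by_host "$1" | while read -r host count; do
        case "$host" in localhost|127.0.0.1|::1) continue ;; esac
        printf 'sudo ufw insert 1 deny from %s to any port 3306 proto tcp   # %s failures\n' "$host" "$count"
    done
}

# Demo on the constructed sample; on a real host feed the log instead:
#   failed_logins_by_host 10 < /var/log/mysql/error.log
printf '%s\n' "$SAMPLE_LOG" | failed_logins_by_host 3
printf '%s\n' "$SAMPLE_LOG" | failed_logins_by_account 2
printf '%s\n' "$SAMPLE_LOG" | ufw_block_offenders 3
```

The host-level view is what you would act on at the firewall; the account-level view tells you whether an attacker is guessing one password across many users (spraying) or hammering one account, which changes the response (lock the account vs. block the source). The ufw lines are printed rather than executed so that a log-parsing bug cannot lock out a legitimate client.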
Enforce a password policy with the validate_password component. On MySQL 8.0 install it if mysql_secure_installation did not (INSTALL COMPONENT 'file://component_validate_password';), then set:
SET GLOBAL validate_password.policy = MEDIUM; -- requires upper- and lower-case letters, digits and special characters
SET GLOBAL validate_password.length = 12;     -- minimum length 12 characters
SET GLOBAL is lost at the next restart; use SET PERSIST instead, which writes the setting to mysqld-auto.cnf in the data directory so it survives restarts. (On MySQL 5.7 the same checks come from the validate_password plugin, whose variables use underscores, e.g. validate_password_policy.)
If remote access is genuinely required, create a dedicated account for it (e.g. remote_user) bound to the client's address or subnet and grant it only the privileges it needs, rather than opening the root account to remote hosts.