mysql_secure_installation脚本node
文件系统权限mysql
tree -puga /opt/mariadb/data/linux
chown -R mysql: /opt/mariadbsql
chmod -R 700 /opt/mariadb数据库
检查不安全的密码centos
SELECT @@old_passwords;
(jlive)[isfdb]>SELECT @@old_passwords;服务器
+-----------------+session
| @@old_passwords |测试
+-----------------+
|
+-----------------+
1 row in set (0.00 sec)
SELECT Host,User,Password FROM mysql.user;
(jlive)[isfdb]>SELECT Host,User,Password FROM mysql.user;
+-----------+--------+-------------------------------------------+
| Host
+-----------+--------+-------------------------------------------+
| localhost | root
| localhost | zabbix | *DEEF4D7D88CD046ECA02A803
| 127.0.0.1 | root
| ::1
| %
| localhost | foo
| localhost | sphinx | *8C702E15DB075B6094596B9A
+-----------+--------+-------------------------------------------+
7 rows in set (0.15 sec)
注意:检查密码为空或少于16位的用户
SSL加密
说明:能够用权威CA签发的SSL证书,这里建立自签名证书
1.建立CA
a.生成CA私钥(key)
root@jlive:ssl_tmp#openssl genrsa -out mariadb-ca.key 4096
Generating RSA private key, 4096 bit long modulus
.......................................................++
..............................................................................................................................................................................................................................................................................................................................................++
e is 65537 (0x10001)
b.经过CA私钥签发自签名CA公钥(pem)
root@jlive:ssl_tmp#openssl req -x509 -new -nodes -days 9999 -key mariadb-ca.key -out mariadb-ca.pem
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:Shanghai
Locality Name (eg, city) [Default City]:Shanghai
Organization Name (eg, company) [Default Company Ltd]:ca.cert.com, Ltd.
Organizational Unit Name (eg, section) []:CA
Common Name (eg, your name or your server's hostname) []:ca.example.com
Email Address []:ca@example.com
作实验能够随便填
2.建立服务器证书
a.生成服务器私钥(key)
root@jlive:ssl_tmp#openssl genrsa -out mariadb-server.key 4096
Generating RSA private key, 4096 bit long modulus
..........................++
...++
e is 65537 (0x10001)
b.经过服务器私钥生成证书请求文件(csr)
root@jlive:ssl_tmp#openssl req -new -key mariadb-server.key -out mariadb-server.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:Shanghai
Locality Name (eg, city) [Default City]:Shanghai
Organization Name (eg, company) [Default Company Ltd]:Tencent.com, Ltd.
Organizational Unit Name (eg, section) []:Development
Common Name (eg, your name or your server's hostname) []:jlive.example.com
Email Address []:jlive@localhost
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
提示:密码可选
c.CA签发服务器公钥(pem)
root@jlive:ssl_tmp#openssl x509 -req -set_serial 01 -days 9999 -CA mariadb-ca.pem -CAkey mariadb-ca.key -in mariadb-server.csr -out mariadb-server.pem
Signature ok
subject=/C=CN/ST=Shanghai/L=Shanghai/O=Tencent.com, Ltd./OU=Development/CN=jlive.example.com/emailAddress=jlive@localhost
Getting CA Private Key
提示:有些ssl加密通讯须要指定服务器证书的Common Name,如:grafana
server_cert_name = jlive.example.com
3.建立客户端证书
a.生成客户端私钥(key)
root@jlive:ssl_tmp#openssl genrsa -out mariadb-client.key 4096
Generating RSA private key, 4096 bit long modulus
......................................................................................................................................................................................................................................++
.....................................................................................................++
e is 65537 (0x10001)
b.经过客户端私钥生成证书请求文件(csr)
root@jlive:ssl_tmp#openssl req -new -key mariadb-client.key -out mariadb-client.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:Shanghai
Locality Name (eg, city) [Default City]:Shanghai
Organization Name (eg, company) [Default Company Ltd]:client.example.com, Ltd.
Organizational Unit Name (eg, section) []:Development
Common Name (eg, your name or your server's hostname) []:client.example.com
Email Address []:client@example.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
c.CA签发客户端证书(pem)
root@jlive:ssl_tmp#openssl x509 -req -set_serial 02 -days 9999 -CA mariadb-ca.pem -CAkey mariadb-ca.key -in mariadb-client.csr -out mariadb-client.pem
Signature ok
subject=/C=CN/ST=Shanghai/L=Shanghai/O=client.example.com, Ltd./OU=Development/CN=client.example.com/emailAddress=client@example.com
Getting CA Private Key
4.配置SSL认证
说明:将公私钥放到指定目录,这里放在/opt/mariadb目录下
[mysqld]
ssl-ca=/opt/mariadb/mariadb-ca.pem
ssl-key=/opt/mariadb/mariadb-server.key
ssl-cert=/opt/mariadb/mariadb-server.pem
[mysql]
ssl-ca=/opt/mariadb/mariadb-ca.pem
ssl-key=/opt/mariadb/mariadb-client.key
ssl-cert=/opt/mariadb/mariadb-client.pem
改完配置后重启才会生效
root@jlive:~#/etc/init.d/mysql restart
Restarting mysql (via systemctl):
5.测试
https://mariadb.com/kb/en/ssl-server-system-variables/
查看状态
STATUS;
SHOW VARIABLES LIKE 'have_ssl';
SHOW STATUS LIKE 'Ssl%';
root@jlive:~#mysql -uroot -p
Enter password:
Welcome to the MariaDB monitor.
Your MariaDB connection id is 23
Server version: 10.1.13-MariaDB MariaDB Server
Copyright (c) 2000, 2016, Oracle, MariaDB Corporation Ab and others.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
MariaDB [(none)]> SHOW VARIABLES LIKE 'have_ssl';
+---------------+-------+
| Variable_name | Value |
+---------------+-------+
| have_ssl
+---------------+-------+
1 row in set (0.00 sec)
MariaDB [(none)]> SHOW STATUS LIKE 'Ssl%';
+--------------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| Variable_name
+--------------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| Ssl_accept_renegotiates
| Ssl_accepts
| Ssl_callback_cache_hits
| Ssl_cipher
| Ssl_cipher_list
| Ssl_client_connects
... ...
25 rows in set (0.01 sec)
建立用户,强制SSL认证
GRANT ALL on test.* TO 'ssluser'@'localhost'
或者严格限制签发客户端ISSUER
GRANT ALL on test.* TO 'ssluser'@'localhost'
root@jlive:~#mysql -u ssluser -p test
Enter password:
Welcome to the MariaDB monitor.
Your MariaDB connection id is 40
Server version: 10.1.13-MariaDB MariaDB Server
Copyright (c) 2000, 2016, Oracle, MariaDB Corporation Ab and others.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
MariaDB [test]> SHOW STATUS LIKE 'Ssl_session%';
+-----------------------------+---------+
| Variable_name
+-----------------------------+---------+
| Ssl_session_cache_hits
| Ssl_session_cache_misses
| Ssl_session_cache_mode
| Ssl_session_cache_overflows | 0
| Ssl_session_cache_size
| Ssl_session_cache_timeouts
| Ssl_sessions_reused
+-----------------------------+---------+
7 rows in set (0.00 sec)
MariaDB [test]> QUIT
Bye
root@jlive:~#mysql -u ssluser -p --skip-ssl test
Enter password:
ERROR 1045 (28000): Access denied for user 'ssluser'@'localhost' (using password: YES)
链接时还能够经过参数来指定客户端证书路径
mysql -u ssluser –ssl-ca=/opt/mariadb/mariadb-ca.pem \
--ssl-key=/opt/mariadb/mariadb-client.key \
--ssl-cert=/opt/mariadb/mariadb-client.pem test
角色控制
https://mariadb.com/kb/en/roles/
1.建立角色并受权
CREATE DATABASE IF NOT EXISTS test;
CREATE ROLE read_only;
GRANT SELECT ON test.* TO read_only;
GRANT USAGE ON test.* TO read_only;
SHOW GRANTS FOR read_only;
MariaDB [(none)]> SHOW GRANTS FOR read_only;
+-----------------------------------------+
| Grants for read_only
+-----------------------------------------+
| GRANT USAGE ON *.* TO 'read_only'
| GRANT SELECT ON `test`.* TO 'read_only' |
+-----------------------------------------+
2 rows in set (0.00 sec)
2.将角色赋予某个用户
CREATE USER test_user@'localhost' IDENTIFIED BY 'testpassword';
SHOW GRANTS FOR test_user@'localhost';
GRANT read_only TO test_user@'localhost';
SHOW GRANTS FOR test_user@'localhost';
MariaDB [(none)]> SHOW GRANTS FOR test_user@'localhost';
+------------------------------------------------------------------------------------------------------------------+
| Grants for test_user@localhost
+------------------------------------------------------------------------------------------------------------------+
| GRANT read_only TO 'test_user'@'localhost'
| GRANT USAGE ON *.* TO 'test_user'@'localhost' IDENTIFIED BY PASSWORD '*9F69E47E519D9CA02116BF57
+------------------------------------------------------------------------------------------------------------------+
2 rows in set (0.00 sec)
3.测试
root@jlive:~#mysql -u test_user -p
Enter password:
Welcome to the MariaDB monitor.
Your MariaDB connection id is 67
Server version: 10.1.13-MariaDB MariaDB Server
Copyright (c) 2000, 2016, Oracle, MariaDB Corporation Ab and others.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
MariaDB [(none)]> USE test;
ERROR 1044 (42000): Access denied for user 'test_user'@'localhost' to database 'test'
MariaDB [(none)]> SET ROLE read_only;
Query OK, 0 rows affected (0.00 sec)
MariaDB [(none)]> USE test;
Database changed
MariaDB [test]> SELECT current_role();
+----------------+
| current_role() |
+----------------+
| read_only
+----------------+
1 row in set (0.00 sec)
MariaDB [test]> SELECT current_user();
+---------------------+
| current_user()
+---------------------+
| test_user@localhost |
+---------------------+
1 row in set (0.00 sec)
MariaDB [test]> SHOW GRANTS;
+------------------------------------------------------------------------------------------------------------------+
| Grants for test_user@localhost
+------------------------------------------------------------------------------------------------------------------+
| GRANT read_only TO 'test_user'@'localhost'
| GRANT USAGE ON *.* TO 'test_user'@'localhost' IDENTIFIED BY PASSWORD '*9F69E47E519D9CA02116BF57
| GRANT USAGE ON *.* TO 'read_only'
| GRANT SELECT ON `test`.* TO 'read_only'
+------------------------------------------------------------------------------------------------------------------+
4 rows in set (0.00 sec)
PAM认证
https://mariadb.com/kb/en/pam-authentication-plugin/
以CentOS 7.1 x64为例
1.建立本地用户
useradd -s /sbin/nologin pamuser
echo pamuser:pampassword|chpasswd
2.安装pam认证插件
INSTALL SONAME 'auth_pam';
pam
3.建立数据库用户并指定pam认证
CREATE USER pamuser@'localhost' IDENTIFIED VIA pam USING 'password-auth';
GRANT ALL ON test.* TO pamuser@'localhost';
FLUSH PRIVILEGES;
说明:'password-auth'是linux本地PAM模块名称,不一样的发行版可能有些区别,centos7中password-auth会调用/etc/shadow中的密码进行认证,还支持LDAP,Active Directory,smart cards,biometric scanner等认证
4.测试
root@jlive:~#mysql -upamuser
ERROR 2059 (HY000): Authentication plugin 'dialog' cannot be loaded: /usr/local/mysql/lib/plugin/dialog.so: cannot open shared object file: No such file or directory
root@jlive:~#ln -s /opt/mariadb /usr/local/mysql
root@jlive:~#ls /usr/local/mysql/lib/plugin/dialog.so
/usr/local/mysql/lib/plugin/dialog.so*
root@jlive:~#mysql -upamuser
[mariadb] Password:
ERROR 1045 (28000): Access denied for user 'pamuser'@'localhost' (using password: NO)
不过测试尚未成功,有待后续进一步研究