最近工作中涉及安全问题,需要检测各种数据库用户和权限是否安全,整理下常用命令。
1,当然是要先知道mysql有那些用户才好做下一步检查喽。检查所有MySQL用户
mysql> SELECT DISTINCT CONCAT('User: ''',user,'''@''',host,''';') AS query FROM mysql.user;
+-----------------------------------+
| query |
+-----------------------------------+
| User: 'slave'@'%'; |
| User: 'root'@'127.0.0.1'; |
| User: 'root'@'::1'; |
| User: 'mysql_backup'@'localhost'; |
| User: 'root'@'localhost'; |
+-----------------------------------+
5 rows in set (0.00 sec)
哇,所有用户都出来了,包括允许哪些ip访问,@''后面就是 host啦 , %代表任何ip都可以访问,127和localhost当然是只能本地访问。
2,检查出来用户以后我们当然要知道他们都有什么权限咯,一切为了安全么。检查每个用户权限
+--------------------------------------------------------------------------------------------------------------------------------------+
| Grants for slave@% |
+--------------------------------------------------------------------------------------------------------------------------------------+
| GRANT REPLICATION SLAVE, REPLICATION CLIENT ON *.* TO 'slave'@'%' IDENTIFIED BY PASSWORD '*F667FA72F8DDCB1733B52150E4FAE70BD5086720' |
+--------------------------------------------------------------------------------------------------------------------------------------+
1 row in set (0.00 sec)
3,发现不靠谱的用户直接干掉~!!删除Mysql用户。创建删除用户
先创建个用户:mysql> CREATE USER 'test'@'%' IDENTIFIED BY '123123'; #test用户名 %代表允许任何ip访问 123123是密码
删除账户及权限: mysql> drop user 'test2'@'%';