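Baidu Cloud Observation (百度云观测) flagged a security risk on port 3306 of the 云上小悟 website:
Vulnerability description
MySQL, port 3306: an internal sensitive service is exposed externally, which is a risk and can easily lead to security problems.
Affected versions
None
Severity
Medium
Remediation
Disable remote access, or restrict the IP addresses allowed to reach the service.
Fully resolving this issue involves two steps:
2. Close MySQL's port 3306.
This article covers point 2.
How to close MySQL's port 3306
Edit MySQL's my.cnf file and enable the skip-networking line in the [mysqld] section (if the setting is not there, add the line yourself). With skip-networking set, mysqld does not listen for TCP/IP connections at all; local clients connect through the Unix socket file.
Save the change, then restart the mysql service.
The my.cnf file after 云上小悟's changes, for reference: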
# For advice on how to change settings please see
# http://dev.mysql.com/doc/refman/5.6/en/server-configuration-defaults.html
# *** DO NOT EDIT THIS FILE. It's a template which will be copied to the
# *** default location during install, and will be replaced if you
# *** upgrade to a newer version of MySQL.
[mysqld]
skip-networking
# Remove leading # and set to the amount of RAM for the most important data
# cache in MySQL. Start at 70% of total RAM for dedicated server, else 10%.
innodb_buffer_pool_size = 16M
performance_schema_max_table_instances=200
table_definition_cache=400
table_open_cache=64
# Remove leading # to turn on a very important data integrity option: logging
# changes to the binary log between backups.
# log_bin
# These are commonly set, remove the # and set as required.
basedir = /usr/local/mysql
datadir = /usr/local/mysql/data
# port = .....
# server_id = .....
# socket = .....
# Remove leading # to set options mainly useful for reporting servers.
# The server defaults are faster for transactions and fast SELECTs.
# Adjust sizes as needed, experiment to find the optimal values.
# join_buffer_size = 128M
# sort_buffer_size = 2M
# read_rnd_buffer_size = 2M
sql_mode=NO_ENGINE_SUBSTITUTION,STRICT_TRANS_TABLES
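Most of it is the default configuration.
Finally, you can use tcping to check that port 3306 has been closed.
You may have trouble locating the my.cnf file; see: How to find the location of the my.cnf configuration file MySQL is using?
The security risk flagged by Baidu Cloud Observation can also be resolved by changing MySQL's external port number, or by restricting which IPs can access it.
The corresponding my.cnf settings are port and bind-address, respectively; bind-address sets the local address mysqld listens on, so binding to 127.0.0.1 accepts only connections from the same host.
This site only needs a standalone MySQL instance, so port 3306 is simply closed.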
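One way to confirm the result from both sides, as an added example that is not part of the original post: it classifies the exposure implied by skip-networking, bind-address and port in a my.cnf text, and performs a tcping-style connect test. The function names and sample configs are constructed for illustration, and !include directives are not followed.

```python
import configparser
import socket

LOOPBACK = {"127.0.0.1", "::1", "localhost"}

def mysqld_exposure(cnf_text):
    """Return (exposure, port) for the [mysqld] section of a my.cnf text.

    exposure is "no-tcp" (skip-networking), "loopback-only" or "network".
    """
    # Drop !include/!includedir directives; this sketch does not follow them.
    body = "\n".join(line for line in cnf_text.splitlines()
                     if not line.lstrip().startswith("!"))
    cp = configparser.ConfigParser(allow_no_value=True, strict=False,
                                   interpolation=None, delimiters=("=",))
    cp.read_string(body)
    opts = {}
    if cp.has_section("mysqld"):
        # MySQL accepts '-' and '_' interchangeably in option names.
        opts = {k.replace("_", "-"): v for k, v in cp.items("mysqld")}
    port = int(opts.get("port") or 3306)  # 3306 is the server default
    if "skip-networking" in opts:
        # A bare "skip-networking" line has no value and means enabled.
        value = (opts["skip-networking"] or "1").strip().lower()
        if value in ("1", "on", "true"):
            return ("no-tcp", port)
    # Without bind-address the server listens on all interfaces.
    bind = (opts.get("bind-address") or "*").strip().lower()
    return ("loopback-only" if bind in LOOPBACK else "network", port)

def tcp_open(host, port, timeout=2.0):
    """tcping-style check: True if a TCP connection to host:port succeeds."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

# Constructed sample inputs (not the page's file).
HARDENED = "[mysqld]\nskip-networking\nbasedir = /usr/local/mysql\n"
LOCAL_ONLY = "[mysqld]\nbind_address = 127.0.0.1\nport = 3307\n"
DEFAULT = "[mysqld]\n# port = .....\ndatadir = /usr/local/mysql/data\n"

if __name__ == "__main__":
    for name, text in (("hardened", HARDENED), ("local", LOCAL_ONLY),
                       ("default", DEFAULT)):
        print(name, mysqld_exposure(text))
    print("127.0.0.1:3306 reachable:", tcp_open("127.0.0.1", 3306))
```

Run the connect test from a machine outside the server as well, since a check from the server itself cannot show what a firewall lets through.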