Running the MySQL mysql_secure_installation Security Script
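Once MySQL is installed, there is one step you should never skip: running the security script. The anonymous users, test database and weak password configuration left behind by a default install are a ticking time bomb in production. `mysql_secure_installation`, the official interactive script, takes care of the following core hardening tasks in one pass:
- Set the MySQL root user's password
- Remove anonymous users
- Disallow remote root login
- Remove the test database
- Reload the privilege tables

The steps below walk through the whole process.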
Step 1
Start the mysql_secure_installation script
Open a terminal and run the following command: `sudo mysql_secure_installation`
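Step 2
Enter the current MySQL root password
On a fresh install the root user has no password by default, so just press Enter to skip. If you set a password earlier, enter the current one.
Step 3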
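Set a new root password
The script asks whether to set a new root password. If there is currently no password, setting a strong one is strongly recommended. Enter Y and press Enter, then follow the prompts to set the password.
Step 4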
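Remove anonymous users
A default install creates an anonymous user, so anyone who knows the IP can log in with an empty password. Enter Y and press Enter to remove this risk.
Step 5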
Disallow remote root login
Restricting root to local connections effectively prevents the password from being brute-forced. Enter Y and press Enter.
Step 6
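Remove the test database
The test database named `test` is open to everyone by default and must be removed before going live. Enter Y and press Enter.
Step 7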
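Reload the privilege tables
Once all the changes are made, the last step is to make the privilege tables take effect immediately. Enter Y and press Enter to finish.
Complete example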
Below is a typical set of output from running the script, annotated with the choice to make at each prompt:

```
Securing the MySQL server deployment.

Enter password for user root: (enter the current root password, or just press Enter if there is none)

The existing password for the user account root has expired. Please set a new password.

New password: (enter the new root password)

Re-enter new password: (re-enter the new root password)

VALIDATE PASSWORD PLUGIN can be used to test passwords and improve security. It checks the strength of password and allows the users to set only those passwords which are secure enough. Would you like to setup VALIDATE PASSWORD plugin?

Press y|Y for Yes, any other key for No: Y (choose whether to enable the password validation plugin, as needed)

Please set the password validation policy:

LOW    Length >= 8
MEDIUM Length >= 8, numeric, mixed case, and special characters
STRONG Length >= 8, numeric, mixed case, special characters and dictionary file

Please enter 0 = LOW, 1 = MEDIUM and 2 = STRONG: 1 (choose the password validation policy)

Using existing password for root.

Estimated strength of the password: 100
Change the password for root ? ((Press y|Y for Yes, any other key for No) : N (if you have just set the password, choose N here)

 … skipping.

By default, a MySQL installation has an anonymous user, allowing anyone to log into MySQL without having to have a user account created for them. This is intended only for testing, and to make the installation go a bit smoother. You should remove them before moving into a production environment.

Remove anonymous users? (Press y|Y for Yes, any other key for No) : Y (remove anonymous users)
Success.

Normally, root should only be allowed to connect from 'localhost'. This ensures that someone cannot guess at the root password from the network.

Disallow root login remotely? (Press y|Y for Yes, any other key for No) : Y (disallow remote root login)
Success.

By default, MySQL comes with a database named 'test' that anyone can access. This is also intended only for testing, and should be removed before moving into a production environment.

Remove test database and access to it? (Press y|Y for Yes, any other key for No) : Y (remove the test database)
Dropping test database…
Success.

Removing privileges on test database…
Success.

Reloading the privilege tables will ensure that all changes made so far will take effect immediately.

Reload privilege tables now? (Press y|Y for Yes, any other key for No) : Y (reload the privilege tables)
Success.

All done!
```

At this point the security foundation of your MySQL install is solid. Make these settings part of your initialization process and you will avoid a lot of pitfalls.
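To confirm the result afterwards, the following added example (not part of the original page) checks for the leftovers the script removes: anonymous accounts, root entries for non-local hosts, and the `test` database. The function names, the `--live` switch and the sample rows are constructed for illustration; the input format is the tab-separated rows that `mysql -N -B` prints.

```shell
#!/bin/sh
# Added example: audit the state mysql_secure_installation should leave behind.
# Input format is what `mysql -N -B` prints: one row per line, tab-separated.

audit_accounts() {
  # stdin: "user<TAB>host" rows. Flags anonymous accounts and non-local root.
  awk -F '\t' '
    NF < 2 { next }                       # skip blank or malformed lines
    $1 == "" { print "ANONYMOUS_USER host=" $2; next }
    $1 == "root" && $2 != "localhost" && $2 != "127.0.0.1" && $2 != "::1" {
      print "REMOTE_ROOT host=" $2
    }'
}

audit_databases() {
  # stdin: database names. Flags the default world-accessible test database.
  awk '$0 == "test" { print "TEST_DATABASE present" }'
}

audit_report() {
  # $1 = user/host rows, $2 = database names. Returns 1 if anything is flagged.
  findings=$( { printf '%s\n' "$1" | audit_accounts
                printf '%s\n' "$2" | audit_databases; } )
  [ -z "$findings" ] && return 0
  printf '%s\n' "$findings"
  return 1
}

# Constructed sample data: an unhardened server (anonymous user, root@%, test db).
SAMPLE_USERS=$(printf '%s\t%s\n' '' 'localhost' 'root' 'localhost' 'root' '%' 'app' '10.0.0.5')
SAMPLE_DBS=$(printf '%s\n' 'information_schema' 'mysql' 'test')

if [ "${1:-}" = "--live" ]; then
  # Query the local server (assumes sudo can log in as root over the socket).
  audit_report "$(sudo mysql -N -B -e 'SELECT user, host FROM mysql.user')" \
               "$(sudo mysql -N -B -e 'SHOW DATABASES')"
else
  audit_report "$SAMPLE_USERS" "$SAMPLE_DBS" || echo "hardening incomplete"
fi
```

Run without arguments it reports on the constructed sample; with `--live` it exits non-zero when any of the three findings is still present, which makes it usable as a provisioning check.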
