Change the default root password and disable empty-password login

After a MySQL 5.7+ install, root may have no password at all, or the installer may have generated a temporary password and written it to /var/log/mysqld.log (the Oracle RPM packages on RHEL-family systems do this; the Ubuntu/Debian packages instead create root@localhost with the auth_socket plugin and no password). A reachable root account with no credential is the single biggest risk, so fix it before anything else.

Read the temporary password from the log:

    sudo grep 'temporary password' /var/log/mysqld.log

Log in with it and change the password immediately (the temporary password is marked expired, so the server lets you run nothing else until you do):

    ALTER USER 'root'@'localhost' IDENTIFIED BY 'StrongPass123!';

'StrongPass123!' is only a placeholder; use your own value.

Then confirm which authentication plugin root actually uses. Under auth_socket (the Ubuntu/Debian default) the server authenticates by the OS user on the Unix socket and ignores passwords entirely, so the ALTER USER above changes nothing:

    SELECT user, host, plugin FROM mysql.user WHERE user = 'root';

If it reports auth_socket and you need password logins for root, switch the plugin:

    ALTER USER 'root'@'localhost' IDENTIFIED WITH mysql_native_password BY 'StrongPass123!';

On 8.0 use IDENTIFIED WITH caching_sha2_password instead (the 8.0 default; mysql_native_password is deprecated from 8.0.34). Leaving root@localhost on auth_socket is also a legitimate choice: it restricts root to the local OS root user over the socket and cannot be brute-forced over the network.

Finally remove accounts that have no credential at all. Two things to keep in mind: an expired password is not an empty one (the temporary root password itself starts out expired, so do not delete on password_expired), and auth_socket accounts also have an empty authentication_string. Run the WHERE clause as a SELECT first and make sure the Ubuntu/Debian root@localhost is not in the result:

    DELETE FROM mysql.user WHERE authentication_string = '' AND plugin <> 'auth_socket';
    FLUSH PRIVILEGES;

DROP USER 'name'@'host' for each account the SELECT returned is the supported alternative; it updates the privilege cache itself and needs no FLUSH PRIVILEGES.
Remove anonymous users, the test database and unnecessary remote access

A default install often ships with an anonymous ''@'localhost' account, a test database that every account may use, and a root account allowed to log in from any host (for example 'root'@'%'). All of these should go. (mysql_secure_installation performs the same cleanup interactively; the statements below do it by hand.)

Delete anonymous users:

    DELETE FROM mysql.user WHERE user = '';

Drop the test database:

    DROP DATABASE IF EXISTS test;

and the database-level grants that reference it (the default install grants every account full access to test and test\_%, and DROP DATABASE does not remove those rows):

    DELETE FROM mysql.db WHERE db LIKE 'test%';

Forbid remote root login (unless you genuinely need it; note that this also removes 'root'@'127.0.0.1' and 'root'@'::1' if they exist, so keep those if you connect over TCP loopback):

    DELETE FROM mysql.user WHERE user = 'root' AND host != 'localhost';

Because these statements edit the grant tables directly, they take effect only after

    FLUSH PRIVILEGES;

DROP USER 'root'@'%' is the supported equivalent for the account rows and needs no flush.
Restrict what each user can do: least privilege

In production, an application account should never hold GRANT OPTION, FILE (which lets it read and write files on the server host through LOAD DATA and SELECT ... INTO OUTFILE), PROCESS (which shows other sessions' running statements) or privileges that span databases. The classic mistake is:

    CREATE USER 'app'@'%' IDENTIFIED BY 'xxx'; GRANT ALL ON *.* TO 'app'@'%';

which gives the application the run of the entire server from any source address. Create dedicated accounts with an explicit source host instead (avoid %):

    CREATE USER 'app'@'10.20.30.%' IDENTIFIED BY 'AppPass456!';

Grant only the database, tables and operations the application needs:

    GRANT SELECT, INSERT, UPDATE ON myapp_db.* TO 'app'@'10.20.30.%';

As a safety net, explicitly revoke the dangerous global privileges. This is redundant for an account that never had them, but it catches accounts that were created with GRANT ALL earlier:

    REVOKE FILE, SHUTDOWN, SUPER, PROCESS ON *.* FROM 'app'@'10.20.30.%';

and confirm nothing beyond the intended grants remains:

    SHOW GRANTS FOR 'app'@'10.20.30.%';
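The following is an added example, not part of the original page: a single SQL audit that checks the outcome of all three steps above (root and empty passwords, anonymous users and the test database, over-privileged application accounts) against the grant tables, followed by the matching cleanup written with the account-management statements instead of DELETE. It assumes an administrative session on MySQL 5.7 or 8.0 and uses only columns present in both versions; the account name 'app'@'10.20.30.%' and the database myapp_db are the page's own placeholders.

```sql
-- Added audit (not from the original page). Run as an administrative account.

-- 1. Accounts with no credential at all. auth_socket accounts also have an
--    empty authentication_string but are authenticated by the OS user on the
--    Unix socket, so they are excluded: deleting on this column alone would
--    remove the Ubuntu/Debian root@localhost.
SELECT user, host, plugin, password_expired, account_locked
FROM   mysql.user
WHERE  authentication_string = ''
AND    plugin <> 'auth_socket';

-- 2. Anonymous accounts, whatever host they are bound to.
SELECT user, host FROM mysql.user WHERE user = '';

-- 3. root reachable over the network (loopback addresses count as local).
SELECT user, host
FROM   mysql.user
WHERE  user = 'root'
AND    host NOT IN ('localhost', '127.0.0.1', '::1');

-- 4. Application accounts allowed to connect from any host.
SELECT user, host FROM mysql.user WHERE host = '%';

-- 5. Accounts holding high-risk global privileges. The server's own internal
--    accounts legitimately hold some of these and are filtered out.
SELECT user, host, Super_priv, File_priv, Process_priv, Shutdown_priv, Grant_priv
FROM   mysql.user
WHERE  'Y' IN (Super_priv, File_priv, Process_priv, Shutdown_priv, Grant_priv)
AND    user NOT IN ('mysql.sys', 'mysql.session', 'mysql.infoschema');

-- 6. Leftover database-level grants on the test database(s). The default
--    install grants every account full access to test and test\_%.
SELECT host, db, user FROM mysql.db WHERE db LIKE 'test%';

-- Remediation. DROP USER / REVOKE / GRANT update the in-memory privilege
-- cache themselves, so no FLUSH PRIVILEGES is needed for them, and IF EXISTS
-- (5.7+) keeps the script re-runnable. The hosts below are whatever queries
-- 2 and 3 returned on your server (assumed values here).
DROP USER IF EXISTS ''@'localhost';
DROP USER IF EXISTS 'root'@'%';
DROP DATABASE IF EXISTS test;

-- The wildcard test\_% rows in mysql.db have an empty user, so REVOKE cannot
-- target them; this is the one place a direct DELETE (and a flush) is needed.
DELETE FROM mysql.db WHERE db LIKE 'test%';
FLUSH PRIVILEGES;

-- Rebuild an over-privileged application account from zero rather than
-- revoking privileges one by one: strip everything, then grant back only
-- what the application actually uses.
REVOKE ALL PRIVILEGES, GRANT OPTION FROM 'app'@'10.20.30.%';
GRANT SELECT, INSERT, UPDATE ON myapp_db.* TO 'app'@'10.20.30.%';
SHOW GRANTS FOR 'app'@'10.20.30.%';
```

The SELECTs read the grant tables directly rather than the privilege cache, which is what you want for an audit: if someone edited the tables earlier without FLUSH PRIVILEGES, the tables and the cache can disagree, and the tables are what survives a restart. Each query should return no rows on a hardened server; anything it does return is a finding to explain or fix.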
Enforce a password policy and encrypt connections

MySQL does not enforce password complexity by default, and it does not force clients to use TLS: when certificates are present the server offers encryption, but a client may still connect in plaintext (the mysql client's default ssl-mode is PREFERRED, not REQUIRED). Both must be switched on explicitly; otherwise the rest of the hardening is much weaker.

Load the password validation plugin (5.7):

    INSTALL PLUGIN validate_password SONAME 'validate_password.so';

and set the policy level:

    SET GLOBAL validate_password_policy = MEDIUM;

MEDIUM requires length ≥ 8 with at least one uppercase letter, one lowercase letter, one digit and one special character. The check runs only when a password is set (CREATE USER, ALTER USER, SET PASSWORD); existing passwords are not re-examined. Put validate_password_policy=MEDIUM under [mysqld] in my.cnf as well so the setting survives a restart. On 8.0 the same functionality is a component, installed with INSTALL COMPONENT 'file://component_validate_password', and its variables use a dot (validate_password.policy) instead of the underscore.

Generate certificates (5.7 ships the mysql_ssl_rsa_setup tool; 8.0 creates self-signed certificates in the data directory on first start if none exist) and enable them in my.cnf:

    [mysqld]
    ssl-ca=/var/lib/mysql/ca.pem
    ssl-cert=/var/lib/mysql/server-cert.pem
    ssl-key=/var/lib/mysql/server-key.pem

Then require encryption per account:

    ALTER USER 'app'@'10.20.30.%' REQUIRE SSL;

REQUIRE SSL only insists that the connection is encrypted; it neither authenticates the client nor makes the client verify the server, so distribute ca.pem and have clients connect with --ssl-mode=VERIFY_CA or VERIFY_IDENTITY. REQUIRE X509 additionally demands a client certificate. To enforce TLS for every TCP client at once, set require_secure_transport=ON on the server instead of (or as well as) per-account REQUIRE SSL.
In real deployments the step most often skipped is bind-address: people fix the grants but forget to pin bind-address = 127.0.0.1 (or a specific internal IP) in my.cnf, so MySQL keeps listening on every interface (the default since 5.7 is *, meaning all IPv4 and IPv6 addresses) and is exposed to the public internet. On 8.0 the X Protocol listener on port 33060 has its own mysqlx_bind_address with the same default and needs the same treatment. Verify with ss -tlnp after restarting, and add a host firewall rule for 3306 and 33060 regardless.
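As an added example (not part of the original page), here is how to verify the server-side settings from the last two sections (password policy, TLS, listening addresses) from inside a SQL session, which shows the values actually in effect rather than what my.cnf says. It assumes an administrative session on MySQL 5.7 or 8.0; variables that do not exist on a given version are simply absent from the result rather than causing an error.

```sql
-- Added verification queries (not from the original page).

-- Password policy. The 5.7 plugin names its variables validate_password_policy
-- and so on, the 8.0 component validate_password.policy; LIKE matches both.
-- An empty result means the plugin/component is not installed at all.
SHOW GLOBAL VARIABLES LIKE 'validate_password%';

-- TLS material and enforcement. have_ssl must be YES; ssl_ca/ssl_cert/ssl_key
-- must point at the files from my.cnf; require_secure_transport = ON refuses
-- plaintext TCP connections for every account, not just those altered with
-- REQUIRE SSL.
SHOW GLOBAL VARIABLES WHERE Variable_name IN
  ('have_ssl', 'ssl_ca', 'ssl_cert', 'ssl_key', 'tls_version',
   'require_secure_transport');

-- Is this very session encrypted? An empty Ssl_cipher value means plaintext.
SHOW SESSION STATUS LIKE 'Ssl_cipher';

-- Accounts that may still connect unencrypted from the network
-- (ssl_type is empty when no REQUIRE clause has been set).
SELECT user, host, ssl_type
FROM   mysql.user
WHERE  ssl_type = ''
AND    host NOT IN ('localhost', '127.0.0.1', '::1');

-- What the server is listening on. bind_address defaults to '*' (all
-- interfaces); on 8.0 the X Protocol listener (mysqlx_*, default port 33060)
-- and the optional admin interface (admin_*) have their own settings.
SHOW GLOBAL VARIABLES WHERE Variable_name IN
  ('skip_networking', 'bind_address', 'port',
   'mysqlx_bind_address', 'mysqlx_port', 'admin_address', 'admin_port');

-- Enforce TLS server-wide. Run this from a session that Ssl_cipher showed as
-- encrypted, or over the Unix socket: the setting applies to new connections
-- only, and a plaintext TCP client would be unable to reconnect. Persist it
-- in my.cnf as well, or on 8.0 use SET PERSIST instead of SET GLOBAL.
SET GLOBAL require_secure_transport = ON;
```

Run the Ssl_cipher check again from a fresh TCP client after enabling require_secure_transport: a plaintext client should now be refused outright rather than silently connecting unencrypted.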
