Losing root privileges
Today I meant to rename root to something else, but what I actually did was create a new user and then delete root. Every privilege was gone, every column in the user table was N, and I even truncated the user table at that point because I was afraid of conflicts.
TRUNCATE TABLE user;   -- empty the user table
INSERT INTO mysql.user(Host,User,Password) VALUES("localhost","root","****");   -- insert a row
mysql> select * from user;
Host:        localhost
User:        root
Password:    *****
Select_priv: N   Insert_priv: N   Update_priv: Y   Delete_priv: N
Create_priv: N   Drop_priv: N   Reload_priv: N   Shutdown_priv: N
Process_priv: N   File_priv: N   Grant_priv: N   References_priv: N
Index_priv: N   Alter_priv: N   Show_db_priv: N   Super_priv: N
Create_tmp_table_priv: N   Lock_tables_priv: N   Execute_priv: N   Repl_slave_priv: N
Repl_client_priv: N   Create_view_priv: N   Show_view_priv: N   Create_routine_priv: N
Alter_routine_priv: N   Create_user_priv: N   Event_priv: N   Trigger_priv: N
ssl_type: (empty)   ssl_cipher: (empty)   x509_issuer: (empty)   x509_subject: (empty)
max_questions: 0   max_updates: 0   max_connections: 0   max_user_connections: 0
1 row in set (0.00 sec)
Every privilege is now N. Whatever I try (update, query, delete...) fails with a permission error. What now?
First kill the running server:
killall mysql
killall mysqld
Then start it in the background with the privilege tables bypassed:
bin/mysqld_safe --user=mysql --skip-grant-tables --skip-networking &
use mysql
Updating still failed at first, so fix the update privilege before anything else:
update user set Update_priv='Y' where user='root';
If root lacks privileges on all data, set the remaining columns as well:
update user set Select_priv='Y' where user='root';
update user set Insert_priv='Y' where user='root';
update user set Update_priv='Y' where user='root';
update user set Delete_priv='Y' where user='root';
update user set Create_priv='Y' where user='root';
update user set Drop_priv='Y' where user='root';
update user set Reload_priv='Y' where user='root';
update user set Shutdown_priv='Y' where user='root';
update user set Process_priv='Y' where user='root';
update user set File_priv='Y' where user='root';
update user set Grant_priv='Y' where user='root';
update user set References_priv='Y' where user='root';
update user set Index_priv='Y' where user='root';
update user set Alter_priv='Y' where user='root';
update user set Show_db_priv='Y' where user='root';
update user set Super_priv='Y' where user='root';
update user set Create_tmp_table_priv='Y' where user='root';
update user set Lock_tables_priv='Y' where user='root';
update user set Execute_priv='Y' where user='root';
update user set Repl_slave_priv='Y' where user='root';
update user set Repl_client_priv='Y' where user='root';
update user set Create_view_priv='Y' where user='root';
update user set Show_view_priv='Y' where user='root';
update user set Create_routine_priv='Y' where user='root';
update user set Alter_routine_priv='Y' where user='root';
update user set Create_user_priv='Y' where user='root';
update user set Event_priv='Y' where user='root';
update user set Trigger_priv='Y' where user='root';
What the privilege columns mean:
Select_priv: whether the user can read data with SELECT.
Insert_priv: whether the user can insert data with INSERT.
Update_priv: whether the user can modify existing data with UPDATE.
Delete_priv: whether the user can delete existing data with DELETE.
Create_priv: whether the user can create new databases and tables.
Drop_priv: whether the user can drop existing databases and tables.
Reload_priv: whether the user can run the commands that flush and reload MySQL's internal caches, including logs, privileges, hosts, queries and tables.
Shutdown_priv: whether the user can shut down the MySQL server. Be very careful before giving this to any account other than root.
Process_priv: whether the user can see other users' processes with SHOW PROCESSLIST.
File_priv: whether the user can run SELECT INTO OUTFILE and LOAD DATA INFILE.
Grant_priv: whether the user can pass privileges granted to them on to other users. For example, if a user can insert, select and delete in the foo database and also holds GRANT, that user can give any or all of those privileges to any other user on the system.
References_priv: currently only a placeholder for future functionality; it has no effect.
Index_priv: whether the user can create and drop table indexes.
Alter_priv: whether the user can rename tables and alter table structure.
Show_db_priv: whether the user can see the names of every database on the server, not only the databases the user has sufficient access rights to. Consider disabling this for all users unless there is a compelling reason not to.
Super_priv: whether the user can perform certain powerful administrative actions, such as killing user processes with KILL, changing global MySQL variables with SET GLOBAL, and running various replication and logging commands.
Create_tmp_table_priv: whether the user can create temporary tables.
Lock_tables_priv: whether the user can block access to and modification of tables with LOCK TABLES.
Execute_priv: whether the user can execute stored procedures. Only meaningful in MySQL 5.0 and later.
Repl_slave_priv: whether the user can read the binary log files used to maintain a replicated database environment. This user lives on the master and facilitates communication between master and slave.
Repl_client_priv: whether the user can determine the location of replication slaves and masters.
Then update the password:
set password for 'root'@'localhost' = password('****');
GRANT ALL PRIVILEGES ON *.* TO 'root'@'%' WITH GRANT OPTION;
flush privileges;
bye
Handle with care, since this removes every account other than root@localhost:
delete from user where not(host="localhost" and user="root");
flush privileges;
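As an added check, not part of the original post, the rules described above can be applied to a dump of mysql.user before deciding what to delete. The rows below are constructed for the example (the layout is what mysql -N -B prints for the query in the comment); the audit flags non-localhost hosts, anonymous accounts, and non-root holders of Super_priv, File_priv, Grant_priv or Shutdown_priv:

```shell
#!/bin/sh
# Constructed sample of what
#   mysql -N -B -e "SELECT Host,User,Super_priv,File_priv,Grant_priv,Shutdown_priv FROM mysql.user"
# prints: tab-separated rows, no header. Not taken from a real server.
SAMPLE_USERS="$(printf '%s\t%s\t%s\t%s\t%s\t%s\n' \
  localhost    root  Y Y Y Y \
  '%'          root  Y Y Y Y \
  localhost    ''    N N N N \
  localhost    abc   N N N N \
  192.168.1.5  abc   N Y N N)"

# audit_users: reads rows on stdin and prints one finding per line as
# host<TAB>user<TAB>reason. The rules follow the post: only localhost accounts
# should exist, no anonymous accounts, and the dangerous columns
# (Super_priv, File_priv, Grant_priv, Shutdown_priv) belong to root only.
audit_users() {
  awk -F'\t' '
    { host = $1; user = $2 }
    host != "localhost" && host != "127.0.0.1" { print host "\t" user "\tremote login allowed (post expects localhost only)" }
    user == "" { print host "\t" user "\tanonymous account" }
    user != "root" && $3 == "Y" { print host "\t" user "\tSuper_priv on non-root account" }
    user != "root" && $4 == "Y" { print host "\t" user "\tFile_priv on non-root account (SELECT INTO OUTFILE / LOAD DATA INFILE)" }
    user != "root" && $5 == "Y" { print host "\t" user "\tGrant_priv on non-root account" }
    user != "root" && $6 == "Y" { print host "\t" user "\tShutdown_priv on non-root account" }
  '
}

# count_findings: number of findings for the rows given on stdin
count_findings() {
  audit_users | grep -c '^'
}

# stand-alone demonstration on the constructed sample: 4 findings expected
# (root@% remote, the anonymous account, abc@192.168.1.5 remote and File_priv)
printf '%s\n' "$SAMPLE_USERS" | audit_users
```

Feed it the real output of the query in the comment to review a server before running the delete above.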
Now look again:
mysql> select * from user;
Host:        localhost
User:        root
Password:    *01540717ECF753C83ECBAD389C3CE2291FDD5BD4
Select_priv: Y   Insert_priv: Y   Update_priv: Y   Delete_priv: Y
Create_priv: Y   Drop_priv: Y   Reload_priv: Y   Shutdown_priv: Y
Process_priv: Y   File_priv: Y   Grant_priv: Y   References_priv: Y
Index_priv: Y   Alter_priv: Y   Show_db_priv: Y   Super_priv: Y
Create_tmp_table_priv: Y   Lock_tables_priv: Y   Execute_priv: Y   Repl_slave_priv: Y
Repl_client_priv: Y   Create_view_priv: Y   Show_view_priv: Y   Create_routine_priv: Y
Alter_routine_priv: Y   Create_user_priv: Y   Event_priv: Y   Trigger_priv: Y
ssl_type: (empty)   ssl_cipher: (empty)   x509_issuer: (empty)   x509_subject: (empty)
max_questions: 0   max_updates: 0   max_connections: 0   max_user_connections: 0
1 row in set (0.00 sec)
mysql> GRANT ALL PRIVILEGES ON *.* TO 'root'@'%' WITH GRANT OPTION;
Query OK, 0 rows affected (0.00 sec)
mysql> flush privileges;
Query OK, 0 rows affected (0.00 sec)
mysql> grant all on *.* to 'root'@'%' identified by '****';
Query OK, 0 rows affected (0.00 sec)
mysql> flush privileges;
Query OK, 0 rows affected (0.00 sec)
Everything works again.
MySQL directory permissions
cp support-files/my-medium.cnf /etc/my.cnf
# fix ownership and permissions
chown root:mysql /etc/my.cnf
chmod 644 /etc/my.cnf
MySQL security settings
1. Disable remote connections to MySQL
Our MySQL only needs to be reached by local PHP scripts, so there is no need to listen on a network socket; we can turn the listener off entirely.
* In my.cnf, add the skip-networking parameter to the [mysqld] section.
BLOB:
MySQL's four BLOB types
Type         Size (bytes)
TinyBlob     up to 255
Blob         up to 65K
MediumBlob   up to 16M
LongBlob     up to 4G
2. Remove the default database and users
drop database test;
use mysql;
delete from db;
delete from user where not(host="localhost" and user="root");
flush privileges;
4. Local file security:
Improve local security, mainly by preventing MySQL from reading and writing local files. In the [mysqld] section:
local-infile=0      (older my.cnf files write this as set-variable=local-infile=0)
6. Least-privilege users:
create database db1;
grant select,insert,update,delete,create,drop on db1.* to user@localhost identified by 'passwd';
7. Stop ordinary users from browsing other databases; edit my.cnf and add under [mysqld]:
skip-show-database
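An added check, not from the original post, that verifies whether items 1, 4 and 7 above (skip-networking, local-infile=0, skip-show-database) are actually active in the [mysqld] section of a my.cnf. The sample file is constructed for the example and deliberately has only one of the three in effect; directives in other sections, commented-out lines, and the underscore/dash spelling variants are handled:

```shell
#!/bin/sh
# Constructed my.cnf (not from a real server): skip-networking is set, but
# local-infile is still enabled and skip-show-database is absent.
MYCNF="$(mktemp)"
trap 'rm -f "$MYCNF"' EXIT
cat > "$MYCNF" <<'EOF'
[client]
port = 3306

[mysqld]
user = mysql
port = 3306
skip_networking
# local-infile=0      <- commented out, so it does not count
local-infile = 1

[mysqldump]
quick
EOF

# check_mycnf FILE: prints one "missing in [mysqld]: ..." line for each of the
# three hardening directives that is not active in [mysqld]; other sections are ignored.
check_mycnf() {
  awk '
    /^[[:space:]]*\[/ { in_mysqld = ($0 ~ /^[[:space:]]*\[mysqld\]/); next }
    !in_mysqld || /^[[:space:]]*$/ || /^[[:space:]]*[#;]/ { next }
    {
      line = $0
      sub(/#.*/, "", line)             # drop a trailing comment
      gsub(/[[:space:]]/, "", line)    # "local-infile = 0" -> "local-infile=0"
      gsub(/_/, "-", line)             # MySQL treats skip_networking and skip-networking alike
      sub(/^set-variable=/, "", line)  # old my.cnf syntax used in the post
      if (line ~ /^skip-networking(=(1|ON|on|TRUE|true))?$/)    seen["skip-networking"] = 1
      if (line ~ /^local-infile=(0|OFF|off|FALSE|false)$/)        seen["local-infile=0"] = 1
      if (line ~ /^skip-show-database(=(1|ON|on|TRUE|true))?$/) seen["skip-show-database"] = 1
    }
    END {
      n = split("skip-networking local-infile=0 skip-show-database", want, " ")
      for (i = 1; i <= n; i++) if (!(want[i] in seen)) print "missing in [mysqld]: " want[i]
    }
  ' "$1"
}

# stand-alone demonstration: reports local-infile=0 and skip-show-database as missing
check_mycnf "$MYCNF"
```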
8. Quick repair of MySQL databases
Repair all databases:
mysqlcheck -A -o -r -p
Repair a specific database:
mysqlcheck -o -r database -p
9. Choose the MySQL configuration file according to the amount of memory:
my-small.cnf
my-medium.cnf             # 32M - 64M
my-large.cnf              # memory = 512M
my-huge.cnf               # 1G-2G
my-innodb-heavy-4G.cnf    # 4GB
Server security summary:
1. Do not use the root account; strengthen the root password
2. Change the database name and the administrator credentials periodically
3. Back up data regularly
4. Shut down unneeded services
5. Create an ordinary user account and run the system under it
6. Nginx hardening and optimization
7. Website directory permissions:
(1) Upload directories and the database directory usually need write permission, but must never be given execute permission
(2) Other directories generally only need read permission
8. Expose only port 80 to the outside; keep all other ports closed
We approach it from these 8 angles.
首先是從工具自動生成加密密碼,root禁用
2.定期給數據庫修改密碼
//進入數據庫 mysql -u root -p123456 //創建用戶 insert into mysql.user(Host,User,Password)values(“localhost”, “abc”,password(“123“); (只添加一次) //修改密碼 setpassword for'abc'@'localhost'=password('123456'); //刷新權限 flush privileges; //授權用戶擁有權限center數據庫所有權限(center 根據數據庫名稱修改) grant all privileges on center.* to abc@localhost identified by '123456'; #刷新權限 flush privileges;
Renaming the root account: changing the default MySQL administrator name is optional and a matter of personal habit. Since the default administrator name is root, renaming it where possible stops script kiddies from brute-forcing that account. We can change it directly in the database:
update mysql.user set user="abc" where user="root";
flush privileges;
3. Regular backups are the most important thing (script attached below)
4. Shut down unneeded services (script attached)
5. Create an ordinary user (script attached)
6. Nginx hardening
(The configuration below is written into the deployment script when the server is set up, so nothing needs to be changed by hand.)
(1) Edit php.ini and set cgi.fix_pathinfo to 0 (security vulnerability).
(2) Completely hide the Nginx version number: vim nginx.conf and add server_tokens off; inside the http { } block, for example:
http {
    ... (omitted)
    sendfile on;
    tcp_nopush on;
    keepalive_timeout 60;
    tcp_nodelay on;
    server_tokens off;
(3) Edit the php-fpm configuration file, e.g. fastcgi.conf or fcgi.conf (the file name can be customised; adjust to the actual name). Find:
fastcgi_param SERVER_SOFTWARE nginx/$nginx_version;
and change it to:
fastcgi_param SERVER_SOFTWARE nginx;
(4) Reload the nginx configuration:
# /etc/init.d/nginx reload
Server optimization script
#!/bin/bash
#The author:cs312779641
mkdir -p /mysqlback
back=/mysqlback

# create an ordinary user
username=1234
useradd $username
echo "1234" | passwd --stdin $username

# this part stops non-essential system services on the server
# define the services to stop; adjust to the actual server role
SERVICES="acpid atd auditd autofs avahi-daemon avahi-dnsconfd NetworkManager capi bluetooth cpuspeed cups dund firstboot haldaemon hidd ip6tables irda isdn mcstrans messagebus netfs netplugd nfslock pand pcscd portmap rawdevices restorecond xfs sendmail "
for service in $SERVICES
do
    # do not start the service at boot
    chkconfig $service off
    # stop the selected service
    service $service stop
done

# file backup (experimental)
name=db
cd /data/
date=`date -I`
tar -zcvf $back/$name$date.tar.gz html

# database backup
mysqldump --databases db -uroot -p123456 > $back/db`date +%Y-%m-%d`.sql

# remove backups older than 15 days
find $back/ -mtime +15 -name "*.tar.gz" -exec rm -rf {} \;
find $back/ -mtime +15 -name "*.sql" -exec rm -rf {} \;

# firewall script
cat > /etc/sysconfig/iptables <<EOF
# Firewall configuration written by system-config-securitylevel
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
# hand all other inbound traffic to the RH-Firewall-1-INPUT chain; without this jump
# the port-80 rule and the final REJECT below are never reached
-A INPUT -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
service iptables restart
Optimize the server, harden the server, and harden the database as well. For ops and security people this is the most important thing of all!!!