1. Password complexity
MySQL ships with the validate_password plugin, which checks password strength and refuses to set a password that does not meet the configured requirements. Neither MySQL 5.7 nor 8.0 enables the plugin by default.
# Log in to MySQL
mysql -uroot -pfbLfJZ1sFMAw
# Check whether the plugin is installed; an empty result means it is not
SHOW VARIABLES LIKE 'validate_password%';
# Install the plugin with INSTALL PLUGIN; the library suffix depends on the platform: .so on Unix and Unix-like systems, .dll on Windows
mysql> INSTALL PLUGIN validate_password SONAME 'validate_password.so';
# After installation the same SHOW VARIABLES query lists the plugin's variables with their defaults:
+--------------------------------------+--------+
| Variable_name                        | Value  |
+--------------------------------------+--------+
| validate_password_check_user_name    | OFF    |
| validate_password_dictionary_file    |        |
| validate_password_length             | 8      |
| validate_password_mixed_case_count   | 1      |
| validate_password_number_count       | 1      |
| validate_password_policy             | MEDIUM |
| validate_password_special_char_count | 1      |
+--------------------------------------+--------+
# Parameter reference
validate_password_check_user_name:
When ON, the password is compared with the current user name (and its reverse) and rejected if it matches
validate_password_policy:
The password policy; the default is MEDIUM. Allowed values:
0 or LOW: only the length requirement applies (set by validate_password_length)
1 or MEDIUM: the LOW requirement plus at least one digit, one lowercase letter, one uppercase letter and one special character
2 or STRONG: the MEDIUM requirements plus the password must not appear in the dictionary file
validate_password_dictionary_file:
Path of the password dictionary file; it is only consulted when validate_password_policy is STRONG, and any password found in the file is rejected
validate_password_length:
Minimum password length; the default is 8
validate_password_mixed_case_count:
With policy MEDIUM or STRONG, the minimum number of lowercase letters and, separately, of uppercase letters the password must contain; default 1, minimum 0 (the default therefore requires at least one lowercase and one uppercase letter)
validate_password_number_count:
With policy MEDIUM or STRONG, the minimum number of digits; default 1, minimum 0
validate_password_special_char_count:
With policy MEDIUM or STRONG, the minimum number of special characters; default 1, minimum 0
### Remediation settings:
# SET GLOBAL takes effect immediately but is lost on restart; the same values go into my.cnf in section 6
set global validate_password_length = 10;
set global validate_password_mixed_case_count = 1;
set global validate_password_number_count = 1;
set global validate_password_policy = MEDIUM;
set global validate_password_special_char_count = 1;
## Binary log retention period
show variables like 'expire_logs_days';
set global expire_logs_days = 15;
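An added example (not code from this page or from MySQL) that mirrors the validate_password rules above in Python, so a candidate password can be checked against the policy before it is handed to CREATE USER. PAGE_POLICY holds the remediation values from this page (length 10, MEDIUM, one character of each class, user-name check on); the reversed-user-name comparison and the substring-of-four dictionary rule follow the plugin's documented behaviour.

```python
from dataclasses import dataclass, field

@dataclass
class ValidatePasswordConfig:
    """Mirrors the validate_password_* variables described above."""
    policy: str = "MEDIUM"          # LOW / MEDIUM / STRONG (or 0 / 1 / 2)
    length: int = 8                 # validate_password_length
    mixed_case_count: int = 1       # validate_password_mixed_case_count
    number_count: int = 1           # validate_password_number_count
    special_char_count: int = 1     # validate_password_special_char_count
    check_user_name: bool = False   # validate_password_check_user_name
    dictionary: set = field(default_factory=set)  # lower-case words from the dictionary file

POLICY_LEVEL = {"0": 0, "LOW": 0, "1": 1, "MEDIUM": 1, "2": 2, "STRONG": 2}

def check_password(password: str, cfg: ValidatePasswordConfig, user: str = "") -> list:
    """Return the rules the password violates; an empty list means MySQL would accept it."""
    problems = []
    level = POLICY_LEVEL[str(cfg.policy).upper()]
    if cfg.check_user_name and user:
        # The plugin compares against the user name and its reverse, case-insensitively
        if password.lower() in (user.lower(), user.lower()[::-1]):
            problems.append("password equals the user name or its reverse")
    if len(password) < cfg.length:
        problems.append(f"length {len(password)} < validate_password_length {cfg.length}")
    if level >= 1:  # MEDIUM adds the character-class counts
        lower = sum(c.islower() for c in password)
        upper = sum(c.isupper() for c in password)
        digits = sum(c.isdigit() for c in password)
        special = sum(not c.isalnum() for c in password)
        if min(lower, upper) < cfg.mixed_case_count:
            problems.append(f"needs {cfg.mixed_case_count} lowercase and {cfg.mixed_case_count} uppercase letters")
        if digits < cfg.number_count:
            problems.append(f"needs {cfg.number_count} digit(s)")
        if special < cfg.special_char_count:
            problems.append(f"needs {cfg.special_char_count} special character(s)")
    if level >= 2 and cfg.dictionary:  # STRONG adds the dictionary check
        # Rejected if any substring of length 4 or more is a dictionary word
        pw = password.lower()
        substrings = {pw[i:j] for i in range(len(pw)) for j in range(i + 4, len(pw) + 1)}
        if substrings & cfg.dictionary:
            problems.append("contains a dictionary word")
    return problems

# The remediation values from this page: length 10, MEDIUM, one of each class, user-name check on
PAGE_POLICY = ValidatePasswordConfig(policy="MEDIUM", length=10, check_user_name=True)

if __name__ == "__main__":
    for pw in ("Shujushenji@_01", "password", "audit"):
        print(pw, check_password(pw, PAGE_POLICY, user="audit") or "OK")
```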
2. Failed-login handling
# Check the failed-login variables (they exist only once the connection_control plugin is loaded, see section 6)
show variables like "connection_control%";
# Number of consecutive failed connection attempts before the server starts delaying its responses
set global connection_control_failed_connections_threshold = 3;
# Check the timeout settings
SHOW global variables LIKE '%timeout';
+------------------------------+---------------------+
| Variable_name                | Value               |
+------------------------------+---------------------+
| connect_timeout              | 10                  |
| delayed_insert_timeout       | 300                 |
| have_statement_timeout       | YES                 |
| innodb_flush_log_at_timeout  | 1                   |
| innodb_lock_wait_timeout     | 50                  |
| innodb_rollback_on_timeout   | OFF                 |
| interactive_timeout          | 28800               |
| lock_wait_timeout            | 31536000            |
| net_read_timeout             | 30                  |
| net_write_timeout            | 60                  |
| rpl_semi_sync_master_timeout | 1000000000000000000 |
| rpl_stop_slave_timeout       | 31536000            |
| slave_net_timeout            | 60                  |
| thread_pool_idle_timeout     | 60                  |
| wait_timeout                 | 28800               |
+------------------------------+---------------------+
### Remediation settings:
# Connection handshake timeout, in seconds
set global connect_timeout = 10;
# Idle timeout for interactive clients, in seconds (wait_timeout is the equivalent for non-interactive clients)
set global interactive_timeout = 600;
3. SSL parameters
# Check the SSL-related parameters
show variables like '%ssl%';
+---------------+--------------------------------+
| Variable_name | Value                          |
+---------------+--------------------------------+
| have_openssl  | YES                            |
| have_ssl      | YES                            |
| ssl_ca        | /var/lib/mysql/ca.pem          |
| ssl_capath    |                                |
| ssl_cert      | /var/lib/mysql/server-cert.pem |
| ssl_cipher    |                                |
| ssl_crl       |                                |
| ssl_crlpath   |                                |
| ssl_key       | /var/lib/mysql/server-key.pem  |
+---------------+--------------------------------+
# Check whether encrypted SSL/TLS connections are enforced (confirm with the product and development teams before enabling this, since plaintext clients will be refused)
SHOW variables LIKE 'require_secure_transport';
4. MySQL audit configuration
# Check the current audit configuration
show global variables like 'log_timestamps';
+----------------+--------+
| Variable_name  | Value  |
+----------------+--------+
| log_timestamps | SYSTEM |
+----------------+--------+
show global variables like '%general%';
+------------------+-------------------------------+
| Variable_name    | Value                         |
+------------------+-------------------------------+
| general_log      | OFF                           |
| general_log_file | /var/lib/mysql/mysql-ha-0.log |
+------------------+-------------------------------+
### Remediation settings:
# The general log records every statement the server receives, so plan disk space and log rotation before enabling it
set global general_log = on;
set global general_log_file = '/var/lib/mysql/mysql-ha-0.log'; # no need to run, already the current value
set global log_timestamps = SYSTEM; # no need to run, already the current value
5. Create the audit user
# The password must satisfy the validate_password policy set above
CREATE USER 'audit'@'localhost' IDENTIFIED BY 'Shujushenji@_01';
grant select on *.* to 'audit'@'localhost';
6. Add the plugins and their settings at the bottom of the mysqld configuration file
- plugin-load-add loads two MySQL plugins: connection_control.so and validate_password.so
- validate_password_policy sets the password policy to 1 (MEDIUM)
- validate-password=FORCE_PLUS_PERMANENT makes the server refuse to start without the plugin and prevents it from being unloaded at runtime
- connection-control enables the connection-control feature: a client that keeps failing to log in has its responses delayed (temporarily throttled)
- connection-control-failed-login-attempts enables the companion plugin that records failed login attempts per account and host
- connection_control_min_connection_delay and connection_control_max_connection_delay set the minimum and maximum delay, in milliseconds
- connection_control_failed_connections_threshold sets how many consecutive failed attempts from a given account and host are tolerated before connection control kicks in
- default_password_lifetime sets the default password expiry to 90 days
[mysqld]
default_storage_engine=InnoDB
max_connections=65535
# audit_log_* options belong to the MySQL Enterprise audit_log plugin; the loose- prefix keeps mysqld from refusing to start as "unknown variable" when that plugin is not loaded
loose-audit_log_rotate_on_size=104857600
loose-audit_log_rotations=3
plugin-load-add=connection_control.so
plugin-load-add=validate_password.so
validate_password_policy=1
validate-password=FORCE_PLUS_PERMANENT
connection-control=FORCE
connection-control-failed-login-attempts=FORCE
# Delays are in milliseconds; the minimum must not exceed the maximum (30 min and 24 h here)
connection_control_min_connection_delay=1800000
connection_control_max_connection_delay=86400000
connection_control_failed_connections_threshold=5
default_password_lifetime=90
validate_password_check_user_name=ON
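A linter for the [mysqld] block in section 6, written as an added example (not part of the original page or of MySQL): it parses my.cnf-style options, normalizes dash/underscore spelling and the loose- prefix the way mysqld does, and checks the baseline this page sets, including the plugin requirement that the minimum connection delay not exceed the maximum. The embedded sample is a constructed copy of the page's block that keeps the inconsistent delay pair (min 1800000 ms, max 86400 ms) so the linter has something to flag.

```python
# Constructed sample: the [mysqld] block from section 6 of this page, keeping the
# inconsistent delay pair (min 1800000 ms > max 86400 ms) so the linter flags it.
SAMPLE_CNF = """
[mysqld]
plugin-load-add=connection_control.so
plugin-load-add=validate_password.so
validate_password_policy=1
connection_control_min_connection_delay=1800000
connection_control_max_connection_delay=86400
connection_control_failed_connections_threshold=5
default_password_lifetime=90
validate_password_check_user_name=ON
"""
POLICY_LEVEL = {"0": 0, "low": 0, "1": 1, "medium": 1, "2": 2, "strong": 2}

def parse_mysqld(text):
    """Collect [mysqld] options as {key: [values]}; repeated keys such as plugin-load-add are kept."""
    opts, section = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "mysqld":
            key, _, value = line.partition("=")
            key = key.strip().lower().replace("-", "_")  # mysqld treats '-' and '_' alike
            if key.startswith("loose_"):                # loose- prefix: same option, unknown ignored
                key = key[len("loose_"):]
            opts.setdefault(key, []).append(value.strip())
    return opts

def lint_mysqld(text):
    """Return baseline findings; an empty list means the file matches this page's settings."""
    opts = parse_mysqld(text)
    last = lambda key, default: opts.get(key, [default])[-1]   # mysqld uses the last occurrence
    findings = []
    for so in ("connection_control.so", "validate_password.so"):
        if so not in opts.get("plugin_load_add", []):
            findings.append(f"{so} is not loaded via plugin-load-add")
    if POLICY_LEVEL.get(last("validate_password_policy", "medium").lower(), -1) < 1:
        findings.append("validate_password_policy is below MEDIUM")
    if last("validate_password_check_user_name", "OFF").upper() != "ON":
        findings.append("validate_password_check_user_name is not ON")
    lo = int(last("connection_control_min_connection_delay", 1000))
    hi = int(last("connection_control_max_connection_delay", 2147483647))
    if lo > hi:  # both are milliseconds; the plugin requires min <= max
        findings.append(f"min delay {lo} ms exceeds max delay {hi} ms")
    if int(last("default_password_lifetime", 0)) < 1:
        findings.append("default_password_lifetime 0 means passwords never expire")
    return findings
```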
7. After the restart, log in to MySQL and verify that the configuration was loaded
show variables like 'validate%';
show global variables like 'default_password_lifetime';
show variables like "%connection_control%";